Money mules – the accomplices who help move stolen funds – may be the real victims of online banking scams, not the bank customers who are the ostensible targets of fraudsters, according to new research from Microsoft.
In a paper that turns conventional thinking about online banking crime on its head, researchers at Microsoft argue that it is the mules – the witting or unwitting accomplices of the fraudsters – who are the real victims of account takeover scams, not the owner of the account that is raided.
“Money mules are not merely unwitting accomplices, they are the true victims in credential theft fraud,” wrote the researchers, Cormac Herley and Dinei Florencio of Microsoft Research.
Their paper, “Is Everything We Know About Password-Stealing Wrong” appears in the latest issue of IEEE Security and Privacy Magazine.
In it, Herley and Florencio argue that U.S. laws that indemnify victims of banking and credit card fraud change the calculus and economics of online fraud. Victims whose accounts are raided, they note, are made whole again by the bank or credit card company.
Mules, on the other hand, are not victims of fraud. Instead, they participate in it: receiving stolen funds into a legitimate account they own, then quickly forwarding those funds to the criminals responsible for the crime in exchange for a small commission.
Unlike the victims, mules are not protected by anti fraud laws. Unlike the criminals, they are not off shore and beyond the reach of the banks or law enforcement. Further, as banks and other financial institutions have gotten better at tracing account takeover scams and reversing charges, it is the mules who pay the price: having funds extracted from their account to make the victim whole, assuming such funds are available.
“The thief is really stealing from the mule, not the compromised account, though that fact does not become clear until the dust settles,” the researchers write.
Herley has made a name for himself turning conventional wisdom about online crime on its head. He has challenged estimates about the size of the underground online economy as ridiculously inflated. Such estimates are based on merely the presence of sellers, not records of actual transactions. He has written critically about the utility of cyber crime surveys which he said “are so compromised and biased that no faith whatever can be placed in their findings.” Passwords have also been a regular focus of his work. In a paper on the use of statistical guessing attacks to defeat passwords, Herley and two co-authors: Stuart Schechter of Microsoft Research and Michael Mizenmacher of Harvard University argued that many features to force the creation of strong passwords actually result in users picking passwords that are easy to guess or crack.
In his latest research, Herley and his coauthors tap much of that early work and suggest that concentrating security investments on passwords to secure online banking sessions probably doesn’t do much to reduce online banking scams, given the realities of the cut throat cyber crime marketplace.
Knowing the customer’s password, they argue, is just the first step in emptying their account and is of relatively small utility. That, Herley and his colleagues say, explains why fraudsters get just pennies on the dollar for credentials in online bazaars. “Why would anyone sell the credentials that unlock an account with a $5,000 balance for $5,” they ask. “It makes a lot more sense if emptying accounts is hard and stealing passwords is merely the first step in a difficult and error-prone process which only occasionally succeeds,” the authors wrote.
It follows, then, that merely making passwords harder to steal won’t do much to stem online banking fraud.
“If a large lake of credentials is drained by a narrow pipe of mules, then reducing the inflow to the lake might have no effect on the net harm done,” they wrote.
Rather than focus on authentication, banks and financial services, as well as law enforcement, might do a better job staunching online banking theft by focusing, instead, on better back end fraud detection to make it harder to empty accounts, or on the mule recruitment process, to cut off access to the key middle men and women who are needed to move actual money into accounts under the attackers control.
Online criminal groups have gone to great lengths to recruit mules in recent years. Social networks like Facebook, MySpace and Twitter have all been used to recruit individuals willing to let their bank account be used to receive a transfer from an illegal account, then forward it along. In turn, the FBI has said that it was going to be stepping up efforts to crack down on money mules.