Combating Digital 'Overage' in a Goods-'Shrinkage' World


Posted on

It’s that time again, when retail businesses across the country expect to see the year's highest volume of consumer transactions. Stores are decked out, discounts are advertised, and shoppers—both physical and cyber—are rolling in.

A friend of mine, a manager of several retail branch stores for a national brand, told me that in brick-and-mortar retail stores, they keep in mind the concept of “shrinkage.” She said that retailers build into their financial model a “shrinkage” component, expecting a certain amount of goods missing via shoplifting or other fraudulent methods. They anticipate theft.

Today this is a concept that has no direct equivalent in the cyberspace. In the digital world, large-scale "victimless" fraud is creating a "cyber-overage" situation.

How does that work?

Recently I attended a closed-door cybercrime talk by a former FBI cyber crime expert. He said that credit card numbers now fetch less than $1 a piece on the underground market, but legitimate email addresses, with real login credentials, can command as high as $30 per address on the illegal digital information market.

As fraudsters attain legitimate user email addresses, we are starting to see these addresses enable fraudulent transactions in new and creative ways.

For example, traffic fraud is a category of fraud that occurs with stolen email addresses. Fraudsters that harvest email addresses and credentials use them to subscribe for data-intensive services like Netflix or Hulu. Once the account is set up, the criminals start streaming a large amount of data from these content providers during the free trial period, routing an enormous amount of traffic through a particular ISP. As a result, this ISP gets a big revenue bump from the traffic, and the fraudsters get a cut.

From the outset, this is almost a victimless crime; the owners of the email addresses are not adversely affected. One could assume content providers like Netflix or Hulu are happy, because increased subscription numbers contribute to their bottom line. Even though the fraudsters and the colluding ISPs have managed to defraud the system of hundreds of thousands (and potentially millions) of dollars, no one is willing to press charges or pursue legal options to stop this kind of fraud.

If it is victimless, is there really a problem?

The fraudsters exploit loopholes in the content-commerce supply chain to divert funds to themselves. Since the supply-chain ecosystem does not play the zero-sum game, it creates an environment where fraudsters can profit while everyone else is not worse off—and therefore none the wiser.

According to this cyber crime expert, cyber frauds are increasingly gravitating towards such large-scale, victim-less frauds.

This seems to be the exact opposite of the “shrinkage” model that exists in traditional commerce, where physical stores would expect a certain percentage of goods to be stolen. In fact, holders of cybergoods (non physical goods like content, software, or information) should expect “cyberoverage” due to fraud.

What’s more interesting is that this overage may not be tied to actual transactions; it may be simply tied to the expectation that transactions occur in the future. Like the stock market, where some transactions create a “positive sum” (as opposed to zero sum) for participants, these overage frauds help create the illusion of a positive-sum situation where everyone is better off than before.

But, there is a critical difference between a true positive-sum economy and  “positive'sum” fraud. The former moved capital in the system to create net-new value— company WhizCo sells a stake in the company to raise funds in order to invest in new product development. The product succeeds, injecting new value into the ecosystem. WhizCo’s value goes up, and the investors who bought the stock enjoy a handsome return of their investment. Everyone wins.

In the latter scenario, capital also gets moved around within the system, but without the eventual creation of net-new value. There are no new services, new innovations, or new efficiencies created. Without net-new value creation, it is not possible to have a true “positive-sum” economy. At some point, the market or the supply-chain economy will crash.

Taking technologies that may detect or stop fraud out of the equation for a minute, let’s think about this purely as an economic exercise: What if holders of cybergoods built into their financial models the concept of a “cyberoverage”, which attributes a certain percentage of recorded transactions to fraud? In practice, you may consider delayed revenue reporting or delayed accounting of revenue realization, and if the system does see net-new value creation, perhaps the delayed revenues can be realized.

Of course the actual implementation of such a model is difficult and has not been attempted previously. The observations made here are a narrow example of a changing cybereconomy. But with continued cyberintrusions and fraud, perhaps it is time that we seriously consider alternative economic models.  

data security fraud

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs