Security: Spam’s Merchant-Acquirer Chokepoint

 

By Peter Lucas

 

Spam e-mail may be a constant irritant to consumers, but it’s big business for merchant acquirers willing to settle transactions resulting from those unsolicited ads. Can anything be done to stop it?

 

 

 

Every day some unsuspecting consumer receives an unsolicited e-mail from a merchant with which he has no prior relationship advertising an offer that is too good to pass up: Rolex watches at wholesale prices, Viagra from a Canadian pharmacy without a prescription, or the latest anti-virus or CD/DVD-burning software at a deeply discounted price.

 

Although the consumer knows the e-mail is spam, he can’t resist a bargain. He clicks on the link in the message to land at the merchant’s Web site, where he buys the product.

 

When the item is delivered, the consumer often discovers, much to his dismay, that the product is either counterfeit, shoddily crafted, does not meet Food and Drug Administration guidelines, or is pirated software, the use of which can lead to fines for violating copyright laws.

 

Too embarrassed to let anyone know that a virtual flim-flam man took him, the consumer opts to eat the transaction rather than initiate a chargeback through his card issuer.

 

Since no complaint is filed against the merchant, the spam scam continues, sucking in thousands of unsuspecting consumers every day.

 

While spam represents more than three quarters of daily e-mail volume—global spam accounted for 77.8% of e-mail in July, or one in every 1.29 e-mails, according to Mountain View, Calif.-based Symantec Corp.—it was not until earlier this year that researchers at the University of California, San Diego, and the University of California, Berkeley, shined a light on how merchant acquirers help it to proliferate.

 

The study, titled Click Trajectories: End-to-End Analysis of the Spam Value Chain, traced the flow of spam, looking at the feasibility of cutting it off at various points such as at domain registrars or Web-hosting services.

 

The authors concluded that interception at those places wouldn’t work. In the case of hosting services, the thousands of players involved would make such a strategy exceedingly difficult to execute. In the case of registrars, previous efforts to control them have been slow and fraught with politics because any action requires global cooperation.

 

But the researchers, who examined about 1 billion spam e-mails and even made some purchases, did find that spam does have a few critical chokepoints.

 

According to the study, some 95% of card purchases generated by e-mail spam advertising pharmaceuticals, consumer item knock-offs, and software are cleared through just three acquiring banks: one located in the Republic of Azerbaijan, one in The Federation of Saint Kitts and Nevis in the West Indies, and one in Latvia that may have since relocated to Russia, according to National Public Radio.

 

Eliminating spam by targeting card transactions could be achieved in one of two ways, according to the study. Card networks could either pressure acquirers that knowingly settle transactions generated by spam to stop, or pressure card issuers to refuse to authorize transactions from known spammers and the acquirers that settle for them.

 

“Without an effective mechanism to transfer consumer payments, it would be difficult to finance the rest of the spam ecosystem. Moreover, there are only two networks—Visa and MasterCard—that have the consumer footprint in Western countries to reach spam’s principal customers,” the study says.

 

Spammers build their e-mail databases by gathering addresses from chatrooms, Web sites, customer lists, newsgroups, viruses that harvest consumers’ e-mail address books, and by purchasing lists from other spammers.

 

They also employ a practice called e-mail appending in which they use known information about their target, such as a postal address, to search for the consumer’s e-mail address.

 

Puzzle Pieces

 

While the concept of shutting down acquirers that sign merchant spammers as clients sounds effective in theory, putting it into practice poses many challenges.

 

For starters, the products spammers peddle are not illegal in the countries where they and their acquiring banks are located. Indeed, one mantra of the spammer community is that the products they sell address a need for the consumers they target and that attempts to criminalize their actions are motivated by protectionist commerce policies of the countries where their customers reside.

 

“Merchant spamming and the transactions that result from those ads is a gray area because no crime is being committed, and that makes it tough to resolve the problem,” says Peter Cassidy, secretary general of the Anti-Phishing Working Group (APWG), a Cambridge, Mass.-based association dedicated to eliminating identity theft and fraud from phishing and e-mail spoofing. “Merchant spammers are more like ankle biters than criminals.”

 

Perhaps, but the bite these merchants take out of consumer wallets is substantial. The sale of counterfeit drugs alone is estimated to total $75 billion a year, according to David Jevans, chairman of the APWG.

 

Further, spam e-mail costs just pennies to produce. Yet with as many as 100 billion spam e-mails sent a day, even with a response rate anywhere from one-tenth of a percent to 0.5%, the money to be made can be hefty.

 

“It does not require a lot of resources to become a spammer, which is why anyone can do it,” says Julie Fergerson, vice president of emerging technologies for Toronto-based Ethoca Technologies Inc., a provider of anti-fraud technology. “Because the barrier to entry is low, there is always someone willing to step in to take the place of a spammer that has been shut down.”

 

So why haven’t the card networks, the Federal Trade Commission, or the U.S. Department of Justice—which in late August reached a $500 million settlement with search-engine behemoth Google Inc. for allegedly enabling Canadian pharmacies to advertise to American consumers—cracked down on the practice?

 

Payment experts point to a puzzle with myriad pieces that makes a systemic attack on spam tough.

 

“There is an absence of ability to aggregate the data needed to show the extent of the problem and make a case for taking steps to solve it,” says Cassidy. “There does not seem to be one regulatory entity that has the authority to collect all the data needed to show the dollars lost and number of people affected.”

 

Cardholder Backlash

 

Further complicating matters is that many consumers who are victims of spam scams do not initiate chargebacks by claiming the product is not as advertised, which would help alert card issuers and Visa and MasterCard to the problem. Nor do they report the merchant to the FTC or the DoJ as a violator of the Can-Spam Act.

 

Passed in 2003 to address unwanted commercial e-mail, the Can-Spam Act prohibits falsification of certain information used in the transmission of e-mail, as well as the use of proxies to disguise the identities of individuals sending the e-mails. Without an adequate trail of complaints or chargebacks to follow, the size and scope of the problem are difficult to determine.

 

“The Internet made U.S. citizens global almost in what seemed a blink of the eye, but law enforcement and consumer protections have a long way to go before they are global,” says Fergerson.

 

Pressuring card issuers to create a blacklist of merchant spammers, thereby denying authorization of transactions from them and in turn putting pressure on acquirers not to sign those merchants as clients, as the study suggests, is not a sure-fire solution to the problem. Despite the seeming practicality of blacklisting, payments experts argue that such a policy would result in a cardholder backlash.

 

“If Bank of America starts blocking transactions for certain merchants, cardholders are likely to get upset and question why the bank feels it has the authority to decide which merchants they can and can’t do business with,” says Fergerson. “At one time American Express did not support transactions through gaming and adult-entertainment sites, but it is loosening that policy, at least in Europe, because it’s what the consumer wants.”

 

Educating consumers about the risks of purchasing from spammers and using tools available from the card networks to protect them from doing business with shady merchants are considered more palatable alternatives.

 

Aggressively promoting Verified by Visa, an online cardholder verification process that includes a list of approved online merchants consumers can consult for assurance they are purchasing from a legitimate one, can empower consumers to determine from which merchants they want to buy.

 

“If there was larger-scale adoption of Verified by Visa, which shifts the liability for the transaction away from registered merchants to the card issuer, there might be more involvement by issuers to curtail merchant spam, but losses from online transactions are suffered by the merchant and the acquirer, so there is not a lot of incentive for issuers to get more actively involved in fighting spam,” says Fergerson.

 

Deep Pockets

 

Nor is directly blocking known spammer acquirers considered a viable solution.

 

While the recent report shows that three acquirers apparently are processing more than 95% of transactions generated from merchant spam, revoking their licenses to settle transactions over the Visa and MasterCard networks is unlikely to make much of a dent in spam, since there are plenty of acquirers waiting in the wings to take their place.

 

Card experts point to adult-entertainment sites as an example of why it would be so hard to stop acquirers from settling for merchant spammers.

 

While pornographic Web sites typically generate chargeback levels well above the industry average, the high potential revenues assure that there is no shortage of acquirers willing to sign these merchants despite the loss of interchange revenue on chargebacks and potential network fines for merchants constantly exceeding acceptable chargeback levels.

 

One reason experts view fines as an ineffective deterrent is that spammers, and in some cases the financial backers of acquirers they do business with, have deep pockets enabling them to get back in the game after being fined, or start up again under a new corporate name after being shut down.

 

“It is sort of like a whack-a-mole problem,” says APWG’s Jevans. “If there is enough money in it for acquirers, there will be no shortage of them lining up to take on the business, because there is no shortage of spammers.”

 

Spokespersons for the researchers at UC-San Diego and UC-Berkeley did not return repeated Digital Transactions calls. In an interview with NPR in May, Stefan Savage, a computer science and engineering professor at UC-San Diego and one of the report’s authors, said essentially the same thing as Jevans.

 

“There are far more than three banks that would be happy to step in and do the work,” he told NPR. “And this is the challenge of going after the banks themselves—that shame is a very slow process.”

 

Collective Solutions

 

Even if a blacklist of merchant spammers were created, there is the potential that the acquirers willing to service high-risk merchants might view it as a road map for finding new clients.

 

The bottom line on blacklisting is that it is viewed as a carpet-bombing strategy, lethal yet also highly inefficient because it would not only choke off questionable transactions, but also transactions from legitimate merchants that are clients of spam-friendly acquirers.

 

“It’s doubtful that all the transactions these acquirers settle come from merchant spammers and without a way to flag transactions related to spam there is no way to know for sure what percentage of volume is spam-related and what is not,” says Madeline K. Aufseeser, a senior analyst with Boston-based Aite Group LLC. “It’s like saying since all my spam comes through my Internet service provider, I will block all e-mail from my ISP. It’s going to take some very sophisticated technology to flag spam-related transactions.”

 

Indeed, not even ongoing advances in spam-filtering technology used by ISPs such as Yahoo!, MSN, Google, and AOL—the guardians of consumer e-mail boxes—and tougher rules for rating the reputations of bulk e-mail senders, such as tracking opens, clicks, and reply rates, have been able to stop the flow of spam.

 

Some of the ways spammers stay ahead of the game include tracking what keywords ISPs are flagging in the subject line or main body of the e-mail text, identifying the message size limit that a spam filter will allow, and determining what limits are placed on the overall size of a bulk-mailing campaign.

 

“There are always ways around the rules and spammers will find them,” says Jevans. “What is needed is for the card industry to come together and discuss the problem and identify ways to collectively address it. Collective solutions work much better than uncoordinated, individual efforts.”

 

Until the card industry can reach a collective agreement on how to stop spam, e-mails pitching dubious products will keep finding their way to the inboxes of naïve consumers eager to jump on a deal that usually is too good to be true—and who are too embarrassed to report they were scammed.