Think of what this means, and how precarious a position the nation's banks must be in for the fed to take actions like this. We needed to reimplement Glass-Steagall yesterday.
People often act like victims of scams need to be smarter, however widespread scamming places an immense burden on the broader economy. It increases the cost of doing business, since you have to do more verification for any transaction. We don't blame victims of other crimes, scamming shouldn't be an exception.
Imagine if you went to a restaurant, and the staff refused to serve you until you showed them your bank account balance to prove you could pay. It is an immense failure of law enforcement to not crack down harder on widespread scams.
> It is an immense failure of law enforcement to not crack down harder on widespread scams.
I fully agree. My identity was stolen and used to sign up for retail credit cards in a spree, and I even did the research for them. I had a timestamp of purchase, the items purchased, and the cash register number. The police could not care less. For one, they are lazy as hell and throw up jurisdictions as an excuse. The mere fact that the thief seemingly only used one store per jurisdiction seemed almost intentional in terms of taking advantage of this. The total amount stolen was $9,000, but I don't think the police gave it a second thought after I contacted them, and this was in a city big enough that it had a financial crimes department.
I worked briefly for a financial crimes prevention organization, and the minimum dollar amount of loss we could get police to act on was over $100,000. We would do all the research and present them with a complete case.
The cops have a pervasive misallocation of resources from the top down.
For example, US police eventually come up with enough evidence for prosecutors to start proceedings only in about 50% of murder cases [1]. Yet police departments spend very little of their time working on murder cases. [2]
Assuming you believe police investigating murders is valuable, I don't see how you can think police should be wasting time on broken taillight stops when they're failing that badly at it. (If the cops can't be reassigned they should be fired and their salaries used to pay cops who can)
[1] Technically I'm describing the murder clearance rate, but I use this phrasing to avoid the common and incorrect implication that a cleared murder means it's necessarily actually "solved".
[2] There's no great metric for this. Assuming a police officer who just filed an incident report about a traffic stop for a broken taillight probably wasn't working on a murder case immediately before we can use incident reporting data. For ex, https://data.sfgov.org/d/wg3w-h783/visualization
Absolutely. And every dollar in the hands of scammers is funding the creation of new and better scams. Even if we didn't care about scam victims at all, society should vigorously pursue scammers just to keep the overall burden down.
And it seems like a no-brainer money-wise too. A dedicated task-force of 10 people might cost you a million a year, but they'll easily track down scammers doing that amount of damage per month.
I recently took an interest in a phishing campaign because the guy was using Amazon SES and kept using new email templates and it kept landing in my inbox. He was an amateur and it was easy to find juicy things on his server, and it looked like he was engaging in all kinds of different scams, like phishing for bank logins, defrauding online shops, identity theft, etc. With law enforcement options, I'm pretty confident I could've nailed him with a few hours invested. Get him for one crime, you stop 10 others.
But the last time I talked to a police officer locally, he didn't know what Netflix was so I won't even try to explain phishing to them and how I got this information on the perp.
A task force of 10 law enforcement officers and support staff with the necessary technical skills is going to have a fully loaded cost way higher than $1M per year.
Ten fully skilled security experts deputized @ $200K/yr. Fifteen assistants at $75K/yr. All personnel grossed up to 140% for fully loaded cost. Hardware, infrastructure, software, hosting services, $200K/yr. Total (((200*10)+(75*15))*1.4)+200 = $4,575,000/year.
You don't think that such a team could stop $50 million in crime in a year? I'd expect that $500 million would be a slow year and stopping $5billion would be more like it. There is so much of it and such low-hanging fruit...
I know of large corporation divisions where $5 million per quarter was literally their rounding error threshold three decades ago (likely more like $15 million now).
The payoff is so great it is astonishing that some large tech companies don't do it just for the general reputation of the industry. Or the banks for the same reason (e.g., I won't touch Zelle, both because when I first checked it out it was horribly clunky, my bank wanted $20/month just to use it, and all the persistent scams).
Or, just for lulz. This is rounding-error pocket-change for these corps. If it got going, I could see a rivalry between MS, Oracle, & Alphabet execs for who could dunk the most scam dollars, and jail the most perps...
Hmm, why do you think they couldn't prevent $50mm? I'd expect that to be the easiest number to maximize. Take out a ransomware crew, and you prevent all their crimes for the next years, as long as you keep them offline; get the encryption keys, and you've undone every ransom demand still standing. Just busting them in a way that they are either denied bail or have conditions placed on them so they cannot use any computing device, and you've taken them offline (and sufficient monitoring will probably jail them soon when they go back online under bail conditions).
Definitely agree that successfully prosecuting is harder than ID'ing perps...
But you don't think there's enough scammers based in the US/Canada/EU to chase? Back to the Zelle scams as we started with, and an awful lot of scams that require cash mules, seem pretty trackable if someone puts in the effort, especially when people can drop the evidence at their doorstep.
Yes, there are. But none that would be addressable in any reasonable way by your above-hypothesized team of 10 cybersecurity experts. Any significant wire fraud operations are going to be interesting to the FBI and something that is in their jurisdiction anyway.
What’s left would be cases like “I bought this iPhone off eBay and got mailed a brick”. If it was taking your team any longer than literally 10 minutes per successful recovery on average, you’d be better off just using that taxpayer money to reimburse victims directly. It just doesn’t make sense to throw 250/hr labor at a $500 problem.
The guy who mails out bricks instead of iPhones probably does that every day, so if you stop him, you're not just solving a $500 problem, you're solving a $500 a day problem, which is a $180k/year problem.
>> 3. this could be addressed with regular police work
The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.
Similar to rampant bicycle theft. It definitely could and should be addressed by local cops, but is largely ignored, and ignored even when people bring them real-time tracking of the bicycle. And you're not supposed to go vigilante and get it yourself (partly due to risk to you).
For #2, $50 million, that seems like a lot of crime. But let's take the mailing a brick for an iPhone example. Each one is roughly $1000. So we need 50,000 bricks per year. That's 137 per day. Way too much for one criminal. But with 250 criminals, they only need to send a brick every couple of days. And our cop team needs to average only a single capture per day to stop $50million of crime in a year.
Jurisdiction, yeah, they'd probably need national jurisdiction, since there are probably few crimes where the criminal and crime are in the same town (other than the FB market/Craigslist criminals). So, deputized by the FBI is probably best.
So, not unreasonable to search for a solution that actually works.
> The phrase "could be" is doing a lot of work there. Yes, all of these crimes could be — and I would argue SHOULD be — addressed by regular (presuming local or state) police work. Sadly, it is not.
I agree that it is not. I am saying that you don't need a team of 10 cybersecurity experts to show that someone mailed bricks or stole their cousin's Venmo money. Ten traditional detectives would be cheaper and a better fit.
Any technically sophisticated scams that would require a team of cybersecurity experts are likely already at the scale and scope that the FBI already does address them.
The intersection -- a technically sophisticated scam that is a small dollar amount -- isn't a problem that exists.
The reason that large cities don't spend much time on small dollar crimes is because they have bigger stuff to worry about. Yes, there's definitely people selling stolen phones on my local Craigslist, but there's also people stealing checks out of mailboxes and washing them to steal $50,000+. It makes sense to address the latter first.
Ok, so you're saying that much of it is within the scope of regular detectives with appropriate training? If so, I'm inclined to agree -- no sense applying over-the-top expertise when not needed.
Actually, chatting about it, it seems like the ordinary L1/L2/L3 service teams approach could work well. Ordinary up-trained detectives on most cases, when they hit something more complicated, call in the L2 guys/gals, and when it goes over their skillset/toolset, call in the L3 team, etc...
However it gets done, it certainly seems that we need something more than we've got.
There are a lot of talented people you can sell on the dream of working for less than their full market value in order to help vulnerable people not get scammed. It would be very fulfilling work for a lot of people
Track them down and do what? Are you deploying a local police officer to arrest a scammer in India? It seems to me that in the vast majority of cases, law enforcement efforts will immediately run into jurisdiction issues, and most of the effort will be for nothing.
That's probably true for some part of the scams, but others are domestic. The one I was looking into was most likely speaking German natively, and from what I could tell, he was a German in Germany (some info pointed to a specific German state, and his homedir was a common German first name).
You'll still have scammers from India, but you'll also have a lot that are running more elaborate scams and do a lot of damage by defrauding the government and companies.
It's a fine line. It is not victim blaming to discuss what happened and a strategy to avoid it in the future, though I hear a lot of people suggesting just that. Sure, don't shame the person who got scammed, but if there is something they could do differently that would increase their protection, it needs to be communicated.
Exactly. This taboo against "victim blaming" is kind of holding society back from properly addressing scams (and other crimes). Yes, the scammers are responsible and yes, they are the only ones who should face consequences.
That being said, it's smart to take precautions, and it's not victim blaming to suggest things people can do to reduce their risk of becoming victims. I teach my kid not to play in busy streets. That's not blaming pedestrian victims for car crashes--it's just sensible, risk-mitigating precaution.
My opinion, based on observation, is the opposite (i.e. you perceive a "taboo" against victim-blaming because victim-blaming is a real problem). Obviously we need both sides of the coin (help targets to help themselves, and hamper attackers). And yes, some people may jump to accusations of victim-blaming too quickly. But, I think it's an exaggeration to imply that there is a significant problem where people are characterizing "suggesting things people can do to reduce their risk of becoming victims" as victim-blaming in the context of money scams.
I think that, by far the greater poison holding us back is the obsession with personal responsibility that many people use as an excuse to not have to expend additional effort on dealing with a problem pragmatically. If you are suggesting educating people or giving them tools to deal with scams, that's great. But a lot of people don't want to do that under the very same rationale that you are using to justify it - that the victims could have avoided it. You are saying, "people can avoid this - we need to help them do so", but there is a significant part of society whose opinion on many topics where there is a victim is, "people can avoid this - they need to take responsibility".
Teaching your kid not to play in busy streets wouldn't be victim blaming, it would be victim blaming if your kid got hit by a speeding car and people immediately started questioning how well you taught him street safety. The problem with victim blaming isn't that it seeks to teach people to avoid becoming victimized, the problem is that it gets brought up when people have already been harmed, making it insensitive, unhelpful (something something barn door), and, often, deflecting blame from the actual bad actor.
We should agree on some time frame when it's acceptable to talk about what you could do to avoid being a victim then. It's perfectly fine to say "maybe not now" while the victim is still getting stitches, but having to wait 10 years is also pretty useless because it'll be forgotten.
When something happens is usually the best time to talk to others about that same thing. A bank exploded? Hey, have you heard that there are ways to spread the risk over multiple banks? A hospital got all their files encrypted and needs to pay a ransom? Let's talk about backup strategies and how to secure infrastructure because that could be your organization.
I don't think people discussing strategies seek to deflect blame from a potential bad actor (it doesn't need to be about crime, accidents happen all the time, and there are plenty of things you can do to lower your risk), they just want it not to happen again, or at least less frequently.
Not only law enforcement. The communication systems that allow scammers to ride on their infrastructure anonymously and fail to give their users tools to push back also bear some responsibility.
The POTS and e-mail and usenet protocols are embarrassingly broken on this front.
For anybody who is building a communication system: If allowing anonymous messages to users is a default behavior and it is impossible or impractical to avoid, you have created a system for spam, scams, threats, and harassment.
Putting blame on the victim and pointing out that the victim could've easily prevented the crime are two different things. We can put the whole moral responsibility on the perpetrator, and simultaneously advise other potential victims to properly safeguard themselves.
Shitty people ruin society at every level. Sure online scams are part of it but we have banks, locked doors, guns, an entire law enforcement and justice system etc. all to account for the small minority of humans who will hurt others given the chance.
An idiot in my neighborhood getting robbed because they leave their garage door open at night causes my insurance premiums to go up, but they are still an idiot.
> It is an immense failure of law enforcement to not crack down harder on widespread scams.
Do you think if we let cops put on their pretty SWAT gear and roll into white collar criminals' front yards in their APCs they'd start taking these sorts of things seriously?
That's not what he's saying. The "digital money" can be real if it is put into circulation by the central bank, by buying assets. There is no inherent connection to paper currency.
You may feel like you're above this, but this excess leverage in the economy affects everyone who has a mortgage, works a job, or participates in the traditional economy in any way. For instance, businesses regularly draw on their credit facilities to make pay, and even well-run businesses usually hold debt. The artificially set price of these "chips" has a massive effect on all sectors.
But they are still the same, just more convenient. The state gives the money value, be it paper or digital. They could even create a third currency, literal plastic chips, and they’d also be the same. The article goes from condescending to their conclusion, but they just fake explaining anything, they don’t actually.
"Select and support a 'Security Program Manager.' This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program."
Somewhat contradictory. A "security program manager" can't implement good security if they don't know what it looks like, even if given a checklist.
This reads like the sort of document that the government publishes because it has a fiduciary to protect the vaunted "small business owner," similar to "fraud awareness" campaigns, but is more laying the groundwork to say that they told you so, rather than real protection.
I doubt CISA believes that technical and cybersecurity experience is irrelevant. This is their way to say "put someone in charge of it."
Two reasons for this:
1. The failure mode for most SMB operational risks is "no one was behind the wheel. No one thought it was their responsibility." If someone is clearly identified as responsible, they can set the basic guidelines that most people already know should be done.
2. Once the term "responsible for X" is on the table, it will tend to push the business towards hiring skilled personnel. Precisely because no one wants to take that on. Recommend that a business hire a skilled IT security headcount at market rates, and all the stakeholders will vote no. Ask a business "who is responsible for IT security? Who will handle an incident or breach?" And they will hire an IT security person after no one steps forward.
We interviewed a fake cybersecurity specialist some time ago. And I still use this experience as the main evidence that a pure compliance role, without technical expertise in system administration, does not make any sense. "He will make sure that there is a firewall everywhere, but will not make sure that your database is only accessible from the EC2 instance that runs your web app".
I think it's a tradeoff. As a comparison, I like learning about coding and software architecture through videos and other online resources. The field is so vast that looking at other people's code is the easiest way to absorb the broadest amount of material. However, eventually, actually sitting down and writing original software is key to achieving true expertise. I suspect reading & writing follows a similar pattern.
Secondly, if you dig a little deeper into the page you linked, you'll see it's because the system has changed around the banks and those specific requirements (to keep an account centrally, with the federal reserve, for a certain amount) are no longer considered useful.
I don't consider myself an expert on this, but waving this link around as if it means something, absent any context, is not particularly informative.
> But the reality is that growth only works when you build on someone's strengths.
Respectfully disagree. Growth comes from going beyond what you're comfortable with.
Also not sure this is "ungrowth" and more a general misallocation of human capital. Good bosses are proactive, yes, but that doesn't mean randomly messing with team dynamics and roles like you're a chemist trying to find the philosopher's stone.
https://www.bloomberg.com/news/articles/2023-03-12/us-moves-...
https://archive.is/FMuYW (archive)