Wednesday, September 05, 2007

USA Today Offers Proof of Stupid Pills

Once in a while, a gambling-related piece shows up in the mainstream that is so mind-numbingly dumb that it must be savored. Enter this gem from the Technology section of Monday's USA Today. Now, Gannett's not known for exceptional quality in reporting, but this beauty must be savored in its entirety:

Cybercrooks use bots to deal winning hand

By Jon Swartz, USA TODAY

SAN FRANCISCO — Bots, the millions of compromised computers remotely controlled by crooks, are doing more than spreading spam and phishing.

Increasingly, they're agents for various forms of fraud, such as money laundering.

Over the past five months, RSA senior researcher Uriel Maimon has witnessed a spike in the use of bots on gaming sites to move money overseas.

An estimated $200,000 to $300,000 has been moved monthly — a reflection of a crackdown on online gambling in the U.S. after the passage of a federal law in October.

"Bot nets are the BlackBerrys of the fraud world," says Maimon. "You can't do anything without them." According to Maimon, one-in-20 to one-in-50 PCs worldwide are bots. A year ago, it was one-in-200 to one-in-500.

Here's how the gambling scam typically works: A fraudster steals a batch of credit card numbers and, for each number, opens an account in an online payment processing service for the purpose of gambling.

At the same time, the fraudster opens accounts on an online payment-processing service with credit cards with minimal cash balances — either under their name or that of an accomplice. The cybercrook goes to such lengths because they want to move the money of the victims, who are usually in the U.S., to accounts overseas, where they are located. The banks in these countries have less stringent banking laws and accept the transfer from the U.S.

The fraudster then floods the poker forum of small-to-midsized websites with "players" in the form of bots. These are compromised PCs loaded with poker-playing programs that play poker, but not necessarily well. A human in cahoots with the crook then enters the same room as the bots to compete against sub par competition. The odds are heavily in favor of the human, who wins the pot. The money from the losers is transferred to the winner — in this case, the fraudster.

Cybercrooks are going to elaborate measures in this use of bots because it is difficult to transfer the money of a legitimate credit card account overseas. And there are still online payment processors that process online wagers — despite a recent crackdown on Neteller, a popular payment processor overseas.

"Money launderers are going to extra steps to move money because of the federal law," says John Pescatore, a security analyst at Gartner. "You have to get more creative to move money overseas. This is another way to cash out."

While large, established poker sites are good at electronically scanning for bots and for players who intentionally lose to a "designated" winner, small sites are not, says Joseph Kelly, a professor who specializes in online gambling issues at SUNY College Buffalo.

"The bots are prevalent," says Anna Calder, an online poker player from Canada, where such gambling is legal. "If you suspect you're playing a bot, you send an (instant message) and attempt to chat with them. They usually don't reply, but some are programmed to respond, 'I do not chat.'"

--- source: usatoday.com

It's hard to know where to start with a gem like this, which starts with an unsupported supposition from a talking mouth from a firm attempting to sell security services, ladles in a dollop of paranoia and trots out the old bugaboos of terrorism and money laundering, offers not one iota of fact or even the faintest shred of anecdotal evidence, and wraps up with an inane comment all but unrelated to the topic at hand.

So read through the piece again and enjoy the full flavor of the stupidity served up here. Then ponder the following:

1. How are all these stolen credit-card numbers going to be used on poker sites when the cards themselves are already blocked by the issuing banks, who in almost all cases won't let them be used for gambling purposes?

2. How can the author of the piece not understand the difference between a 'bot' computer that's hijacked for the purpose of e-mailing spam, and a poker 'bot,' which is a program that runs on a dedicated computer and attempts to play the game? This line from the article --- "Bot nets are the BlackBerrys of the fraud world... one-in-20 to one-in-50 PCs worldwide are bots. A year ago, it was one-in-200 to one-in-500." --- is insensate in the context of online poker.

3. Anyone ever play poker on a poker forum? I didn't think so. Such a basic lack of understanding of how a poker site works precludes the rest of the piece from being believable.

4. Who the hell is Uriel Maimon, and is he the one who made the estimate of $200,000 to $300,000 monthly being laundered through poker sites? Maybe, maybe not; you'll notice that the estimate itself is carefully not attributed to anyone, despite the prevalence of frothing mouths elsewhere in the story. Generally, such carefully non-attributed estimates can be judged to be ass leavings.

5. If anyone can find significant evidence that the cited SUNY professor, Joseph Kelly, is an expert in online gambling issues, please share, if you could. His resume doesn't indicate anything close to that.

6. Same for the Canadian poker player cited, Anna Calder. Yes, Calder seems to exist, but again, there's no evidence whatsoever that she has any knowledge of bots, and the example attributed to her is ludicrous. Let's see... most bots don't chat... but those that do... say that they don't chat. Damn. I'm convinced by that logic. Gotta be bots.

7. The article claims that since the larger poker sites do a good job of sniffing out bots, then only the smaller ones suffice for the money-launderer's purpose. But wait! They also have to be US-facing sites, to use the damn credit-card numbers in the first place. The number of poker sites that fit this general description can probably be counted on both hands. That makes the whole scenario unlikely, independent of any other evidence.

8. Even assuming that these smaller sites could somehow generate the traffic required, is the money launderer going to always win the money put into any given pot by a bad bot? No, he'd be fighting for it with between four and eight other players. Unless it was some heads-up chip-dumping. Oh, wait, only the larger sites offer heads-up games. So much for that idea....

In a nutshell, dreadful. It's hard to believe that shit like this made it to press in any publication that offers the pretense of neutrality or competency. But somehow, this did.

2 comments:

Gnome said...

Wow, what a sloppy article. Nice post.

Short-Stacked Shamus said...

Reminds me of the time when I was in the middle of explaining to a colleague my need to back up a website, who then interrupted me to ask "Can't you just scan it?"

Thanks for following up here -- stuff like this needs to be called out.