Credit Card Companies Could Stop Spam Now. But Will They?
For more than a decade, computer software makers and security experts have tried to stop spam, and failed. It's now 90 percent of all email traffic.
But some University of California researchers may have found the magic bullet: Simply cut off the money.
It turns out that while spammers use thousands of domain names and hundreds of shell companies to peddle Viagra, knockoff handbags and pirated software, almost all sales of those goods are handled by just three banks in Azerbaijan, Latvia and the Caribbean nation of St. Kitts and Nevis.
Furthermore, almost every single sale made by spammers is processed by credit-card clearinghouses such as MasterCard or Visa.
The researchers argue that the major credit-card companies could stop spam dead in its tracks by refusing to process payments. But will they?
"The main problem is that spam isn't necessarily illegal," said Mikko Hypponen of the Helsinki, Finland, security company F-Secure, in an interview yesterday (May 19) with BBC Radio. "This depends on which country you are, how it's being sent and all that."
"And we have to remember that spam is actually very profitable for the credit card companies themselves," added Hypponen, who was not involved with the University of California study. "That might affect how likely they are to actually do something about this."
Following the money
A team of 15 researchers based at the University of California, San Diego, and the University of California, Berkeley, used prepaid Visa cards to buy thousands of dollars' worth of goods advertised online by spammers.
"Spam-based advertising is a business," they argue in their paper. "While it has engendered both widespread antipathy and a multi-billion-dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise."
They traced the payments through a complicated web of affiliate programs and back-end processors, only to find dramatic consolidation at the deepest levels.
Only a dozen or so organizations were running the online stores selling the goods, and only 13 banks were handling the money.
In fact, 95 percent of the transactions were handled by just three banks: Azerigazbank in Azerbaijan, St. Kitts-Nevis-Anguilla National Bank in St. Kitts and Nevis (which has been linked to online scams) and the Latvian branch of DnB NORD, a Danish subsidiary of a Norwegian bank.
The researchers suggested that these banks could be pressured into refusing to process transactions from spammers, but doubted whether it would work. The online stores could find new banks, and "it is not even clear that the sale of such goods is illegal in the countries in which such banks are located."
Far more effective would be pressuring the major credit card associations to halt processing of spam-related sales, which could be easily identified and put on a "financial blacklist."
"We can provide credit card companies with lists of known spammers or known spam back ends -- those are the systems they actually use to move the money around," Hypponen told the BBC. "With that information, credit card companies, like Visa, MasterCard, American Express, they can simply shut down the operations and stop money flowing from their cards to those merchants."
The University of California researchers note that although telling credit card companies how to run their businesses might present "political challenges," there is already a precedent.
Five years ago, the U.S. Congress forced the credit card associations to stop processing payments from U.S. residents to online gambling companies, effectively shutting down the industry in this country.
Requests for comment from MasterCard, Visa and American Express were not immediately returned.