Now there's an exchange problem if ever I've seen one.

by Drek

Last night while grading some papers my Sainted Fiancee and I happened to find ourselves watching NBC. This, in and of itself, wasn't so strange except the program was Dateline. Many of you may remember Dateline from their series of programs, "To Catch a Predator," "To Catch a Predator II: Electric Boogaloo," and "To Catch a Predator III: Holy Shit, How Many Pedophiles Are There?" As you might guess, we don't tend to be enormous fans of sensationalized journalism so the whole "Your child might be getting raped by his computer RIGHT NOW"* style of reporting isn't a big draw for us.

Nevertheless we found ourselves watching Dateline because they were running an all new "sting" operation. Having, apparently, gotten tired of pedophilia, Chris Hansen has found something new to excite him: identity thieves. Doubtless you're aware of the problem- people somehow gain access to your personal identifying information and then use it to take out loans, open bank accounts, run up your credit cards, and so on. To scare the hell out of us inform us all about this dangerous new threat, Datline put together a little sting operation and took us all along in their appropriately, if stupidly, named program, \to catch_an i.d. thief.**

In any case, the program was mostly dull and uninformative, but it did include one thought-provoking segment. At one point Hansen, and an associate from a security firm, were masquerading as identity thieves on some sort of chatroom for the identity theft trade. There, they saw individuals selling identity information including credit card numbers, debit card numbers, ATM numbers, and so on. In and of itself that just seems terrible, but if we step back I think we may be able to learn something.

The most fascinating thing to me is that, simply put, people are actually selling these goods. There's a market. This is interesting because most of us generally assume that a credit card number is as good as cash. So, for example, let's say that you have illicitly obtained the information to use a $1,000 line of credit. That information is, therefore, worth$1,000. You wouldn't sell it except for more than $1,000 any more than you would "sell" a twenty dollar bill in exchange for a five dollar bill. On the other hand, nobody would buy a$1,000 line of credit except for less than $1,000. Thus, we would appear to have an insoluble exchange problem: nobody will sell the good for less than it's worth and nobody will buy it for more. The reality, of course, is that using a card, and getting the information in the first place, entail different risks. Thus, the initial thief is trading away the value of his or her holdings in exchange for a certainty of reward. So, if they sell a$1,000 line of credit for, say, $50 bucks, they're really "paying"$950 to stay out of the reach of police. Based on the existence of this market, we know that at least some law enforcement efforts are successful. Or, at the very least, that they are perceived as successful.

However, recognizing this we can ask two useful questions:

First, how do the buyers in this market evaluate the quality of the goods? Consider, for example, that you have obtained that same $1,000 line of credit as above. Now, this information is replicable, meaning you can sell it to as many people as you want. So, why sell the card to just one person? Why not sell it to two, or three, or four, or a hundred as fast as you can, collecting a fee from each one as you go? The result, of course, would be that you would make quite a bit of money but your buyers would receive a product shared among many others. Moreover, the faster charges are made, the shorter the useful lifetime of the card. Additionally, since the seller can't allow the buyer to "test" the card ahead of time as there is no way to do so without revealing the card information, there's no way for the seller to confirm that the number is even still valid before purchase. How, then, does this market generate sufficient trust between participants? In a second, and related, question how do the participants in this market actually pay for the information? Let's say you were chatting online with an identity thief: how would you pay this individual without risking your own vital information? Certainly you can't pay with credit cards or checks. Do identity thieves use PayPal? Do they use some other even more secure method of payment? And how can they be sure that such a method is not, itself, a front for criminal activity? How can those in the identity theft trade exchange safely? The answer here is most likely embeddedness. Reputational effects, essentially being embedded in a community, make it possible for eBay to function and the same thing might be true here. Developing a reputation for providing trustworthy goods may enable a seller to command higher prices from buyers. The buyer knows that this seller usually provides legitimate goods and so is willing to pay more for them. At the same time, without a central monitor like eBay's rating system, any deals with a new individual would always be risky even if both parties had been in the market for a long time. Reputation may only cohere in dyads and not generalize beyond that. There are also likely to be so many new entrants into the market at any given time that it may be difficult for true communities to form. How do the thieves respond? Do they form small syndicate like structures with groups of buyers and sellers who are known to each other? Similarly, if someone does develop a bad reputation, losing it may be as simple as changing IPs and handles. The anonymity of the internet, here, works against the market. Is it possible to repeatedly defraud sellers by changing handles, building up their trust, and then cheating? How can the market create trust if shedding a negative reputation is so easy? I don't have the answers to these questions but I think a lot of fruitful, if difficult, research could be done in this area. What do all of you think? * Man, that is a peripheral I wouldn't want to see. ** I especially like the random use of backslashes and underscore marks to emphasize that this is a story about the internets. Comments: A$1,000 LoC is only worth $1,000 if it is fully usable. The size of the purchase makes it more likely to be identified as "abnormal" buying and result in a call being made. Also, a salesperson will remember a buyer of large purchases more. (Remember, you don't get much value out of the new HDTV if you're not available to watch it.) Stealers (and buyers) of identities are working both against time (the more time you have the card from its first use, the more likely the real owner reports it as stolen) and the need not to be remembered. And you can't buy time-delayed things (e.g., concert or airline tickets). There isn't even that much more value, in that context, to a$10,000 than a $1,000 line--save that you might be able to sell the$10K line a few times.

This is a variation on those guys on street corners who sell phone card numbers--you're not paying for something that will have a long value, and you won't get full value from it. Knowing that, you don't pay full value. And no seller would expect you to do so.

See, this is why I decided to post this somewhere that economists hang out.