The Pebble and the Avalanche

Current Revolutions in Business and Technology

by Dr. Moshe Yudkowsky,

author of The Pebble and The Avalanche: How Taking Things Apart Creates Revolutions


Wed, 2008-May-28, 08:36

Craigslist Goes to War on an Economic Seesaw

TechDirt posted a short article about Craigslist and its war against spam. According to the article, certain parts of Craigslist have been entirely overrun by spammers: the personals and services sections now consist of 90% spam, and the job postings are now under attack. Although the article focuses on the sophisticated set of tools that spammers created to attack Craigslist and some of Craigslist's countermeasures, what I find interesting is not the specifics but the broad principles that underlie Craigslist's defenses and the implications for overall Internet and financial security.

Craigslist, Google's Gmail, and other Internet companies that provide no-cost communications services on the Internet have straightforward and fairly foolproof tools to authenticate users — that is, my Gmail account isn't likely to be read by someone pretending to be me. But these no-cost services lack any decent method to identify users, which makes it impossible to determine if a single person opens a thousand Gmail accounts or posts a thousand times to Craigslist.

The Internet services companies tend to follow a common pattern as they attempt to cope with a wave of spam. At first, they attempt to introduce non-monetary costs to slow down the spammers; a typical method is to use "captcha," an image containing a distorted passphrase, and require that users enter the passphrase. This slows down spammers at first, but spammers rapidly evolve techniques to avoid the costs. The companies then start to use internal tools, such as statistics and pattern matching, to catch abuse. As shown in the case with Craigslist, spammers continue to evolve and learn to evade detection. The spammers and the companies are on an economic seesaw: the companies increase costs and spam volume drops; the spammers learn to decrease costs and spam increases.

At that point, some companies disaggregate their identification procedures — they introduce costs and identification through other companies' security systems. For example, Google requires that I use a cell phone to register for a new email address. This might seem to make sense: after all, when I purchase a cell phone, I have to convince the cell phone company to give me the phone and I have to pay real money to make the cell phone work. Google can rely on the phone company to extract money from me, a trivial amount if I just want a single account but quite expensive if I want thousands of them; and besides, the costly phone number serves to identify me.

Spammers seem to have solved the "problem" posed by that particular obstacle and the war continues. What's interesting is that Google, Craigslist, and similar companies could solve the spam problem immediately by taking a single, simple step: they could require that each spammer appear in person in a local company office in order to get an email address or place a job posting.

Absurd? Of course. These companies thrive because they provide low-cost or no-cost services while their internal costs are extremely low. Office visits would impose huge costs on both parties and kill the companies outright.

However, this problem extends beyond the Internet to the "real world." One reason for identity theft is that companies find it too expensive to have an applicant for a credit card show up in person. Instead, they rely on phone calls, faxes, email, and "secrets" such as social security numbers. The credit card companies impose some costs and accept some costs, but only as long as it makes financial sense; and if they make a mistake and someone impersonates you — well, after all, you're not even the company's customer, so why should they care if the theft costs you money and drives you mad?

A problem that stretches across different industries, extends throughout the world, and costs billions of dollars a year suggests that a solution can be found and there's money to be made in solving it. One solution is secure physical identification "tokens," that is, something you must own, that costs something (either time, money, or both) to obtain, and is both difficult to forge and easy to verify. A stand-alone company could use these to provide identification services to a wide range of different companies, and while the initial cost for an individual to claim a token can be set rather high, a shared service means that the cost is paid once instead of each and every time. For example, the service could sell (or give away) wallet-sized cards that contain a little window that shows a continually-evolving 6-digit number. Anyone who claims to be me must know this number and the card's account number. While cards can be lost or stolen, of course, judicious use of identification "tokens" could turn spam from lucrative thievery into a bad memory.
