• Save
Payment Processing and Unlicensed Online Pharmacies by Damon McCoy
Upcoming SlideShare
Loading in...5
×
 

Payment Processing and Unlicensed Online Pharmacies by Damon McCoy

on

  • 1,919 views

Payment Processing and Unlicensed Online Pharmacies by Damon McCoy

Payment Processing and Unlicensed Online Pharmacies by Damon McCoy
Presented at the 2012 Partnership for Safe Medicines Interchange on September 28, 2012

Statistics

Views

Total Views
1,919
Views on SlideShare
1,919
Embed Views
0

Actions

Likes
2
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Mention coauthors

Payment Processing and Unlicensed Online Pharmacies by Damon McCoy Payment Processing and Unlicensed Online Pharmacies by Damon McCoy Presentation Transcript

  • P R E S E N TAT I O N SP AY M E N T P R O C E S S I N G A N DUNLICENSED ONLINE PHARMACIESDA M O N M C C OYGEORGE MASON UNIVERSIT YSEPTEMBER 28, 2012N AT I O N A L P R E S S C L U BWWW.SAFEMEDICINES.ORG
  • Payment Processing and Unlicensed Online Pharmacies Damon McCoy George Mason Universityjoint work w/Neha Chachra, Brandon Enright, Mark Felegyhazi (ICSI), Chris Grier(Berkeley), Tristan Halvorson, Grant Jordan, Chris Kanich (UIC), Christian Kreibich (ICSI), Kirill Levchenko, He “Lonnie” Liu, Justin Ma, Vern Paxson (ICSI/Berkeley), Andreas Pitsillidis, Stefan Savage, Geoff Voelker, and Nick Weaver (ICSI)
  • • Context – Unlicensed online pharmacies• Why payments are where the action is• Major doings in the last 10mos
  • Advertising-based e-crime• Range of abuse vectors to reach consumer – E-mail spam, SEO, OSN abuse, blog spam, etc.• Range of products/services advertised – Pharma, replica luxury goods, apparel and electronics, pirated movies, music, books and software, diplomas, porn, gambling (*)• Monetized directly & knowingly by consumers
  • Example: RX-Promotion Direct costs: 70.8%Indirect costs: 12.8% Profit: 16.3%
  • Where Does the Money Come From?
  • Where Does the Money Come From?• Consumer payment networks• Of $173M in Glavmed/Spamit revenue – 67% Visa, 23% Mastercard, 6% Amex, 3% echeck McCoy, Pittsillidis, Jordan, Weaver, Kreibich, Krebs, Voelker, Savage, Levchenko, Pharmaleaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, USENIX Sec 2012
  • Example: Mailien Pharma Spam
  • High-Risk Merchant Accounts• “High-risk” accounts – Property of merchant (no history, big turnover) or of category (pharma, gambling, porn, etc) – Risks: chargebacks, non-repayment (e.g., fines) – Only some banks willing to underwrite high-risk• Risk controls – Higher fees, rates, holdback (10% 180 days)
  • Costs?• Up-front money (to set up account)• Fees (both monthly and per transaction) – Up to $1-2 per transaction• Discount rate (percentage of each sale) – e.g., 0.02 for “normal” transactions; pharma 0.10- 0.15, I’ve seen even higher for FakeAV• Chargebacks (both cost and penalty)• Fines (passed on by acquirer)
  • • Aug 1 -- Oct 31 2010• 7 URL/Spam feeds + 5 botnet feeds • 968M URLs • 17M domains• Crawled domains for 98% of URLs in • 1000s of Firefox instances • Large IP address diversity• Hundreds of purchases • Unique card # per order • Full transaction data
  • Merchant Banks (circa late ‘10) St. Kitts & Nevis AGBank• Low diversity DnB NORD • 3 banks covered 95% of pharma/replica/software spam • Fewer banks willing handle “high-risk” merchants• High switching cost • Time: In-person account creation, due diligence • Money: Upfront capital, holdback forfeiture
  • Hypothesis• If we could target merchant accounts… – Could demonetize entire system – Asymmetry that favors the good guys!
  • So… What Happened Since?• A stew of activities – Encouragement from D.C. – Brand interest – Card association cooperation – Complex politics around SOPA/PIPA/etc• Leads to two major changes – Visa Global Brand Protection Program (GBPP) – Targeted merchant intervention (IACC & brands)
  • Essence of Targeted Intervention• Undercover test purchase at counterfeit site – Only needs to authorize to get BIN• IP holder notifies card network (e.g., Visa/MC) – Investigation – Complaint delivered to acquiring bank• Leverage via card association contract – Remember acquirer owns liability – Fines, increased scrutiny, de-association• Merchant account shutdown
  • So… Does it Work?• Bottom line: Yes• We tracked bank association w/affiliate programs for over 18mos (continuing…) – ~800 purchases (Visa only)• Tracked impact of targeted complaints – 170 against 25 distinct programs; takedown in 30 days or less is typical• Joined programs to get damage assessment from inside McCoy, Dharmdasani, Kreibich, Voelker and Savage, Priceless: The Role of Payments in Abuse-advertised Goods, ACM CCS 2012
  • Major Pharma Affiliates
  • Major Banks Serving Pharma (last 18mos) State Bank of Mauritius becomes “go to” bank for medium programs Growth of Bank of China 19
  • FYI:The Big Pharma Acquiring Banks Today 20
  • Glavmed6/29/2012Dear Partners,As you may have noticed, in the last couple of days weve had problemswith processing. We dont have a solution yet, and there is no concretetime when it will be resolved.…….From this point forward, GlavMed is switching to a "PAUSED" mode. Nonew orders will be processed until the processing issue is resolved.……..We urge you to temporarily switch your traffic to other shops/projects.
  • Life is Tough all Around…“Right now most affiliate programs have a mass of declines, cancels andpendings, and it doesnt depend much on the program imho, there is ageneral sad picture, fucking Visa is burning us with napalm (for problematiccountries, its totally fucked, on a couple of programs youre lucky if you get50% through).”
  • Summary• Much of crime ecosystem is funded by Western consumers via payment cards• The banking relationship is the bottleneck resource in the business model – Can’t be hidden, high switching cost, valuable• Payment intervention is hugely effective when done right