Mules lose money, phishing victims do not lose money

US consumer protections against fraud ensure that irreversible untraceable transactions are hard, and hence mules are necessary. Mules essentially receive bad transfers and initiate good ones. A surprising consequence is that in the series of transfers between victim, mule and attacker it is really the mule’s rather than the bank’s or the victim’s money that is stolen. This means that the size of the online fraud business is determined not by the number of credentials that can be stolen, but by the number of mules who can be recruited, and how much they can send. This suggests an explanation for the fact that stolen credentials sell for small fractions of the underlying account value:  there is shortage of mules. It also suggests that banks find nvestments in back-end fraud detection provides greater return on  investment than front-end schemes such as stronger authentication.

Paper at:


About cormac

Very, very occasional thoughts on security from Cormac Herley
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s