Introducing Thomas Holt Associate Professor at Michigan State University. [Applause] >> Thank you. Thanks, everybody. I appreciate it. Thanks for coming during lunch. I know this is always a hard thing to do. Hopefully you have a beer and some liquid food to enjoy. Today what we're going to talk about are Stolen Data Markets. This is something you probably have familiarity with already. Raise your hand if you have heard about mass data bridges. I would think everybody, good. Anybody had their card reissued this year? I'm working on my fourth card this year thanks in part to the fact that I have a nine month old who requires all kinds of stuff so between going to Target and going out to eat we've lost many a card this year so mass data breaches have become a big problem in part of my personal and professional life. Today we're going to talk about research funded through the National Institute of Justice. This thing at the bottom is a direct result of our funding agency. So as a point of clarification this research was funded by the U.S. Department of Justice and everything I'm going to talk about today is in no way a reflection of the attitudes, opinions or what have you of the Department of Justice itself. With that out of the way we'll jump into the fun stuff. In thinking about Data Breaches in an academic point of view, there's been a good deal of research that's started to come out. Most looked at two angles either the IRC communications that go on or through forum data sets. Thinking about the IRC data this is good but there are substantial limits. The same is true as far as what it seems as though forums are becoming a little bit more of a popular medium for individuals to sell data through mass breaches but the limitations through all of these data sets are substantial and we have to give some consideration to that. When we think about who is selling data, one of the biggest dilemmas that emerges is the fact that communications typically take place in cyrillic or to a certain extent English languages communications. Cyrillic based languages, are they Russian or are they using machine translation. If you have ever used Google translate you know the translations are adequate, sometimes very poor so that's going to have a direct impact on what it is we're studying. Most of them are based off of a small sample. It could be maybe two to four forums. Some people have started to use single IRC sets and a small number of researchers have begun to use dead forums. So groups like the shadow crew, the grifters, the dark market data set and analyzing those. It's very helpful but if we're talking about a group was that active five to 10 years ago what is that going to tell us about the processes of the market as it exists now? So one of the biggest issues that emerges within this whole round of research is the fact that very few people have tried to assess anything with regard to the economics of the markets themselves. Only two studies have even published information about the basic pricing for data. So if we're talking about a credit or debit card number how much is it going for? That information is largely absent from the empirical research. The same is true in regard to organizational issues. Are we talking about a complex mafioso organized crime network or talking about something that's more distributed? More of a network of colleagues rather than something that's very, very sophisticated. And in thinking about the data markets themselves there's good, good theoretical research that talks about the idea of these markets being lemon markets, basically prices vary and what you pay directly impacts what you get. Same with buying a bad car from a car lot. If you buy a car for a thousand dollars and it breaks down as soon as you leave the lot that's a direct expense you incur. You might have gotten the car cheaply, but it stopped working on you almost immediately. The same could be true with data markets. If we're looking at information from English language forums where people are untrustworthy and there's lots of complaints the fact that they're selling data for five dollars a lot doesn't tell us much because that data might be inactive or old or invalid and it's not a true reflection of what we are seeing. So there's an argument that there are multiple markets operating. There's a lower barrier to entry for English language forums. If we were to Google stolen data markets we would see no barrier to entry and you probably can't trust what's being sold. There's a deeper secondary market that exists where we expect higher prices, greater trust, greater insularity and as a result, those may be a more accurate reflection of the market in and of itself but few people have tried to address these questions empirically. Instead we end up with the question what do the markets look like? We'll talk about what the conditions are like within the market, what are the costs for goods and services, what's the organization of the market and then what are the structures like between participants, how do they know and relate to one another? And to do this we collected a set of posts and threads from 13 active forums. We oversampled on Russian language groups and tried to capture a range of entities operating world wide. We have a number operating out of Russia, some in Germany, one in the UK, Netherlands and a few in the U.S, one in the British Virgin Islands, but communicated in Russian. It gives us a sense of where the sites operate. The language is more important. If we're talking about a site in the British Virgin Islands where everyone's communicating Russian it's unlikely that it's the residents participating. We're talking about Russians, eastern Europeans or people using Google translate to talk. And we captured a number of threads from each of the forums and tried to over sample on time frame. We have data going back to 2007 in four of our forums and some going back to 2008. Our data collection stops at 2011 or 2012 depending as we had to collect all of it and had to analyze it and translate it. We worked with a certified Russian translator to get the tranlasations as they appeared in as close as we could in approximation to English as possible because unfortunately I don't speak Russian. My colleague in the study is a native Russian and her assistant was great in getting the project off the ground. The reason that we have both English and Russian language groups in our sample is because we wanted to get at this question the lemon market argument. What does an English language market look like relative to a Russian one and can we find evidence of differences in terms of products, resources or organizational dynamics within the market based on language? So that's the rationale for this study. In thinking strategically about what is sold we conducted an economic analysis breaking out products by specific purpose. Most of the data in our set involved advertisements for data sales. So we have a range of things like dumps if you are familiar with the term dump it refers to a lot of personal information associated with a credit or debit card. Some individuals selling CVV's the security code on the back of the card. A small proportion selling Fulls and those are all of the information associated with an account including Social Security number, address and pertinent information that would allow an individual to take over the account. Some people selling Ebay accounts, and other personal accounts and personal information whether it's E‑mail user names and passwords and other financial products generally. In case you are wondering no we did not see medical data in here nor stocks or other types of financial products of that nature instead it's mostly involving financial institutions, banks and credit card agencies. But we had a number of individuals selling data manipulation tools. This might be cash out services, people who can go withdraw cash from legally acquired accounts, some people offer drops where you buy goods online and have them shipped to a specific location and left via UPS or FedEx and those products are pawned, fenced, or shipped on to another person so an intermediary for goods. And a small number doing money transfers. And a small number offering personal identity documents so if you needed a credit report or credit history or something else they would be the individuals to go to. Also a small amount of sellers we saw offering associated services in order to manipulate data on the back end or acquire it on the front end. A small number of people sell skimmers, that's a device that you clip on to an ATM or gas station terminal where you swipe the card and it captures the data on the back of the magnetic strip. That's a very small proportion. 84% of our ads involved data sales of some type. Moving from the economy we're going to look at this from a organizational perspective. We use a sociological framework which is admittediably a little bit different than what you're used to. >> In this case we tried to understand how people operate based on how they work together, how they communicate and how long they exist. This gives us a framework for analysis, are they like a Acusa or Mafia or flat but tries to understand the group based on different divisions. How long they operate, what kind of division of labor is present? Do you have someone that is a distinct coder? Another person receives goods so is there any kind of specialized labor force operating? Do they offend together? That's the issue of mutual participation? And then there is the issue of mutual association. How do they get along? There are some types of crime where you don't have to know the person. For example prostitution. You don't have to know anybody, you go, solicit, do your business, everybody leaves. We want to know what types of relationships are we seeing in these markets for stolen data? And finally depending on time, we also conducted a network analysis. So if you are familiar with network analyses these are ways to statistically connect individuals within a market. This sociograph here represents participants in one of our boards. We have a small number of individuals connected. Say here we have one person who is a seller with a number of people and you can talking to that seller and see what we can buy and what we can get. Then we have a number of isolates at the bottom. These are people who no one talks to for one reason or another. >> This is important if we're thinking about targeting groups. How do you disrupt the network if they're loosely connected? It's different than how you might if there's a hierarchical structure in place. This is an important way to think about connectivity. How does the market operate? What I'll talk about now relates to both social organization and economics. If you are not familiar with how these markets operate it starts when someone posts an ad. This is an ad for instance, for dumps. I realize this is small but I'll hit the high notes for you. This person is selling Dumps: stolen credit card numbers from around the world. They're offering U.S. data. A classic or standard card is 20 bucks, Gold or a platinum card is 25 bucks, a business or signature corporate card is 30 and American Express card is 20. And then Canadian dumps. Interestingly Canadian data is more expensive. $50 for a classic or standard card, $70 to $200 depending on what type of advanced data you want. Then getting into European markets in places where chip and pin encryption is used, you can see the prices are even higher. This is important to note. Every ad typically incorporates information about pricing structures and the quality or quantity of data available. They piece it out by product and type. They also explain their conditions for sales. Since vendors have the ability to advertise and direct their traffic they can explain in very crystal clear terms how you and the seller are going to interact. In this case the person explains how you do business. You contact them, use the one ICQ number that you want to use, calculate the price and then submit your order. Send money first and your e-mail. How's that for a bum deal. Send money first and then we'll send you product. This is different than a drug transaction or other illicit markets in the real world where product and payment can be exchanged near simultaneously or within relative close proximity. Instead this seller says send me money and within 24 hours we'll complete your order. In this case Liberty Reserve payments are what they prefer. Anybody heard of Liberty Reserve payments before? They were recently taken out of a large scale law enforcement use in the U.S. This payment venue no longer exists but online currency payment systems like Liberty Reserve are the preference for individuals in this marketplace. We didn't see anybody using Bitocin incase you were curious, or any other types of crypto currencies. These individuals seem to be tailored more towards immediate transfers of payments. There's an interesting point here. Point 5. We replace only pick-up or hold call dumps within a 24 hour period. What that means if you bought 100 cards from this person and 90 worked and 10 came back as either invalid, inactive or held as inactive cards, you can contact the seller and say I need these 10 cards replaced and they'll do so. That's a degree of customer support they're willing to offer. Just wait. It will get weirder. Customer service is an important venue within these market places to generate people to your business, you want people to come back and buy from you on a consistent basis. Offer them something and give them a reason to come back to you. So this individual for instance, offers free replacements. There are other types of customer service that are out there. This is a good example. A person selling eBay and PayPal accounts from the US and the UK. You can see Tthe pricing structure is low. If you want an unverified account with a credit card number, it's 1WMZ or LR. That means web money US. Z is the designated nation or $1 Liberty Reserve. If you want an unverified account attached to a bank account that's a dollar. If you want a verified Pay Pal account with a credit card number, that's $3. Anybody have a confirmed account? a couple of you? That's pretty cheap. We have accounts with E‑mail, just ask. The seller's not responsible for security measures. We check all accounts manually prior to giving them to you and you will get a clean socks5 proxy. the rationale being if you are an individual living in Europe trying to use a U.S. account it's clear that the traffic is coming from Romania you will not be able to use the account. They will give you a proxy for the associated country. If you burn the proxy it's on you as they say here. Seller is not responsible for the unsuccessful usage of the account. If you burn the proxy you have to get another one. They're offering a modicum of support but nothing too fancy. This is the type of communication that each individual can specify. Vendors can control the market based on what they feel is relevant and a final example an individual offering money laundering service. They work specifically with the Russian federation, they will work with cash funds , they will transmit electronic funds, with dirty funds and the advantage working with them, low commission. With regard to customer service they're going to take a portion of the amount of money. Say there's a thousand dollars being laundered they'll take between 10 and 20 percent as you dictate the terms and work out the relationship. And speed, as a rule funds are received on the day they're credited to the company's account. Next day or maximum of one day after they're credited. So you want your money quickly work with us. We turn things around fast. This idea of customer service is very, very interesting and very unique to these markets. Just to give you a quick sense of how products are priced, this is a break out of our product pricing. Let's go with dumps because that's a common item sold. The lowest price we saw was 4 cents, highest was $8,000. Gives us an average of $102.60. We saw CVVs going for between 1 dollar 8,000 dollars, the average being $26.We saw the majority of our pricing going towards our data products. Data manipulation services vary and largely it was because individuals would list percentages rather than total amounts. The reason being if you are laundering money on someone's behalf or working as a cash out team, it will be easier to take a proportion of those funds than to have a set rate in advance. It works out for everyone to have a little bit of difference in payment. What I want to do is move on to a specific idea about quality and quantity of services. These are the products that are sold in our markets based on the top 10. If we include all forums in our sample the majority of products sold are dumps and CVVs. But since any individual can enter this market and there's potential for lemon markets where people are going to rip you off, we had a number of complaints in two of our forums so we designated them as ripping forums. Places where if you go there to buy data, you're going to get ripped off. That's a common term used within the market itself. If you are a ripper you are a bad guy. We just want to deal with people who are going to get us our money and get us our data and everyone makes a profit. So you want to avoid rip off artists. When you exclude two of the ripping forums from our data set the proportion of products change dramatically. Dumps are still number one. Cash out services become more prevalent, other products, could be consumer equipment, different accounts or other products. Malware jumps up quite a bit dedicated hosting services drop. EBay and PayPal jumps up quite a bit. So there are differences when we think about the products and quality of sellers within any given market So to continue with the idea of dumps for a moment, given that they can come anywhere we ran an analysis to see the pricing differentials by country. Given that the US was one of the most prevalent in our data set. We tried to see what the average price was and how pricing differs by country. So we took a logged price for each specific item to remove variation in prices and separated them by Asia, U.S, Canada or different regions and compared the two. What's interesting to note is that U.S. data for dumps was cheaper than other countries. Same for the UK and even Canada to a certain extent. These are statistically significant differences. That is if you are going to buy data from a different country, the U.S. and UK are going to be cheaper than other countries. If you think about the quantity of mass data breaches that we've had in the last few years, that might be part of it because the market has been flooded by data from these nations. Plus we have lower standards for security and for use of payment mechanisms. So there are real variations that are evident. Moving from products let's stick with the sales process itself. An ad goes up. Once the ad goes up the individual contacts the buyer and all sales happen outside of the forum. This is important because it makes it hard for us to understand how much the price is for any given data. That's part of why these limits are present in a lot of the research out there. What an advertised price is could be radically different from what a person paid. Generally we know all of the exchanges are going to take place through E‑mail or ICQ which is 50 percent of the preferred mechanisms for contact. And the various systems we saw were electronic primarily like Liberty Reserve or WebMoney. We also saw a proportion taking Western Union or MoneyGram. Some sellers that accepted Western Union payments ratcheted up the price by 10 to 20 percent. The rationale meaning they had to have an intermediarial work with them or in some way they had to have someone physically show up to a location to get cash so it made it harder. There's another point here, escrow payments. This was offered but at a small percentage and within a few of the forums. Escrow payments were present for those boards that had a good degree of organization and had a lot of trust between the participants. This is an example of Guarantor service. The guarantor of a forum has been created so that you will not be deceived. By conducting a transaction with a guarantor you know you can trust. Here's the terms. Buyer and seller reach an agreement working through a guarantor. Someone who has specifically designated by that forum as the guarantor. The buyer contacts the seller and using the guarantor they get in touch with the ICQ. One of the parties gives money to the guarantor and the other the goods. The party holds the money in reserves. Once the money is there and the data is sent each individual party gets what they paid for in this case data to the buyer, money to the seller and that gives a way to ensure everybody's happy. Otherwise you don't know who you are working with or who you can trust. As a result grantors are there to ensure everyone gets what they want. And grantors also get a little bit of takes, you can see guarantors services are free for up to $30 but once you go up to $500 it's prorated 8%. So the more you buy the less you have to pay the guarantor. This idea of trust is really important. It's odd to think about illicit markets because we don't think about thieves having honor or trust but within these markets that's the way people get things done. In fact since sales take place out of the forum it's hard to know how an exchange goes and that's why individuals offer feedback. If you buy something from someone there's a reasonable expectation that you are going to go back into the forum into that person's thread and explain how it worked, how it went and what you thought of the data and services. That way the seller can validate their reputation and the buyers can demonstrate how things went so it's a way to be open and transparent in the marketplace. This is one example of some feedback that was provided. This went to a money launderer service. They said the Thread Started laundered $300, the speed is comparable to the second cosmic speed. Everything was magnificent, I'll go back. The next person said I did some laundering of money from a female partner,, everything was quick ad excellent, and the Thread Started takes a small percentage which makes everybody happy. You can imagine if you were working in Amazon or eBay this is the feedback you would want to see for a reliable vendor. It's the exact same thing here. This leads to an important thing to consider. Negative feedback has the same role in the marketplace. If you don't think you can trust a person read their feedback. If it's negative you don't want to work with that vendor. In this case this is a good example of negative feedback. A person asks has your service been tested or vouched? How do we know that we can trust you? I can provide potential business for you if I can trust you. Next person says he's a ripper. Don't believe him. He says his drops are from Florida. The seller says I'm no ripper, I've never had a complaint, this guy is just trying to cause trouble. I've never dealt with him before, moderator please ban him. He's just trying to disrupt my transaction. The next person said, I contacted him on another forum, I asked him if he accepts escrow for grantee, of course he refused. this person won't work with a guarantor, I don't think we can trust him. The negative feedback if it stacks up can get them completely blocked from a forum. Moderators and individuals who are engaging in transactions don't want to deal with people who are just messing around. People want their money, products and they want a successful outcome. This is as much a legitimate business using certain business practices like customer service in order to get people to use illegal products to engage in identity theft and cyber crime. So this is an important issue. When we think about organization we've got a participatory experience with regard to transactions. Buyers and sellers interact. Buyers get the potential to give everyone feedback through the use of the positive or negative reviews. That affects the way that sellers are perceived in the market. This also creates an additional layer of complexity. Not only do we have guarantors operating but some of our forums, those that are sophisticated have guarantors forums, etc, will even provide product reviews and testing and that affects all the transactions. You might think why would a forum provide a check or validation process for selling? Because they want everyone to be satisfied and this is just an example of one forum's checking process. Checking your goods takes place voluntarily or if the administrator of the forum requires it. Checking is done by one specific person, takes one to three days. After the check the guarantor there will be no stupid flames in the topic, like we showed earlier where the person is trying to argue no, we're a legititmate vendor. The moderator will write a review on this and close the topic. If a requirement to provide your product or testing is refused you are risking ban and your announcement is erased. So either you play or you don't. If you don't and you are asked to play then this runs the risk of you being kicked out of the board. No money is taken for testing. This is interesting because unlike guarantor services or escrow payments the forum's completely doing this out of the goodness of their heart for participants involved. They want to make sure that everyone is satisfied with the outcome. You provide the products for the test in the same configuration in which you sell it. You give it to us exactly as you would give it to the buyer. A good review is going to go a long way because it demonstrates that you are trustworthy. In some cases forums will designate an individual as a verified seller. A verified vendor of a specific product. That's its type of person you know you want to go to because they're not going to cheat you or rip you off This creates an additional layer of complexity. And when we think about all of the encounters, not only do we have the potential for checking and testing but our best forums also had a good degree of administrative oversight. In that case forums would actively go in and disrupt or remove vendors on the on the basis of negative feedback. This is an example of just one of the forums rules on how vendors get banned or blocked or how complaints are processed. They say if the transaction has been carried out it has to be confirmed. If you leave a fictitious review you will be banned perhaps even permanently. You can't just come in and junk up the thread and make complaints. They have to be validated. They're going to want you to post logs proving guilt and what they're saying is they want the ICQ logs of your conversation with the person. They want to see how exactly it went down. You can't just say this person is a ripper or a rip off artist. You have to provide validation. In the last part, users with one to ten messages that have not been on the forum for long will be deleted at the discretion of the moderator. That means if you are a seller you can't create five accounts and say this guy is great, I've worked with him before because those will be removed. This has an important implication. In some of the recent publications regarding how we might disrupt stolen data markets some people have argued for a civil attack procedures, where you go in and post anything that makes it hard for sellers to interact and for buyers to know who to trust. A civil attack is only going to be effective in those disorganized forums. The ones heavily managed will figure out what's going on and block the individual, block the account.If you're doing it from a specific computer, the computer itself might even be banned. So better organized forums may not be disrupted by a civil attack. If it is effective it will probably only be for a short period of time. So we have to think what we're going to do about a disorganized market That leads us to a final point about Organization. We have individuals working in a collegial fashion to engage in transactions. We have a peer process where individuals are being reviewed, vetted, tested, challenged. At a macro level where we divorce ourselves from the individual transactions and think about interaction we're dealing with what we might think of as formal organizations. As a moderator who provides a place for people to buy and sell data. They also offer a good degree of managerial structure that is to an extent that is hierarchical. And there are interconnections between our forums. Some of the better vendors would say I advertise on the following sites, you can see my reviews there as a way of demonstrating I am trustworthy and reputable so this kind of cross form interaction is important. And finally duration over time. Four of our five forums we had posts over a five year window. If you look at a date of an individual's post some of them went back to 2004. So we're talking about a long period of time where some of the groups have been active. That's a very important thing when we're talking about market disruption. If you have a group that's been active for a decade they might be harder to disrupt than one that's been active for three months or one that has come up and gone away. So there's a definitive difference in the types of markets we see. What I'll do now is transition away from the Organizational issues and I'm going to talk for a moment about the economic impact of the markets. We've talked about pricing and the way in which products are bought and sold. So, let's take just a second and look at the potential money that people might make. There's a lot of data being sold. How much can an individual reasonably make? In order to come to these conclusions since we can't necessarily know how many transactions were successfully completed what we've done is added up all positive and negative feedback that an individual received. That has potential for error. There could be fictitious reviews and false positives in the data. There could be one potential way to understand how many instances the transaction took place. As you can see with dumps we had 190 instances of transactions from our non‑ripping forum and 67 in our ripping forums so 257 dumps or transactions that took place. We have 63 for CVVs, the majority of them coming from the ripping forums, reinforcing that our data point from earlier. On bank accounts the majority come from ripping forums. From eBay and PayPal accounts we saw 6 from non-ripping forums and 3 from ripping forums. So this gives us some degree of how many transactions might have taken place. Another problem that comes up though is this excludes anyone who didn't have a product review. They may have had no feedback. They could have had transactions but we didn't capture the product reviews in our data points so there's potential for bias there and I will talk about how we tried to correct that in just a second. Taking those metrics we tried to overlay some of the pricing metrics. Thinking about our average cost for data and the total number of transactions that take place. With our dump sellers many specified they wanted to sell data in large amounts. In some cases their minimum quantity buy might have been a hundred. So we tried to set up base lines for how many pieces an individual might have purchased in the course of a transaction. For Dumps, we took 100 dumps per transaction. Taking the average cost, if you buying $102 for 100 dumps your average would be $10,260, for CVVs, taking 50 accounts that is an average cost of $1,310. For eBay and PayPAl accounts thinking again about 50 that gives us $1,362.50 average. If we multiplied the number of transactions by the amount of money that we expect has taken place this gives us some pretty dramatic estimates for profit. In the case of dumps we're looking at $2,636,000. That's a staggering amount of money. That leads to the potential that there's no way your math is right on that. You could argue that. So if we take the median price for dumps, not the mean that's $40. At that rate we're still looking at a million dollars in total transactions. If we want to throttle that a little and say all right we're probably getting false positive. If we're only getting 65% of the feedback that was received that puts us somewhere in the neighborhood of $668,000 or $1,000,713 so we're still talking about a substantial profit for dumps sells. We're not disaggregating rippers from non‑rippers either. This means how much money one vendor could make. This gives us total economic estimate. We could run this is couple of different ways but this is a potential for loss that we wanted to highlight So sellers could make a substantial amount of money. We might argue this is a seller's market. If we take the number of buyers that provided positive feedback that gives us a different sense of how things go. FOr non-ripping dumps we only had 117 instances of positive feedback and our ripping forums only 24 people had a satisfactory encounter. So there's a difference in what individuals report. Buyers are not going to come out as good when we compare it with dumps vendors. Let's try to figure out how much money a prospective dumps buyer might make. If you've ever read any of the reports, you know that they provide potential loss metric per person. It's $188 in the 2013 report but it varies from time to time. What we've tried to do here is take an amount reported by the Bureau of Justice Statistics for identity theft. Victimization. For a credit card losses in the US in 2012 Victims reported an average loss of $1,448. The median was only 300. When we compared it against debit cards losses we're talking about $500 versus $200, so there is some difference. Let's talk about the return on investment for a dumps for a dumps buyer then. If we had 117 instances of positive feedback. Just assume for a second try to throttle the amounts that they received, that only 65 cards they buy are valid and depending on what metric you want to use this creates a lot of different outcomes. But if we take the credit card loss average we're talking about $94,000 in gain per transaction so 8 on the ROI. If we take the median the ROI drops dramatically. But buyers have the potential to gain somewhere in the neighborhood of $2,281,000 which isn't bad but not as good as we might see with regards to dumps vendors. If we take the debit card amount using the median loss we're looking at buyers acquiring somewhere in the neighborhood of $1.5 million so it's a different type of metric depending on what you do. Thinking strategically. Maybe dumps aren't the way to go. Let's just say you use eBay and PayPal for a moment. Let's assume the 25 pieces you buy from an eBay or Pay Pal vendor are active. The ROI is way better in these instances than for any other type of transaction. In this case it could be $36,000 per transaction using the credit card loss average or 13,000 if we use the debit loss average. So there are dramatic differences here and it would strike people, hopefully in the audience, that the better way to go is to be a vendor and not a buyer. Because at least you are always going to make a profit whether or not your data works. someone who buys from you may not know you're disreputable but they're going to pay you anyway. So this economy is one that is very very complicated. unfortunately we're running out of time so I'm going to have to skip over the social network analysis portion of this but we can talk about it more in depth later. Generally, what's the take away from all of this. When we think about the markets themselves they are organized in a unique fashion. At the individual level we're talking about a process where we're seeing peers and colleagues. At the formal forum level we're seeing a more formal organization that takes place. The variation in terms of market sophistication will tell us these markets are insufficient. We're going to see different individuals acting different based on their status based on what they're told based on forum moderators or administrators. When we think about market disruption, given all of this, it's probably going to be a more effective strategy from a law enforcement perspective, or a more strategic point of view, the better way to go after these markets based on how they're organized is to take out the entire forum. Given the number of dumps vendors and product sales that take place, one individual can jump in and take over another person's share of the market. We have to think critically how do we affect individuals? A one on one basis removal is not going to work. Civil attacks are going to fail most likely in a better organized forums. Something like a dark market procedure where law enforcement sets up and runs the entire forum. Taking out the entire site is going to have a much more dramatic impact than just occasionally removing a seller. Another alternative strategy might be to go after the payment processers that were used. Taking out Liberty Resevere for instance, has had some chilling effect on the market. It's very, very short term but it's going to make an impact because that means they have to transition to another service. That poses other challenges but it's an alternative venue that may have a longer effect on markets disrupting. In general this is something we can look at in a much, much more broad perspective. But with all the data that we have, one of the most important things I can tell you from all of this is the need for greater participation and collaboration. As an academic we're getting one‑half of the pie. We can see what goes on in markets but not the individual exchanges between people outside of the forums. If we can set up better relationships with law enforcement and industry we could get a different perspective on what's going on. For instance, if we could have a direct partnership with law enforcement or industry partners we could look at trying to disrupt a market and do evaluation so at the time a site goes down we can look at where people go to. This idea of displacement, if you take out a market, individuals who are interested are going to go somewhere else. Where do they go and how quickly do they move there? We can assess disruption and what it does to the markets in a broad way. We can get some of the external communications through ICQ and other media; and we can do different processes of analysis with that information. In general, we're going to try to do a lot more with this data. We're going to try to compare our economic stuff with the social analysis and see whats going on. We're going to through IRC channels and a few other sites to and try to create an even larger data set and we would like to compare with some of the sites and compare them to what we see in more active markets. So there is a lot that we can do from here. With that in mind I will go ahead and stop. Does anybody have any questions? Yes, sir. [off mic] [inaudible] >> Sure. The question is when people were selling credit reports what were they actually offering? What we saw were people offering credit report services so they would do checks not credit report dumps. Any other questions? Yes, sir. [off mic] >> He asked what was the average age of accounts? No one provided us with that information so we couldn't tell without actually buying the data. Any other questions? Yes, sir. [off mic] >> So if I understand correctly, the question is what do sellers do to review moderators? So the question is how do sellers get into the market and how do they operate? The better organized forums will stipulate the terms for transactions or at least how things should go. They can't guarantee that you have to work that way, sellers have the ability to say I'm going to do this, not that so there's variation that is allowed at the individual level but generally speaking the disorganized boards on our site were like the wild west, you could do whatever you wanted. There's no necessary reason why someone would have to act a certain way. If anybody else has any other questions come on up or I can go to the chill out room and we can set things up that way. Thank you. [Applause]