Schneier on Security
A blog covering security and security technology.
August 14, 2008
Data Mining to Detect Pump-and-Dump Scams
I don't know any of the details, but this seems like a good use of data mining:
Mr Tancredi said Verisign's fraud detection kit would help "decrease the time between the attack being launched and the brokerage being able to respond".
Before now, he said, brokerages relied on countermeasures such as restrictive stock trading or analysis packages that only spotted a problem when money had gone.
Verisign's software is a module that brokers can add to their in-house trading system that alerts anti-fraud teams to look more closely at trades that exhibit certain behaviour patterns.
"What this self-learning behavioural engine does is look at the different attributes of the event, not necessarily about the computer or where you are logging on from but about the actual transaction, the trade, the amount of the trade," said Mr Tancredi.
"For example have you liquidated all of your assets in stock that you own in order to buy one penny stock?" he said. "Another example is when a customer who normally trades tech stock on Nasdaq all of a sudden trades a penny stock that has to do with health care and is placing a trade four times more than normal."
This is a good use of data mining because, as I said previously:
Data mining works best when there's a well-defined profile you're searching for, a reasonable number of attacks per year, and a low cost of false alarms.
Another news article here.
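The two behaviour patterns Mr Tancredi describes (liquidating everything to buy one penny stock, and a sudden out-of-sector penny-stock trade several times larger than normal) are simple enough to write down as a per-account scoring rule. The following is an added example, not Verisign's module or anything from the article; the `Trade` record, the $1 penny-stock cut-off, the 4x-or-3-sigma size rule and the account history are all constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Trade:                 # constructed record; not Verisign's data model
    account: str
    side: str                # "buy" or "sell"
    sector: str              # e.g. "tech", "healthcare"
    price: float             # per-share price in dollars
    amount: float            # total dollar value of the trade

@dataclass
class AccountProfile:        # the account's "usual" behaviour, learned from past trades
    sectors: set = field(default_factory=set)
    buy_amounts: list = field(default_factory=list)
    cash_freed: float = 0.0  # cash raised by recent sell-offs, not yet reinvested

PENNY_PRICE = 1.0            # assumed cut-off for a "penny stock"
MIN_HISTORY = 5              # buys needed before the size baseline is trusted

def score_trade(p: AccountProfile, t: Trade) -> list:
    """Return the behaviour flags a trade raises against its account's profile."""
    flags = []
    if t.side == "buy" and t.price < PENNY_PRICE:
        # "liquidated all of your assets ... to buy one penny stock"
        if p.cash_freed > 0 and t.amount >= 0.9 * p.cash_freed:
            flags.append("liquidation_into_penny_stock")
        # "normally trades tech stock ... trades a penny stock that has to do with health care"
        if p.sectors and t.sector not in p.sectors:
            flags.append("unusual_sector")
    if t.side == "buy" and len(p.buy_amounts) >= MIN_HISTORY:
        # "a trade four times more than normal", or far outside the account's own spread
        mu, sigma = mean(p.buy_amounts), pstdev(p.buy_amounts)
        if t.amount >= 4 * mu or (sigma > 0 and (t.amount - mu) / sigma > 3):
            flags.append("unusual_size")
    return flags

def process(profiles: dict, t: Trade) -> list:
    """Score one trade in stream order, then update the account's profile."""
    p = profiles.setdefault(t.account, AccountProfile())
    flags = score_trade(p, t)
    if t.side == "sell":
        p.cash_freed += t.amount
    else:
        p.cash_freed = max(0.0, p.cash_freed - t.amount)
        if not flags:                  # only unflagged buys feed the baseline, so a
            p.sectors.add(t.sector)    # hijacker cannot shift what counts as "usual"
            p.buy_amounts.append(t.amount)
    return flags

def run_constructed_scenario() -> dict:
    """Constructed history: a Nasdaq tech investor, then the hijack pattern."""
    profiles = {}
    for i in range(6):               # six ordinary buys of $2,000 .. $3,000
        process(profiles, Trade("alice", "buy", "tech", 30.0, 2000.0 + 200 * i))
    normal = process(profiles, Trade("alice", "buy", "tech", 31.0, 2600.0))
    process(profiles, Trade("alice", "sell", "tech", 31.0, 20000.0))  # positions liquidated
    hijack = process(profiles, Trade("alice", "buy", "healthcare", 0.20, 19000.0))
    return {"normal": normal, "hijack": hijack}
```

The ordinary trade raises no flags, while the liquidate-then-buy-a-penny-stock sequence trips all three rules at once, which is the kind of real-time alert the brokerage's anti-fraud team would investigate.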
Posted on August 14, 2008 at 6:10 AM
And how does this help to prove anything?
Here is the (sad, for some) truth:
Markets efficiently allocate resources. People who lose money through pump&dump shouldn't have any, since their decisions are irrational (because they know zilch about the company they are investing in).
What are the odds that a penny stock will go to $20? I know that Chrysler was something like $0.30 and then took. Was this Pump&dump?
The term 'bull-market' is pretty much equivalent to pump&dump on a large scale. So there is no well-defined profile, either.
The proposal is simply to create an illusion, that it will be safer to gamble in the stock-market.
How about this investment strategy:
Simply buy every penny stock. If it's legit, you make a fortune. If it's fraud, you get your money back.
This must be the most stupid idea for effective data-mining I've ever come across.
I'm somewhat familiar with how these attacks have worked recently. Here's a brief sequence of events:
1) Victim's credentials are stolen via variety of methods...
2) Said creds are sold to criminal organization
3) criminals use creds to log on to victim's brokerage account and sell existing positions, thus freeing up cash
4) criminals accumulate shares of low cost securities that are rarely traded, such as "penny stocks," typically held offshore
5) cash from victim's account is used to make large purchases of penny stocks that criminals own a position in, thus causing the price of that stock to rise significantly. (this step is usually performed simultaneously using several victim accounts from different brokerages, thus maximizing gain before trading on stock is blocked)
6) criminals sell off entire position in penny stock (now significantly more $$$) and wire proceeds to offshore account, the sell off causes value of penny stock to dive and leaves the victim with a portfolio of stocks that are nearly worthless.
7) brokerage works with victim to clean up mess...
The key to stopping this sort of thing is to identify what is happening before the sell-off phase (step 6 above). Data mining usage patterns of investors for activities that fit this pattern is a step in the right direction, but it won't stop it entirely.
@ Team America
The victims of these schemes (probably) aren't stupid. Anyone's credentials can be stolen. They aren't "falling for" anything. This is not the "pump and dump" scheme of the past that was done over the phone by a "boiler room" operation. This is fraud and theft, plain and simple. The victims didn't buy penny stocks of their own free will.
The NASD and NYSE have had these sorts of fraud detection data mining systems in place for years.
They work reasonably well, but look for collusion and other types of fraud - not whether or not an individual account is compromised.
For instance, have you ever heard of Daisy Chain fraud?
As far as I can tell, this type of system analyzes what is "usual" and searches for cases more than a few standard deviations outside of that and calls it a problem. This probably works better applied to an individual than a statistical universe.
It certainly seems to work reasonably well for my credit card company though it does cause occasional problems when I travel without telling them (low cost of false-positive, in general.)
I'll add a condition to Bruce's list: It works well when "usual" and "abnormal" behavior are significantly different.
For the problem of trying to drive it too fine-grained (i.e. abnormal and typical behavior only a few percent different), examine The Case of the Quake Cheats.
Hi, I'm the Mr. Tancredi of the quote. The focus of the module is actually to protect investors whose accounts have been hijacked (as Anonymous stated). A case in point can be read about in The Register (http://www.theregister.co.uk/2007/03/12/more_pump_and_dump_charges/) whereby one hapless investor lost almost $400K while fishing in Alaska.
Even for the foolish who believe the emails they get that encourage this kind of investing, they are not the only victims. The companies involved often can't recover from the nosedive their stock inevitably takes, and assuming they are not complicit with the hype, are innocent victims. Also, market instability and market manipulation have ripple effects beyond the people directly involved (think of how reckless drivers affect your insurance rates).
Also, to the point about data mining, that's not exactly how the system works. It's more akin to systems that analyze streaming data. It alerts based on that in real-time, and allows brokerages to do something, from investigation to warning investors who are making bad choices, and even intervening before a trade is placed to make an investor prove his or her identity to protect against hijackers.
The idea is to give the brokerages more intelligence sooner in the process. Nothing will be 100% effective, but this will raise the bar and force the attackers to evolve, which is usually the best we can hope for.
It seems to me you could also solve the problem by improving the authentication needed to initiate trades. The RSA secure fob comes to mind.
That is, solving the problem of fraudulent login also solves the problem of fraudulent trading.
@Anonymous for a reason
Oh. Well, I guess that makes slightly more sense.
But in that case the unauthorized access is the real problem, because if you can control other investors' accounts you'll always be able to front-run them, even if the transaction is indistinguishable from something ordinary.
On a side note, having all your assets in one account is not what diversification of risk means.
"Data mining works best when there's ... a low cost of false alarms."
Bruce, I call tautology on your post.
X works best when it does not fail expensively? If that is a condition, then do the others even matter?
Who could argue with that logic for any system?
"Nothing will be 100% effective, but this will raise the bar and force the attackers to evolve, which is usually the best we can hope for."
> have you ever heard of Daisy Chain fraud?
No, so I searched the Internet, and the website which seems to be the originator of the information on this topic is www.stewwebb.com, whose home page claims that the Mossad controls the US government, among other things.
The mechanism of the fraud itself, however, seemed plausible, to some extent. It requires not one, but several companies with crooked accounting practices, all selling and reselling assets between themselves at constantly inflated valuations, so it seems to me to be less likely to occur in practice than your ordinary one-company types of fraud.
"daisy chain fraud" == "carousel fraud" ?