Credit Card Fraud

Abstract

This chapter provides a single-person case study of Mr. Dan DeFilippi, who was arrested for credit card fraud by the US Secret Service in December 2004. The chapter delves into the psychology of a cybercriminal and the inner workings of credit card fraud. A background context of credit card fraud is presented to frame the primary interview. A section on the identification of issues and controversies with respect to carding is then given. Finally, recommendations are made by the convicted cybercriminal turned key informant on how to decrease the rising incidence of cybercrime. A major finding is that credit card fraud is all too easy to enact and merchants need to conduct better staff training to catch fraudsters early. With increases in global online purchasing, international carding networks are proliferating, making it difficult for law enforcement agencies to “police” unauthorized transactions. Big data may well have a role to play in analyzing behaviors that expose cybercrime.

Introduction

Fraud is about exploiting weaknesses. They could be weaknesses in a system, such as a lack of controls in a company’s accounting department or a computer security hole, or a weakness in human thinking such as misplaced trust. A cybercriminal finds a weakness with an expected payout high enough to offset the risk and chooses to become involved in the endeavor. This is very much like a traditional business venture except the outcome is the opposite. A business will profit by providing goods or services that its customers value. Fraud takes value away from its victims and only enriches those committing it.

Counterfeit documents rarely need to be perfect. They only need to be good enough to serve their purpose, fooling a system or a person in a given transaction. For example, a counterfeit ID card will be scrutinized more closely by the bouncer at a bar than by a minimum wage cashier at a large department store. Bouncers have incentive to detect fakes since allowing in underage drinkers could have dire consequences for the bar. There is much less incentive to properly train cashiers since fraud makes up a small percentage of retail sales. This is sometimes referred to as the risk appetite and tolerance of an organization (Levi, 2008).

Lack of knowledge and training of store staff is by far the biggest weakness exploited when counterfeit or fraudulent documents are utilized by cybercriminals. If the victim does not know the security features of a legitimate document, they will not know how to spot a fake. For example, Visa and MasterCard are the most widely recognized credit card brands. Their dove and globe holograms are well known. A card without one would be very suspicious. However, there are other lesser-known credit card networks such as Discover and American Express. Their security features are not as well recognized, which can be exploited. If a counterfeit credit card has an appearance of legitimacy it will be accepted.

Background

Dan DeFilippi was a black hat hacker in his teens and early twenties. In college he sold fake IDs, and later committed various scams, including phishing, credit card fraud, and identity theft. He was caught in December 2004. In order to avoid a significant jail sentence, DeFilippi decided to become an informant and work for the Secret Service for two years, providing training and consulting and helping them understand how hackers and fraudsters think. This chapter has been written through his eyes, his practices and learnings. Cybercriminals do not necessarily have to be perfect at counterfeiting, but they do have to be superior social engineers not to get caught. While most of the cybercrime now occurs remotely over the Internet, DeFilippi exploited the human factor. A lot of the time, he would walk into a large electronics department store with a fake credit card, buy high-end items like laptops, and then proceed to sell them online for a reduced price. He could make thousands of dollars like this in a single week.

In credit card fraud, the expected payout is much higher than in traditional crimes and the risk of being caught is often much lower, making it a crime of choice. Banks often write off fraud with little or no investigation until it reaches value thresholds. It is considered a cost of doing business and additional investigation is considered to cost more than it is worth. Banks in Australia, for instance, used to charge about $250 to investigate an illegal transaction, usually passing the cost onto the customer before 2002. Today they usually do not spend effort on investigating such low-value transactions but rather redirect attention to upholding their brand. Since about the mid-2000s, banks have also openly shared more security breaches with one another, which has helped law enforcement task forces respond in a timely manner when investigating cybercrime. Yet, local law enforcement continues to struggle with the investigation of electronic fraud due to lack of resources, education, or jurisdictional issues. Fraud cases may span multiple countries, requiring complex cooperation and coordination between law enforcement agencies. A criminal may buy stolen credit cards from someone living on another continent, use them to purchase goods online in state 1, have the goods shipped to state 2 while living in state 3, with the card stolen from someone in state 4.

Online criminal communities and networks, or the online underground, are often structured similarly to a loose gang. New members (newbies) have to earn the community’s trust. Items offered for sale have to be reviewed by a senior member or approved reviewer before being offered to the public. Even when people are considered “trustworthy” there is a high level of distrust between community members due to a significant level of law enforcement and paranoia from past crackdowns. Very few people know anyone by their real identity. Everyone tries to stay as anonymous as possible. Many people use multiple handles and pseudonyms for different online activities, such as one for buying, one or more for selling, and one for online discussion through asynchronous text-based chat. This dilutes their reputation but adds an additional layer of protection.

The most desirable types of fraud in these communities, and for monetary crime in general, involve directly receiving cash instead of goods. Jobs, such as “cashing out” stolen debit cards at ATMs, are sought after by everyone and are handled by the most trusted community members. Due to their desirability the proceeds are often split unequally, with the card provider taking a majority share of the reward and the “runner” taking a majority of the risk. The types of people in these communities vary from teens looking to get a new computer for free to members of organized crime syndicates. With high unemployment rates, low wages, and low levels of literacy particularly in developing nations, it is no surprise that a large number of credit card fraud players are eastern European or Russian with suspected ties to organized crime. It is a quick and easy way of making money if you know what you are doing.

Of course, things have changed a little since DeFilippi was conducting his credit card fraud between 2001 and 2004. Law enforcement agencies now have whole task forces dedicated to online fraud. Bilateral and multilateral treaties are in place with respect to cybercrime, although this still lacks the buy-in of major state players and even states where cybercrime is flourishing (Broadhurst, 2006). In terms of how technology has been used to combat credit card fraud, the Falcon system has been able to help in fraud that would have otherwise gone unnoticed. If the Falcon system identifies any transaction as suspect or unusual, the bank will attempt to get in touch with the cardholder to ascertain whether or not it is an authentic transaction. If individuals cannot be reached directly, then their card is blocked until further confirmation of a given transaction. Banks continue to encourage travelers to contact them when their pattern of credit card use changes, e.g. when travelling abroad. Software platforms nowadays do much of the analytical processing with respect to fraud detection. Predictive analytics methods, not rule-based methods, are changing the way fraud is discovered (Riordan et al., 2012). Additionally, banks have introduced two-factor (also known as multifactor) authentication requirements, which means an online site requires more than just a cardholder’s username and password. Commonly this takes the form of an SMS or a phone call to a predesignated number containing a randomized code. Single-factor authentication is now considered inadequate in the case of high-risk transactions, or movement of funds to other parties (Aguilar, 2015).

Main Focus of Chapter 

Issues, Controversies, Problems

Katina Michael: Dan, let’s start at the end of your story which was the beginning of your reformation. What happened the day you got caught for credit card fraud?

Dan DeFilippi: It was December 2004 in Rochester, New York. I was sitting in my windowless office getting work done, and all of a sudden the door burst open, and this rush of people came flying in. “Get down under your desks. Show your hands. Hands where I can see them.” And before I could tell what was going on, my hands were cuffed behind my back and it was over. That was the end of that chapter of my life.

Katina Michael: Can you tell us what cybercrimes you committed and for how long?

Dan DeFilippi: I had been running credit card fraud, identity theft, document forgery pretty much as my fulltime job for about three years, and before that I had been a hacker.

Katina Michael: Why fraud? What led you into that life?

Dan DeFilippi: Everybody has failures. Not everybody makes great decisions in life. So why fraud? What led me to this? I mean, I had great parents, a great upbringing, a great family life. I did okay in school, and you know, not to stroke my ego too much, but I know I am intelligent and I could succeed at whatever I chose to do. But when I was growing up, one of the things that I’m really thankful for is my parents taught me to think for myself. They didn’t just focus on remembering knowledge. They taught me to learn, to think, to understand. And this is really what the hacker mentality is all about. And when I say hacker, I mean it in the traditional sense. I don’t mean it as somebody in there stealing from your company. I mean it as somebody out there seeking knowledge, testing the edges, testing the boundaries, pushing the limits, and seeing how things work. So growing up, I disassembled little broken electronics and things like that, and as time went on this slowly progressed into, you know, a so-called hacker.

Katina Michael: Do you remember when you actually earned your first dollar by conducting cybercrime?

Dan DeFilippi: My first experience with money in this field was towards the end of my high school. And I realized that my electronics skills could be put to use to do something beyond work. I got involved with a small group of hackers that were trying to cheat advertising systems out of money, and I didn’t even make that much. I made a couple of hundred dollars over, like, a year or something. It was pretty much insignificant. But it was that experience, that first step, that kind of showed me that there was something else out there. And at that time I knew theft and fraud was wrong. I mean, I thought it was stealing. I knew it was stealing. But it spiraled downwards after that point.

Katina Michael: Can you elaborate on how your thinking developed towards earning money through cybercrime?

Dan DeFilippi: I started out with these little things and they slowly, slowly built up and built up and built up, and it was this easy money. So this initial taste of being able to make small amounts, and eventually large amounts of money with almost no work, and doing things that I really enjoyed doing was what did it for me. So from there, I went to college and I didn’t get involved with credit card fraud right away. What I did was, I tried to find a market. And I’ve always been an entrepreneur and very business-minded, and I was at school and I said, “What do people here need? ... I need money, I don’t really want to work for somebody else, I don’t like that.” I realized people needed fake IDs. So I started selling fake IDs to college students. And that again was a taste of easy money. It was work but it wasn’t hard work. And from there, there’s a cross-over here between forged documents and fraud. So that cross-over is what drew me in. I saw these other people doing credit card fraud and making money. I mean, we’re talking about serious money. We’re talking about thousands of dollars a day with only a few hours of work and up.

Katina Michael: You strike me as someone who is very ethical. I almost cannot imagine you committing fraud. I’m trying to understand what went wrong?

Dan DeFilippi: And where were my ethics and morals? Well, the problem is when you do something like this, you need to rationalize it, okay? You can’t worry about it. You have to rationalize it to yourself. So everybody out there committing fraud rationalizes what they’re doing. They justify it. And that’s just how our brains work. Okay? And this is something that comes up a lot on these online fraud forums where people discuss this stuff openly. And the question is posed: “Well, why do you do this? What motivates you? Why, why is this fine with you? Why are you not, you know, opposed to this?” And often, and the biggest thing I see, is like, you know, the Robin Hood scenario: “I’m just stealing from a faceless corporation. It’s victimless.” Of course, all of us know that’s just not true. It impacts the consumers. But everybody comes up with their own reason. Everybody comes up with an explanation for why they’re doing it, and how it’s okay with them, and how they can actually get away with doing it.

Katina Michael: But how does a sensitive young man like you just not realize the impact they were having on others during the time of committing the crimes?

Dan DeFilippi: I’ve never really talked about that too much before... Look, the average person when they know they’ve acted against their morals feels they have done wrong; it’s an emotional connection with their failure and emotionally it feels negative. You feel that you did something wrong; no one has to tell you the crime type, you just know it is bad. Well, when you start doing these kinds of crimes, you lose that discerning voice in your head. I was completely disconnected from my emotions when it came to these types of fraud. I knew that they were ethically wrong, morally wrong, and you know, I have no interest in committing them ever again, but I did not have that visceral reaction to this type of crime. I did not have that guilty feeling of actually stealing something. I would just rationalize it.

Katina Michael: Ok. Could I ask you whether the process of rationalization has much to do with making money? And perhaps, how much money did you actually make in conducting these crimes?

Dan DeFilippi: This is a pretty common question and honestly I don’t have an answer. I can tell you how much I owe the government and that’s ... well, I suppose I owe Discover Card ... I owed $209,000 to Discover Card Credit Card Company in the US. Beyond that, I mean, I didn’t keep track. One of the things I did was, and this is kind of why I got away with it for so long, is I didn’t go crazy. I wasn’t out there every day buying ten laptops. I could have but chose not to. I could’ve worked myself to the bone and made millions of dollars, but I knew if I did that the risk would be significantly higher. So I took it easy. I was going out and doing this stuff one or two days a week, and just living comfortably but not really in major luxury. So honestly, I don’t have a real figure for that. I can just tell you what the government said.

Katina Michael: There is a perception among the community that credit card fraud is sort of a non-violent crime because the “actor” being defrauded is not a person but an organization. Is this why so many people lie to the tax office, for instance?

Dan DeFilippi: Yeah, I do think that’s absolutely true. If we are honest about it, everyone has lied about something in their lifetime. And people... you’re right, you’re absolutely right, that people observe this, and they don’t see it in the big picture. They think of it on the individual level, like I said, and people see this as a faceless corporation, “Oh, they can afford it.” You know, “no big deal”. You know, “Whatever, they’re ripping off the little guy.” You know. People see it that way, and they explain it away much easier than, you know, somebody going off and punching someone in the face and then proceeding to steal their wallet. Even if the dollar figure of the financial fraud is much higher, people are generally less concerned. And I think that’s a real problem because it might entice some people into committing these crimes because they are considered “soft”. And if you’re willing to do small things, it’s going to, as in my case, eventually spiral you downwards. I started with very small fraud, and then got larger. Not that everybody would do that. Not that the police officer taking the burger for free from Burger King is going to step up to, you know, to extortion or something, but certainly it could, could definitely snowball and lead to something.

Katina Michael: It has been about 6 years since you were arrested. Has much changed in the banking sector regarding triggers or detection of cybercriminal acts?

Dan DeFilippi: Yeah. What credit card companies are doing now is pattern matching and using software to find and root out these kind of things. I think that’s really key. You know, they recognize patterns of fraud and they flag it and they bring it out. I think using technology to your advantage to identify these patterns of fraud and investigate, report and root them out is probably, you know, one of the best techniques for dollar returns.

Katina Michael: How long were you actually working for the US Secret Service, as a matter of interest? Was it the length of your alleged, or so-called prison term, or how did that work?

Dan DeFilippi: No. So I was arrested early December 2004. I started working with the Secret Service in April 2005, so about six months later. And I worked with them fulltime almost for two years. I cut back on the hours a little bit towards the end, because I went back to university. But it was, it was almost exactly two years, and most of it was fulltime.

Katina Michael: I’ve heard that the US is tougher on cybercrime relative to other crimes. Is this true?

Dan DeFilippi: The punishment for credit card fraud is eight-and-a-half years in the US.

Katina Michael: Do these sentences reduce the likelihood that someone might get caught up in this kind of fraud?

Dan DeFilippi: It’s a contested topic that’s been hotly debated for a long time. And also in ethics, you know, it’s certainly an interesting topic as well. But I think it depends on the type of person. I wasn’t a hardened criminal, I wasn’t the fella down on the street, I was just a kid playing around at first that just got more serious and serious as time went on. You know, I had a great upbringing, I had good morals. And I think to that type of person, it does have an impact. I think that somebody who has a bright future, or could have a bright future, and could throw it all away for a couple of hundred thousand dollars, or whatever, they recognize that, I think. At least the more intelligent people recognize it in that ... you know, “This is going to ruin my life or potentially ruin a large portion of my life.” So, I think it’s obviously not the only deterrent but it can certainly be useful.

Katina Michael: You note that you worked alone. Was this always the case? Did you recruit people to assist you with the fraud and where did you go to find these people?

Dan DeFilippi: Okay. So I mainly worked alone but I did also work with other people, like I said. I was very careful to protect myself. I knew that if I had partners that I worked with regularly it was high risk. So what I did was on these discussion forums, I often chatted with people beyond just doing the credit card fraud, I did other things as well. I sold fake IDs online. I sold the printed cards online. And because I was doing this, I networked with people, and there were a few cases where I worked with other people. For example, I met somebody online. Could have been law enforcement, I don’t know. I would print them a card, send it to them, they would buy something in the store, they would mail back the item, the thing they bought, and then I would sell them online and we would split the money 50/50.

Katina Michael: Was this the manner you engaged others? An equal split?

Dan DeFilippi: Yes, actually, exactly the same deal for instance, with the person I was working with in person, and that person I met through my fake IDs. When I had been selling the fake IDs, I had a network of people that resold for me at the schools. He was one of the people that had been doing that. And then when he found out that I was going to stop selling IDs, I sort of sold him my equipment and he kind of took over. And then he realized I must have something else going on, because why would I stop doing it, it must be pretty lucrative. So when he knew that, you know, he kept pushing me. “What are you doing? Hey, I want to get involved.” And this and that. So it was that person that I happened to meet in person that in the end was my downfall, so to speak.

Katina Michael: Did anyone, say a close family or friend, know what you were doing?

Dan DeFilippi: Absolutely not. No. And I, I made it a point to not let anyone know what I was doing. I almost made it a game, because I just didn’t tell anybody anything. Well, my family I told I had a job, you know, they didn’t know... but all my friends, I just told them nothing. They would always ask me, you know, “Where do you get your money? Where do you get all this stuff?” and I would just say, “Well, you know, doing stuff.” So it was a mystery. And I kind of enjoyed having this mysterious aura about me. You know. What does this guy do? And nobody ever thought it would be anything illegitimate. Everybody thought I was doing something, you know, my own websites, or maybe thought I was doing something like pornography or something. I don’t know. But yeah, I definitely did not tell anybody else. I didn’t want anybody to know.

Katina Michael: What was the most outrageous thing you bought with the money you earned from stolen credit cards?

Dan DeFilippi: More than the money, the outrageous things that I did with the cards is probably the matter. In my case the main motivation was not the money alone, the money was almost valueless to a degree. Anything that anyone could buy with a card in a store, I could get for free. So, this is a mind-set change a fraudster goes through that I didn’t really highlight yet. But money had very little value to me, directly, just because there was so much I could just go out and get for free. So I would just buy stupid random things with these stolen cards. You know, for example, the case where I actually ended up leading to my arrest, we had gone out and we had purchased a laptop before that one that failed, and we bought pizza. You know? So you know, a $10 charge on a stolen credit card for pizza, risking arrest, you know, for, for a pizza. And I would buy stupid stuff like that all the time. And just because I knew it, I had that experience, I could just get away with it mostly.

Katina Michael: You’ve been pretty open with interviews you’ve given. Why?

Dan DeFilippi: It helped me move on and not to keep secrets.

Katina Michael: And on that line of thinking, had you ever met one of your victims? And I don’t mean the credit card company. I actually mean the individual whose credit card you defrauded?

Dan DeFilippi: So I haven’t personally met anyone but I have read statements. So as part of sentencing, the prosecutor solicited statements from victims. And the mind-set is always, “Big faceless corporation, you know, you just call your bank and they just, you know, reverse the charges and no big deal. It takes a little bit of time, but you know, whatever.” And the prosecutor ended up getting three or four statements from individuals who actually were impacted by this, and honestly, you know, I felt very upset after reading them. And I do, I still go back and I read them every once in a while. I get this great sinking feeling, that these people were affected by it. So I haven’t actually personally met anyone but just those statements.

Katina Michael: How much of hacking do you think is acting? To me traditional hacking is someone sort of hacking into a website and perhaps downloading some data. However, in your case, there was a physical presence, you walked into the store and confronted real people. It wasn’t all card-not-present fraud where you could be completely anonymous in appearance.

Dan DeFilippi: It was absolutely acting. You know, I haven’t gone into great detail in this interview, but I did hack credit card information and stuff, that’s where I got some of my info. And I did online fraud too. I mean, I would order stuff off websites and things like that. But yeah, the being in the store and playing that role, it was totally acting. It was, like I mentioned, you are playing the part of a normal person. And that normal person can be anybody. You know. You could be a high-roller, or you could just be some college student going to buy a laptop. So it was pure acting. And I like to think that I got reasonably good at it. And I would come up with scenarios. You know, ahead of time. I would think of scenarios. And answers to situations. I came up with techniques that I thought worked pretty well to talk my way out of bad situations. For example, if I was going to go up and purchase something, I might say to the cashier, before they swiped the card, I’d say, “Oh, that came to a lot more than I thought it would be. I hope my card works.” So that way, if something happened where the card was declined or it came up call for authorization, I could say, “Oh yeah, I must not have gotten my payment” or something like that. So, yeah, it was definitely acting.

Katina Michael: You’ve mentioned this idea of downward spiraling. Could you elaborate?

Dan DeFilippi: I think this is partially something that happens and it happens if you’re in this and do this too much. So catching people early on, before this takes effect is important. Now, when you’re trying to catch people involved in this, you have to really think about these kinds of things. Like, why are they doing this? Why are they motivated? And the thought process, like I was saying, is definitely very different. In my case, because I had this hacker background, and I wasn’t, you know, like some street thug who just found a computer. I did it for more than just the money. I mean, it was certainly because of the challenge. It was because I was doing things I knew other people weren’t doing. I was kind of this rogue figure, this rebel. And I was learning at the edge. And especially, if I could learn something, or discover something, some technique, that I thought nobody else was using or very few people were using it, to me that was a rush. I mean, it’s almost like a drug. Except with a drug, with an addict, you’re chasing that “first high” but can’t get back to it, and with credit card fraud, your “high” is always going up. The more money you make, the better it feels. The more challenges you complete, the better you feel.

Katina Michael: You make it sound so easy. That anyone could get into cybercrime. What makes it so easy?

Dan DeFilippi: So really, you’ve got to fill the holes in the systems so they can’t be exploited. What happens is crackers, i.e. criminal hackers, and fraudsters, look for easy access. If there are ten companies that they can target, and your company has weak security, and the other nine have strong security, they’re going after you. Okay? Also, in the reverse. So if your company has strong security and nine others have weak security, well, they’re going to have a field-day with the others and they’re just going to walk past you. You know, they’re just going to skip you and move on to the next target. So you need to patch the holes in your technology and in your organization. I don’t know if you’ve noticed recently, but there’s been all kinds of hacking in the news. The PlayStation network was hacked and a lot of US targets. These are basic things that would have been discovered had they had proper controls in place, or proper security auditing happening.

Katina Michael: Okay, so there is the systems focus of weaknesses. But what about human factor issues?

Dan DeFilippi: So another step to the personnel is training. Training really is key. And I’m going to give you two stories, very similar but with totally different outcomes, that happened to me. So a little bit more about what I used to do frequently. I would mainly print fake credit cards, put stolen data on those cards and use them in store to go and purchase items. Electronics, and things like that, to go and re-sell them. So ... and in these two stories, I was at a big-box well-known electronics retailer, with a card with a matching fake ID. I also made the driver’s licenses to go along with the credit cards. And I was at this first location to purchase a laptop. So pick up your laptop and then go through the standard process. And when committing this type of crime you have to have a certain mindset. So you have to think, “I am not committing a crime. I am not stealing here. I am just a normal consumer purchasing things. So I am just buying a laptop, just like any other person would go into the store and buy a laptop.” So in this first story, I’m in the store, purchasing a laptop. Picked it out, you know, went through the standard process, they went and swiped my card. And it came up with a ‘CFA’ – call for authorization. Now, a call for authorization is a case where it’s flagged on the computer and you actually have to call in and talk to an operator that will then verify additional information to make sure it’s not fraud. If you’re trying to commit fraud, it’s a bad thing. You can’t verify this, right? Right? So this is a case where it’s very possible that you could get caught, so you try to talk your way out of the situation. You try to walk away, you try to get out of it. Well, in this case, I was unable to escape. I was unable to talk my way out of it, and they did the call for authorization. They called in. We had to go up to the front of the store, there was a customer service desk, and they had somebody up there call it in and discuss this with them.
And I didn’t overhear what they were saying. I had to stand to the side. About five or ten minutes later, I don’t know, I pretty much lost track of time at that point, they come back to me and they said, “I’m sorry, we can’t complete this transaction because your information doesn’t match the information on the credit card account.” That should have raised red flags. That should have meant the worst alarm bells possible.

Katina Michael: Indeed.

Dan DeFilippi: There should have been security coming up to me immediately. They should have notified higher people in the organization to look into the matter. But rather than doing that, they just came up to me, handed me back my cards and apologized. Poor training. So just like a normal consumer, I act surprised and alarmed and amused. You know, and I kind of talked my way out of this too, “You know, what are you talking about? I have my ID and here’s my card. Obviously this is the real information.” Whatever. They just let me walk out of the store. And I got out of there as quickly as possible. And you know, basically walked away and drove away. Poor training. Had that person had the proper training to understand what was going on and what the situation was, I probably would have been arrested that day. At the very least, there would have been a foot-chase.

Katina Michael: Unbelievable. That was very poor on the side of the cashier. And the other story you were going to share?

Dan DeFilippi: The second story was the opposite experience. The personnel had proper training. Same situation. Different store. Same big-box electronic store at a different place. Go in. And this time I was actually with somebody else, who was working with me at the time. We go in together. I was posing as his friend and he was just purchasing a computer. And this time we, we didn’t really approach it like we normally did. We kind of rushed because we’d been out for a while and we just wanted to leave, so we kind of rushed it faster than a normal person would purchase a computer. Which was unusual, but not a big deal. The person handling the transaction tried to upsell, upsell some things, warranties, accessories, software, and all that stuff, and we just, “No, no, no, we don’t ... we just want to, you know, kind of rush it through.” Which is kind of weird, but okay, it happens.

Katina Michael: I’m sure this would have raised even a little suspicion however.

Dan DeFilippi: So when he went to process the transaction, he asked for the ID with the credit card, which happens at times. But at this point the person I was with started getting a little nervous. He wasn’t as used to it as I was. My biggest thing was I never panicked, no matter what the situation. I always tried to not show nervousness. And so he’s getting nervous. The guy’s checking his ID, swipes the card, okay, finally going to go through this, and call for authorization. Same situation. Except for this time, you have somebody here who’s trying to do the transaction and he is really, really getting nervous. He’s shifting back and forth. He’s in a cold sweat. He’s fidgeting. Something’s clearly wrong with this transaction. Now, the person who was handling this transaction, the person who was trying to take the card payment and everything, it happened to be the manager of this department store. He happened to be well-trained. He happened to know and realize that something was very wrong here. Something was not right with this transaction. So the call for authorization came up. Now, again, he had to go to the front of the store. He, he never let that credit card and fake ID out of his hands. He held on to them tight the whole time. There was no way we could have gotten them back. So he goes up to the front and he says, “All right, well, we’re going to do this.” And we said, “Okay, well, we’ll go and look at the stock while you’re doing it.” You know. I just sort of tried to play off, and as soon as he walked away, I said, “We need to get out of here.” And we left; leaving behind the ID and card. Some may not realize it as I am retelling the story, but this is what ended up leading to my arrest. They ran his photo off his ID on the local news network, somebody recognized him, turned him in, and he turned me in. So this was an obvious case of good, proper training. This guy knew how to handle the situation, and he not only prevented that fraud from happening, he prevented that laptop from leaving the store. But he also helped to catch me, and somebody else, and shot down what I was doing. So clearly, you know, failing to train people leads to failure. Okay? You need to have proper training. And you need to be able to handle the situation.

Katina Michael: What did you learn from your time at the Secret Service?

Dan DeFilippi: So a little bit more in-depth on what I observed of cybercriminals when I was working with the Secret Service. Now, this is going to be a little aside here, but it’s relevant. So people are arrogant. You have to be arrogant to commit a crime, at some level. You have to think you can get away with it. You’re not going to do it if you can’t, you know, if you think you’re going to get caught. So there’s arrogance there. And this same arrogance can be used against them. Up until the point where I got caught in the story I just told you that led to my arrest, I was arrogant. I actually wasn’t protecting myself as well as I had been, should have been. Had I been investigated closer, had law enforcement been monitoring me, they could have caught me a lot earlier. I left traces back to my office. I wasn’t very careful with protecting my office, and they could have come back and found me. So you can play off arrogance but also ignorance, obviously. They go hand-in-hand. So the more arrogant somebody is, the more risk they’re willing to take. One of the things we found frequently works to catch people was email. Most people don’t realize that email actually contains the IP address of your computer. This is the identifier on the Internet to distinguish who you are. Even a lot of criminals who are very intelligent, who are involved in this stuff, do not realize that email shows this. And it’s very easy. You just look at the source of the email and boom, there you go. You’ve got somebody’s location. This was used countless times, over and over, to catch people. Now, obviously the real big fish, the people who are really intelligent and really in this, take steps to protect themselves with that, but then those are the people who are supremely arrogant.

Katina Michael: Can you give us a specific example?

Dan DeFilippi: One case that happened a few years ago, let’s call the individual “Ted”. He actually ran a number of these online forums. These are “carding” forums, online discussion boards, where people commit these crimes. And he was extremely arrogant. He was extremely, let’s say, egotistical as well. He was very good at what he did. He was a good cracker, though he got caught multiple times. So he actually ran one of these sites, and it was a large site, and in the process, he even hacked law enforcement computers and found out information about some of these other operations that were going on. Actually outed some, some informants, but the people didn’t believe him. A lot of people didn’t believe him. And his arrogance is really what led to his downfall. Because he was so arrogant he thought that he could get away with everything. He thought that he was protecting himself. And the fact of the matter was, law enforcement knew who he was almost the whole time. They tracked him back using basic techniques just like using email. Actually email was used as part of the evidence, but they actually found him before that. And it was his arrogance that really led to his getting arrested again, because he just didn’t protect himself well enough. And this really I cannot emphasize it enough, but this can really be used against people.

Katina Michael: Do you think that cybercrimes will increase in size and number and impact?

Dan DeFilippi: Financial crime is going up and up. And everybody knows this. The reality is that technology works for criminals as much as it works for businesses. Large organizations just can’t evolve fast enough. They’re slow in comparison to cybercriminals.

Katina Michael: How so?

Dan DeFilippi: A criminal’s going to use any tools they can to commit their crimes. They’re going to stay on top of their game. They’re going to be at the forefront of technology. They’re going to be the ones out there pioneering new techniques, finding the holes before anybody else, in new systems to get access to your data. They’re going to be the ones out there, and combining that with the availability of information. When I started hacking back in the ‘90s, it was not easy to learn. You really pretty much had to go into these chat-rooms and become kind of like an apprentice. You had to have people teach you.

Katina Michael: And today?

Dan DeFilippi: Well after the 2000s, when I started doing the identification stuff, there was easier access to data. There were more discussion boards, places where you could learn about these things, and then today it’s super easy to find any of this information. Myself, I actually wrote some tutorials on how to conduct credit card fraud. I wrote, like, a guide to in-store carding. I included how to go about it, what equipment to use, what to purchase, and it’s all out there in the public domain. You don’t even have to understand any of this. You know, you could know nothing about technology, spend a few hours online searching for this stuff, learn how to do it, and order the stuff overnight and the next day you could be out there going and doing this stuff. That’s how easy it is. And that’s why it’s really going up, in my opinion.

Katina Michael: Do you think credit card fraudsters realize the negative consequences of their actions?

Dan DeFilippi: People don’t realize that there is a real negative consequence to this nowadays. I’m not sure what the laws are in Australia about identity theft and credit card fraud, but in the United States, it used to be very, very easy to get away with. If you were caught, it would be a slap on the wrist. You would get almost nothing happening to you. It was more like give the money back, and possibly serve jail time if it was a repeat offence, but really that was no deterrent. Then it exploded post dot com crash, then a few years ago, we passed a new law that it’s a mandatory two years in prison if you commit identity theft. And credit card fraud is considered identity theft in the United States. So you’re guaranteed of some time in jail if caught.

Katina Michael: Do you think people are aware of the penalties?

Dan DeFilippi: People don’t realize it. And they think, “Oh, it’s nothing, you know, a slap on the wrist.” There is a need for more awareness, and campaigning on this matter. People need to be aware of the consequences of their actions. Had I realized how much time I could serve for this kind of crime, I probably would have stopped sooner. Long story short, because I worked with the Secret Service and trained them for a few years, I managed to keep myself out of prison. Had I not done that, I would have actually been facing eight-and-a-half years. That’s serious, especially for somebody who’s in their early 20s. And really had that happened, my future would have been ruined, I think. I probably would have become a lifelong criminal because prisons are basically teaching institutions for crime. So really I, had I known, had I realized it, I wouldn’t have done it. And I think especially younger people, if they realize that the major consequences to these actions, that they can be caught nowadays, that there are people out there looking to catch them, that really would help cut back on this. Also catching people earlier of course is more ideal. Had I been caught early on, before my mind-set had changed and the emotional ties had been broken, I think I would have definitely stopped before it got this far. It would have made a much bigger impact on me. And that’s it.

Future Research Directions

Due to the availability of information over the Internet, non-technical people can easily commit “technical” crimes. The Internet has many tutorials and guides to committing fraud, ranging from counterfeit documents to credit card fraud. Many of the most successful are hackers turned carders, those who understand and know how to exploit technology to commit their crimes (Turgeman-Goldschmidt, 2008). They progress from breaking into computers to committing fraud when they discover how much money there is to be made. All humans rationalize their actions. The primary rationalization criminals use when committing fraud is blaming the victim. They claim that the victim should have been more knowledgeable, should have taken more steps to protect themselves, or taken some action to avoid the fraud. Confidence scams were legal in the US until a decade ago due to the mindset that it was the victim’s fault for falling for the fraud. There needs to be a lot more research conducted into the psychology of the cybercriminal. Of course technological solutions abound in the market, but it is less a technology problem than a human factor problem. Technology solution patents for making credit cards more secure abound. But with near field communication (NFC) cards now on the market, fraud is being propelled as investment continues in insecure devices. One has to wonder why these technologies are being chosen when they just increase the risk appetite. There also has to be more campaigning in schools, informing young people of the consequences of cybercrime, especially given so many schools are now mandating the adoption of tablets and other mobile devices in high school.

Conclusion

Avoiding detection, investigation, and arrest for committing identity theft or electronic fraud is, in most cases, fairly simple when compared to other types of crime. When using the correct tools, the internet allows the perpetrator to maintain complete anonymity through much of the crime (Wall, 2015). In the case of electronic fraud, the only risk to the perpetrator is when receiving the stolen money or goods. In some cases, such as those involving online currencies designed to be untraceable, it may be impossible for authorities to investigate due to anonymity built into the system. The internet and broad reach of information is a two-way street and can also work in law enforcement’s favor. Camera footage of a crime, such as someone using a stolen credit card at a department store, can now be easily and inexpensively distributed for the public to see. The same tools that keep criminals anonymous can be used by law enforcement to avoid detection during investigations. As with “traditional” crimes, catching a fraudster comes down to mistakes. A single mistake can unravel the target’s identity. One technique used by the US Secret Service is to check emails sent by a target for the originating IP address. This is often overlooked. Engaging a target in online chat and subpoenaing IP records from the service provider is often successful as well. Even the most technologically savvy criminal may slip up once and let their true IP address through.
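The email check described above, as an added example (not code from the chapter or from any agency's tooling): it walks the `Received` chain of a message as the recipient sees it and separates the last peer address recorded by a server the examiner trusts from addresses that appear only in lines the sender could have forged. The sample message, the host names, and the `trusted_suffixes` parameter are constructed assumptions; the addresses come from the RFC 5737 documentation ranges and stand in for public IPs.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample. Each relay prepends its own Received line, so the top
# line is the hop closest to the recipient and the bottom line is the oldest.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by mailstore.recipient.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:03 -0500
Received: from smtp.provider.example (smtp.provider.example [198.51.100.25])
    by mx.recipient.example with ESMTP id B2; Mon, 1 Jan 2024 10:00:02 -0500
Received: from [10.0.0.5] (dsl-host.isp.example [203.0.113.77])
    by smtp.provider.example with ESMTPSA id C3; Mon, 1 Jan 2024 10:00:01 -0500
Received: from fake.relay.example ([192.0.2.200]) by nowhere.example; Mon, 1 Jan 2024 09:00:00 -0500
From: sender@provider.example
To: victim@recipient.example
Subject: constructed test message

body
"""

# Addresses that identify nothing outside a local network. A custom list is
# used because Python's is_private also covers the documentation ranges that
# this sample uses as stand-ins for public addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

FROM_RE = re.compile(r"^from\s+(.*?)\s+by\s", re.I)
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def routable(ip_text):
    """True if ip_text parses as an address that is not local-only."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def parse_hops(raw_message):
    """Return the Received hops top-down as {'by': host, 'peer_ip': ip}."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())      # unfold continuation lines
        by = BY_RE.search(text)
        frm = FROM_RE.search(text)
        ips = IP_RE.findall(frm.group(1)) if frm else []
        # The HELO name comes first and is chosen by the sender; the address
        # the receiving server observed follows it, so prefer the last one.
        peer = next((ip for ip in reversed(ips) if routable(ip)), None)
        hops.append({"by": by.group(1).lower() if by else None,
                     "peer_ip": peer})
    return hops


def trace_origin(raw_message, trusted_suffixes):
    """Split hop addresses into (deepest verified IP, unverified IPs).

    A hop counts as verified only while every line above it, and the line
    itself, was written by a host under a trusted domain suffix. Anything
    below the first untrusted 'by' host may be forged by the sender.
    """
    verified, unverified, chain_ok = None, [], True
    for hop in parse_hops(raw_message):
        by = hop["by"] or ""
        trusted = any(by == s or by.endswith("." + s) for s in trusted_suffixes)
        if chain_ok and trusted:
            verified = hop["peer_ip"] or verified
        else:
            chain_ok = False
            if hop["peer_ip"]:
                unverified.append(hop["peer_ip"])
    return verified, unverified


if __name__ == "__main__":
    # Recipient's servers only: the trail stops at the provider's relay.
    print(trace_origin(SAMPLE, ("recipient.example",)))
    # Provider's records confirmed as well: the subscriber address is reached.
    print(trace_origin(SAMPLE, ("recipient.example", "provider.example")))
```

With only the recipient's own servers trusted, the verified trail ends at the provider's relay, which is the point where provider records are needed to go further; the bottom `Received` line is never treated as evidence because no trusted host wrote it.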

Many types of fraud can be prevented through education. The general population becomes less vulnerable and law enforcement is more likely to find the perpetrator. A store clerk who is trained to recognize the security features of credit cards, checks, and IDs will be able to catch a criminal in the act. The problem with education is its cost. A store may not find a positive return on investment for the time spent training minimum wage employees. Law enforcement may not have the budget for additional training or the personnel available to investigate the crime. Added security can also prevent certain types of crime. Switching from magnetic stripe to chip and PIN-based payment cards reduced card-present fraud in Europe, but more recently we have seen the introduction of NFC cards that do not require a PIN for a transaction of less than $100. Consumers may be reluctant to adopt new technologies due to the added process or learning curve. Chip and PIN have not been adopted in the USA due to reluctance of merchants and banks. The cost of the change is seen as higher than the cost of fraud. NFC cards, on the other hand, allegedly add to the convenience of conducting transactions and have seen a higher uptake in Australia. However, some merchants refuse to accept NFC transactions, as fraudsters usually go undetected and the merchant is left with problems to address. Human exploitation is the largest factor of fraud and can make or break a scam (Hadnagy, 2011). Social engineering can play an important role when exploiting a system. Take using a stolen credit card to purchase an item in a store. If the fraudster appears nervous and distracted, employees may become suspicious. Confidence goes a long way. When purchasing a large ticket item, the fraudster may suggest to the cashier that he hopes the total is not over his limit or that he hopes his recent payment has cleared.
When presented with an explanation for failure before a failure happens, the employee is less likely to expect fraud. However, if there is more training invested when new employees start at an organization, the likelihood that basic frauds will be detected is very high. There is also the growing incidence of insider attack, where an employee knowingly accepts an illegitimate card from a known individual and then splits the profits. Loss prevention strategies need to be implemented by organizations, and the sector as a whole needs to address the credit card fraud problem in a holistic manner with all the relevant stakeholders engaged and working together to crack down on cybercrime.

References

Aguilar, M. (2015). Here's Why Your Bank Account Is Less Secure Than Your Gmail. Gizmodo. Retrieved from http://gizmodo.com/heres-why-your-bank-account-is-less-secure-than-your-gm-1683777281

Broadhurst, R. (2006). Developments in the global law enforcement of cyber-crime. Policing: An International Journal of Police Strategies & Management, 29(3), 408–433. doi:10.1108/13639510610684674

Hadnagy, C. (2011). Social Engineering: The Art of Human Hacking. Indiana: John Wiley.

Herley, C., van Oorschot, P.C., & Patrick, A.S. (20). Passwords: If We’re So Smart, Why Are We Still Using Them? Financial Cryptography and Data Security, LNCS (Vol. 5628, pp. 230-237).

Levi, M. (2008). Organized fraud and organizing frauds: Unpacking research on networks and organization. Criminology & Criminal Justice, 8(4), 389–419. doi:10.1177/1748895808096470

Reardon, B., Nance, K., & McCombie, S. (2012). Visualization of ATM Usage Patterns to Detect Counterfeit Cards Usage. Proceedings of the 45th Hawaii International Conference on System Science (HICSS). Hawaii (pp. 3081-3088). doi:10.1109/HICSS.2012.638

Turgeman-Goldschmidt, O. (2008). Meanings that hackers assign to their being a hacker. International Journal of Cyber Criminology, 2(2), 382–396.

Wall, D. S. (2015). The Internet as a conduit for criminal activity. In A. Pattavina (Ed.), Information Technology and the Criminal Justice System (pp. 77-98). London: Sage Publications.

Key Terms and Definitions

Authorization: Authorizing electronic transactions done with a credit card and holding this balance as unavailable until either the merchant clears the transaction or the hold ceases.

Call for Authorization: Also known as CFA. A message that may come up when attempting to purchase something using a credit card. Requires the store to call in and verify the transaction.

Carding: Illegal use of a credit card. When criminals use carding to verify the validity of stolen card data, they test the card by presenting it to make a small online purchase on a website that has real-time transaction processes. If the card is processed successfully, the thief knows the card is still good to use.

Card-Not-Present Fraud: Card-not-present fraud is when you make purchases over the phone or internet using card details without the card being physically presented.

Credit Card Fraud: Defined as the fraudulent acquisition and/or use of credit cards or card details for financial gain.

Cybercrime: Either crimes where computers or other information technologies are an integral part of an offence or crimes directed at computers or other information technologies (such as hacking or unauthorized access to data).

Hacking: Criminals can hack into databases of account details held by banks that hold customer information, or intercept account details that travel in unencrypted form. Hacking bank computers can lead to the withdrawal of sums of money in excess of account credit balances.

Identity Document Forgery: The process by which identity documents issued by banks are copied and/or modified by unauthorized persons for the purpose of deceiving those who would view the documents about the identity of the bearer.

Merchant: Account that allows businesses to process credit card transactions.

Risk Appetite and Tolerance: Can be defined as ‘the amount and type of risk that an organization is willing to absorb in order to meet their strategic objectives.’

Citation: DeFilippi, Dan and Katina Michael. "Credit Card Fraud: Behind the Scenes." Online Banking Security Measures and Data Protection. IGI Global, 2017. 263-282. Web. 6 Jan. 2018. doi:10.4018/978-1-5225-0864-9.ch015

High-Tech Child's Play in the Cloud

Introduction

The “internet of things” mantra promotes the potential for the interconnectedness of everyone and everything [1]. The fundamental premise is that embedded sensors (including audio and image) will herald in an age of convenience, security, and quick response [2]. We have become so oblivious to the presence and placement of sensors in civil infrastructure (e.g., shopping centers and lampposts) and computing devices (e.g., laptops and smartphones) that we do not question their placement in places of worship, restrooms, and, especially, children's toys [3].

The risk with consumer desensitization over the “sensors everywhere” paradigm is, at times, complacency, but, for the greater part, apathy. When functionality is hidden inside a black box or is wireless, consumers can underestimate the potential for harm. The old adage “what you don't know won't hurt you” is not true in this context and neither is the “I have nothing to hide” principle. Form factors can play a significant role in disarming buyers of white goods for households and gifts for minors. In context, the power of a sensor looks innocent when it is located in a children's toy, as opposed to sitting atop a mobile closed-circuit television policing unit.

Barbie is Watching

The Mattel Vidster is a digital tapeless camcorder that was marketed as a children's toy. It features a 28-mm LCD display, a 2x digital zoom, and records into AVI 320 × 240 video files encoded with the M-JPEG codec at 15 frames/s, with 22-kHz monaural sound. It also takes still photos.

An example of this shift in context is Mattel's Video Girl Barbie doll, launched in July 2010 [4]. It features a fully functional standard-definition pinhole video camera embedded in Barbie's chest, with a viewing screen on her back. Young children (Mattel is targeting ages six years and above) are supported by user design to make use of “doll's-eye-view” to record Barbie's point of view for up to 30 min. They can then create movies using the accompanying StoryTeller software. Video Girl comes with a (pink) USB plug-in cord for easy upload of the recorded footage. Initially, Mattel provided storage space for video makers in the cloud to share movies (http://barbie.com/videogirl), but the company later recanted and eliminated this video-sharing capability. We have speculated that one of Mattel's reasons for doing so was because it was faced with potential footage recorded at ground level that exposed young, carefree children at play.

The Barbie Video Girl doll—Create movies from Barbie's point-of-view with a real video camera inside the doll (the camera lens is in the necklace, and the video screen is on her back).

In his book Cybercrime, Jonathan Clough makes it clear that offenses for child pornography are stipulated in Title 3, Article 9 of the Cybercrime Convention as producing, offering or making available, distributing or transmitting, procuring, or possessing child pornography [5], [p. 281]. While definitions of what constitutes an offense under child pornography laws vary greatly from one country to the next, court cases worldwide are providing clear precedents for unacceptable behaviors. It is quite possible that Mattel did not wish to find itself in the precarious situation of “offering or making available” debatable imagery of young children or as a potential, albeit accidental, accessory for possession. In essence, this places the manufacturer at the mercy of those who would label them as groomers or even procurers of child pornography, engineers of another insidious arm of the child pornographer. Three of the offenses that constitute the “making available” category of child pornography laws include to publish, make available, and show [5], [p. 287]. Mattel had obviously not thought through all the pros and cons associated with video sharing by minors. In fact, in most social media web sites, Facebook and Instagram included, policies preclude those under the age of 13 from registration and participation.

Four months after the official launch of Video Girl, the U.S. Federal Bureau of Investigation (FBI) privately issued a warning that the doll could be used to produce child pornography [6]. On 30 November 2010, in a situational information report “cybercrime alert,” from its Sacramento field office, the FBI publicly announced in a statement that there was “no reported evidence that the doll had been used in any way other than intended” [7], [8]. However, the report also stated that the FBI had revealed that there was an instance where an individual convicted of distributing child pornography had given the Barbie doll to a 6-year-old girl. In addition, there were numerous instances where a concealed video camera had recorded child pornography as well. All of these events are unsurprising [9]. The most obvious form of possession, with respect to the Barbie, would be if the accused had the item in his or her “present manual custody.” For example, if the defendant was found to be holding a Video Girl Barbie doll containing child pornography images or video, then, subject to the requirement of knowledge, he or she would be in possession of those images or video. In addition, if the doll was likewise found in the defendant's physical control (e.g., in his or her house), even that would constitute an offense.

There are professionals who have filmed Video Girl Barbie in a sexualized manner [10], but that in itself is not an offense. Although the YouTube video that compares the camera quality of the Canon 7D to Video Girl is unlisted (only people who know the link to the video can view it, and unlisted videos do not appear in YouTube search results), it sadly shows what distortion is possible through adult eyes, through using arguably borderline “adult” humor. In the YouTube comments for the video, Naxell wrote, “[t]hat USB in the back and the leg batteries make this seem like some kind of bizarre multipurpose sex gynoid,” while Marcos Vidal wrote, “Well, think on the Barbie's use; it can spy—with Cannon 7D, it's a lot harder.” While no one is claiming that Vidal was referring to the recording of a child for duplicitous reasons, it certainly suggests that Barbie could be used as a covert camera. Essentially, it is taking a form of child's play and making that an asset of the cloud for future use and possible manipulation. And this is just a fundamental issue in the new type of cybercrime—that “the advent of digital technology has transformed the way in which child pornography is produced and distributed” [5], [p. 251]. In essence, child pornography can be defined as “the sexual depiction of a child under a certain age” [5], [p. 255].

Marketing Mishaps

While we do not need to point to a video someone has made of Barbie and her super-power recording prowess “under the hood,” we can simply look at Mattel's poor taste in advertising strategy for the Video Girl doll as a children's toy. The key question is whether those who engineered the doll at Mattel understand that they are accountable for the purposeful user design and user experience they have created [11]. In a press release, the company stated, “Mattel products are designed with children and their best interests in mind. Many of Mattel's employees are parents themselves, and we understand the importance of child safety—it is our number one priority” [12].

The Barbie Video Girl doll is “doll vision” for ages 6 and above.

At the time of the online media content review in early 2011, one of the authors, Katina Michael, was horrified to find some disturbing ways in which Mattel had softly launched the product. In fact, the doll sold out at Wal-Mart in its first release. The other author, Alexander Hayes, purchased a Barbie Video Girl in 2010 to inform his Ph.D. research on point-of-view technologies, and he told Katina that the doll was “hideous…a manifestation of the most cruel manner in which to permeate a child's play.” Katina agreed and noted that the purchased Barbie would remain forever unopened because the packaging itself formed a part of the bigger picture they would need to use for a stimulus for discussion to public audiences. Katina used the packaged Barbie during her presentation at the Fourth Regional Conference on Cybercrime and International Criminal Cooperation, which was well attended by law enforcement agencies, legal personnel, and scholars in the social implications of technology [13]. The Video Girl Barbie also made further appearances at the February 2012 SINS Workshop, “Point-of-View Technologies in Law Enforcement” [14], and an invited workshop at which Katina and Alexander spoke, the 2013 INFORMA Policing Technology Conference on the theme “Bring Your Own Body-Worn Device” [15].

In July 2010, Mattel released Barbie Video Girl, a doll with a pinhole video camera in its chest enabling clips up to 30 min to be recorded.

Perhaps the most disturbing and disappointing aspect of the Video Girl Barbie was the way in which the doll was marketed. On the packaging was the statement “I am a real working video camera.” This vernacular is akin to adult sex workers and does not fit with societal moral and ethical frameworks by which we protect innocent children. It is questionable why the word working was introduced into the phraseology. In essence, Video Girl Barbie is a photoborg [16]. She is reminiscent of Mattel's Vidster video camera toy for kids [17], cloaked in the form of a Barbie doll. Elsewhere, Mattel mentions: “Necklace is a real camera lens!” But the location of the camera on the chest looks less like a necklace and more like cleavage with an additional statement: “This Barbie has a hidden video camera” [18]. There was also a picture of Barbie depicted on her knees with a visual didactic stating “for easy shooting,” indicating the three steps to making a movie. The storytelling video demo scenario Mattel used had to do with cats at the vet and was generally in poor taste. The cat was depicted getting her heartbeat monitored in one video scene, getting an X-ray in another, and then finding herself in a basket with another cat and finding love, with a heart symbol depicted above the cats' heads.

Comments varied for iJustine's video “OMG Video Girl,” which has more than 1.4 million YouTube views [19]. Here was a female adult commenting on a toy for kids. Taylor Johnson wrote, “My Favorite was the vet Barbie! Haha!” Mssjasmine commented, “That doll is kinda creepy (like a pedophile would buy that to watch little kids…ew).” Sam Speirs similarly wrote, “This ‘toy’ of yours will/could be used as a major predator trap! And I know that the idea was for the girls to have a camera [to] do stuff, but, seriously, it's a concealed camera in a popular little girl's toy…Creepy, if you ask me!” Another product reviewer of children's toys wrote: “Barbie sees everything from a whole different angle” [20]. There were several “Boycott Barbie” websites found in 2011: “Get Rid of Barbie Video Girl” Facebook page and “Boycott Porno Barbie.”

A child plays with traditional dolls. Today, we are making dolls that are connected to the cloud and use artificial intelligence to listen to questions from children and provide them answers over the Internet without human intervention. Soon, we will be asking the question “what is real?”

Perhaps the worst example of Mattel's approach in this product was its initial press release (sent to TechCrunch by the PR firm responsible), which stated: “Unsuspecting subjects won't know that Barbie is watching their every move…” [21]. Issues for Mattel to consider have much to do with corporate responsibility. Excluding the potential for pedophiles to use this technology to cause harm, what happens if innocents produce illegal content which would otherwise mean criminalization? Could the doll be used to groom and seduce victims of child pornography?

Hello? Barbie is Listening

But Mattel, like most high-tech manufacturers, has not stopped there. Convergence has become an integral part of the development cycle. If the Barbie Video Girl doll seemed amazing as a concept, then the Hello Barbie doll has outdone it. In its own words, Mattel states that the Hello Barbie is “a whole new way to play with Barbie!” She differs from Barbie Video Girl in several ways. The doll still comes equipped with a whole bunch of electronics, but Hello Barbie uses speech-recognition technology to hold a conversation with a child and only allows for still-shot photo capture. The product information page on Mattel's website reads:

Using Wi-Fi and speech-recognition technology, Hello Barbie doll can interact uniquely with each child by holding conversations, playing games, sharing stories, and even telling jokes! […] Use is simple after set up—push the doll's belt buckle to start a conversation, and release to hear her respond […] To get started, download the Hello Barbie companion app to your own smart device from your device's app store (not included). Parents must also set up a ToyTalk account and connect the doll to use the conversational features. Hello Barbie doll can remember up to three different Wi-Fi locations [22].

Thus, the doll transmits data back to a service called ToyTalk. Forbes reported that ToyTalk has terms of service and a privacy policy that allow it to “share audio recordings with third-party vendors who assist [Mattel] with speech recognition.” Customer “recordings and photos may also be used for research and development purposes, such as to improve speech recognition technology and artificial intelligence algorithms and create better entertainment experiences” [23]. There is, however, a “SafePlay” option, where parents and guardians are still “in control of their child's data and can manage this data through the ToyTalk account at any time” [22].

To manage SafePlay, parents must visit www.mattel.com/hellobarbiefaq to get more information, or call +1 888 256 0224—and every parent will certainly have time to do this [24]. “Parents must also set up a ToyTalk account and connect to use the conversational features…Use of Hello Barbie involves recording of voice data; see ToyTalk's privacy policy at http://www.toytalk.” Of course, it is not the parents who will end up downloading these apps but the children.

Continued Infiltration

This raises many questions about the trajectory of toys and everyday products that increasingly contain networked features that introduce new parameters to what was once innocent child's play, unseen and carefree. First, Samsung launched a television set that can hear household conversations [25], and now we are to believe that it is the real Barbie who is “chatting” with our children. Are we too blind to see what is occurring? Is this really play? Or is it the best way of gathering marketing data and instituting further manipulation into those too young to know that the Barbie talking to them is not real and actually a robot of sorts? Just like we were once oblivious to the fact that our typed entries in search boxes were being collated to study our habits, likes, and dislikes, we are presently oblivious to the onslaught of products that are trying to infiltrate our homes and even our minds.

A spate of products has entered the market doing exactly the same thing as Hello Barbie but targeting a variety of vertical segments—from Amazon Echo for families who allegedly need a cloud connector because they cannot spell words like cantaloupe [26], [27] to NEST's thermostat and smoke-detection capability that doubles as human activity monitoring and tracking (NEST says so openly in its promotional commercials) [28], to DropCam's reconnaissance video recordings of what happens in your household 24/7, just in case there is a perpetrator who dares to enter [29].

Cayla is Talking—And It's Not Always Pretty

Perhaps our “favorite” is the My Friend Cayla doll [30], which connects to the cloud like the Hello Barbie. She is seemingly innocent but has shown herself to be the stuff of nightmares, akin to the horror movie Child's Play featuring the character Chucky [31]. On the Australian Cayla page, potential buyers are again greeted by a splash page with a cat on it: “I love my cat Lily. I will tell you her story.” Cayla is depicted talking to two little girls. The British Christmas best seller is effectively a Bluetooth headset dressed as a doll. With the help of a Wi-Fi connection (like Hello Barbie), she can answer a whole lot of tough questions, Amazon Echo style, and you would be surprised at her capacity [32]. But security researcher Ken Munro from Pen Test Partners put Cayla to the test and identified some major security flaws that could give perpetrators a way in. In essence, Cayla was hacked. She was made to speak a list of 1,500 strong words and expletives, and her responses to questions were modified [33].

This reminds us of the 2015 article in IEEE Technology and Society Magazine by K. Albrecht and L. McIntyre on IP cameras that double as baby monitors [34]. The moral of the story is the same whether the cloud-connected device is a children's monitor, children's toy, desktop game for kids, television console, Q&A tool for households, or a plain-old Wi-Fi-enabled smoke detector or thermostat: if it's connected, then it's vulnerable to security hacks and breaches in privacy [35]. Worse still, if it can talk back to you in the spoken word, then you need to think about the logic behind the process and what we are teaching our children about what is human and what is not. If these electronics products are going back to the Internet seeking results, then don't be surprised if nonphysical autonomous software robots one day begin to spit out bizarre answers and manipulative responses based on what is out there on the Internet.

As Kate Darling said in a Berkman talk at Harvard University in 2013, “[s]o not to undermine everything that I've just said here, but I do wonder…Say McDonald's gets its hands on a whole bunch of children's toys that are social robots and interacts with the kids socially, and the toys are telling the kids…to eat more McDonald's, and the kids are responding to that. That is something that we also need to think about and talk about, when these things start to happen. They could be used for good and for evil” [36]. If only that is all they will be saying to the next generation!

Katina visited the My Friend Cayla website recently and found this message: “Due to changes in the external website which Cayla gets some information from, she is temporarily unable to answer some types of questions. Cayla can still talk about herself, do maths and spelling, and all other functions are unaffected. A free app update will be issued (for both iOS and Android users) within the next two weeks with a fix. Thank you for your understanding” [37]. Keeping our children safe and aware of the difference between virtual and real is one thing, but, if we aren't careful, we will soon welcome a future where My Friend Cayla might well be facing off against Hello Barbie in another Child's Play blockbuster.

References

1. K. Albrecht, K. Michael, "Connected to everyone and everything", IEEE Technol. Soc. Mag., vol. 32, no. 4, pp. 31-34, 2014.

2. M. G. Michael, K. Michael, C. Perakslis, "Uberveillance the Web of Things and People: What is the culmination of all this surveillance?", IEEE Consumer Electron. Mag., vol. 4, no. 2, pp. 107-113, 2015.

3. K. Michael, "Wearable computers challenge human rights", ABC Science, July 2013, [online] Available: http://www.abc.net.au/science/articles/2013/07/24/3809675.htm.

4. Barbie's video girl, Sept. 2015, [online] Available: http://service.mattel.com/us/TechnicalProductDetail.aspx?prodno=R4807&siteid=27&catid1=508.

5. J. Clough, Principles of Cybercrime, Cambridge Univ. Press, 2010.

6. A. Toor, FBI says video Barbie girl could be used for ‘child pornography production’, Dec. 2010, [online] Available: http://www.switched.com/2010/12/03/fbi-video-barbie-girl-could-be-used-for-child-pornography/.

7. FBI memo raises Barbie child pornography fears, BBC News, Dec. 2010.

8. M. Martinez, FBI: New Barbie ‘Video Girl’ doll could be used for child porn, CNN, Dec. 2010.

9. D. M. Hughes, "The use of new communications and information technologies for sexual exploitation of women and children", Hastings Women's Law J., vol. 13, pp. 127, 2002.

10. Canon 7D vs. Barbie Video Girl, Dec. 2010, [online] Available: http://www.youtube.com/watch?v=uLmgXk4RlOc.

11. A. Hayes, FBI pornography Barbie, Dec. 2010, [online] Available: http://uberveillance.com/blog/2010/12/30/fbi-pornography-barbie.html?rq=barbie.

12. S. Fox, "FBI target new Barbie as child pornography threat", LiveScience, Sept. 2015, [online] Available: http://www.livescience.com/10319-fbi-targets-barbie-child-pornography-threat.html.

13. K. Michael, "The FBI's cybercrime alert on Mattel's Barbie video girl: A possible method for the production of child pornography or just another point of view", Conf. Cybercrime and Int. Criminal Cooperation, May 19–20, 2011.

14. K. Michael, M. G. Michael, "Point of view technologies in law enforcement" in The Social Implications of National Security, Sydney Univ., 2012. 

15. K. Michael, A. Hayes, "WORKSHOP | Body worn video recorders: The socio-technical implications of gathering direct evidence", INFORMA Police Technology Forum 2013, Mar. 2013.

16. K. Michael, "Wearables and lifeblogging: The socioethical implications", IEEE Consumer Electron. Mag., vol. 4, no. 2, pp. 80, 2015.

17. Mattel's Vidster is for kids, Sept. 2015, [online] Available: http://gizmodo.com/124713/mattels-vidster-is-for-kids.

18. VideoGirl, May 2011, [online] Available: http://www.barbie.com/videogirl/.

19. OMG Video Girl!, May 2011, [online] Available: http://www.youtube.com/watch?v=kSCfbSKSxMc.

20. "TimeToPlayMag", Barbie video girl doll from Mattel, [online] Available: http://www.youtube.com/watch?v=YKqrTycSHIQ&NR=1&feature=fvwp.

21. P. Carr, Feds finally closing the net on America's most wanted Barbie (since Klaus), May 2013, [online] Available: http://techcrunch.com/2010/12/03/you-can-brush-my-hair-arrest-me-anywhere/.

22. "Hello Barbie™ Doll—Light brown hair", Mattel Shop, Sept. 2015, [online] Available: http://shop.mattel.com/product/index.jsp?productId=71355596.

23. J. Steinberg, This new toy records your children's private moments—Buyer beware, Forbes, Mar. 2015.

24. High-tech Barbie sparks privacy concerns parental backlash, ABC News, Sept. 2015.

25. N. Grimm, Samsung warns customers new Smart TVs “listen in” on users' personal conversations, ABC News, Mar. 2015.

26. Introducing Amazon Echo, Dec. 2015, [online] Available: https://www.youtube.com/watch?v=KkOCeAtKHIc.

27. Amazon Echo, Sept. 2015, [online] Available: http://www.amazon.com/gp/product/B00X4WHP5E?*Version*=1&*entries*=0.

28. L. Whitney, Google closes $3.2 billion purchase of Nest, C|NET, Feb. 2014.

29. G. Kumpara, Google and NEST acquire Dropcam for $555 Million, TechCrunch, June 2014.

30. My Friend Cayla, Sept. 2015, [online] Available: http://www.myfriendcayla.com/.

31. "MovieClips Extras", Child's play behind the scenes—Making a nightmare (1988)—HD, Sept. 2015, [online] Available: https://www.youtube.com/watch?v=2EUwq9acGB8.

32. D. Moye, Talking Doll Cayla hacked to spew filthy things, Huffington Post, Sept. 2015.

33. N. Oakley, My Friend Cayla doll can be HACKED warns expert—Watch kids' toy quote 50 Shades and Hannibal, Sept. 2015, [online] Available: http://www.mirror.co.uk/news/technology-science/technology/friend-cayla-doll-can-hacked-5110112.

34. K. Albrecht, L. McIntyre, "Privacy nightmare: When baby monitors go bad", IEEE Technol. Soc. Mag., vol. 34, no. 3, pp. 14-19, 2015.

35. K. Goldberg, "Cloud Robotics Intro", Talks at Google, Sept. 2015, [online] Available: https://www.youtube.com/watch?v=IzUXT3_7tWc.

36. K. Darling, Kate Darling on near-term ethical legal and societal issues in robotics, Berkman Centre, Sept. 2015.

37. Meet Cayla, My Friend Cayla, Sept. 2015, [online] Available: http://myfriendcayla.co.uk/cayla.

Keywords: Cameras, Sensors, Consumer electronics, Motion pictures, Computer crime, YouTube, Context, social aspects of automation, cloud computing, Internet of Things, children toys, high-tech child play, cloud, Internet of Things, embedded sensors, civil infrastructure, computing devices

Citation: Katina Michael, Alexander Hayes, High-Tech Child's Play in the Cloud: Be safe and aware of the difference between virtual and real, IEEE Consumer Electronics Magazine (Volume: 5, Issue: 1, Jan. 2016), pp. 123-128, Date of Publication: 11 December 2015. DOI: 10.1109/MCE.2015.2484878