Transvasive Security

the human factor

On Money Mules and Credential Theft

A threatpost article, “Money Mules, Not Customers, The Real Victims of Bank Fraud” and the paper it references caught my attention today. The premise of the paper is that due to banking regulations and how banks react to fraudulent online transactions affecting consumer accounts, the criminals are effectively stealing not from consumers, but from the “money mules” they recruit to move the stolen money. Brian Krebs, a journalist and blogger who writes about the online criminal underground and information security issues on his blog, Krebs on Security, posted a comment criticizing the authors’ conclusions, specifically calling out that the main victims of theft of banking credentials are small and mid-size business owners, who are liable for losses, and have lost significant amounts of money. I’ve reposted my reply in part below. I largely agree with Brian, however, I do think the authors raise good points about the difficulty of moving money through the banking system, and about the critical role mules play in online bank fraud.


Your point on the fraud losses to small and mid-size business owners with corporate banking accounts is spot-on, and while the paper makes it clear they are mainly addressing the consumer problem, it’s a fair criticism that they’re glossing over a significant portion of online banking fraud, and that they misrepresent the facts by citing the instances in which fraudulent transactions on commercial accounts and not the transactions that couldn’t be reversed.

However, I do believe the paper raises an excellent point about online consumer banking fraud, and online banking fraud in general. It is difficult to transfer money out of accounts, and the mules really do bear much of the risk, and (as you have noted) rarely get paid, and sometimes may not realize what they’re doing is illegal. Their point on the low black market value of stolen credentials relative to account value does indicate that extracting money is difficult, and unlikely to succeed. Even though their rationale on how banks resolve fraudulent transfers means that attackers are effectively stealing from the mules only applies to consumers, I welcome the suggestion that we attack the problem at other points in the chain, and not just passwords. We may do better to disrupt online banking fraud by putting more efforts into making mule recruitment harder.

I would also raise a point not yet covered in the article or the comments: I take issue with the authors’ comments on liability; the auto rental and identity theft insurance markets have little bearing on banks’ decision to offer zero-dollar liability; the reality is, when the consumers’ liability is limited by regulation to $50, offering the extra $50 is trivially inexpensive. When Banks aren’t legally obligated to bear liability, they quite willingly shift it to the account holder, as is the case for US commercial bank accounts. I for one would very much like to see regulators force the issue and limit liability for at least small and mid-size business, since they’re simply not equipped to handle this type of fraud on their own.