Technology

Symantec, the BBC and hype: an tale of how not to report online crime

Online fraud is a serious problem, but that shouldn’t be a reason to turn off your critical faculties when a firm that sells software to deal with online fraud issues a news release on the topic.

On Monday the software firm Symantec (they of the, er…, interesting customer service) issued a press release, which included this combination of claims:

While stolen credit card numbers sell for as little as $0.10 to $25 per card, the average advertised stolen credit card limit observed by Symantec was more than $4,000. Symantec has calculated that the potential worth of all credit cards advertised during the reporting period was $5.3 billion.

The $5.3 billion figure comes from taking the number of stolen credit cards and multiplying it up by $4,000.

But that doesn’t give any real sense of the value of the stolen cards because if a criminal is using a stolen card, they aren’t necessarily going to be able to use it all the way up to its limit:

  • There may already be items outstanding on the card; how often is there nothing outstanding on your card? Even if you pay it off in full each month, it is still quite possible for there to be an outstanding amount on it all the time.
  • His or her transactions may result in the card being stopped before the limit is reached.
  • Not all of the stolen cards are still usable. Many of those for sale have already been blocked.

The give away that this $4,000 per card number doesn’t really mean anything is that the price for buying a stolen card is as low $0.10 – $25, as the Symantec quote makes clear. If stolen cards were really worth something approaching $4,000, they wouldn’t be going that cheap.

Read it all very carefully and the information is there – “potential worth” is the Symantec opt-out that allows the firm to say, “hey, we didn’t say anything untrue”. But the $5.3 billion figures is misleading, and put a big figure in a press release and what do you expect to happen…?

Enter stage left, the BBC and its screaming headline, “Online fraudsters ‘steal £3.3bn'” (which is $5.3 billion translated into pounds and pence). Sounds awful doesn’t it? Bit of a shame it ain’t true though. Even the BBC seems to realise this, because part way through the report it admits:

Symantec said it was likely that many of the cards offered for sale were invalid or cancelled.

In other words, ‘the figure in our headline was worked out based on assumptions that aren’t true’ (no cards invalid, no cards cancelled, full limit available on each). Oops.

P.S. The BBC is by no means alone in taking a meaningless number, repeating it and wrapping it hyperbole. Ironically, included in the other culprits are specialist news outlets who you’d have thought should know about such things, such as Tech Radar (who manage to both say stolen credit cards are really cheap – only 7p! – and also worth huge amounts – £2,650 on average! I guess we’re not meant to ask why criminals sell cards for just 7p if they’re worth so much more on average).

Leave a Reply

Your email address will not be published. Required fields are marked *

All comments and data you submit with them will be handled in line with the privacy and moderation policies.