A Conversation about Surveillance and Assessment of Online Payments-Related Crimes

6/30/2021

Trish Supples: Hello, welcome to the Economy Matters podcast. I'm Trish Supples, with the Federal Reserve Bank of Atlanta. This episode is the first in a series spotlighting an Atlanta Fed strategic priority focused on safer payments innovation. The Atlanta Fed has payment expertise gained from our roles as network operator, supervisor, and researcher, and we're seeking to amplify that expertise by partnering with select academic institutions to conduct research and experiments. Our goal is then to share what we learn to educate the industry, which may lead to better solutions or operational practices—safer payments innovation.

Today, I'm joined by David Maimon, associate professor and director for Georgia State University's Evidence-Based Cybersecurity Research Group. Professor Maimon and I will discuss a growing partnership between the Atlanta Fed and Georgia State, focused on the surveillance and assessment of online payments-related crimes and fraud. Welcome, Professor Maimon—David—thanks so much for joining. Would you share what the Evidence-Based Cybersecurity Research Group does?

David Maimon: Thank you so much for having me, Trish. The Evidence-Based Cybersecurity Research Group is an interdisciplinary group of scholars from various disciplines—including criminology, political science, computer science, computer information systems, psychology, sociology—who work together on various issues that are related to cybercrime and cybersecurity. Our goal is, essentially, to try and understand what works and what doesn't in the context of the cybersecurity discipline—the cybersecurity field—in the sense of the tools we're using—the different tools we're using to protect our organizations, as well as our own computers as individuals—as well as the policies many organizations are using in order to try and reduce the risk of victimization for different types of cybercrime they experience. We have a fairly large group of professors and students working with us on all these issues, and our end goal is to really understand what works and what doesn't in the context of this field.

David Maimon of Georgia State University and Trish Supples of the Atlanta Fed recording a podcast episode.

Supples: That's really interesting, David. Could you maybe give an example, some context, about what type of work that you undertake?

Maimon: Of course. We engage in various types of research. Our research spans from understanding different types of online fraud—we try to understand hacking, we try to understand hacking careers, how hackers begin their hacking career and then progress throughout life in this type of illegal activity. We try to identify victims of online fraud as well as victims of online crime, make sure that they are aware of their victimization, and understand how we can mitigate the consequence of crime for these individuals. We study smartphones and folks' susceptibility to become victims over their smartphones. And we also spend a lot of time understanding darknet platforms and encrypted communication channels, on which we've seen a lot of illegal activities taking place during the last seven years or so.

Supples: We hear a lot about the darknet and encrypted criminal channels, and I know that's some of the basis of our partnership. Could you elaborate a little bit more about what the darknet is, and what do you mean by "criminal channels?"

Maimon: Of course. In order for one to understand that, I really need to go back and make sure we're all on the same page with respect to what the internet is, what the clearnet is, and I will try to do that without really diving deep into those concepts. So the internet is essentially a network of computers connected to each other and allowing folks to communicate, transfer information, between the different computers and routers and servers that are connected on the network. The clearnet essentially allows those individuals to communicate with each other using protocols as well as browsers that we're all familiar with—browsers like Firefox, Google Chrome, or Safari. These are all browsers that at the end of the day allow us to connect to the clearnet and search for the information we look for, consume videos, purchase stuff over the clearnet, and so on.

The darknet is very similar in this sense to the clearnet, but it requires different browsers in order to access it. One important thing that we need to understand in the context of the clearnet is the fact that it doesn't really allow you a similar level of anonymization to the level of anonymization that the darknet allows you. In other words, when you use the clearnet and use specific protocols, it's very easy for folks to track the computers you're communicating with, or from, and then sort of assign responsibility to your behavior, so to speak.

When you do that on the darknet, on the other hand, you have an extended level of anonymity that makes the task of tracking who you are and the computers you're communicating from more complicated. That's essentially why we call the darknet the "dark" net because again, people are essentially in the dark trying to figure out who you are and the computer you're communicating from. Encrypted communication channels, on the other hand, are text messaging apps—apps like Telegram, WhatsApp, Discord, Jabber—text message apps which, at the end of the day, allow folks to communicate with each other safely without having the stress of someone monitoring and being able to track what it is that they're discussing.

Supples: I use WhatsApp for my personal communication. It sounds like you're saying that there's another side of the use of these types of messenger apps, and they're being leveraged by criminals—and I know that I've seen that there are sometimes payments-related information that's found on these channels. Can you give a little context of the type of payments-related data that might be found on these markets, and who runs them, and how do they actually engage between a criminal who's selling illicit information and someone who's buying? That would be interesting.

Maimon: Anonymity that is provided by both darknet platforms as well as encrypted communication channels is being used by criminals because at the end of the day it's very difficult for law enforcement agencies to track who these guys are, as well as the type of communication they had while using those platforms. And so we see a lot of activity related to online payments being performed on those platforms, which includes folks selling bank accounts or credentials to bank accounts. We see a lot of activity related to folks establishing synthetic identities or fake identities under which customers—online offenders—open bank accounts and start using those bank accounts to launder money, transfer money from one account to another, use those bank accounts to recruit mules, send money to mules, receive money from mules. A lot of the communication between these actors of course takes place over those encrypted communication channels and darknet platforms, and we see a lot of that in the form of screenshots that criminals post in order to both recruit people to join their groups, as well as market their commodities. Many of the vendors, many of the users of those encrypted communication channels—as well as darknet platforms—simply try to sell the illegal commodity they have, and they use those platforms to do so.

Supples: Okay. So if you were thinking about it, it could almost be similar to online auction sites or platforms where we might go to buy something that's not a criminal activity—but they set it up to kind of look like that, and criminals join and they purchase the goods from other criminals.

Maimon: Sure, very similar—in the context of the darknet and the darknet markets, very similar to the websites we are familiar with, like Amazon and eBay. When you go on those platforms and you go on those websites, you see very similar setups—right?—of those markets, very similar rating systems, which essentially is supposed to increase trust in vendors. In the context of the encrypted communication channels, we're looking at a different setup because in order to open a channel and start selling your goods, you essentially need to open a group posting ads about the type of commodities you have and then hope that people will join the group in order for you to sell, market and communicate with your customers.

Supples: It seems as though criminals are adapting and adopting some of the same technologies that legitimate users are discovering and using them for illicit purposes—at kind of the same pace of innovation. Very interesting. So let's maybe talk about you for a second. What attracted you to this work? Did you always want to be a cybercrime fighter? Or is this something that you discovered after you set upon a different career?

Maimon: That's a really interesting question. I did not have in mind to be a cyber criminologist, that's for sure. My PhD is actually in sociology. When I graduated from The Ohio State University, I was focused on trying to understand the effects of neighborhoods on their residents. Back then, I was studying how the residential environment you live in impacts your deviant outcomes—things like suicidal thoughts, violent behavior, crime in general. But then at some point in my career, I got tired. I told my wife that I would like to go to Australia and pursue a PhD in marine biology. I've always been obsessed with the giant squid, and back then we simply didn't have the giant squid in photos or video, so I told my wife that I would like to give up everything I do and I just want to go and study the deeps—because at this point, we know more about the moon than we know about the deeps, right? The deep sea.

So my wife told me that I'm more than welcome to do that, but she will divorce me because she's tired of being poor as a graduate student. So I had to find something different to do that will keep me as excited, looking for new discoveries and new things. And at some point, one of my colleagues told me—11 or 12 years ago—that there's really not a whole lot of rigorous research in the context of the cybercrime field. So I looked, and I realized that I could come up with some meaningful contribution within the context of this field. I found out about the darknet, and then in a way I replaced the deeps with the darknet and encrypted communication channels. Because my dream was to sit in a submarine in the deeps, turn on a flashlight and discover new creatures, new types of animals—fish—on a daily basis. I couldn't have done that, so I found the darknet as a substitute for that. So now I simply sit in the darknet and in all those encrypted communication channels and find new things on a daily basis.

Supples: That's an interesting analogy—and I'm glad that you made that choice, and that you're still happily married.

Maimon: Same here.

Supples: This might date me, but you're sort of like the Jacques Cousteau, then, of cybercrime.

Maimon: [laughs] Right.

Supples: So, I'm just going to share one story with you, just because I think it's a little bit of a parallel to what we're talking about. Years ago, I was working and volunteering at a church when my purse was stolen. And at the time, I wasn't using the internet to pay for items or even to store my ID. But I did have to call credit card issuers, and I had to make that dreaded trip to the auto bureau to get my license replaced. But ultimately, what I lost was a little bit of cash, some time, and some trust in the goodness of others. But now, of course, the internet underpins all of our work and our home lives, for those of us privileged to have consistent access. And I know from what you've already shared—and the work that we're doing—that it's hosting a growing amount of criminal activity. Much of that is related to how we pay for things or identify ourselves.

When I look back at that instance, I was too trusting. I trusted the office workers at the church to watch my belongings consistently, and I trusted the people that were visiting the church to have good intentions. I thought about this and the work that you do, and I wondered if you could share with us how you've observed trust playing a role in payments-related crime.

Maimon: That's a great question. Trust, first of all, is a very important component that we know online criminals rely on when they're trying to victimize us. This whole idea of luring you to give me some information I need requires you to trust me. We see a lot of that in the context of phishing, for example, where we see online criminals sending us an email pretending to be an authority figure—someone like our boss or our bank—that requires us to change a password and username or provide sensitive information. And since we trust those individuals—we believe that the senders actually are trustworthy figures—we give away this kind of information.

So trust is very important in the modus operandi of online fraud. But then, when you were asking this question, I thought about another very important component of trust that we as targets don't even consider, and that is the trust we have in the systems that I was speaking about: the trust we have in the different software, the different companies, the different organizations that are supposed to protect us. We simply trust those organizations, and sometimes because we trust those organizations—that they will do their job—we simply believe that whoever reached our inbox is a reliable individual who we can trust. And so we play along with any request or any ask that the individual on the other end asks us to comply with. So trust is very important in the context of this whole ecosystem of cybersecurity, cybercrime, and specifically in the context of online payments because we as victims trust both the individuals who ask us to comply with their requests to type in a password and username on specific pages that we need to in order to access our online banking, our email, and so on. But at the end of the day, we also trust that the organization we work for—the people who operate the internet, so to speak—that they know what they're doing and that they will prevent us from falling victim to these types of crime.

Supples: That's interesting. I know phishing is a growing crime. So now you went from the deeps to phishing…marine biology humor.

Maimon: [laughs] I know, it's really interesting, and distrust—and I will elaborate a little bit about that in the context of what our group does. We have a tendency, as security officers and as individuals who are trying to protect themselves from becoming the victim of crime, to look for technology and to look for policies which will prevent us from becoming the victims of crime. But at the end of the day, we don't have evidence, rigorous scientific evidence, that suggests that those tools and policies that we have out there are really effective. Even though we don't have this kind of evidence, we're still trusting antivirus software, we're still trusting intrusion-detection systems. We still trust all those tools and policies that the industry came up with. We purchased them, and then at the end of the day we are puzzled when we become the victim of cybercrime. So the trust thing—the trust issue—is definitely something we need to work more on when we are trying to improve the way we do cybersecurity.

Supples: Yes, that is a good point. And I know that you and I have spoken before about perhaps the role of financial institutions in payments-related fraud—you know, large corporations. You just talked about some of the corporations. Would you have anything to say specifically to financial institutions in regards to this type of criminal activity?

Maimon: I think that the way we do things at the moment—trying to protect our organization as well as our customers—is very reactive in nature. We are trying to find victims in the system. We're trying to find accounts which have been compromised after the fact. I think that what needs to be done by the financial system, by banks, by organizations that deal with money, is to take a more proactive approach in identifying those issues. In other words, in my mind, because we trust those organizations to do what they're supposed to do in the sense of protecting our personal identifiers, protecting our bank accounts, we need to be more proactive in identifying those issues as they occur—as well as addressing them and mitigating them in a more efficient way. I think the current way we're doing things is very reactive. We want to be more proactive. We want to be able to identify actors who are trying to victimize our clients and do it more—as well as respond to that more rapidly.

Supples: Yes, I think that's an interesting point. That's one of the reasons that the Federal Reserve is interested in partnering with the Evidence-Based Cybersecurity Research Group, because we want to understand what information is in the darknet, how we can assess that information and figure out how that factors into fraud and crimes like synthetic identity that are created to open up accounts. Oftentimes, they merge and take pieces of a legitimate identity, like someone's social security number, and mix and match it with a different name and address. And it takes a long time for that type of fraud to be detected, and it's growing. So that's one of the focus areas that we will be partnering with, to try to understand more and assess—and then hopefully work with the industry to try to instill some mitigation and effective tactics to address it, proactively. Let me just ask you one last question, David—other than working with the Federal Reserve, what other aspects of your work most interest you?

Maimon: I like the fact that most of what we do is applied. I like the fact that most of what we do can really allow organizations to mitigate the consequences of crime to their clients, mitigate the consequence of online crime to the organization. We do a lot of work with financial institutions around the globe, and I really enjoy the fact that what we find at the end of the day could be used as actionable intelligence to guide financial institutions' efforts to protect their customers, as well as protect their infrastructure. This is what makes me tick, and I look forward to continuing to do this in the next couple of years with the Federal Reserve.

Supples: Well, great. Thank you so much, David, for your time and for sharing some of your insights with Economy Matters. It is reassuring that experts like you and your team are taking meaningful action to address cybercrime. And just so you know, to close that story: months after my purse was stolen, I got it back. The police recovered it from a storage locker, and inside was my license. So at that time, if I had maintained control of my wallet, my future risk seemed minimal. And I hope everyone leaves this podcast thinking about the realization that it's just not that simple today.

And I'd like to give a special thanks to our listeners. To learn more about Economy Matters and the Atlanta Fed's "promote safer payments innovation" strategy, visit atlantafed.org. To learn more about the Evidence-Based Cybersecurity Research Group, visit ebcs.gsu.edu. That's "E" as in Edward, "B" as in boy, "C" as in cat, "S" as in Sam, dot "GSU," dot "edu." Thank you for your time.