Most social networks and other free Internet services have some sort of verification in their sign-up process to make sure that a real person is signing up, and not a bot. Spammers and other cyber criminals wishing to abuse the service will attempt to automate this process so that they can sign up for accounts in bulk. In a recent blog post I described what happens when the value of a service exceeds the cost of signing up for it. That got me wondering what the cost of beating different forms of verification was, so I decided to investigate.
Many cyber criminals are specialists, and to complete a crime may require the interaction of several different specialists selling products, services, or information to each other. For example, Carlos may specialize in stealing credit card numbers using skimmers bought from Heinrich. He sells the credit card information to Milos via a forum operated by Vladimir. Milos uses equipment purchased from Franco to make fake credit cards which are used by Abigail, Betty, and Clarissa to purchase smartphones in the US. These are shipped using a shipping service run by Ahmed to Eastern Europe where they are sold by Dominik. (All names are fictitious, of course.)
In the same way, spammers who require accounts of various sorts in large numbers can simply buy them in bulk from a variety of vendors who do nothing but set up fake accounts. This market is less illegal than credit card fraud, so it is a lot more open. A simple Google search for "bulk yahoo accounts" will turn up vendors selling email accounts in batches of a thousand. Here's a price comparison of the cost per thousand of beating various forms of verification. Some of the more expensive services such as bank and Paypal accounts might not be available in those quantities, but I have scaled up the unit price accordingly.
| Verification | Cost per Thousand |
| --- | --- |
| CAPTCHA | $1.39 |
| Mail.ru email account | $5 |
| Yahoo email account | $10 |
| Hotmail email account | $10 |
| Twitter | $20 |
| Gmail email account (verified) | $100 |
| Facebook | $100 |
| Phone (Google Voice) | $225 |
| Facebook (with profile) | $850 |
| Virtual credit card | $6,000 |
| Bank Account | $13,000 |
| Paypal | $15,000 |
As you can see, the Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA, is extremely cheap to bypass. One service offers "a hybrid system composed of the most advanced OCR system on the market, along with a 24/7 team of CAPTCHA solvers" and claims 90% accuracy. Another service does not even charge by the thousand, but offers software that will solve 60% of CAPTCHAs for $16 a month. In other words, CAPTCHAs will annoy your users and keep a few data miners and script kiddies away, but they provide no defense against a determined attacker.
An email check is not much of a defense, either. Accounts with Mail.ru can be purchased at $5 per thousand, and the more respectable Hotmail/Outlook and Yahoo! accounts are about $10 a thousand. However, phone verified Gmail accounts are starting to get more expensive at $100 per thousand. Social network accounts vary quite a bit as well. Twitter accounts cost $20 per thousand or less - one vendor apparently has excess stock and is currently running a special offer at $9 per thousand.
Facebook, on the other hand, does a considerably better job of validation. Facebook accounts are available for $100 per thousand, and for a Facebook account with a realistic profile you will pay almost a dollar each.
To bypass phone validation you would need a large number of phone lines. You can buy Google Voice accounts at $225 a thousand, but you still have to script a response to whatever validation method comes over the phone, or have a number of phone operators standing by.
Anything requiring validation of a financial account gets much more expensive. Virtual credit cards are available, and though they can be found as cheaply as $6 each, they are typically $10 plus whatever value is stored on the card. You can get a virtual bank account for $13 each, but even more expensive than this are Paypal accounts which start at $15 each and get more expensive the better they have been validated. Fake Paypal accounts also have a fairly short lifespan, as Paypal is getting very good at detecting suspicious activity. However, this is somewhat diluted by the fact that you can have up to eight email addresses associated with a single Paypal account.
So what are the best options if you are a startup with a great idea for a new social network or a great service that you can give away free but still make money? First of all, if you are actually providing something of value to spammers or other cyber criminals, don't rely on just email and a CAPTCHA for validation. If you don't see them as competition, letting people log in with a Facebook account provides a reasonable level of security at minimal cost. Failing that, phone number validation is a reasonable approach. For more security, requiring a minimal Paypal purchase is easy to implement and provides a high level of identity security, though it may discourage customers as your service is no longer free. However, I would recommend this if you are providing resources that can be used for Bitcoin mining, etc.
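To make the "value of an account versus cost of signing up" trade-off concrete, here is an added example (not code from the original post) that computes the expected attacker cost per successfully created account for a chain of verification layers, using the prices from the table above. The pass rate of 1.0 for purchased accounts, the CAPTCHA-solver success rates applied per attempt, and the 100,000 attempts/month used to amortize the $16/month solver software are assumptions.

```python
"""Expected attacker cost per successful fake signup for a chain of
verification layers. Prices are the post's per-thousand figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    cost_per_thousand: float  # attacker's price per 1,000 attempts, USD
    pass_rate: float          # fraction of attempts that clear this layer


def expected_cost_per_account(layers):
    """Layers are attempted in order. A failure at layer k wastes the money
    already spent on layers 1..k and forces a fresh attempt, so
    E[cost per success] = sum_k c_k * prod_{j<k} p_j  /  prod_all p_j."""
    reach = 1.0              # probability that an attempt gets this far
    cost_per_attempt = 0.0
    for layer in layers:
        cost_per_attempt += reach * layer.cost_per_thousand / 1000.0
        reach *= layer.pass_rate
    if reach == 0.0:         # some layer is never passed: infinite cost
        return float("inf")
    return cost_per_attempt / reach


def is_sufficient(layers, value_per_account):
    """Verification pays off when a fake account costs more than it earns."""
    return expected_cost_per_account(layers) > value_per_account


# Layers from the post's table. Pass rates for purchased accounts are an
# assumption (they arrive pre-verified); 90% / 60% are the solver claims.
CAPTCHA = Layer("CAPTCHA solving service", 1.39, 0.90)
CAPTCHA_SW = Layer("CAPTCHA software ($16/mo over 100k attempts)", 0.16, 0.60)
GMAIL_VERIFIED = Layer("Gmail account (phone verified)", 100.0, 1.0)
GOOGLE_VOICE = Layer("Phone (Google Voice)", 225.0, 1.0)
FACEBOOK_PROFILE = Layer("Facebook (with profile)", 850.0, 1.0)
PAYPAL = Layer("Paypal", 15000.0, 1.0)

if __name__ == "__main__":
    value = 0.50  # constructed: what one fake account is worth to a spammer
    for chain in ([CAPTCHA], [CAPTCHA_SW, GMAIL_VERIFIED],
                  [CAPTCHA, GOOGLE_VOICE], [CAPTCHA, FACEBOOK_PROFILE],
                  [CAPTCHA, PAYPAL]):
        names = " + ".join(l.name for l in chain)
        print(f"{names:60s} ${expected_cost_per_account(chain):9.4f}"
              f"  sufficient={is_sufficient(chain, value)}")
```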