> But based on the records they did have, the government estimated that Ngo’s service enabled approximately $1.1 billion in new account fraud at banks and retailers throughout the United States...
Krebs really should have pressed this issue. Law enforcement always inflates these numbers significantly. They use sentencing guidelines to arrive at "financial losses" that aren't real.
For those who aren't aware, US Federal Sentencing Guidelines are how federal courts determine what punishment someone will receive. In many types of crimes they don't use true loss values because it would be very hard or impossible to determine. Instead they assign a fixed amount per instance.
For example, a single stolen credit card number may be considered $500 in fraud, even if the card was never used by the person being sentenced. I don't know if this is the current amount but it was 15 years ago when I was sentenced.
If someone has a database of 1000 credit card number they hacked, the court considers it to be $500,000 worth of fraud.
It makes sense in small cases but in larger ones like this it vastly inflates the amount of actual fraud.
The story was clear that this was only an estimate of damages. It also stated clearly that the investigators were somewhat constrained by the fact that Ngo's services did not keep reliable records of sales -- only what customers searched for.
I should add that in this case, a search for John Smith in Massachusetts would turn up all the John Smiths in Mass. The resulting sale (if there was one) could have been for all of the John Smiths in Mass, some of them, or just one. We don't know. This also made the notification of victims much more difficult.
> “He was selling the personal information on more than 200 million Americans and allowing anyone to buy it for pennies apiece.”
If 1% of those is used to commit $500 in credit card fraud that's $1B in hard losses without considering the cost to those 2M people cleaning up the mess.
This kind of reasoning also makes it hard in pyramid-scheme calculations.
When people say they lost X Billions from Madoff or whoever it's hard to know how much of that was on-paper losses. If I put in $10, got told I had $100 in earnings, then got $0 back, did I lose $10 (+ opportunity costs) or $100?
It depends on how they do it. In my case I had a DB on my computer with thousands of cards. They could have used those cards as part of my sentencing but didn't. Instead they tried to estimate losses based on cards they believed I used.
I don't know if it was correct but it seemed like a more reasonable way to do it.
Krebs really should have pressed this issue. Law enforcement always inflates these numbers significantly. They use sentencing guidelines to arrive at "financial losses" that aren't real.
For those who aren't aware, US Federal Sentencing Guidelines are how federal courts determine what punishment someone will receive. In many types of crimes they don't use true loss values because it would be very hard or impossible to determine. Instead they assign a fixed amount per instance.
For example, a single stolen credit card number may be considered $500 in fraud, even if the card was never used by the person being sentenced. I don't know if this is the current amount but it was 15 years ago when I was sentenced.
If someone has a database of 1000 credit card number they hacked, the court considers it to be $500,000 worth of fraud.
It makes sense in small cases but in larger ones like this it vastly inflates the amount of actual fraud.