Cyber Crime: Real Crime in Virtual WOrlds Some content based on A Feasibility Study of Money...
-
Upload
aubrey-houston -
Category
Documents
-
view
214 -
download
0
Transcript of Cyber Crime: Real Crime in Virtual WOrlds Some content based on A Feasibility Study of Money...
Cyber Crime:Real Crime in Virtual
WOrldsSome content based on A Feasibility Study of Money Laundering and Terrorism Financing in
Virtual Environments by Dr Angela S M Irwin
Typical categories of electronic crime
Paedophilia and sex crimes; Fraud and phishing; Identity theft; Viruses,worms,Trojans and other malicious
code; Denial of service.
Categories of electronic crime
Paedophilia and sex crimes The use of the internet to display and
exchange child pornography (different in other countries);
Companies need to deter employees using company resources for such crimes;
This can be done by limiting internet access and auditing web logs.
Categories of electronic crime
Fraud and phishing Fraud involves tricking users into parting
with money in fake online transactions; Phishing occurs when criminals get personal
information through social engineering or technical means;
Criminals create websites that imitate other websites;
Users get emails directing them to these websites.
Categories of electronic crime
Identity theft Offences using a false identity Offences using a real identity but different
from the perpetrator Includes credit card thefts Business need to secure storage and transfer
of data. Biometrics offer protection against identity
theft
Categories of electronic crime
Viruses, worms, Trojans and other malicious code
A virus is a program that attaches a copy of it’s self to other programs it finds
Worms are similar but multiply without attaching to a another program
Trojans are programs that offer false services and disguising hidden malware
Risks from such attacks can be mitigated using antivirus software
What about financial crime? What about real large scale financial crime in
virtual worlds?
But wait…
“Online communities face money laundering” and “Second Life world may be haven for terrorists” (The Telegraph, 2007)
“Virtual money laundering and fraud: Second Life and other online sites targeted by criminals” (Bank Information Security, 2008)
“Online games are new choice for money laundering: massively multiplayer online role-playing games like 'Second Life' offer a nearly fool-proof way to mask and move money” (Police One, 2010)
“Cash in the millions circulating via games – virtual world provides a more open environment for laundering of money” (Investor's Business Daily, 2011)
“Money laundering using virtual worlds, Bitcoin on watchdog's radar” (Computer World, 2012)
Virtual ML/TF in the news
South Korea established the Korean Cyber Crime Investigation Team to investigate in-game crimes. In 2003, the team fielded over 40,000 complaints—22,000 of which involved activity that occurred in virtual worlds (2003)
U.S. Department of Justice identified how virtual worlds were being used by Mexican drug cartels to launder narcotics funds (2007)
FATF identified virtual currencies and new payment methods as being a money laundering/terrorism financing risk in 2005, 2008, 2010 and 2012
Australian Transaction Reports and Analysis Centre (AUSTRAC) identified virtual-worlds and digital currencies such as Bitcoin© as potential ML/TF threats (2012)
Money laundering/terrorism financing risk?
Determine through in-world experimentation, the likelihood and feasibility of money laundering and/or terrorism financing being carried out in and through virtual environments
Feasibility of using virtual money laundering over, or in addition to, traditional ML & TF methods
Factors examined are:o Ease of useo Time takeno Amount laundered/raisedo Cost to launder/raise fundso Risks mitigatedo Chances of detection
Focus of our research 2009 - 2013
1. What constitutes suspicious behaviour inside a virtual environment and how can illegal and non-illegal transactions be differentiated?
2. How can money laundering or terrorist financing activity be detected in virtual environments when there are potentially millions of transactions per day, millions of individual account holders and no clear signature or pattern associated with money laundering and terrorism financing activity? Can suspicious transactions be detected when activities range from a single transaction to a culmination of months of complex transactional activity?
3. What personal information is collected from an account holder when creating an account with a MMOG or online financial service provider (OFSP)? Can the information collected be associated with an individual in a real-world context?
Research sub-questions
4. Is it practical to use virtual environments such as Second Life to carry out money laundering or terrorism financing activity? How much can be achieved over different timeframes? How does money laundering or terrorism financing in virtual environments compare to traditional methods for the same result?
5. What is the risk of being defrauded in virtual environments? What is the likelihood of stolen financial details being used in these environments?
6. Does cultural background have any impact on the use of virtual environments for money laundering and terrorism financing activity?
Research sub-questions
Research phases
Analysis of real-world ML & TF typologies
Creation of entity relationship models
Review of models to determine which ones might be suitable for in-world replication
In-world observation and evaluation to discover weaknesses which may allow ML & TF to take place
Assessment of OFSPs, payment methods and financial instruments
In-world experiments
Allocation of a feasibility score to each of the virtual scenarios
A review of typology and annual reports from various AML/CTF agencies and regulatory bodies to discover the methods, techniques and behaviours involved in money laundering and terrorism financing activity
A total of 300 typologies collected from:o AUSTRACo Egmont Groupo Financial Action Task Force (FATF),o The Belgian Financial Intelligence Unit (CTIF CFI)
Dates ranged from 1996 to 2009 146 ML and 38 TF cases found to be suitable for analysis and modelling 116 typologies excluded due to incomplete or ambiguous information or not
enough information on financial flows
Analysis of real-world ML/TF Typologies
Analysis of real-world ML/TF Typologies
Individuals/ entities
Transactions
Interactions
Suspicious behaviours
Red flag indicators
Massively multiplayer online games (MMOGs) are computer games in which a large number of players can simultaneously interact in a persistent world – hundreds of thousands of players supported at one time.
Each player controls one or more Avatars Growing in popularity - in 2011, there was estimated to be over 1.7 billion
registered virtual-world account holders. From the third quarter to the fourth quarter of 2011, the total cumulative registered accounts grew by 282 million (+18.9% increase)
Only MMOGs that possessed their own internal economy and in-world currency, which could be purchased and sold inside the virtual environment itself or traded using a number of OFSPs, were selected for review and experimentation in this research - Second Life, Avination and IMVU
In-world observation and evaluation
Online Financial Service Provider (OFSP) is defined as an organisation that can be used to deposit either real-world, digital or virtual funds into a virtual environment
OFSPs were selected based on the following criteria:o They can be used to deposit funds into at least one of the MMOGs under
investigation either directly or indirectlyo They provide a variety of payment methods for uploading fundso There are no (or few) restrictions to the jurisdictions where accounts can be
opened
OFSPs used during the experimentation phase of research:o PayPalo VirWoXo AnsheXo IMVU Credit Express (IMVUCE)
Assessment of OFSPs, payment methods & financial instruments
The information collected from each of the MMOGs and OFSPs: How they work Personal information required to open an account and perform financial
transactions Payment methods accepted for uploading funds Currencies accepted for purchase/exchange of virtual/digital currency Identity and payment method verification procedures in place Know Your Customer/Customer Due Diligence, Anti Money Laundering
/Counter Terrorism Financing and anti-fraud measures in place Terms of service General fees for using the service Fees for sending, receiving uploading and withdrawing funds Daily/weekly/monthly transactions limits Identification of any loopholes or system design flaws that may make the
system vulnerable to attack or exploitation Determination of how the MMOG/OFSP might be used to launder money
or raise funds for terrorism financing
In-world observation and evaluation
12 payment instruments reviewed to determine level of anonymity they afford to users
4 payment methods used in research:
o Pay terminal inside MMOGo PayPalo Prepaid Visa/MasterCard gift cardo Australia Post Load&Go card
These payment methods were used due to:o Difficulty in determining who is opening/operating an accounto No personal details required to open an account/purchase financial
instrumento If personal details are required, no or insufficient account holder
verification procedures carried outo No face-to-face contact
Assessment of payment methods and financial
instruments
In-world experiments
Fictitious personas and accounts they successfully opened
Incomplete information in the typologies examined – amount of funds laundered/raised was not disclosed in a large number of caseso Figures used in experiments may not be representative of ML/TF Type/ML/TF
population Lack of funds available to conduct in-world experiments
o Small amount of funds used to test whether a behaviour, transaction or scenario possible
o Knowledge gained during review, analysis and experiments were applied to determine whether a specific scenario might be successful using larger amounts
o Can not say with any degree of certainty whether ADS would have been triggered had larger sums been used
Lack of tools normally available to ML/TF such as stolen credit cards, stolen identity details and unregistered mobiles not available to this researcho Experiments conducted using real, legal financial details and financial
instrumentso Every attempt was used to preserve anonymity - used financial instruments that
have high levels of anonymity such as prepaid gift cards/Load&Go cardso Experiment stopped if ID documents requested
Inability to make a direct (and accurate) comparison between costs involved in real-world ML/TF and virtual-world ML/TF (i.e. commission paid to middlemen, cost of couriers etc)
In-world experiments
Limitations of research
The experimentation phase of research was split into two stages:
Stage 1 – determine the identity and payment method verification procedures implemented by MMOGs and OFSPs - are the systems currently in place by the MMOGs and OFSPs under investigation sufficient to uncover the identity of those who may wish to use them to conduct money laundering or terrorism financing activity?
Stage 2 – determine whether the money laundering and terrorism financing behaviours discovered during the real-world typological analysis and in-world observation phases of research can be replicated inside virtual environments
In-world experiments
The systems currently in place by all of the MMOGs and OFSPs investigated are wholly inadequate to successfully establish the real-world identities of account holders
None of the information required at the account setup stage is verified and, therefore, cannot be reliably associated with an account holder in a real-world context
All MMOGs leave identity and payment method verification to OFSPs. However, most of these do not have adequate systems in place to successfully verify the identities of their account holders or users either
On the surface, all of the MMOGs an OFSPs collect information on account holders in an attempt to avoid fraud. They each gather an electronic footprint and information about transactions, activity oThe electronic footprint can be circumvented using IP cloaking software and disabling cookieso Information about transactions and activity is useless if the individual cannot be accurately
identified All MMOGs and all but 1 of the OFSPs (Pecunix – does not sell virtual currency directly to the a/h)
accepted unverified payment methods (prepaid gift card and/or Load&Go card) either directly or indirectly
All MMOGs and all but 1 of the OFSPs (eForexGold) allowed us to create accounts using fictitious identity details
All MMOGs and all but 1 of the OFSPs (Pecunix - does not sell virtual currency directly to the a/h) allowed us to transfer virtual funds into and out of the virtual environment using anonymous payment methods directly or using a PayPal account set up using fictitious identity details and anonymous payment method
In-world experiments
Results for Stage 1 experiments MMOGs and OFSPs
Stage 2 – Determine whether the money laundering and terrorism financing behaviours discovered during the real-world typological analysis and in-world observation phases of research can be replicated inside virtual environments and assign a feasibility score to each scenario
In-world experiments
In-world experiments
Stage 2 – Feasibility rating scales
Ease of use:
Time taken to launder/raise funds*:
Amount of funds laundered/raised compared to traditional
methods (overall):
In-world experiments
Stage 2 – Feasibility rating scales
Cost to launder funds/raise funds:
Risks mitigated/addressed:
Chances of detection:
In-world experiments
Stage 2 – Feasibility rating scales
Typical rating scale multiplies the score for each element to produce an overall rating - unsuitable for this research as it would skew the overall resultso A score of .6 or greater for each element may be considered acceptable (resulting
in an overall score of .04 or above as feasible)o Not realistic when some scores are above .6 and some are below .6
o Example 2, would in fact be unfeasible as many of the risks associated with ML/TF still present and chances of detection still being high – not worth the effort – continue to use traditional methods
o Example 1 shows the same score but would be feasible due to most risks mitigated and chances of detection being low
More weighting given to ‘risks mitigated’ and ‘chances of detection’. If these score above .6, a score of .4 is acceptable in one of the other elements
Scenarios where risks mitigated and chances of detection are below .6, even if the other elements receive high scores, the scenario is unfeasible
One caveat to this rule is when the effort and initial cost of setting up and maintaining a scenario far exceed the amount to be laundered/raised
The virtual-world scenarios have varying degrees of complexity - VS1 and VS4 are the easiest to conduct due to limited interaction with the VE. No prior knowledge required of VEs and a basic knowledge of IT and Internet technologies
VS2 and VS3 require some complex steps - Suspect(s) must have at least a basic knowledge (VS2) and good knowledge (VS3) of VEs, IT and Internet technologies
VS5 is the most complicated of the virtual scenarios examined due to the need for very good IT/programming skills
VS6 requires no special skills to carry out the scenario but must have at least a basic knowledge of IT and Internet technologies
All virtual money laundering scenarios require a large number of accounts to be created with many service providers and have a complex system in place for opening, funding and moving funds between accounts to avoid account linking
Large number of stolen or fake identities required to open accounts The level of difficulty increases exponentially as the amount of funds to be laundered
increases The skill levels possessed by many ML and TF exceed the IT an Internet technology skills
required for VSs 1 to 4 and 6 It is unlikely that the typical TF will have the skills necessary to successfully carry out VS5 –
it is likely that these skills will need to be specifically recruited for
In-world experiments
Ease of use of virtual scenarios
All virtual scenarios take longer to conduct compared to their real-world counterpart due to increased number of steps and many time consuming processes involved:
o Obtaining financial instrumentso Setting up accountso Transferring funds between accounts (both internally, to obfuscate the money trail, and
externally, to get the digital/virtual funds back into a currency that can be used in the real-world)
Transactions limits are imposed by all of MMOGs and most of OFSPs, therefore, it takes much longer to launder/raise the same amount of funds (e.g. Second Life has a transaction limit of AUD 83.00 per day for accounts that have been financially active for over 1 month)
o The more funds you want to launder, the more accounts you need to createo The more accounts you need to create, the more labour-intensive the scenario becomes
With VS5, if suitable victims can be found the funds could be attained very quickly. However, as details of the social engineering attack become more well-known, it will become increasingly difficult to find victims
With VS6, there is a two-week lead time for obtaining land inside SL but once the event is set up (could take as little as a few hours to set this up) the funds could start arriving straight away - especially if the donors are known to the event holder(s)
In-world experiments
Time taken to launder/raise funds using virtual scenarios
The amount of funds that can be laundered is significantly less than the real-world scenarios examined
VS1 and VS4 are unsuitable and impractical for laundering sums larger than AUD 300,000 – due to unwieldy increase in time, effort and complexity involved in laundering larger amounts
VS2 and VS3 are suitable for laundering larger amounts (up to 2.8M and between AUD 1.6M and AUD 10M respectively)
o This is due to the wider network of individuals that are involved in both of these scenarios:o workload is spread across the individuals involved, more people
can buy more financial instruments, more accounts can be opened and therefore, more funds can be laundered
With VS5 and VS6 the amount of funds likely to stolen/raised are likely to be low (in the hundreds and thousands rather than hundreds of thousands) – this may be sufficient for TF purposes
In-world experiments
Amount that can be laundered/raised using VSs
Costs relating to VS1 is significant (21.30%) The costs relating to VS4 are also significant (22.4%) – however we were unable to
accurately calculate the true cost to the RW launderer as we cannot accurately cost how much commission might be paid to middlemen, couriers or other hidden costso Most of the costs in VS1 and VS4 relate to unfavourable rates when exchanging real-world
currency to virtual currency and back again The costs relating to VS2 and VS3 are significantly less, 10.59% and 9.01% respectively
o Most of the costs relate to fees incurred by the Second Life businesses for selling virtual products on the SL Marketplace and the fees incurred by the SL fictitious personas for buying the virtual products (buyers and sellers in this scenario are the same)
o Use of SL business accounts means that funds can be drawn in larger amounts as legitimate business income at a lower cost
o Rather than making multiple exchanges as in VS1 and VS4, virtual/digital funds can be converted back into real-world funds inside LindeX exchange and transferred to a PayPal account(s). Therefore, less funds are lost in the exchange
In-world experiments
Cost to launder/raise funds using virtual scenarios
Costs relating to VS5 are significantly less than would be experienced in the real-world scenarioo No travel costs, no skimming hardware, no need to create fake credit/debit cards on
which to withdraw funds Attacks can be carried out from the Suspect’s computer, anywhere in the world The only hardware or equipment required to carry out the attack is a computer and a
prepaid Visa®/MasterCard® gift card or a stolen credit/debit card (to verify the account at setup)
The main costs associated with VS5 are the ones for creating the initial attack script. These costs are significantly reduced if the terrorist organisation has expertise within the organisation or within terror cells. If these skills do not exist the costs are likely to be prohibitive (one attack script may be used only a few times before it comes useless)
Costs relating to VS6 are very small (AUD 100.00 for setting up and advertising a fundraising event) – this is likely to be small compared to the amount of funds that can be raisedo Most of the costs involved in this scenario relate to transferring the funds out of the
virtual environment to a PayPal account (likely to be between 2.9% and 3.4% of the amount collected). These can be subtracted from the amount raised, rather than out-of-pocket expenses
In-world experiments
Cost to launder/raise funds using virtual scenarios
Many of the risks associated with ML and TF are removed:o It is very difficult for MMOG, OFSP (and law enforcement) to discover the real-world
identity of the account holder(s)o Only a small amount of funds are lost if activity is discoveredo It would be extremely difficult to detect whether an individual has created multiple
accountso No need to carry large amount of cash over national borders
Benefits include:o Lack of face-to-face contact when setting up accounts, using financial
instruments/placing funds into VEs (removes an important element of suspicious activity detection)
In-world experiments
Risk mitigated using virtual scenarios
The chances of detection are significantly less than the real-world scenarios due to the high levels of anonymity provided by MMOGs and OFSPs
Electronic footprint can be removed using freely available tools Difficult to connect accounts, activity and transactions if some basic precautions are
taken:o accounts are set up using fictitious or stolen identity details o privacy enhancing software is used that conceals the IP address o the amounts sent between accounts are variableo the transfer values are kept relatively smallo the day and times that transactions take place are varied
These precautions aim to avoid identification of the individual’s real-world identity and activity that shows repetitive patterns
Chances of detection are significantly increased if:o The Suspect(s) does not remove his/her electronic footprint every time he/she enters the
MMOG or users the OFSP – this is difficult to doo The Suspect(s) does not carefully plan his/her activity to ensure accounts cannot be linkedo The MMOG becomes aware that there is a lack of legitimate gaming activity in although
large amounts of funds are being transferred through account(s) on a regular basis
In-world experiments
Chances of detection using virtual scenarios
All but one of the virtual money laundering scenarios would be suitable as a fundraising tool for terrorism financing. Virtual scenarios 1, 2 and 3 are better suited to terrorism financing than money laundering as many of the drawbacks associated with the money laundering scenarios are removed or decreased: o VS1 experienced difficulty in obtaining sufficient prepaid gift cards to
launder large amounts of funds - this issue is significantly reduced in terrorism financing due to terrorists already favouring the use of smurfing techniques to obtain financial instruments or place funds into financial systems
o Human resources are more likely to be in placeo Smaller sums are involved in terrorism financing, therefore, the level of
effort to set up and administer the virtual scenario is reducedo As the amount of funds are less, they can be moved though the financial
system/virtual environment more quicklyo As sums involved are significantly less, the likelihood of suspicions being
raised are likely to be significantly reduced
In-world experiments
Application of virtual money laundering scenarios to terrorism financing
What constitutes suspicious behaviour inside a virtual environment and how can illegal and non-illegal transactions be differentiated?
This research shows that, like real-world environments, there are a number of red flag indicators and suspicious behaviours that may be exhibited by ML/TF when carrying out illicit transactions. RFI may indicate that the account holder may not be a legitimate user
Findings to research sub-question 1
Problem: No procedures or practices in place for identifying, sharing or reporting virtual ML/TF:Potential solution:Establishment of a collaborative information sharing and knowledge management initiative
allowing flow of information between MMOGs, OFSPs, law enforcement agencies, AML/CTF regulators and financial intelligence units
Initiative should include the introduction of a central repository which holds a set of real-world and virtual-world ML/TF behaviour models and red flag indicators for detecting ML/TF activities in real-world and virtual-world environments
MMOGs can report any suspicious behaviours or activities that they see inside their environment by submitting an incident report or creating and submitting a model of the suspicious activity to the information sharing system
AML/CTF agency(ies) can then decide whether they wish to investigate the incident further or determine whether the activity has any relevance/connection to existing investigations or suspicious activity reported by other reporting entities
This system provides stakeholders with an up-to-date picture of the threat landscape, allowing MMOGs and OFSPs to act more rapidly to freeze offending accounts and report illicit or illegal activity to the necessary AML/CTF agencies. It would only be truly effective if the MMOGs and OFSPs were active partners and freely participated in the initiative
More research is required to determine the feasibility of such a system and iron-out jurisdictional issues
Recommendations sub-question 1
How can money laundering or terrorism financing activity be detected in virtual environments when there are potentially millions of transactions per day, millions of individual account holders and no clear signature or pattern associated with money laundering and terrorism financing activity? Can suspicious transactions be detected when activities range from a single transaction to a culmination of months of complex transactional activity?
This research shows that it is extremely difficult to isolate illegal from non-illegal transactions inside virtual environments. This is because transactions can be structured to look exactly like one of the millions of transactions that take place in virtual environments every day
Only possible way to detect illegal transactions is to be able to accurately attribute a transaction or series of transactions to an individual/group
A true picture of the activity carried out by these individuals can be constructed:o Frequency, value and movement of funds may throw some light on the legality
of the activity
Findings to research sub-question 2
Potential solution(s):MMOGs and OFSPs should be required to save the IP address of the connection every
time an account holder logs into his or her account or performs a transaction, rather than at the point of account creation only
Periodic analysis should be performed on the connection data and anomalies recorded – it should raise suspicion if an IP address from a different continent or country is recorded every time an account holder logs into his/her account
If anomalies are found and it is believed that an account holder is attempting to conceal their identity, the account should be put under surveillance/investigation and the funds contained in those accounts frozen until the individual can sufficiently identify him or herself
Although these actions may not identify who is operating an account, it will relieve a potential ML/TF of their funds if they are unable to successfully identify, verify and authenticate their identity. For those legitimate users whose accounts have been frozen, they should have no issues verifying themselves to have their accounts unfrozen
Each individual would need to go through verification similar to that in place by the gambling industry
Recommendations sub-question 2
What personal information is collected from an account holder when creating an account with a MMOG or online financial service provider (OFSP)? Can the information collected be associated with an individual in a real-world context?
The systems currently in place by all of the MMOGs investigated are wholly inadequate to successfully establish the real-world identity of account holders
None of the information required at the account setup stage is verified and, therefore, cannot be reliably associated with an account holder in a real-world context
Identity and payment method verification is left to third party organisations. However, many of these organisations do not have adequate systems in place to successfully verify the identities of their account holders or users either
Findings to research sub-question 3
Potential solution(s): Introduction of KYC and CDD regulations:
o Any regulations imposed on virtual environments should resemble those imposed on the online gambling industry as operators’ face the same challenges as online gambling firms when identifying, verifying and authenticating gamers/gamblers
o Gambling operators are obliged to reasonably identify the location and identity of account holders before allowing financial transactions to take place but KYC and CDD regulations do not mandate that every potential customer be required to produce irrefutable evidence of their identity before being allowed onto a gambling website. Identity verification must be carried out before any payments are made to the registered player
o Many VE account holders deposit funds into virtual environment to pay for membership and purchase virtual goods, they never require the funds to be moved out of the VE again – under these circumstances account holder would not need to be verifiedo Introducing KYC and CDD may force many smaller MMOG and OFSP operators
out of business or force them to charge/charge more for their service
Introduction of electronic KYC/CDD approach
Recommendations sub-question 3
Recommendations sub-question 4
Example of electronic KYC/CDD approach
Benefits of electronic KYC and CDD approach: o Deals effectively with the challenges of anonymity and non-face-to-face
business relationshipso Information supplied by account holder is verified by a reliable and independent
source, thereby ensuring that effective CDD activities can be carried outo Since checking is done by a third party organisation, there is no need for the
MMOG/OFSP to know how to identify false or counterfeit documents or obtain specialist equipment such as ultraviolet lamps
More research required to determine how an electronic approach could be used to effectively identify individuals from different jurisdictions as MMOGs and OFSPs deal with customers from all over the world
MMOGs should become responsible for identifying, verifying and authenticating their own account holders, even when financial transactions are performed via a third party – this allows cross-checking of details provided and makes it easier to identify whether an account holder is attempting to structure transactions
Recommendations sub-question 4
Is it practical to use virtual environments such as Second Life to carry out money laundering or terrorism financing activity? How much can be achieved over different timeframes? How does money laundering or terrorism financing in virtual environments compare to traditional methods for the same result?
More complex Takes longer to transfer funds Costs more Significantly less funds can be laundered High levels of anonymity Reduced risks Decreased chances of detection The maximum amount of funds that can comfortably be laundered through
virtual environments is likely to be in the region of AUD 10M. To launder sums larger than this would involve an exponential and unwieldy increase in time, effort and complexity
Findings to research sub-question 4
What is the risk of being defrauded in virtual environments? What is the likelihood of stolen financial details being used in these environments?
Virtual environments make ideal targets for credit card fraud Virtual environment users are at as much, if not more, risk of being defrauded as they are in the
real world Credit cards can be used in two ways in VEs:
o verify an account holder’s identity – does not affect the financial status of the card owner and it’s unlikely the service provider or card owner would discover that identity fraud has taken place
o Remove funds from an account holder’s credit card Card-not-present fraud lends itself well to VEs and the anonymity they provide Attackers will often have more detailed knowledge of new media and technology than their
victims Scams are becoming more sophisticated and more personalised VEs provide fraudsters with access to a large number of potential victims The community nature of VEs may result in victims having their guard down and more likely to
be duped in a social engineering attack Knowledge of in-world attacks not “common knowledge” yet
Findings to research sub-question 5
Findings to research sub-question 6
Virtual environments do not take into account the personal or cultural values of its users. However, research shows that participants purposefully modify their behaviour in interactions in different setting in order to accommodate different cultural norms of appropriate behaviour
VEs are western-centric – does not appear to act as a barrier to widespread use by a variety of cultures and religions – many culture and religion-specific areas in SL
No cultural of religious obstacle to performing financial transactions inside VEs 44.5% invested funds in SL64.5% have earned Linden Dollars in SL25.3% have sold virtual items in SL84.9% have shopped in SL
No specification of demographic profile, cultural or religious beliefs of users, however, there is a number of Islamic, Christian and Jewish malls and in-world shops selling male and female religious clothing and artefacts – this leads us to believe that users from these cultures are comfortable performing financial transactions in VEs - We can deduce from this research that there are no cultural barriers to using VEs for ML/TF
Does cultural background have an impact on the use of virtual environments for money laundering and terrorism financing activity?
Thank you for your time...
Any questions?