Posts Tagged ‘cyber crime’

Perpetual Vigilance

January 23rd, 2013
Gwyn Headley

by Gwyn Headley

Managing Director

I don’t know if it’s age, cynicism or personal general grumpiness but there seem to be a lot more villains around now than when I were a lad.

If you run a shop, shrinkage is the name you give to shoplifting. I guess it’s endemic. If you run a website like fotoLibra, you make sure you are as well protected as possible from shoplifters, or hackers if we use a general term for web-based criminality.

To put it in terms that I understand, we have to stop thieves. We have two sorts — those who want to steal your photographs, and those who want to steal our money. The latter is far more common, I’m sorry to say.

Stealing photographs, first of all. The basic fact is they can’t, not unless they can design and mount an incredibly expensive and sophisticated assault on our firewalled servers. But frankly, we’re not Cartier or Tiffany. It’s much cheaper to buy an image from us than spend months trying to figure out how to steal it. So there’s little incentive. The few infringements we do spot are people using fotoLibra watermarked Previews on their websites, on the basis that if it’s on the internet, it must be free. On behalf of our Pro and Platinum members, we have successfully sued every commercial infringer we have discovered in our jurisdiction.

Stealing money is far more devious, and we fell for it once — and only once. This is how it works. First ‘You’ steal someone’s credit card details. Then You join fotoLibra as a free member and upload one picture. Then You join fotoLibra as a buyer, using the name on the stolen credit card. Then You buy the picture You’ve just uploaded for a humungous amount of money, using Your stolen credit card.

Unfortunately for You, we at fotoLibra scrutinise every sale carefully, and if something doesn’t look right, we pounce — unlike lethargic banks and credit card companies.

There was an incident last year when an Indonesian photographer uploaded a couple of images and six hours later two separate women in the USA signed up as buyers and bought his images for large sums of money. We notify photographers of sales every 30 days, but somehow our Indonesian chummy felt sure his images had been sold long before we would have informed him and pestered us daily to pay him ‘his’ money. We didn’t, and six weeks later the bank removed the entire amount from our account, citing credit card fraud. Strange that we never heard back from the photographer after we informed him a criminal investigation was under way.

Yesterday and today we made two big image sales, both of (I’m sorry to say) of unremarkable images, both uploaded by different Vietnamese photographers. One was bought for a great deal of money by an Australian, the other for nearly as much money by a lady in Leicestershire.

Now if my name is Gwyn Headley, I can’t for the life of me see why I should open a Hotmail account under the name of It’s just not logical. So when we saw the lady in Leicestershire — let’s call her Lulu Leicester — had ‘bought’ the image using the email address Debbie Derby the first warning bells began to ring.

We searched for ‘Lulu Leicester’ online, and found a telephone number for her. She is a respected academic. We rang her and asked ‘Have you recently bought a photograph from’ No, she hadn’t heard of us. ‘Does your credit card end in 1234?’ Yes, it does. “Cancel it immediately,’ we said, ‘it has been compromised and has been used in an attempt to commit fraud.’

We haven’t contacted the Australian gentleman, but as he signed up as a buyer seven minutes after the second Vietnamese photographer joined up and uploaded his one photograph we suspect he’s probably not what he claims to be.

All this takes time and vigilance. The scam works this way: we pay 50% of the money we receive to the photographer, the thieves prove the use of a working credit card and go on to empty its resources in a matter of hours. Six weeks later (it’s always a little over six weeks, never any quicker) the banks wake up and deduct the money from our account, never informing us in advance.

The Australian purchaser tried three different credit cards in three different names before the fourth went through. We cancelled these transactions immediately.

We can track these people down — we know where they are — and we would be happy to pass the information on to the competent authority. The trouble is, who has the authority? And are they competent?

Wouldn’t it be nice if the banks were as alert as we try to be?


The Cost of Complacency

September 26th, 2011

There was an interesting blog posting by Paoga’s Graham Sadd recently on the perils of ignoring cyber crime.

For the last four weeks someone based in China has been registering as a buyer on

Not once, but approximately every four minutes throughout the Chinese working day. It seems like a manual attack rather than an automated one, because although the fake addresses are all the same — Cherry Street Room 318 Atlanta Georgia USA 30332, which I think might be a lie — there are occasional spelling mistakes. It’s easy for us to block the attacks. But despite failing every time, they continue to trundle in every four or five minutes.

We hope we’re not complacent about online security. We do what we can to protect ourselves against such attacks, but what we can’t get our heads round is what can they hope to achieve through multiple registrations as a picture buyer on a picture library site?

At the very least they ought to try and buy a picture from us.