In a Twitter discussion (>140 characters at a time) with Chris J @rattis about tracing credit cards from pictures on Twitter posted by users, to dissemination, and subsequent use. The following experimental protocol was developed. The scenario being examined is something like this (any mistakes are purely mine).
User of Twitter gets brand new credit card in the mail. In their glee at the new found debt delivery mechanism they post a picture of their credit card. As a bonus sometimes they post a picture of their new drivers license too. With enough data to use the credit card and more importantly a photo of the credit card a thief can use, sell, or trade the credit card information. Does it happen? Does this translate into a crime? There is strong anecdotal evidence that such might happen. What is the life span of the card? How long until detection? What kind of carding forums does the card show up within? All of these make great questions and we can design an experiment to find out the answers.
Strictly speaking we are not talking about an empirical form of science. Beyond the scope of this discussion it is true that not all science requires a control group. Science is about discovering and describing things that happen in the world. As such we can generate a hypothesis but we have only internal data from the experiment and can not sustain a challenge to generalizability. That would be a limitation of this exercise. There are delimitations we set as the protocol would be best run in groups of ten or so.
Research Question: Are credit cards posted on Twitter are found on card selling forums?
Hypothesis 1: Credit cards posted on Twitter are found on card selling forums.
Research Question: What is the life span and average time from posting on Twitter to illegitimate use?
Hypothesis 2: The time period of a credit card posted on Twitter will directly correlate to the number of Twitter followers (and associated retweet followers) the account holder has.
Some instrumentation and protocol refinements are needed. A sock puppet army of twitter users is going to be required. A hundred Twitter users would need be created and follow at least a few hundred real world users. This will require an Institutional Research Board approval. The sock puppet army will have to generate approximately 500 posts each that are not spammish or seem trollish. This will need to be done randomly across the army of sock puppets for at least four or five months. A fully developed protocol for this test group would need to be designed.
The only way that really makes sense to run this is with the auspices of a credit card company. Preferably a consortium of credit card companies. That would allow the experimenters to run the exercise with the assistance of the fraud protection mechanisms of the credit card companies in full play. ANY activity against these cards would be fraudulent. As such I could see a variety of credit card companies being very interested in the data. The results would basically be able to track back against the credit card network and as such salt and allow for a variety of products.
A network analysis and time based analysis of social media exploitation could be created that then would be traced back into the card sharing networks. That might be very interesting. The protocol could also be used to do a life span analysis of fraudulent cards. There are a variety of other interesting results that could be garnered by corporations and those that might be interested in mapping the card networks. I would suggest this would be an interesting exercise for the new Microsoft Digital Crime Unit to try with their partnerships in Microsoft Research.