A report by Lloyds Bank found that romance scams rose by 22% in 2023, with an average of £6,937 stolen. A single fraudster who was found guilty of romance scamming Americans out of more than $2 billion used Bitcoin to move funds to co-conspirators in Nigeria, but it’s not all about crypto. While the biggest monetary losses were via cryptocurrency or bank transfers, the scammers were rather fond of gift cards too.
When it comes to thinking about the intersection of money and identity, security and privacy, fintech and Big Tech, romance scams are an interesting case study. They are not new (scammers have found ways to take advantage of basic human nature from the dawn of time), but with the rise in virtual relationships and online dating these scams have proliferated, evolving into sophisticated long cons to win the trust of victims and then “butcher” them.
These scams are not all about money, of course. You may have read the somewhat surprising story of the British Member of Parliament who was lured into some inappropriate behaviour (including the disclosure of personal details about fellow politicians) via a dating app. He was ensnared via unsolicited instant messages that were sent to a number of politicians (both gay and straight, from a sender posing as ‘Abi’ or ‘Charlie’) that soon escalated into the exchange of intimate images. William Wragg, the unfortunate politician in question (who was vice chairman of the influential 1922 committee of Conservative Party backbenchers) said that “I got chatting to a guy on an app and we exchanged pictures”, which is how a great many of these scams begin, I suppose.
(While you might consider it injudicious of a politically-exposed person to be so profligate with inappropriate selfies, he is hardly the first person to be caught in a honeytrap and certainly won’t be the last. Indeed, early on in my career when I was working at NATO I was given a stern induction lecture by a senior officer who urged me to remain vigilant when approached by beautiful women in bars in Amsterdam and explained the nature of honeytraps. I was so excited by this possibility that I developed an entirely convincing but fake narrative around my work on secure communications ready to deploy in the bedroom at the right time. Needless to say, this never happened. Well, not quite: I was eventually approached by a beautiful woman in a bar in Amsterdam, but it was Conny Dorrestijn and she wanted to know about digital identity.)
Not all bad behaviour on dating apps is down to agents of foreign powers intent on subverting our democracy. Most of it, I am sure, is money scamming, although some of the behaviour is malicious indeed, such as that of the London corporate lawyer who stalked his ex-girlfriend with fictitious online dating profiles and used them to track her movements.
Now, you would think that internet dating would be a rather obvious place to introduce credentials-based interactions. Indeed adult services of all kinds would benefit greatly from the use of privacy-enhancing credentials-based reputational calculus around transactions. So why aren’t they in the vanguard for digital identity infrastructure?
Looking at the interesting case study of OnlyFans, The Information notes that in order to sign up as a creator, you must prove your identity with a full KYC process which means that there is something “deeply ironic” about the fact a platform for risqué fantasy is the least likely among social networks to have a problem with fake accounts! So why don’t other social media platforms do the same? According to a recent FTC report, the most popular way scammers reached out to their victims last year was through Instagram (29%) and Facebook (28%). Social media is turbocharging the love racketeers and leading to widespread misery. If OnlyFans can do KYC, why can’t Meta? There appear to be three key problems:
First, the friction of going through the validation process for new accounts prevents people from signing up.
Second, it is expensive and time-consuming for services to validate identities.
Third, requiring proof of real-world identity can be exclusionary, as many people can’t easily make that proof.
Well, in each of these areas incentives may be shifting. Many states are introducing mandatory age verification for adult services. Florida, for example, has enacted a law requiring social media platforms to prevent kids under 14 from creating accounts, and to delete existing accounts belonging to minors on request. For adult content sites requiring users to be over 18, the law also requires that apps and websites offer the option of “anonymous age verification”, verification by a third party that cannot retain identifying information.
Privacy campaigners are rightly concerned that such laws might infringe individual freedoms and create a massive honeypot that will immediately become a target for well-funded adversaries. I agree with them, but I think that it is relatively straightforward to use well-established cryptographic techniques to prevent such attacks. It is one thing for PornHub to ask to see Governor DeSantis’s driver’s license, quite another to demand a strongly-authenticated verifiable IS-OVER-18 credential that contains no personally-identifiable information at all.
Never mind internet dating, gambling and porn, as far as I am concerned we should be shifting to an environment based on reputation, not identity, for the overwhelming majority of online transactions on the internet, in the Metaverse and beyond. Generally speaking, it is no-one’s business who you are or what you are doing unless and until you break the law.