Richard Kovacs

Micro-transactions, Macro-effects


"Anything free to use is free to abuse."

What do I mean by that? There are many free services in the world. A common saying is that if you are not paying for the product, you are the product. While that is true in many cases, I would like to focus on a different aspect of free services. The fact that they are free for any user means they are also free for abusers. And if they can earn money by abusing the service without any cost, you can be sure they will do it.

What would happen if these services started charging a small fee? And what do a social media account, a soda bottle, and the way your favorite website stores your password have in common? Let's find out.

Twitter Blue / X Premium

Although they say it was introduced for this exact purpose, the verified badge on X (formerly Twitter) does not prohibit anyone from impersonating another person. If you have a personal vendetta against someone, paying $8.00 monthly for a subscription isn't a large sum. Nothing except the small subscription fee stops you from creating a fake Elon Musk account.

However, it stops you from creating 10,000 such accounts. Before the verified badge, you could easily create multiple accounts. There were probably automated tools for this purpose. But now, it would cost $80k to do the same. And since Elon has the badge, your scam accounts wouldn't stand a chance without it. Anyone could easily differentiate between the real and the fake one.

And in the grand scheme of things, this is how the verified badge works. You could argue that the only goal of the badge is to collect some money from us, the users, which is partially correct, although the subscription also provides other benefits. But on a large scale, it definitely lowers the number of fake accounts because creating a new one isn't free anymore.

Of course, you could still create 10k accounts for free, but as mentioned, it won't have the same effect anymore if the original account you want to impersonate has the badge.

This phenomenon is also visible in other parts of the world.

Smart contracts

Hundreds of thousands of scam cryptocurrencies and smart contracts are deployed to the largest blockchains. But there aren't millions of them. While it is arguable that this is still a huge number, and there is a new scam smart contract deployed every 4 minutes, or 15 every hour, my point is that there would be many more if deploying a contract were completely free. And there would probably be fewer if it cost more.

Although these contracts cost money to deploy, there are still so many of them because they pay well for the scammers. A successful scam can easily bring in millions of dollars. In this case, the cost of deploying a contract is negligible compared to the potential profit. Finding the right spot where the price is still acceptable for the majority of legitimate users, but stops most of the scammers is a challenge.

Let's see a different, but still related, IT security example.

Brute forcing passwords

Although not directly related to microtransactions, the difference between brute forcing a single person's password and brute forcing everyone's still fits in this post.

A common method for brute forcing passwords is using a dictionary containing the most common ones. This is called a dictionary attack. Modern security measures prevent this by not storing the plaintext passwords in the database, only their hashes. It's easy to detect websites that violate this rule: if you receive an email after registration with your password in it, it's better to avoid that site. Storing hashes is the norm nowadays.

But IT security is always a cat-and-mouse game. Clever attackers found a way to get around this. They created a table of precomputed hashes for the most common passwords. This table is called a rainbow table. Imagine you have a stolen database with hundreds of thousands of password hashes. It is simply not feasible to go over your dictionary, hash every single password, and then look for matches in the database, especially if the site owner was careful enough to use a slow hashing algorithm like bcrypt or scrypt.

However, if you do this computation once and store the results in a table, you can reuse it for multiple databases. Or even better, you can download one from the internet. This is a rainbow table. It can be used to look up the hashes quickly.

To prevent this, the good guys devised a clever solution: adding a random string to the password before hashing it. This random string is called a salt. This way, even if two users have the same password, their hashes will differ. The attacker's rainbow table is useless now.

The salt can be stored next to the hash. It is not a secret. It just makes the hash unique. To successfully crack a password in this scenario, the attacker would have to recompute their rainbow table for every password and salt combination.

But...

If the attacker has a single, very valuable target, the protections above might not be enough. If they know the salt and have the plaintext dictionary of common passwords, they can still brute force the original.

Salt and pepper

This problem also has a solution called the pepper, which is another secret string added to the password before hashing it. However, the pepper is the same for all passwords and is stored separately and kept secret. Still, if the attacker obtained both the database and the pepper, we would be in the same situation as before.

So, how does this scenario connect to the topic of this post? The answer is the cost.

The salt, pepper, and hashing algorithms protect against mass attacks. They make it very expensive to crack an entire database of hashed passwords. But none of these protections matter if the attacker has a single target. In this case, the cost is usually time and computing power, which can still be converted to money at the end of the day.
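The cost argument above can be measured. The following is an added example, not code from the original post: it counts how many hash computations a dictionary search needs against each storage scheme, from the point of view of a defender auditing their own password table. The users, passwords and dictionary are constructed, PBKDF2 from the Python standard library stands in for the bcrypt or scrypt mentioned earlier, and applying the pepper as an HMAC key is one common construction assumed here.

```python
import hashlib, hmac, os

DICTIONARY = ["123456", "password", "qwerty", "letmein", "dragon"]  # constructed
USERS = {"alice": "letmein", "bob": "letmein", "carol": "v9#Tq-unlisted"}  # constructed
ITERATIONS = 20_000  # PBKDF2 work factor, kept low only so the demo runs quickly

def fast_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

def slow_hash(pw, salt, pepper=None):
    data = pw.encode()
    if pepper is not None:  # pepper used as an HMAC key; it lives outside the database
        data = hmac.new(pepper, data, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS).hex()

def build_db(pepper=None):
    db = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)  # unique per user, stored next to the hash
        db[user] = (salt, slow_hash(pw, salt, pepper))
    return db

def audit_unsalted():
    """One precomputed table serves every row: cost is len(DICTIONARY), once."""
    table = {fast_hash(pw): pw for pw in DICTIONARY}
    found = {u: table[fast_hash(pw)] for u, pw in USERS.items() if fast_hash(pw) in table}
    return found, len(table)

def audit_salted(db, pepper=None, only=None):
    """Each row needs its own search; returns (recovered passwords, hashes computed)."""
    found, work = {}, 0
    for user, (salt, digest) in db.items():
        if only and user != only:
            continue
        for guess in DICTIONARY:
            work += 1
            if hmac.compare_digest(slow_hash(guess, salt, pepper), digest):
                found[user] = guess
                break
    return found, work

def compare():
    db, peppered = build_db(), build_db(pepper=os.urandom(32))
    return {"unsalted": audit_unsalted(),                   # table reused for all rows
            "salted_all": audit_salted(db),                 # work grows with user count
            "salted_one": audit_salted(db, only="alice"),   # single target stays cheap
            "peppered_db_only": audit_salted(peppered)}     # database alone yields nothing

if __name__ == "__main__":
    for scheme, (found, work) in compare().items():
        print(f"{scheme:17} recovered={sorted(found)} hashes={work}")
```

The work for the whole salted table scales with the number of users, while the single-target row stays at a handful of hashes, which is the asymmetry the section describes.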

Still staying in the IT security world, let's see another example.

Emails and spam

More than 1.4 million spam emails are sent every second. More than half of all emails sent in 2022 were spam.

Imagine what would happen if sending an email cost 0.1 cents each. Sending that amount every second would cost $1,400. $1,400 every second. But now, it is entirely free. Let's ignore internet costs for now because that also adds to the cost in the previous examples.

I do not advocate for paid email sending, but let's play with this thought a little more. With the above numbers, sending 1,000 emails a day would cost $1 for a legitimate user. It would be the same for the scammers, of course.

The success of spam emails lies in the large number theory. Spam works because, in large numbers, it returns a net positive. And the required investment is ridiculously low right now. To be exact, it is zero. According to the article above, spammers receive one reply for every 12.5 million emails sent. But that one email makes the whole operation profitable. If sending an email cost the above, this campaign would have a price tag of $12,500.

But micro-transactions are not only about penalties and fees. Let's see how they can be used to incentivize good behavior.

Container deposit schemes

It would be great if we lived in cities without litter. Right now, throwing our empty plastic bottles on the street costs nothing. There are places where you receive a fine for doing so, but only if you get discovered during the act or if someone can prove afterward that you threw the bottle in the past. There is no 100% guarantee that your action will have consequences.

Plastic bottles on the street

But there are places where the system works the opposite way. Some regions have introduced what is known as a container deposit scheme. A container deposit scheme means you have to pay a little more for each bottle you buy (the deposit), but you get a portion back for returning the empty bottle to the store. This way, only the initial investment costs more (with the price of the deposit), but after that, you can buy the drink for the same price as before since you can reinvest the returned money in the next bottle.

Let's ignore penalties for now. In this system, throwing the bottle on the street has an opportunity cost. You don't get paid for doing so, but you earn some money for returning it. Before deposit schemes, you didn't get paid for throwing it on the street either, but neither did you receive anything for returning it. It wasn't worth it to do the right thing. It actually cost you time and effort to return it. A return policy has the opposite effect. It indirectly costs you money to throw the bottle on the street.

It still does not stop everyone from littering, but it works in large numbers. Most people will consider returning it for the right price. The only challenge is to find the price that works for the majority of the people.

Connecting the dots

The point is not that everything should be made a paid service. In the case of emails, you could argue that spam filters are more or less working correctly. You are not the target group if you are somewhat trained in noticing scams. Still, battling spam currently costs companies a tremendous amount of money.

If sending email cost money, most of this cost would go to the end users. That might not be the best solution since companies already try to push as much cost to us as possible. Although, if you are an employee in this system, your employer would probably pay for your emails.

But without a doubt, it would significantly raise the barrier to entry for a successful spam campaign. Sending millions of emails would quickly become expensive.

On the other hand, container deposit schemes are a win-win. End users can get back money, the stores can collect their bottles more efficiently, and there would be less litter on the streets. Nobody loses.

In all of the above topics, the only challenge is finding the correct cost that is still acceptable to the majority of legitimate users, while stopping most scammers/attackers/abusers because of the increased costs of running mass campaigns.

Small changes here and there can have significant macro-effects. You might not feel any difference in your life when the central bank raises interest rates by 0.25%, especially if you don't have any loans. But it has a huge effect on the economy as a whole. This is almost the same concept as all of the above. A "micro-transaction" of raising the interest rate fundamentally changes a country's short-term future.