This is not an "AdSense dropped me, Google is bad" thread. I'm just looking at what Google can do technically to prevent fraud, and I can't see any way that Google is not incredibly vulnerable to a small number of people simply wiping out the value of AdSense.
My overview reasoning is this: spam has reduced the value of email, and has proven unpreventable. But the pain of spam is distributed across a huge population of users. Similar techniques applied to AdSense are likely also unpreventable, but the pain will be stacked up largely on one company: Google.
Most discussion of Google AdSense fraud has been about individuals terminated for alleged "fraudulent clicks". At this level, it seems that Google can protect itself fairly well. In the worst case, Google could simply apply an incredibly simple and unfair algorithm of: "if your clicks and income go up too much too fast, we'll terminate you". I'm sure they can create a better algorithm than that, but still it seems likely they have a technical defense for the individual cheater -- especially if they don't mind incurring some "collateral damage", and terminating a certain percentage of innocent AdSense customers.
But if you look at where the real fraudulent money has been made online, it has been with DDOS extortion. The recent case of Russian hackers (probably controlled by the Russian Mafia) getting arrested was news simply because it is so rare that the extorters get caught. These folks were telling Internet gambling sites to pay them some protection money, or they would start a distributed denial of service attack just before a major sporting/betting event. But hacker extortion has also been used against banks and other companies, with apparent great success, according to some security experts.
Let's say bad guy X is in the online extortion business, and he starts taking a hard look at Google and its upcoming cash infusion. If he's a competent bad guy, then X has at his disposal hundreds, if not thousands of zombie machines waiting to do his bidding.
It's important to understand that these zombies are not "like" real Google users -- they actually are the machines that belong to real Google users. They are at universities and businesses and homes, they have both static and dynamic IP addresses, they are both dial-up and always-on connections, etc. They have virtually no characteristic that distinguish them from the general population of computers that use Google services.
It's also important to understand that access to zombie machines is bought and sold on the black market, and such access is fairly affordable. Thus, bad guy X may only "own" a thousand zombies, but if his previous extortion career has paid at all well, he can afford to "rent" thousands more.
So bad guy X starts sending some anonymous mail to Google, saying "I can provide you with AdSense protection for the affordable price of $100,000 per month, which you need to wire to my bank account. Here's the account number for this month."
Maybe Google doesn't pay, so bad guy X says "Gee, I'm sorry you've decided to leave yourself so unprotected. I've heard on the street that bad guys are going to fraud-click the travel industry this month. I sure hope that doesn't happen to you!" Then he tells his zombies to start attacking Google ads placed by what he guesstimates are the top 10 AdWords customers for travel.
Can Google prevent this attack? I don't think so. A broad enough distribution of attacking machines becomes indistinguishable from real people. When many of them are dynamic IP addresses (e.g., lots of AOL customers) you can't block based on IP address. If the attacking algorithm is at all smart about frequency and click patterns, the attack should be indistinguishable from a remarkable surge of interest in researching travel options -- except that 10 big AdWords clients will find that AdWords has suddenly become a really lousy place to advertise.
If the attacker is really savvy, he'll demonstrate his ability once to Google, then add "I wonder what would happen to your stock price if the press understood such attacks are possible and have already been demonstrated?"
There's the conundrum I propose. I just don't see technically that the Google AdSense/AdWords infrastructure can protect itself from organized crime using distributed attacks. One can try to track down the attacker by following the money (the extortion payments), but that gets difficult when the attacker is in a country that is not particularly lawful and not particularly friendly to the U.S. And, of course, there is always the danger of an attacker whose motivation is not money, in which case there is no money trail to follow, no warning message, and no offer of immunity. It is not just the technical feasibility of this kind of attack that is so worrisome -- it's the affordability.
So, while webmasters talk about how scary it is to have their income reliant on Google AdSense, given that Google can jerk it away at any moment, I am really concerned that Google itself is reliant on income that can be jerked away by anonymous attackers. I hope that Google has some defense against such attacks, but I currently do not believe a defense is technically possible. I hope I'm wrong.