net.wars: The numbers game
by Wendy M Grossman | posted on 22 June 2012
Sometime around mid-May I discovered a couple of thousand pounds were missing from my bank account. This was the result of a more haste, less speed situation: faced with an upcoming overseas trip, when someone said to me, "We can pay you electronically next week or send you a check today," I opted for the check, thinking it would be quicker.
What actually happened: somewhere in transit from me to my bank account the check was intercepted, the name of the payee was altered, and the check was paid to someone else. It took several weeks to establish this, of course. I had to get my bank's call center to call my bank to find someone who could say they'd never seen the check. Then *their* bank had to request a copy of the microfilm and then a second, higher-resolution image to establish whether the payee's name had been altered (in which case the bank was at fault for paying it) or left blank (in which case the payer goofed).
Through the whole thing, I imagined Mr Cashless Society, David Birch, smirking. My solution for the future, however, is not to insist that everything be paid electronically - when electronic payments go wrong, the results can be even more difficult to trace and unwind - but to digitally photograph every check, both incoming and outgoing. If I had done that in this case, our end of the investigation would have taken a minute, not a month.
There are some things about this theft that are striking. First is that it's very low-tech, even quaintly old-fashioned. While we spend so much time worrying about the strength of cryptography algorithms and the One True Way to devise good passwords, the postal and physical banking systems are supposed to be safe. I imagine our thief carefully working on the cheque like Lane Pryce in Mad Men. Second is that it's dumb, because it's enough money that people will notice it's missing and investigate when they do, and the likelihood is that the thief will be successfully traced. Had this guy instead run a small eBay scam and stolen £200 from ten different people - or £20 from 100 different people - he'd be enjoying his freedom and their money. Theft of physical pieces of paper doesn't pay even as well as the relatively low-profit crime of physical bank robbery.
Last year, Detica estimated the annual cost to the UK at £27 billion, a figure that was almost immediately (and rightly) questioned by both the press and security experts. Now, Ross Anderson and a team of co-authors has analyzed that number in detail. in a paper for the annual Workshop on the Economics of Information Security.
Unlike the Detica paper, Anderson and company fully expose their methodology and reasoning. Also unlike Detica, they don't provide a single big number. As they write, a lot depends on the assumptions you make and the types of crime you want to include. Welfare fraud has been with us as long as welfare has; should it be added to the cybercrime figures when the UK shifts all claims for welfare payments online next year? In any event, the authors estimate that traditional frauds cost each UK citizen a few hundred pounds a year; transitional frauds (fraud such as online payment card fraud that is moving online alongside the relevant infrastructure) cost each of us a few tens of pounds per year, and new cyber-frauds cost perhaps tens of pence per year. However, the cost of defending against those cyber-frauds - patching, anti-virus software, the opportunity costs of loss of trust - are something like ten times the cost of the frauds themselves. The authors wind up arguing for better policing: throwing the relatively small number of gangs in jail would do more to stop cybercrime than telling people to run anti-virus software.
I have my doubts about this part of the proposition. While clearly better - and better-resourced - policing would be a very good thing, I imagine that there are plenty of other criminals waiting for their chance. I liken the situation to what would happen if, say, 90 percent of the pregnancies on the planet were the work of just ten guys and you put them all in jail and took away their nookie privileges: smart women would still use birth control. It is not clear how much computer defense we could actually afford to do away with.
But what is very clear from the paper is the cost of getting our numbers wrong, and not just because when you spray around figures like £27 billion in losses to consumers (£3 billion), government (£3 billion), and companies (£21 billion) someone may start paying you large sums of public money to fix the problem. The consistent over-reporting of the number of phishing Web sites, types of malware, and attackers, Anderson et. al write, leads "some police forces to believe that the problem is too large and diffuse for them to tackle…This is part of a much wider problem of attributing risks to patterns of offending". Right. So instead of focusing on the technology by which crime is committed, focus instead on…yep, the people. Ain't it always the way?
Technorati tags: Detica Ross Anderson cybercrime
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).