Hard evidence: how much is cybercrime really costing us?

In the wake of the latest high-profile hack of Sony and claims of “cyber-vandalism” being thrown about, it’s normal to feel a sense of unease. Just this week, yet another proposal for new cybersecurity legislation has been made, and by the president no less.

Yes, cybercrime is rising and does result in losses. However, successfully committing cybercrime isn’t as easy as one might think. The direct losses from data stolen through hacking, online card fraud and online scams are actually relatively low when compared with the direct losses from welfare fraud or tax evasion. Moreover, current federal spending on cybersecurity dwarfs the losses suffered by victims of online scams, fraud and other crimes, by at least three or four times. And yet we have very little idea how this money is being spent, so it’s hard to judge how effective it is.

As we ponder how much to spend and what to do about so-called cyber-vandalism and cyber-warfare, we need to keep these figures in mind. It’s usually the most low-tech, low-cost and simplest remedies that are actually the most effective in deterring crime online.

INTERNET CRIME ISN’T AS EASY AS IT SOUNDS

When a big data breach or “hack” takes place, we’re told about millions and millions of credit card numbers, social security numbers and all kinds of other personal data being stolen and then spilled onto “darknet” markets for sale. It’s easy to imagine thieves practically printing money from the sale of these data, which give them access to bank accounts and credit cards.

The reality is, it isn’t that easy to make money from stolen data. There are two reasons for this.

First of all, the stolen data themselves aren’t terribly valuable. Stolen credit card and other credentials typically sell for pennies on the dollar – numbers for credit card accounts holding thousands of dollars go for 50 cents to $12 on average. One reason for this is that the black markets where these data are bought and sold don’t function well. There is very little trust between buyers and sellers. The incentives for sellers to cheat buyers are huge because it’s hard for buyers to determine whether a stash of credit card numbers for sale is any good. This huge uncertainty makes them akin to a “market for lemons,” a situation in which the seller knows more about a product than the buyer. A large “tax” is essentially imposed on every transaction to compensate for this massive uncertainty – hence the low selling prices.

Secondly, it’s surprisingly hard to successfully commit online card fraud. Say you buy thousands of credit card numbers for a few bucks: how would you know which ones will work and which ones won’t? You’d have to do some pretty detailed research to find out. The accounts with a lot of money to defraud have to be found. Doing this for thousands of accounts would take such a long time that you’d run out of time before the stolen cards are reported. Even if you get one successful transaction, the bank’s anti-fraud system is likely to pick up multiple fraud attempts.

You see, it’s really hard to make a profit through this kind of fraud _at scale_. In other words, it is really hard to steal large amounts of money from large numbers of people through online card fraud. For all the fear that we may have as consumers due to huge data breaches at Target, JP Morgan or Home Depot, the actual threat to the average person of being targeted and suffering huge losses is relatively small.

THE REAL COSTS OF ONLINE CARD FRAUD

We see this difficulty in the statistics. Approximately $1.5 billion was lost in 2012 to online credit and debit card fraud in the US. That might sound like a lot, but consider that this is less than 0.1% of all card transactions that year. This translates to a loss of about $4.70 per person a year.

In the same year, the “old-fashioned” way of committing fraud, using fake cards (sometimes with stolen data) to make fraudulent purchases, usually at stores and in person, cost more than $2.2 billion. Despite the relative ubiquity of the internet in our lives, card fraud still happens more offline than online.

EVEN LESS FOR ONLINE SCAMS

A variety of frauds and scams are perpetrated each year over the internet. These range from emails purporting to be from the FBI to fake property or car sale listings. In 2013, the minimum losses from all reported online scams in the US amounted to $574 million (these are self-reported figures). Many of these internet-related scams happened before the Internet, though – the classified section of the newspaper was used instead of Craigslist. That Nigerian prince would send a letter rather than an email.

Compare these crime figures with traditional crimes that are becoming “cyber” (by virtue of them being filed increasingly online), including welfare fraud, tax filing fraud and tax evasion. In 2013, the US Department of Labor estimated welfare fraud to be $4 billion. In 2010 the IRS lost $5.2 billion to fraudulent refunds. Tax evasion alone results in $385 billion of lost revenue every year. Put together, _every year_ we lose more than 100 times more from welfare fraud, tax filing fraud and tax evasion than we do from cyber-crimes.

A LOOK AT THE CYBER-WARFARE BUDGET

Calls are rising for the government to do something about the spate of recent cyber-attacks. The US already spends a lot on enhancing cybersecurity. In fact, in 2013, $4.2 billion was spent for precisely this reason through the National Intelligence Program. The US Cyber Command’s budget was $447 million in 2014, four times more than in 2010. All in all, we spend about $10 billion on federal cybersecurity each year.

It’s reassuring to know so much is spent on “enhancing cybersecurity,” except that we know very little about what this money is actually spent on and thus how effective these measures have been. As a result, we have trouble knowing whether this is an appropriate amount of money to be spending or whether this money might be spent in a better way.

THE BEST SOLUTIONS ARE THE SIMPLEST

This doesn’t imply that we shouldn’t spend any money on cybersecurity. What it does imply, though, is that if the plan is to spend more taxpayer funds on this, we need more transparency about how that money is used. As it stands, very little information has been revealed about where that $10 billion-plus is going, whether for more effective defenses or for offensive capabilities, as alleged by NSA whistleblower Edward Snowden.

In the end, the measures that will actually be the most effective don’t cost a lot and, if widely adopted, would greatly improve cybersecurity. Widespread use of simple two-factor authentication is one (a system that confirms the identity of a user by sending a code to another device that the account holder will have immediate access to, such as a phone). The recent hackers of JP Morgan took advantage of a server that didn’t have two-factor authentication enabled. Basic encryption of sensitive information is another. The hacked Sony passwords were stored in a plain-text spreadsheet called “passwords,” after all. Keeping critical networks separate from one another (i.e. not centralizing all networks in search of cost savings) is another option. The German steel mill that suffered a damaging cyber-attack last week could have avoided this had the business and production networks been separated. Better yet, the production network need not have been hooked up to the Internet at all.

There are numerous competing budgetary priorities at any one time and limited funds to spend on meeting all these needs. How much money does it make sense to invest in bolstering cybersecurity, relative to the losses? In the hysteria created in the wake of the hacks of 2014, we risk making the wrong choice simply because we don’t know what the current sums of money are being spent on.