
Hard evidence: how much is cybercrime really costing us?

In the wake of the latest high-profile hack of Sony and claims of “cyber-vandalism” being thrown about, it’s normal to feel a sense of unease. Just this week, yet another proposal for new cybersecurity legislation has been made, and by the president no less.

Yes, cybercrime is rising and does result in losses. However, successfully committing cybercrime isn’t as easy as one might think. The direct losses from data stolen through hacking, online card fraud and online scams are actually relatively low when compared with the direct losses from welfare fraud or tax evasion.

Moreover, current federal spending on cybersecurity dwarfs the losses suffered by victims of online scams, fraud and other crimes, by at least three or four times. And yet we have very little idea how this money is being spent, so it’s hard to judge how effective it is.

As we ponder how much to spend and what to do about so-called cyber-vandalism and cyber-warfare, we need to keep these figures in mind. It’s usually the most low-tech, low-cost and simplest remedies that are actually the most effective in deterring crime online.

INTERNET CRIME ISN’T AS EASY AS IT SOUNDS

When a big data breach or “hack” takes place, we’re told about millions and millions of credit card numbers, social security numbers and all kinds of other personal data
being stolen then spilled onto “darknet” markets for sale. It’s easy to imagine thieves practically printing money based on the sales of these data, giving them access to bank accounts and credit cards.

The reality is, it isn’t that easy to make money from stolen data. There are two reasons for this.

First of all, the stolen data themselves aren’t terribly valuable. Stolen credit card and other credentials typically sell for pennies on the dollar – numbers for credit card accounts with thousands of dollars go for 50 cents to $12 on average.

One reason for this is that the black markets where these data are bought and sold don’t function well. There is very little trust between buyers and sellers. The incentives for sellers to cheat buyers are huge because it’s hard for buyers to determine whether a stash of credit card numbers for sale is any good. This huge uncertainty makes them akin to a “market for lemons,” which is a situation in which the seller knows more about a product than the buyer. A large “tax” is essentially imposed on every transaction to compensate for this massive uncertainty – hence the low selling prices.

Secondly, it’s surprisingly hard to successfully commit online card fraud. Say you buy thousands of credit card numbers for a few bucks: how would you know which ones will work and which ones won’t? You’d have to do some pretty detailed research to find out. Those with a lot of money to defraud have got to be found. Doing this for thousands of accounts would take such a long time that you’d run out of time before the stolen cards are reported. Even if you get one successful transaction, the bank’s anti-fraud system is likely to pick up multiple fraud attempts.

You see, it’s really hard to make a profit through this kind of fraud _at scale_. In other words, it is really hard to steal large amounts of money from large numbers of people through online card fraud. For all the fear that we may have as consumers due to huge data breaches at Target, JP Morgan or Home Depot, the actual threat to the average person of being targeted and suffering huge losses is relatively small.

THE REAL COSTS OF ONLINE CARD FRAUD

We see this difficulty in the statistics. Approximately $1.5 billion was lost in 2012 to online
credit and debit card fraud in the US. That might sound like a lot but consider that this is less than 0.1% of all card transactions that year. This translates to a loss of about $4.70 per person a year.

In the same year, losses from the “old-fashioned” way of committing fraud, using fake cards (sometimes with stolen data) to make fraudulent purchases, usually at stores and in person, were more than $2.2 billion. Despite the relative ubiquity of the internet in our lives, card fraud still happens more offline than online.

EVEN LESS FOR ONLINE SCAMS

A variety of frauds and scams are perpetrated each year over the internet. These range from emails purporting to be from the FBI to fake property or car sale listings. In 2013, the minimum losses from all reported online scams in the US amounted to $574 million (these are self-reported figures). Many of these internet-related scams happened before the Internet though – the classified section of the newspaper was used instead of Craigslist. That Nigerian prince would send a letter rather than an email.

Compare these crime figures with traditional crimes that are becoming “cyber” (by virtue of them being filed increasingly online), including welfare fraud, tax filing fraud and tax evasion. In 2013, the US Department of Labor estimated welfare fraud to be $4 billion. In 2010 the IRS lost $5.2 billion to fraudulent refunds. Tax evasion alone results in $385 billion of lost revenue every year. Put together, _every year_ we lose more than 100 times more from welfare fraud, tax filing fraud and tax evasion than we do from cyber-crimes.

A LOOK AT THE CYBER-WARFARE BUDGET

Calls are rising for the government to do something about the spate of recent
cyber-attacks. The US already spends a lot on enhancing cybersecurity. In fact, in 2013, $4.2 billion was spent for precisely this reason through the National Intelligence Program. The US Cyber Command’s budget was $447 million in 2014, four times more than in 2010. All in all, we spend about $10 billion on federal cybersecurity each year.

It’s reassuring to know so much is spent on “enhancing cybersecurity,” except that we know very little about what this money is actually spent on and thus how effective these measures have been. As a result, we have trouble knowing whether this is an appropriate amount of money to be spending or whether this money might be spent in a better way.

THE BEST SOLUTIONS ARE THE SIMPLEST

This doesn’t imply that we shouldn’t spend any money on cybersecurity. What it does imply, though, is that if the plan is to spend more taxpayer funds on this, we need more transparency about how that money is used. As it stands, very little information has been revealed about where that $10 billion-plus is going, whether for more effective defenses or for offensive capabilities, as alleged by NSA whistleblower Edward Snowden.

In the end, the measures that will actually be the most effective don’t cost a lot and if widely adopted would greatly improve cybersecurity.

Widespread use of simple two-factor authentication is one (a system that confirms the identity of a user by sending a code to another device that the account holder will have immediate access to, such as a phone). The recent hackers of JP Morgan took advantage of a server that didn’t have two-factor authentication enabled.

Basic encryption of sensitive information is another. The hacked Sony passwords were stored in a plain-text spreadsheet called “passwords” after all.

Keeping critical networks separate from one another (i.e., not centralizing all networks in search of cost savings) is another option. The German steel mill that suffered a damaging cyber-attack last week could have avoided this were the business and production networks separated. Better yet, the production network could have not been hooked up to the Internet at all.

There are numerous competing budgetary priorities at any one time and limited funds to spend on meeting all these needs. How much money does it make sense to invest in bolstering cybersecurity, relative to the losses? In the hysteria created in the wake of the hacks of 2014, we risk making the wrong choice simply because we don’t know what the current sums of money are being spent on.