Cybercrime Now Worth $105 Billion, Bypasses Drug Trade

Stony Stevenson writes "Citing recent highly publicized corporate data breaches that have beset major companies like Ameritrade, Citigroup, and Bank of America, McAfee CEO David DeWalt, said that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide. Despite the increase in government compliance requirements and the proliferation of security tools, companies continue to underestimate the threat from phishing, data loss, and other cyber vulnerabilities, DeWalt said. 'Worldwide data losses now represent US$40 billion in losses to affected companies and individuals each year, DeWalt says. But law enforcement's ability to find, prosecute, and punish criminals in cyberspace has not kept up: "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online," DeWal remarked. "The cross-border sophistication in tracking and arresting cyber-criminals is just not there."'"

Here's Another Reason: Cybercrime Pays

[patio11]

You know what your hourly wage works out as any dealer not on top of the local pyramid? Check out Freakonomics, its an interesting case study. Using one gang's meticulously kept accounting records, they estimated the average dealer makes a bit more than minimum wage. Oh, and for that he has a 25% chance of death or imprisonment over an N month interval. (I can't remember what N was but, yikes, for 25% it wouldn't matter if it were 120!)

Compare this to cybercrime. I have been, at points in the past, a spam researcher. At the time, I lurked in spammer forums to get an idea of what the enemy is thinking. Ignoring the "I make a million a month and own a fleet of cars and a harem" boasting, and just focusing on the deals that were offered and consumated there, it is clear that cybercrime makes Serious Money especially by the standards of the locales where some criminals hang out. A single script to clean a spam mailing list, which is what, two or three hours of work, costs about a month worth of a legit Russian programmer's wages.

Or take a look at the opportunities for low-level criminals in the US, like "cashers". A casher is the guy at the end of the identity theft chain who gets the only risky job: turning the swiped data into money. (Phisher turns credentials over to casher, casher gets money, pays phisher.) He has a non-zero chance of his photo ending up on camera. For this, he gets perhaps 35% of the take from the scam. 35% of the banking account of say a lower-middle class family is easily thousands of dollars. No drugs in your pocket, no guns in your face, and no dedicated squad of police officers busting into your apartment at 1:00 in the morning if you get sold out by a buddy.

Why would you sell drugs if you weren't using, given these risk-vs-reward scenarios?

Re:This number

[rwyoder]

...sounds like it was pulled out of someone's ass.

Absolutely! When a thief robs a liquor store of $1000, he actually has the money, and the store has really lost the money. Now let me relay something I learned from a lecture I attended by a wekll-know former hacker a few years ago; He had used social engineering to obtain a copy of some cell-phone infrastructure s/w from a large, well-known high-tech company. He later learned that when the cops questioned the mgt of the company, they wanted a dollar amount of the damages. When the mgt hesitated about how to determine the damages, the cops asked: "So what did it cost to develop it?" And that was the number they used! The hacker had done nothing but use social engineering to persuade an employee to FedEx him a copy of the s/w which he kept, but did nothing with it. He never even broke into a single computer, nor ever distributed the s/w, nor did any kind of damage. But in their zeal to pump this up into a big case, the cops used the completely bogus multi-million dollar cost of the project and charged him with that dollar amount of (non-existent) damage.