The Cybercrime Wave That Wasn't
retroworks writes "Dinei Florencio and Cormac Herley write that cybercrime depleted gullible and unprotected users, producing diminishing returns (over-phishing). They argue that the statistics on the extent of losses from cybercrime are flawed because there is never an under-estimation reported. Do they underestimate the number of suckers gaining internet access born every minute? Or has cybercrime become the 'shark attack' that gets reported more often than it occurs?"
Ever notice how, when there is a notorious crime reported, suddenly lots of other similar crimes start happening? Well, they don't suddenly start; they were happening before, just not being reported. It isn't over- or under-reporting in the sense that our stats are wrong, only in the sense that the mass media does a shit job of conveying factual information to the public.
Defences are improving, people are getting more savvy. Obviously crime levels will go down. Back in 2002 XP didn't even have its firewall enabled by default. Everyone hated Vista for being locked down and hurling UAC prompts at the screen all the time, but it definitely worked.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I think every generation will get more computer savvy, making it harder for 2-bit phishers or lazy hackers to cause any real damage.
Let's continue using the phishing analogy
Fly-phishing: Phishing involving air travel
Saltwater Phishing - Phishing from overseas
Weekend Phishing - A leisure time activity that's used more as an excuse to drink beer than to scam people
Phishing Boat - A scammer's base of operations located on a vessel in international waters
Phishing Rod - Viagra scams
Phishing Line - Like a pick-up line, but for money instead of sex.
and two to take 'em. It's not easy out there, you know.
Considering I've had to have a new credit card sent out every year due to fraud tells me there's a problem (my bank is really good at detecting fraud; I never see the charge, it's caught as it happens).
Imagine the backlash and financial damages for a company under any compliance regulation. The IT engineer/admin(s) will face tribal council and one will be blamed for it. They probably won't have a career in IT again.
Now imagine the IT dept keeps its mouth shut and brushes it under the rug. No one will know, no one will need to know.
Cybercrime is the new terrorism! The new war on drugs!
Something we can 'fight' forever and spread a lot of money around. (most of it to ourselves and business partners)
Why do you hate America? Do you want the evil cyberterrorist criminals to steal your identity and rape your dog?
I work in a place that gets many calls related to phishing scams. You would not believe how many people argue with you on the legitimacy of the letter; they just don't understand why the money hasn't come to them yet. I don't believe that in the past 5 years I've been here the volume has decreased. It hasn't increased either; it tends to be steady every year.
My own parents were hit with a rental scam (even though I had told them to always ask me first about anything fishy). It was "hey, we'll sign a contract, here's a money order, oh crap, we sent you too much, can you send the difference back." They lost $500, but learned a lesson and changed how they do rental agreements as a result.
So 1 fish is out of the sea, but unfortunately, with billions of people on the planet, there are plenty of suckers out there. Also, many of these scams appeal to the get-rich-quick mentality of people. I mean, how come other scams keep working unless people have this need that "maybe this is the time this works and I can stop working or afford "?
To people thinking that every generation will get more computer savvy and this will go away, I tend to disagree. Just because a generation is tech savvy doesn't mean they won't fall for the temptation to make money quick, even if it does sound too good to be true.
Anyway, just my 2 cents.
So we need to fix the surveys! If you get asked about how much you lost to cybercrime, claim to be a cybercriminal and give negative numbers. "I made $2 million in my Nigerian Prince scam. Would you help me smuggle money out of my country before my usurper cousin recovers it?"
Just like there will always be too much offline crime. Why?
(1) More crime means bigger budgets for MANY administrative agencies
    (i) it's easier for certain groups to sell their bullshit antivirus products that do nothing
    (ii) it's easier for certain groups to push through restrictive legislation ostensibly aimed at curbing "cybercrime"
(2) More crime means more people are scared
(3) More crime means more "news"
Crime is too profitable to fight too hard!
Over reported? Possibly. Is it still a problem that is a long way from being solved? Yes.
Just last week the university that I work at suffered a significant phishing attack that compromised a large number of email accounts (we don't have a complete count yet - the phisher turned around and used those accounts to send out spam and he didn't use all of them at one time). How did it work? Well, it wasn't very sophisticated - a dupe of our webmail login page (at a different URL) and an email that said "dear {university} account user...blah...account being locked...blah...go to this page {link to copy of page with fugly URL}...blah" from a Yahoo address. And the students (arguably an intelligent bunch, and most young enough to know how computers and phishers work) drank the kool-aid, clicked on the link and, in the end, made quite a mess.
I've actually been in the room when people have said "hey, this Nigerian prince thing looks like a good idea". I've spoken with people who let a phone caller from "Microsoft" take control of their PC. And it comes from both sides. I've received legitimate emails from my bank that I could've sworn up and down were from a spammer (unsolicited, from someone I've never met, from a branch that I don't go to, poorly formatted and offering me a free credit card) but which, upon further review (I checked the email address and the phone number provided in the email with the bank's fraud division), were legit. That irks me the most because it just encourages people to accept stuff that doesn't pass the smell test.
The more press this kind of thing gets the better. I'm not saying it should take headlines and mindspace from other, worthy causes, but the fact is that people - including me - are stupid. If you don't hit us over the head every once in a while to remind us why we ought not to do this, then we probably will.
That is all.
If you are a member of a non-profit that exists to educate and inform about specific harm X, you should make sure to inflate your figures so that it seems there's a Biblical plague of X out there. Job security is guaranteed this way. If you just leave it up to X to manifest itself, you could be out of a job real quick. The biggest user of this theory is government itself, which is going to invent waves of drug dealers, Nazis, terrorists, fundamentalists, pedophiles and corporate men in black in order to justify the 30% of your paycheck that it appropriates.
...there is never an under-estimation reported.
Say what again?
I'm a good cook. I'm a fantastic eater. - Steven Brust
Having dug into some of the statistics publicized for the drug war, I would say that merely having "absurdly bad statistical methods" could be an improvement. In the drug war, statistics are frequently more or less made up. Remember, the people funding this research have a vested interest and a strong desire to have the numbers come out the way they want them to and, no surprise, they generally do. There are whole institutes, such as the Center on Addiction and Substance Abuse at Columbia University, whose statistics I regard as consistently untrustworthy.
I would not be too surprised to see the same dynamic, and even the same people, involved in the cybercrime statistics game.
It is not just that we are a long way from solving the problem of computer crime; we are not even trying to solve it. We are still sluggish on deploying digital cash (no, not Bitcoin, more like Chaum), relying on traditional systems of banking that have been translated into electronic forms (debit cards, credit cards, PayPal, etc.). We are still relying on passwords to protect money, personal information, and so forth. We are still relying on the From: field in an email to determine who the email came from. When things go wrong, we just call up the police and do nothing to fix the inherent security problems that made the attack possible.
Is it any wonder computer crime remains a serious problem? Society has not yet adjusted its thinking to align with the computer age. People have no concept of how easily emails can be forged -- one of my favorite demos to give people is to send them an email that has their own email address in the "From" field. There is also a general lack of technical knowledge that creates problems for people; a friend once told me that by password-protecting her BIOS, she could ensure that a thief would not be able to read her hard drive (she was shocked when I made her aware that a thief could just remove her laptop's hard drive and insert it into a different computer).
Eventually society will catch up. People eventually learned that traditional sword fighting tactics need to be dropped when you are dealing with firearms. In a few decades, computer security will improve out of necessity. Unfortunately, the time between now and then will be painful.
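Two posts above describe the same weakness from opposite ends: the university lure (a copy of the webmail login page at a different URL, mailed from a Yahoo address) and the demo of sending someone mail with their own address in From:. The following is an added example, not code from either poster, showing what a receiving side can actually check: the header From: is free text, so it is compared against the SMTP envelope sender (recorded as Return-Path by the receiving MTA) and the SPF/DKIM verdicts the MTA stamps into Authentication-Results, and every link in the body is checked against the organisation's own domain. The organisation domain `example.edu`, the lure host under `example.net`, the addresses and the Authentication-Results lines are all constructed for the example; nothing here comes from the posts.

```python
"""Added example: triage a mail for the two signals discussed in the thread.
All domains, addresses and header values below are constructed sample data."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"  # assumed organisation domain; the posts name none
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(header_value):
    """Domain part of the first address in a header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_result(msg, mechanism):
    """Read 'spf=pass', 'dkim=fail', ... from Authentication-Results.
    The receiving MTA stamps this header; a message you built yourself has none."""
    match = re.search(r"\b%s=(\w+)" % mechanism, msg.get("Authentication-Results", ""))
    return match.group(1).lower() if match else "none"


def links_outside_org(msg):
    """URLs in the body whose host is not ORG_DOMAIN or a subdomain of it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    outside = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
            outside.append(url)
    return outside


def triage(raw):
    """Compare the unauthenticated From: header with the envelope sender and
    the MTA's SPF/DKIM verdicts, and list links that leave the organisation."""
    msg = message_from_string(raw, policy=policy.default)
    header_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    return {
        "header_from_domain": header_domain,
        "envelope_domain": envelope_domain,
        # DMARC-style alignment: From: must match the domain that SPF/DKIM vouch for
        "aligned": bool(header_domain) and header_domain == envelope_domain,
        "spf": auth_result(msg, "spf"),
        "dkim": auth_result(msg, "dkim"),
        "links_outside_org": links_outside_org(msg),
    }


def build_forged_message(victim):
    """The demo from the post: From: is whatever the sender types."""
    msg = EmailMessage()
    msg["From"] = victim
    msg["To"] = victim
    msg["Subject"] = "did you send this?"
    msg.set_content("Nothing in this message proves who sent it.")
    return msg.as_string()


# Constructed lure modelled on the university incident: a webmail clone on a
# look-alike host, sent from a free-mail account. SPF and DKIM both pass,
# because the attacker really does control the yahoo.com mailbox.
RAW_LURE = """\
Return-Path: <helpdesk1234@yahoo.com>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=yahoo.com; dkim=pass header.d=yahoo.com
From: "IT Helpdesk" <helpdesk1234@yahoo.com>
To: student@example.edu
Subject: Dear example.edu account user
Content-Type: text/plain; charset=us-ascii

Dear example.edu account user,
Your account is about to be locked. Log in now to keep it active:
http://webmail-example-edu.example.net/login/index.php
"""

# The forged-From demo as the victim's MTA would see it: the envelope sender is
# the attacker's own domain, so SPF passes for example.net while From: says example.edu.
RAW_FORGED_AS_RECEIVED = (
    "Return-Path: <someone@example.net>\n"
    "Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.net; dkim=none\n"
    + build_forged_message("alice@example.edu")
)

if __name__ == "__main__":
    for name, raw in (("lure", RAW_LURE), ("forged", RAW_FORGED_AS_RECEIVED)):
        print(name, triage(raw))
```

The point the two results make together: the lure is perfectly "authentic" by SPF and DKIM (the attacker owns the Yahoo mailbox), so the only usable signals are the non-organisation sender and the link host; the forged message passes SPF for the attacker's domain, and only the alignment check between From: and the envelope domain exposes it. A user reading the From: line sees neither.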
Oh noes, he said something true that I don't like. Quick, mod it down! If you just mod hard enough eventually 2+2 will equal 5.
You were modded down because you're an asshole, posting off-topic. I humbly request anyone with a spare mod point to make this troll's day:
2+2 = 5
are going to be high by default. If all the compromised information was to be used to its fullest extent without regard for protecting the identity of the attacker, it would be the equivalent of X dollars lost, so report X to be the loss. If someone gets at your data, odds are good they won't be foolish enough to use it themselves, which means they need to take the time to track down a market for whatever data was stolen, and even then some of what was compromised may not be used for one reason or another. It's very rare for 100% of the projected cost of a cyberattack against you to come to fruition. Even with a DoS-type attack, not all of the customers that appear during the time you're down will go elsewhere for their goods or services; some will be return customers who will wait and check back later, so your number is still going to be high.
I once had a student who constantly made reports to the police (and any other authority figure, regardless of their relevance) about the Cyberterrorists (who have his password) that kept doing things to him, because they were evil Cyberterrorists (who have his password!). Seriously. Every time he used the word Cyberterrorists, it was immediately followed by "(who have my password!)". Apparently it never occurred to him to just change his password. He used them as an excuse for _everything_.
He filed an appeal on his grade of F- in my course on the grounds that Cyberterrorists (who have his password!) kept stealing and/or vandalizing his car. He also blamed them for his car being smashed into the side of a parked transport truck while he was driving it (the car, not the truck), and was very angry that the police hadn't arrested them yet.
He also felt that the person next to him during the exam was one of them, and also copied answers from his test, so he wanted their identity information so he could sue them for copyright infringement (yes, on test answers, most of which were multiple choice), so I'm not sure how much credit I can give his claims.
I'm pretty sure that in my city, he accounts for at least 50% of the "reported" cybercrime, but by now the police probably don't even include his reports in the statistics.