Sex, Lies and Cyber-crime Surveys

We often hear extravagantly large numbers tossed around for cyber-crime losses. Mostly, we find in a new paper, these numbers are completely unreliable. They’re based on self-reported numbers, where a single lie or  exaggeration, from a single respondent is all it takes to generate a wildly inaccurate estimate. Errors don’t cancel, and errors to the high side are unbounded.

“You should never trust user input” says one standard text on writing secure code [19]. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unveri ed user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy.

Posted in Uncategorized | Leave a comment

Mules lose money, phishing victims do not lose money

US consumer protections against fraud ensure that irreversible untraceable transactions are hard, and hence mules are necessary. Mules essentially receive bad transfers and initiate good ones. A surprising consequence is that in the series of transfers between victim, mule and attacker it is really the mule’s rather than the bank’s or the victim’s money that is stolen. This means that the size of the online fraud business is determined not by the number of credentials that can be stolen, but by the number of mules who can be recruited, and how much they can send. This suggests an explanation for the fact that stolen credentials sell for small fractions of the underlying account value:  there is shortage of mules. It also suggests that banks find nvestments in back-end fraud detection provides greater return on  investment than front-end schemes such as stronger authentication.

Paper at:

Posted in Uncategorized | Leave a comment

Questions on an Internet kill switch


  • Is such a switch possible? 

Possible, though not easy. The Internet was designed to be robust and has done a pretty good job. To really stop access for a majority of people would really require going after DNS servers or switches en masse.

  • What would it take to put it in place? 

Rather than have every switch and router wired to shut down on receiving a signal from a big red button on POTUS’ desk  it’d probably be easier to do by just ordering major carriers to shut things down. Assuming that they’ll comply with such an order in a time of crisis that would do. I.e. you don’t engineer a disable mechanism into the whole Internet you just tell enough of the critical carriers to shut things down when required. That can be better than trying to engineer a disable mechanism into the infrastructure. The problem with building in a disable mechanism  is that if someone figures how to hack into it you’ve just handed them a way to shut everything down. Talk about a tempting target.

  • Is it a good idea technically? Or more to the point, will it do any good? 

It seems like a solidly bad idea. First, (as above) building a disable function in is adding another poorly understood vulnerability. Second, it’s pretty likely that there’ll be undesired consequences of shutting things down. None of us have an exhaustive picture of stuff that will stop working if we shut things down. For all we know there are babies in ventilators controlled by machines that poll the Internet for something or other. Now it’s a really, really bad idea that babies in ventilators have any such dependency but you don’t know what stops working until you hit the switch.  Third, shutting down communications channels has a mixed history.  It seems to be a tool more used by those who are also happy shutting down TV, newspapers etc.

Posted in Uncategorized | Leave a comment