
Security Economics and Public Policy

Ross Anderson

Cambridge University

ecrime congress 27/3/07

Economics and Security

The link between economics and security atrophied after WW2

Over the last six years, we have started to apply economic analysis to information security

Economic analysis often explains security failure better than technical analysis!

Information security mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk

So economic analysis is vital in several ways for the public policy aspects of security


Traditional View of Infosec

People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering

So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …

About 1999, we started to realize that this is not enough


Incentives and Infosec

Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors

Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others

Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy

Why is Microsoft software so insecure, despite market dominance?


New View of Infosec

Systems are often insecure because the people who could fix them have no incentive to

Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; everyone suffers when infected PCs spam you

In IT markets, firms ship too little security when building market share, then add lots (of the wrong kind) to lock customers in

What about the economics of crime?


Chip and PIN fraud

In 1992–4, banks said ‘ATM fraud can’t happen’ – so their staff got lazy and it did

Chip and PIN is now following the same pattern

Widespread card cloning via skimmers at petrol stations, linked to Tamil Tigers

Nice cosy deal between banks and police stops you reporting card fraud any more except to your bank (crime stats down, bank control up)

So terrorist activity in UK is discovered by Thai police, not by UK police!


If banks control crime reporting…

Will there be an end to stories like this?


Phishing

Bank customer lured to bogus website

Money transferred from / via her account

Losses last year: £36m UK, > $100m USA

One gang (‘Rockphish’) does over half!

Technical measures aren’t going to fix this

Banks trained customers to click on links

IE toolbar was broken before it shipped

2-factor auth will be met by real-time MITM


Studying the Phishermen

Stolen money gets shipped through 2 or 3 hacked accounts, then turned into eGold

You might think it’s because eGold doesn’t respond to warrants – but they now do

It’s actually about transaction revocability!

The typical bank recovers 60–95% of phished funds (the one that does only 60% gets hit for most of the losses)

What’s the right regulatory response?


The old way of working

If someone did a wire fraud, or a cheque fraud, the money would be got back

When I bought a car, I paid Lloyds £40 for a bank draft – to insure the dealer against the cheque bouncing later

In business, you had acceptance of bills, factoring without recourse, LCs, …

The risk of giving a customer an irrevocable instrument was recognised and priced


The problem – and solution

There are more and more places to get ‘free’ bank drafts, and they’re attracting the villains

eGold, Western Union, Finnish banks …

Proposed regulatory change – any financial institution that sells an irrevocable instrument (including cash) for stolen funds should be liable

Time limit – maybe 90 days

This will be a better way to deal with nonbanks than trying to regulate them fully


The way forward

Phishing, keyloggers, etc are here to stay

As well as having a few big bent insiders, we’ll have many compromised accounts at any time

We must move from payment system integrity to payment system resilience

Make counterparty risks (payment, fraud, legal, data-security) transparent, so the market can price them

This will benefit banks, customers and the police


Regulatory failures

Right now, the UK is heading the wrong way:

Banks’ T&Cs dump transaction risk

HO agreement undermines reporting

Plan to make cheque payments irrevocable after 7 days from November

Pathetic enforcement, dismal forensics

Dispersed responsibility – Home Office, FSA, Treasury, ACPO, APACS – with everyone pursuing narrow selfish agendas

Risk: failure of trust in UK financial sector, opportunity cost of lack of trust in e-business


More …

Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)

Foundation for Information Policy Research – www.fipr.org
