Security%20Economics%20and%20Public%20Policy

1
Security Economics and Public Policy

• Ross Anderson
• Cambridge University

2
Economics and Security

• The link between economics and security atrophied
  after WW2
• Over the last six years, we have started to apply
  economic analysis to information security
• Economic analysis often explains security failure
  better then technical analysis!
• Information security mechanisms are used
  increasingly to support business models (DRM,
  accessory control) rather than to manage risk
• So economic analysis is vital in several ways for
  the public policy aspects of security

3
Traditional View of Infosec

• People used to think that the Internet was
  insecure because of lack of features crypto,
  authentication, filtering
• So engineers worked on providing better, cheaper
  security features AES, PKI, firewalls
• About 1999, we started to realize that this is
  not enough

4
Incentives and Infosec

• Electronic banking UK banks were less liable for
  fraud, so ended up suffering more internal fraud
  and more errors
• Distributed denial of service viruses now dont
  attack the infected machine so much as using it
  to attack others
• Health records hospitals, not patients, buy IT
  systems, so they protect hospitals interests
  rather than patient privacy
• Why is Microsoft software so insecure, despite
  market dominance?

5
New View of Infosec

• Systems are often insecure because the people who
  could fix them have no incentive to
• Bank customers suffer when bank systems allow
  fraud patients suffer when hospital systems
  break privacy everyone suffers when infected PCs
  spam you
• In IT markets, firms ship too little security
  when building market share, then add lots (of the
  wrong kind) to lock customers in
• What about the economics of crime?

6
Chip and PIN fraud

• In 19924, banks said ATM fraud cant happen
  so their staff got lazy and it did
• Chip and PIN is now following the same pattern
• Widespread card cloning via skimmers at petrol
  stations, linked to Tamil Tigers
• Nice cosy deal between banks and police stops you
  reporting card fraud any more except to your bank
  (crime stats down, bank control up)
• So terrorist activity in UK is discovered by Thai
  police, not by UK police!

7
If banks control crime reporting

• Will there be an end to stories like this?

8
Phishing

• Bank customer lured to bogus website
• Money transferred from / via her account
• Losses last year 36m UK, gt 100m USA
• One gang (Rockphish) does over half!
• Technical measures arent going to fix this
• Banks trained customers to click on links
• IE toolbar was broken before it shipped
• 2-factor auth will be met by real-time MITM

9
Studying the Phishermen

• Stolen money gets shipped through 2 or 3 hacked
  accounts, then turned into eGold
• You might think its because eGold doesnt
  respond to warrants but they now do
• Its actually about transaction revocability!
• The typical bank recovers 6095 of phished funds
  (the one that does only 60 gets hit for most of
  the losses)
• Whats the right regulatory response?

10
The old way of working

• If someone did a wire fraud, or a cheque fraud,
  the money would be got back
• When I bought a car, I paid Lloyds 40 for a bank
  draft to insure the dealer against the cheque
  bouncing later
• In business, you had acceptance of bills,
  factoring without recourse, LCs,
• The risk of giving a customer an irrevocable
  instrument was recognised and priced

11
The problem and solution

• There are more and more places to get free bank
  drafts, and theyre attracting the villains
• eGold, Western Union, Finnish banks
• Proposed regulatory change any financial
  institution that sells an irrevocable instrument
  (including cash) for stolen funds should be
  liable
• Time limit maybe 90 days
• This will be a better way to deal with nonbanks
  than trying to regulate them fully

12
The way forward

• Phishing, keyloggers, etc are here to stay
• As well as having a few big bent insiders, well
  have many compromised accounts at any time
• We must move from payment system integrity to
  payment system resilience
• Make counterparty risks (payment, fraud, legal,
  data-security) transparent, so the market can
  price them
• This will benefit banks, customers and the police

13
Regulatory failures

• Right now, the UK is heading the wrong way
• Banks TCs dump transaction risk
• HO agreement undermines reporting
• Plan to make cheque payments irrevocable after 7
  days from November
• Pathetic enforcement, dismal forensics
• Dispersed responsibility Home Office, FSA,
  Treasury, ACPO, APACS with everyone pursuing
  narrow selfish agendas
• Risk failure of trust in UK financial sector,
  opportunity cost of lack of trust in e-business

14
More

• Economics and Security Resource Page
  www.cl.cam.ac.uk/rja14/econsec.html (or follow
  link from my home page)
• Foundation for Information Policy Research
  www.fipr.org