Security Economics and Public Policy - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Security Economics and Public Policy
  • Ross Anderson
  • Cambridge University

2
Economics and Security
  • The link between economics and security atrophied
    after WW2
  • Over the last six years, we have started to apply
    economic analysis to information security
  • Economic analysis often explains security failure
    better than technical analysis!
  • Information security mechanisms are used
    increasingly to support business models (DRM,
    accessory control) rather than to manage risk
  • So economic analysis is vital in several ways for
    the public policy aspects of security

3
Traditional View of Infosec
  • People used to think that the Internet was
    insecure because of a lack of features: crypto,
    authentication, filtering
  • So engineers worked on providing better, cheaper
    security features: AES, PKI, firewalls
  • About 1999, we started to realize that this is
    not enough

4
Incentives and Infosec
  • Electronic banking: UK banks were less liable for
    fraud, so ended up suffering more internal fraud
    and more errors
  • Distributed denial of service: viruses now don't
    attack the infected machine so much as use it
    to attack others
  • Health records: hospitals, not patients, buy IT
    systems, so they protect hospitals' interests
    rather than patient privacy
  • Why is Microsoft software so insecure, despite
    market dominance?

5
New View of Infosec
  • Systems are often insecure because the people who
    could fix them have no incentive to
  • Bank customers suffer when bank systems allow
    fraud; patients suffer when hospital systems
    break privacy; everyone suffers when infected PCs
    spam you
  • In IT markets, firms ship too little security
    when building market share, then add lots (of the
    wrong kind) to lock customers in
  • What about the economics of crime?

6
Chip and PIN fraud
  • In 1992-4, banks said ATM fraud "can't happen",
    so their staff got lazy and it did
  • Chip and PIN is now following the same pattern
  • Widespread card cloning via skimmers at petrol
    stations, linked to Tamil Tigers
  • Nice cosy deal between banks and police stops you
    reporting card fraud any more except to your bank
    (crime stats down, bank control up)
  • So terrorist activity in UK is discovered by Thai
    police, not by UK police!

7
If banks control crime reporting
  • Will there be an end to stories like this?

8
Phishing
  • Bank customer lured to bogus website
  • Money transferred from / via her account
  • Losses last year: 36m UK, >100m USA
  • One gang (Rockphish) does over half!
  • Technical measures aren't going to fix this
  • Banks trained customers to click on links
  • IE toolbar was broken before it shipped
  • 2-factor auth will be met by real-time MITM

9
Studying the Phishermen
  • Stolen money gets shipped through 2 or 3 hacked
    accounts, then turned into eGold
  • You might think it's because eGold doesn't
    respond to warrants, but they now do
  • It's actually about transaction revocability!
  • The typical bank recovers 60-95% of phished funds
    (the one that recovers only 60% gets hit for most
    of the losses)
  • What's the right regulatory response?
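A small added model (not from the slides) of the point above: if phishing effort flows to wherever the attacker keeps the largest share of each stolen pound, the bank with the weakest recovery rate ends up bearing most of the industry's net losses. The banks, recovery rates and the proportional-allocation rule are constructed assumptions; only the 60-95% range and the 36m figure come from the deck.

```python
"""Toy model of where phishing losses land (constructed example).

Each bank recovers a fraction r of phished funds. The attacker keeps
(1 - r) of every pound phished from that bank, so if phishing effort is
spread in proportion to expected take, each bank's net loss is
proportional to (1 - r)**2 and the weakest recoverer carries most of it.
"""
from typing import Dict, Tuple


def attacker_yield(recovery: Dict[str, float]) -> Dict[str, float]:
    """Fraction of each phished pound the attacker keeps, per bank."""
    for bank, r in recovery.items():
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"recovery rate for {bank} must be in [0, 1]")
    return {bank: 1.0 - r for bank, r in recovery.items()}


def effort_share(recovery: Dict[str, float],
                 elasticity: float = 1.0) -> Dict[str, float]:
    """Share of phishing effort each bank attracts.

    elasticity=1 spreads effort in proportion to expected yield; larger
    values model attackers who concentrate harder on the softest target.
    """
    weights = {b: y ** elasticity for b, y in attacker_yield(recovery).items()}
    total = sum(weights.values())
    return {b: w / total for b, w in weights.items()}


def loss_share(recovery: Dict[str, float], total_phished: float = 36e6,
               elasticity: float = 1.0) -> Dict[str, Tuple[float, float]]:
    """Net loss each bank bears after recovery: (amount, share of total)."""
    y = attacker_yield(recovery)
    eff = effort_share(recovery, elasticity)
    losses = {b: total_phished * eff[b] * y[b] for b in recovery}
    total = sum(losses.values())
    return {b: (round(v, 2), round(v / total, 4)) for b, v in losses.items()}


if __name__ == "__main__":
    # Constructed banks: one recovers only 60%, the others 85% and 95%.
    banks = {"WeakBank": 0.60, "MidBank": 0.85, "StrongBank": 0.95}
    for bank, (amount, share) in loss_share(banks).items():
        print(f"{bank:10s} bears {amount:>12,.0f} ({share:.1%} of net losses)")
```

With these rates WeakBank attracts two thirds of the effort but bears about 86% of the net losses, which is the concentration the slide describes.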

10
The old way of working
  • If someone did a wire fraud, or a cheque fraud,
    the money would be got back
  • When I bought a car, I paid Lloyds 40 for a bank
    draft to insure the dealer against the cheque
    bouncing later
  • In business, you had acceptance of bills,
    factoring without recourse, LCs,
  • The risk of giving a customer an irrevocable
    instrument was recognised and priced

11
The problem and solution
  • There are more and more places to get free bank
    drafts, and they're attracting the villains
  • eGold, Western Union, Finnish banks
  • Proposed regulatory change: any financial
    institution that sells an irrevocable instrument
    (including cash) for stolen funds should be
    liable
  • Time limit: maybe 90 days
  • This will be a better way to deal with nonbanks
    than trying to regulate them fully

12
The way forward
  • Phishing, keyloggers, etc. are here to stay
  • As well as having a few big bent insiders, we'll
    have many compromised accounts at any time
  • We must move from payment system integrity to
    payment system resilience
  • Make counterparty risks (payment, fraud, legal,
    data-security) transparent, so the market can
    price them
  • This will benefit banks, customers and the police

13
Regulatory failures
  • Right now, the UK is heading the wrong way
  • Banks' T&Cs dump transaction risk
  • HO agreement undermines reporting
  • Plan to make cheque payments irrevocable after 7
    days from November
  • Pathetic enforcement, dismal forensics
  • Dispersed responsibility: Home Office, FSA,
    Treasury, ACPO, APACS, with everyone pursuing
    narrow selfish agendas
  • Risk: failure of trust in UK financial sector,
    opportunity cost of lack of trust in e-business

14
More
  • Economics and Security Resource Page
    www.cl.cam.ac.uk/rja14/econsec.html (or follow
    link from my home page)
  • Foundation for Information Policy Research
    www.fipr.org