Security Economics and Public Policy Ross Anderson Cambridge University.

ecrime congress 27/3/07

Economics and Security
- The link between economics and security atrophied after WW2
- Over the last six years, we have started to apply economic analysis to information security
- Economic analysis often explains security failure better than technical analysis!
- Information security mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk
- So economic analysis is vital in several ways for the public policy aspects of security

Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?

New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; everyone suffers when infected PCs spam you
- In IT markets, firms ship too little security when building market share, then add lots (of the wrong kind) to lock customers in
- What about the economics of crime?

Chip and PIN fraud
- In 1992–4, banks said ‘ATM fraud can’t happen’ – so their staff got lazy and it did
- Chip and PIN is now following the same pattern
- Widespread card cloning via skimmers at petrol stations, linked to Tamil Tigers
- Nice cosy deal between banks and police stops you reporting card fraud any more except to your bank (crime stats down, bank control up)
- So terrorist activity in UK is discovered by Thai police, not by UK police!

If banks control crime reporting…
- Will there be an end to stories like this?

Phishing
- Bank customer lured to bogus website
- Money transferred from / via her account
- Losses last year: £36m UK, > $100m USA
- One gang (‘Rockphish’) does over half!
- Technical measures aren’t going to fix this
- Banks trained customers to click on links
- IE toolbar was broken before it shipped
- 2-factor auth will be met by real-time MITM

Studying the Phishermen
- Stolen money gets shipped through 2 or 3 hacked accounts, then turned into eGold
- You might think it’s because eGold doesn’t respond to warrants – but they now do
- It’s actually about transaction revocability!
- The typical bank recovers 60–95% of phished funds (the one that does only 60% gets hit for most of the losses)
- What’s the right regulatory response?

The old way of working
- If someone did a wire fraud, or a cheque fraud, the money would be got back
- When I bought a car, I paid Lloyds £40 for a bank draft – to insure the dealer against the cheque bouncing later
- In business, you had acceptance of bills, factoring without recourse, LCs, …
- The risk of giving a customer an irrevocable instrument was recognised and priced

The problem – and solution
- There are more and more places to get ‘free’ bank drafts, and they’re attracting the villains
- eGold, Western Union, Finnish banks …
- Proposed regulatory change – any financial institution that sells an irrevocable instrument (including cash) for stolen funds should be liable
- Time limit – maybe 90 days
- This will be a better way to deal with nonbanks than trying to regulate them fully

The way forward
- Phishing, keyloggers, etc are here to stay
- As well as having a few big bent insiders, we’ll have many compromised accounts at any time
- We must move from payment system integrity to payment system resilience
- Make counterparty risks (payment, fraud, legal, data-security) transparent, so the market can price them
- This will benefit banks, customers and the police

Regulatory failures
- Right now, the UK is heading the wrong way:
  - Banks’ T&Cs dump transaction risk
  - HO agreement undermines reporting
  - Plan to make cheque payments irrevocable after 7 days from November
  - Pathetic enforcement, dismal forensics
- Dispersed responsibility – Home Office, FSA, Treasury, ACPO, APACS – with everyone pursuing narrow selfish agendas
- Risk: failure of trust in UK financial sector, opportunity cost of lack of trust in e-business

More …
- Economics and Security Resource Page – (or follow link from my home page)
- Foundation for Information Policy Research –