Slide 1: Security Economics and Public Policy
Ross Anderson, Cambridge University
Slide 2: Economics and Security (ecrime congress, 27/3/07)
- The link between economics and security atrophied after WW2
- Over the last six years, we have started to apply economic analysis to information security
- Economic analysis often explains security failure better than technical analysis!
- Information security mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk
- So economic analysis is vital in several ways for the public policy aspects of security
Slide 3: Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough
Slide 4: Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?
Slide 5: New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; everyone suffers when infected PCs spam you
- In IT markets, firms ship too little security when building market share, then add lots (of the wrong kind) to lock customers in
- What about the economics of crime?
Slide 6: Chip and PIN fraud
- In 1992–4, banks said ‘ATM fraud can’t happen’ – so their staff got lazy and it did
- Chip and PIN is now following the same pattern
- Widespread card cloning via skimmers at petrol stations, linked to Tamil Tigers
- Nice cosy deal between banks and police stops you reporting card fraud any more except to your bank (crime stats down, bank control up)
- So terrorist activity in UK is discovered by Thai police, not by UK police!
Slide 7: If banks control crime reporting…
- Will there be an end to stories like this?
Slide 8: Phishing
- Bank customer lured to bogus website
- Money transferred from / via her account
- Losses last year: £36m UK, > $100m USA
- One gang (‘Rockphish’) does over half!
- Technical measures aren’t going to fix this
- Banks trained customers to click on links
- IE toolbar was broken before it shipped
- 2-factor auth will be met by real-time MITM
Slide 9: Studying the Phishermen
- Stolen money gets shipped through 2 or 3 hacked accounts, then turned into eGold
- You might think it’s because eGold doesn’t respond to warrants – but they now do
- It’s actually about transaction revocability!
- The typical bank recovers 60–95% of phished funds (the one that does only 60% gets hit for most of the losses)
- What’s the right regulatory response?
Slide 10: The old way of working
- If someone did a wire fraud, or a cheque fraud, the money would be got back
- When I bought a car, I paid Lloyds £40 for a bank draft – to insure the dealer against the cheque bouncing later
- In business, you had acceptance of bills, factoring without recourse, LCs, …
- The risk of giving a customer an irrevocable instrument was recognised and priced
Slide 11: The problem – and solution
- There are more and more places to get ‘free’ bank drafts, and they’re attracting the villains
- eGold, Western Union, Finnish banks …
- Proposed regulatory change – any financial institution that sells an irrevocable instrument (including cash) for stolen funds should be liable
- Time limit – maybe 90 days
- This will be a better way to deal with nonbanks than trying to regulate them fully
Slide 12: The way forward
- Phishing, keyloggers, etc are here to stay
- As well as having a few big bent insiders, we’ll have many compromised accounts at any time
- We must move from payment system integrity to payment system resilience
- Make counterparty risks (payment, fraud, legal, data-security) transparent, so the market can price them
- This will benefit banks, customers and the police
Slide 13: Regulatory failures
- Right now, the UK is heading the wrong way:
  - Banks’ T&Cs dump transaction risk
  - HO agreement undermines reporting
  - Plan to make cheque payments irrevocable after 7 days from November
  - Pathetic enforcement, dismal forensics
  - Dispersed responsibility – Home Office, FSA, Treasury, ACPO, APACS – with everyone pursuing narrow selfish agendas
- Risk: failure of trust in UK financial sector, opportunity cost of lack of trust in e-business
Slide 14: More …
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
- Foundation for Information Policy Research – www.fipr.org