Every year, the Workshop on the Economics of Information Security (WEIS) gathers renowned social and computer scientists (both from and outside academia). At WEIS, the economic implications of information security are discussed. It's a fantastic interdisciplinary event: it covers topics like vulnerability discovery, disclosure, and patching (classical, technical topics), as well as models and analysis of online crime and behavioral security and privacy (newer topics). This year, WEIS will be held in Brussels, Belgium, in the summer. You can find more information here if you'd like to attend.
A group of researchers led by Ross Anderson (University of Cambridge) presented a paper at WEIS 2019 which updates and expands the findings of a 2012 study. That first study focused on measuring the costs of cybercrime and highlighted the costs society has to incur from different angles, using available data from government reports and other reliable sources. The data on which these scientists base their analyses are mostly from the UK and the US. The most recent study depicts how the costs of cybersecurity have changed over the last seven years.
The following table shows a summary of the findings of the paper.
Figure 1. Summarizing table from Anderson et al. (2019)
In this post, we will focus on some of these, which are described in section three of the paper (What We Know).
What has changed
The researchers mention, as most of us know, that changes at the technological and societal levels might help us to understand how cybercrime is evolving. Mobile devices have replaced PCs and laptops. Social networks are widespread. Many services have migrated to the cloud, as well as a lot of corporate and personal data. There are plenty of Uber-like services (this is obviously linked with the proliferation of mobile devices). Cryptocurrencies grew enormously. The authors also indicate that we have seen denial of service (DoS) attacks perpetrated by state actors.
From the article, it’s worth mentioning what they mean by cybercrime (Anderson et al., 2019, p.3):
1. Traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems.
2. Publication of illegal content over electronic media (child sexual abuse material or incitement to racial hatred).
3. Crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.
The following sections summarize some of the findings that captured our attention.
Online card and banking fraud
Payment fraud has doubled since 2012, but it has also fallen slightly as a proportion of turnover. Online payment systems have gotten much bigger and more efficient worldwide, the authors explain. In the UK in 2010, this type of fraud is estimated to have accounted for losses of £441m. In 2017, the figure jumped to £731.8m. In contrast, officials have estimated that potential losses of £1.4bn were prevented.
It's also estimated that 55% of card-not-present fraud losses come from e-commerce. Around 11.2 million credit cards were compromised, and the cost of reissuing them is around $98m. For 2017, 4 million cards were exposed, representing $35m.
Online banking fraud also increased. In 2011, online banking fraud was estimated at £51.1m in the UK, whereas in 2017 it grew to £121.4m (more than double). In the case of phone banking fraud, over the same period, losses are reported to have risen from £22.2m to £28.4m.
In other European countries, online card fraud between 2012 and 2016 is estimated at €1.8bn. Of that figure, the largest portion pertains to card-not-present scams, up to €1.32bn, and, it's worth mentioning, it's the only component that is growing (ATM and POS fraud fell quickly).
A newer cybercrime is authorized push payment fraud, which happens when fraudsters deceive consumers or individuals at a business into making payments under false pretenses to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realize they have been conned. The researchers referred to an estimate of £236m over more than 43,000 incidents in the UK alone.
Ransomware and cryptocurrencies
Ransomware has been around since the 2000s; with the emergence of cryptocurrency, it has intensified. Estimates for the first three quarters of 2012 show losses between £1.9m and £3.8m. Other researchers (cited by Anderson et al.) later found that CryptoLocker, a ransomware program requesting bitcoin payments, could have caused losses between $300m and $1100m in five months in 2013-2014. Another piece of research found criminal revenues from ransomware of nearly $16m between 2015 and 2017.
Cryptojacking is another cybercrime. It involves compromising computers so that their resources can be used to mine cryptocurrency silently. One study found that more than 4% of the Monero digital currency was mined by criminals, with an estimated profit of $56m.
The alleged attacks against cryptocurrency exchanges have been prominent in the news. Mt. Gox and Youbit are clear examples of cybercrimes creating significant losses for digital currency owners. In 2018 alone, a report from ChainAnalysis showed that these exchanges lost $1bn, and, remarkably, most of the attacks came from two groups of criminals.
Finally, the researchers also mention two events worth noting. First, cryptocurrency markets have been manipulated, making this type of cybercrime bigger and more complex. Second, Initial Coin Offerings (ICOs) are another relevant story involving cryptocurrency and losses.
Where are we headed?
The picture Anderson et al. provide is genuinely insightful, albeit partial. What is the situation in other countries? Are they better or worse compared to these figures? The changing environment of the last seven years eclipsed some crimes but allowed others to grow. Criminals evolve, too; there is no doubt that incentives for this will always exist. In their concluding statement, the researchers call for more investment in responding to crimes and for cutting investment in prevention and defenses. We respect this view and acknowledge that part of it is not an oxymoron from a public policy perspective. We don't think investments should be cut, but resources should be better allocated.
At Fluid Attacks, we're committed to contributing to improving the safety of organizations by putting some pressure (testing by attacking) on their mission-critical systems. How do we do it? Check our hacking services, as well as our solutions. We can provide IT and risk management insights continuously and, thus, help you properly prioritize your resources, closing open holes to bad guys.
In an upcoming post, we will continue discussing some other frauds studied by this remarkable group of cybersecurity researchers.
We hope you enjoy reading this post! Want to say something? Do get in touch with us!