Evolution of Cybercrime Costs (I)Impact of cybercrime today portrays a new landscape
Every year, the Workshop on the Economics of Information Security (WEIS) gathers renowned social and computer scientists (both from and outside academia). In WEIS, the economic implications of information security are discussed. It’s a fantastic interdisciplinary event: it covers topics like Vulnerability discovery, disclosure, and patching (classical, technical), as well as Models and analysis of online crime and Behavioral security and privacy (newer stuff).
This year, the WEIS will be held in Brussels, Belgium, in the summer. You can find more information here if you’d like to attend.
A group of researchers led by Ross Anderson (University of Cambridge) presented a paper in WEIS 2019 (available here) which updates and expands findings from a 2012 study. That first study focused on measuring costs of cybercrime and highlighted the costs society has to incur from different angles, using available data from government reports and other reliable sources. The data from which these scientists make their analyses are mostly from the UK and the US. The most recent study depicts how the costs of cybersecurity have changed for the last seven years.
The following table shows a summary of the findings of the paper.
In this post, we will focus on some of these, which are described in section three of the paper (What We Know).
What has changed
The researchers mention, as most of us know, that changes at the technological and societal levels might help us to understand how cybercrime is evolving. Mobile devices have replaced PCs and laptops. Social networks are widespread. Many services have migrated to the cloud, as well as a lot of corporate and personal data. There are plenty of Uber-like services (this is obviously linked with the proliferation of mobile devices). Cryptocurrencies grew enormously. The authors also indicate that we have seen denial of service (DoS) attacks perpetrated by state actors.
From the article, it’s worth mentioning what they mean by cybercrime (Anderson et al., 2019, p.3):
1. Traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems.
2. Publication of illegal content over electronic media (child sexual abuse material or incitement to racial hatred).
3. Crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.
The following sections summarize some of the findings that captured our attention.
Online card and banking fraud
Payment fraud has doubled since 2012, but it also has fallen slightly as a proportion of turnover. Online payment systems have gotten much bigger and more efficient worldwide, the authors explain. In the UK in 2010, it’s estimated that this type of fraud accounted for losses of ￡441m. In 2017, the figure jumped to ￡731.8m. In contrast, officials have estimated that potential losses for ￡1.4bn were properly avoided.
It’s also estimated that 55% of card-not-present fraud losses are from e-commerce. Around 11.2 million credit cards were compromised, and the cost of reissuing them is around $98m. For 2017, there were 4 million cards exposed, representing $35m.
Online banking of fraud also increased. In 2011, online banking fraud was estimated at ￡51.1m in the UK, whereas in 2017, it grew to ￡121.4m (more than doubled). In the case of phone banking fraud, in the same period, the losses are accounted to have moved from ￡22.2m to ￡28.4m.
In other European countries, the online card frauds between 2012 and 2016 are estimated at €1.8bn. Of that figure, the largest portion pertains to the card-not-present scams, up to €1.32bn, and, it’s worth mentioning, it’s the only component growing (ATM and POS fraud fell at a quick pace).
A newer cybercrime is Authorized push payments (APP). APP fraud happens when fraudsters deceive consumers or individuals at a business to make payments under pretenses to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realize they have been conned. The researchers referred to an estimate of ￡236m over more than 43.000 incidents only in the UK.
Ransomware and cryptocurrencies
Ransomware has been around since the 2000s; with the emergence of cryptocurrency, it has intensified. Estimates in the first three-quarters of 2012 show losses between ￡1.9m and ￡3.8m. Other researchers (which Anderson et al. cited) later found that CryptoLocker, a ransomware program requesting bitcoin payments, could have caused losses between $300m to $1100m in five months in 2013-2014. Another piece of research found criminal revenues between 2015 and 2017 near $16m employing ransomware.
Cryptojacking is another cybercrime. It involves compromising computers so their resources can be used to mine cryptocurrency silently. One study found that more than 4% of the Monero digital currency was mined by criminals, with an estimated profit of $56m.
The alleged attacks against cryptocurrency exchanges have been prominent in the news. Mt. Gox and Youbit are clear examples of cybercrimes creating significant losses for digital currency owners. Only in 2018, a report from ChainAnalysis showed that these exchanges lost $1bn, and remarkably, most of the attacks came from two groups of criminals.
Finally, the researchers also mention two events worth noting. First, cryptocurrency markets had been manipulated, making this type of cybercrime bigger and more complex. Second, Initial Coin Offerings (ICOs) is another relevant story involving cryptocurrency and losses to consumers.
Where are we headed?
The picture Anderson et al. provide is genuinely insightful, albeit partial. What is the situation in other countries? Are they better or worse compared to these figures? The changing environment in the last seven years eclipsed some crimes but allowed others to grow. Criminals do evolve, too; there is no doubt there will always exist incentives for this. In a concluding statement, the researchers call for more investment in reacting to crimes, and to cut it for prevention and defenses. We respect this view and acknowledge that part of it is not an oxymoron from a public policy perspective. We don’t think investments should be cut, but resources should be better allocated.
At Fluid Attacks, we’re committed to contributing to improving the safety of organizations by putting some pressure (testing by attacking) on their mission-critical systems. How do we do it? Check our hacking services, as well as our products. We can provide IT and risk management insights continuously and, thus, properly prioritize your resources, closing open holes to bad guys.
In an upcoming post, we will continue discussing some other frauds studied by this remarkable group of cybersecurity researchers.
We hope you enjoy reading this post! Want to say something? Do get in touch with us!
Data scientist in training.