Evolution of Cybercrime Costs (I)
Every year, the Workshop on the Economics of Information Security
(WEIS) gathers renowned social and computer scientists (both from and
outside academia). In WEIS, the economic implications of information
security are discussed. It’s a fantastic interdisciplinary event: it
covers topics like Vulnerability discovery, disclosure, and patching
(classical, technical), as well as Models and analysis of online crime
and Behavioral security and privacy (newer stuff).
This year, the WEIS will be held in Brussels, Belgium, in the summer.
You can find more information here
if you’d like to attend.
A group of researchers led by Ross Anderson (University of Cambridge)
presented a paper in WEIS 2019 (available
here)
which updates and expands findings from a 2012 study. That first study
focused on measuring costs of cybercrime and highlighted the costs
society has to incur from different angles, using available data from
government reports and other reliable sources. The data from which these
scientists make their analyses are mostly from the UK and the US. The
most recent study depicts how the costs of cybersecurity have changed
for the last seven years.
The following table shows a summary of the findings of the paper.

Figure 1. Summarizing table from Anderson et al. (2019)
In this post, we will focus on some of these, which are described in
section three of the paper (What We Know).
What has changed
The researchers mention, as most of us know, that changes at the
technological and societal levels might help us to understand how
cybercrime is evolving. Mobile devices have replaced PCs and laptops.
Social networks are widespread. Many services have migrated to the
cloud, as well as a lot of corporate and personal data. There are plenty
of Uber-like services (this is obviously linked with the proliferation
of mobile devices). Cryptocurrencies grew enormously. The authors also
indicate that we have seen denial of service (DoS) attacks perpetrated
by state actors.
From the article, it’s worth mentioning what they mean by cybercrime
(Anderson et al., 2019, p.3):
1. Traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems.
2. Publication of illegal content over electronic media (child sexual abuse material or incitement to racial hatred).
3. Crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.
The following sections summarize some of the findings that captured our
attention.
Online card and banking fraud

Figure 2. from pxfuel
Payment fraud has doubled since 2012, but it also has fallen slightly as
a proportion of turnover. Online payment systems have gotten much bigger
and more efficient worldwide, the authors explain. In the UK in 2010,
it’s estimated that this type of fraud accounted for losses of £441m.
In 2017, the figure jumped to £731.8m. In contrast, officials have
estimated that potential losses of £1.4bn were successfully prevented.
It’s also estimated that 55% of card-not-present fraud losses are from
e-commerce. Around 11.2 million credit cards were compromised, and the
cost of reissuing them is around $98m. For 2017, there were 4 million
cards exposed, representing $35m.
Online banking fraud also increased. In 2011, online banking fraud
was estimated at £51.1m in the UK, whereas in 2017, it grew to £121.4m
(more than doubled). In the case of phone banking fraud, over the same
period, losses are estimated to have risen from £22.2m to £28.4m.
In other European countries, online card fraud between 2012 and
2016 is estimated at €1.8bn. Of that figure, the largest portion
pertains to card-not-present scams, up to €1.32bn, and, it's worth
mentioning, it's the only component that is growing (ATM and POS fraud fell
quickly).
A newer cybercrime is authorized push payment (APP) fraud. APP fraud
happens when fraudsters deceive consumers or individuals at a business
into making payments under false pretenses to a bank account controlled by the
fraudster. As payments made using real-time payment schemes are
irrevocable, the victims cannot reverse a payment once they realize they
have been conned. The researchers referred to an estimate of £236m over
more than 43,000 incidents in the UK alone.
Ransomware and cryptocurrencies

Figure 3. from flickr
Ransomware has been around since the 2000s; with the emergence of
cryptocurrency, it has intensified. Estimates for the first
three quarters of 2012 show losses between £1.9m and £3.8m. Other
researchers (cited by Anderson et al.) later found that
CryptoLocker, a ransomware program demanding bitcoin payments, could
have caused losses between $300m and $1,100m in five months in 2013-2014.
Another piece of research found criminal revenues from ransomware of
nearly $16m between 2015 and 2017.
Cryptojacking is another cybercrime. It involves compromising
computers so their resources can be used to mine cryptocurrency
silently. One study found that more than 4% of the Monero digital
currency was mined by criminals, with an estimated profit of $56m.
Attacks against cryptocurrency exchanges have been prominent
in the news. Mt. Gox and Youbit are clear examples of cybercrimes
creating significant losses for digital currency owners. In 2018 alone, a
report from ChainAnalysis showed that these exchanges lost $1bn, and
remarkably, most of the attacks came from just two criminal groups.
Finally, the researchers also mention two events worth noting. First,
cryptocurrency markets have been manipulated, making this type of
cybercrime bigger and more complex. Second, Initial Coin Offerings
(ICOs) are another relevant story involving cryptocurrency and losses
to consumers.
Where are we headed?
The picture Anderson et al. provide is genuinely insightful, albeit
partial. What is the situation in other countries? Are they better or
worse compared to these figures? The changing environment in the last
seven years eclipsed some crimes but allowed others to grow. Criminals
do evolve, too; there is no doubt there will always exist incentives for
this. In a concluding statement, the researchers call for more
investment in responding to crime, and for cutting spending on prevention and
defenses. We respect this view and acknowledge that part of it is not
contradictory from a public policy perspective. We don't think investments
should be cut, but resources should be better allocated.
At Fluid Attacks, we're committed to contributing to improving the
security of organizations by putting some pressure (testing by attacking)
on their mission-critical systems. How do we do it? Check out our hacking
services, as well as our
solutions. We can provide IT and risk management
insights continuously and, thus, help you properly prioritize your resources,
closing the holes that attackers could exploit.
In an upcoming post, we will continue discussing some other frauds
studied by this remarkable group of cybersecurity researchers.
We hope you enjoy reading this post! Want to say something? Do get in
touch with us!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/cost-cybercrime-i/