Cybercrime sucks (for criminals)

Bruce Schneier comments on an NYT report on cybercrime that shows that there's just not much money to be had in being a ripoff artist. Dinei Florêncio and Cormac Herley wrote:

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.

The authors frame cybercrime as a "tragedy of the commons," where the overfishing (overphishing) by crooks has reduced everyone's margins to nothing, making it hard graft indeed. Meanwhile, cybercrime estimates are subject to the same lobbynomics used to calculate losses from music downloading and profits from drug seizures:

Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can't be canceled.
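The arithmetic in the quoted passage, worked through as an added example (not code from the original post or from Florêncio and Herley): a constructed 5,000-respondent sample is extrapolated to 200 million people, so one false $25,000 claim adds $1 billion to the naive estimate. The trimmed estimator is an assumption added here to show why discarding the top fraction of reports before extrapolating caps the damage a single outlier can do.

```python
from statistics import mean

POPULATION = 200_000_000  # population the survey is scaled up to (from the quoted passage)
SAMPLE_SIZE = 5_000       # respondents surveyed (from the quoted passage)


def scale_factor(population=POPULATION, sample_size=SAMPLE_SIZE):
    """Each respondent stands in for population / sample_size people (40,000 here)."""
    return population / sample_size


def build_sample(n=SAMPLE_SIZE, honest_loss=0, false_claim=None):
    """Constructed sample: every respondent reports honest_loss; optionally one
    respondent instead makes a false claim (the outlier the passage warns about)."""
    sample = [honest_loss] * n
    if false_claim is not None:
        sample[0] = false_claim
    return sample


def naive_estimate(losses, population=POPULATION):
    """Naive survey extrapolation: mean reported loss times population size."""
    return mean(losses) * population


def trimmed_estimate(losses, trim_fraction=0.01, population=POPULATION):
    """Assumed robustification: drop the top trim_fraction of reports before
    extrapolating, so one inflated claim cannot dominate the total."""
    ordered = sorted(losses)
    keep = len(ordered) - int(len(ordered) * trim_fraction)
    return mean(ordered[:keep]) * population


def spurious_contribution(false_claim):
    """Dollars a single false claim adds to the naive national estimate."""
    return false_claim * scale_factor()


if __name__ == "__main__":
    honest = build_sample(honest_loss=10)
    with_outlier = build_sample(honest_loss=10, false_claim=25_000)
    print("scale factor:", scale_factor())
    print("naive, honest sample:", naive_estimate(honest))
    print("naive, one false $25k claim:", naive_estimate(with_outlier))
    print("trimmed, one false $25k claim:", trimmed_estimate(with_outlier))
    print("spurious contribution of $25k claim:", spurious_contribution(25_000))
```

Trimming removes the single outlier and returns the honest-sample figure, but it is not free: the same cut also discards the rare genuine large loss, so an estimator that clips the tail will understate a skewed distribution even when every respondent is truthful. That tension, not the extrapolation itself, is the statistical problem the quoted passage is pointing at.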

Cybercrime as a Tragedy of the Commons

  1. It wouldn't surprise me if the figures are over-inflated. But choosing a random sample and then extrapolating is an accepted statistical technique for estimation. Choosing a representative sample and asking the right questions is difficult but the approach is sound.
    Also this quote, "… since no one can claim negative losses, the error can't be canceled." People can (and probably do) underreport or fail to report losses.

  2. Certainly we should be as worried about these phishers as our elders were of dippers, flimps, and mutchers.
