The Black Hat Tax
Auren Hoffman at Summation has an interesting post on the “black hat tax.” Essentially, how much do hackers and other online criminals actually cost us? He estimates it at 25% of time and resources, after taking into account not just hackers but also scammers, phishers, and responding to law enforcement requests. According to James Currier (who founded a good number of social-networking type sites, some of which are quite substantial), this “tax” is 25-40% for consumer Internet companies, with it being especially high in unexpected places (like online dating sites.)
That’s a lot of money. More importantly, it’s a lot more money than most managers think we’re spending on security.
Now, the accuracy of these statistics is obviously dubious — even a respected and experienced person’s ad hoc estimate is still just an ad hoc estimate. But it’s worth thinking about this for your company. How much time and effort gets spent on problems that are, if not strictly security problems, problems you wouldn’t have were it not for malicious users? This includes not just the things you do to defend your sites (firewalls, IDS, code reviews, etc.), incident response, and responding to subpoenas. It also includes having to carefully write & test your emails to make sure they don’t get caught in spam filters, and setting up logging & auditing on your sites so you’ll be capable of responding to a subpoena if you get one in the future, and planning for regulatory compliance, and some of your disaster recovery & backup costs. Consider not just purchases of security hardware & software and the hours of work by the security team, but also all the time consumed by product development and IT teams planning for or responding to security threats.
This “black hat tax” is your real security budget. And importantly for security managers, this is a genuine, demonstrated cost, as opposed to the “risk” we spend most of our time talking about. It’s one thing to say the company might suffer a $10 million loss in the case of a data breach, so we need to spend more on security. Managers can go on believing that “it won’t happen to us.” It’s quite another to say that the company already does lose $500,000 every year due to the cost of dealing with malicious users, and that we should spend that same money proactively, on planned security measures, rather than spending it reactively. Don’t think of your security budget as simply mitigating risk — think about what your company is already spending, just not on the security team. Can you prevent some of that cost from being incurred? Can you centralize some of these efforts? Security spending as a way to reduce cost, rather than as a cost center, may be a lot more appealing to your CIO.
The Today Show has a cover story today entitled “Mom lets 9-year-old take subway home alone.” The controversy over this — that is, the fact that there is any — is a wonderful example of how poorly people assess risk in modern society. What this woman, Lenore Skenazy, has done to stir up trouble is to make a decision about her child based on reason rather than emotion (specifically fear) — something that seems frighteningly uncommon today. As she puts it:
“It’s safe to go on the subway,” Skenazy replied. “It’s safe to be a kid. It’s safe to ride your bike on the streets. We’re brainwashed because of all the stories we hear that it isn’t safe. But those are the exceptions. That’s why they make it to the news. This is like, ‘Boy boils egg.’ He did something that any 9-year-old could do.”
She’s right. Most of us in our 30’s today remember growing up in the 1980’s — and it involved riding your bike across town, visiting neighbors, and being unattended for relatively long periods of time. Of course there were unsafe areas – there were parts of cities where people alone really aren’t safe — but these are the exceptions rather than the rule. Today, most parents seem to live in fear, convinced that there are criminals lying in wait to abduct children everywhere. It simply isn’t the case — it never has been, and crime rates are lower today than they were in the 80’s! We have not gotten any less safe, we have simply become so afraid that we think we’re less safe. And this culture of fear is damaging and contagious:
“Half the people I’ve told this episode to now want to turn me in for child abuse. As if keeping kids under lock and key and helmet and cell phone and nanny and surveillance is the right way to rear kids. It’s not. It’s debilitating — for us and for them.”
There are a variety of reasons that people believe that their children are under constant threat. Among them are:
- Vividness criterion: shocking anecdotes stick in our memory more than statistics, and they attract our attention. This is both why the media reports on every bad thing happening to a child, and why we remember them.
- Availability bias: when determining how frequently something happens, rather than turning to statistics we turn to how many cases of it we can remember. Since the news reports on every plane crash, but almost no auto accidents, we think of air travel as riskier even though we know the statistics show differently. Since in this age of pervasive news reporting we hear about crime more often, crime must be more common, even though the statistics show differently.
- Fundamental attribution error: when something happens, we tend to overestimate behavioral causes. So when a child is hurt, we assume the parents did something wrong, even if the event is random and exceedingly rare.
- We overestimate risks from intentional causes and underestimate risks from natural causes. This is probably related to the vividness criterion — someone deliberately hurting a child is more shocking than the child being hurt in a bike accident. The result is that we expect people to be malicious a lot more often than they are, and we think children are more likely to be hurt by criminals than by illness or car accident, once again despite statistics showing otherwise.
In truth, the violent crime rate today in the United States is less than half of what it was in the 1980’s! Most of our burgeoning prison population consists of nonviolent drug offenders, and most violent crime occurs in geographically delimited areas. Skenazy is right — the streets and subways of New York City are as safe as they were in 1963. Crime against children is even lower — the simple fact is that the overwhelming majority of humanity doesn’t want to hurt kids and is inclined to help and protect them.
It’s sad how many normal childhood experiences have been lost to this obsession with safety from small risks — just try to buy a chemistry set today even as an adult and compare it with what was available to young children 20 years ago (or to what’s in The Golden Book of Chemistry Experiments, now available pretty much only via BitTorrent, which begins by teaching children to use an alcohol burner to shape glass tubing. Today, a children’s chemistry set would never be allowed to contain an alcohol burner… or glass tubing.)
The key is this:
“The statistics show that this is an incredibly rare event, and you can’t protect people from very rare events. It would be like trying to create a shield against being struck by lightning.”
She said that people ask her how she would feel if one of those terrible and rare events happened to her son. “It would be horrible,” she said. “But you can’t live your life that way; you could slip in the shower.”
When faced by extremely low risks, the rational response is sometimes to disregard them. Sometimes the response to fear of something is, in aggregate, worse than the thing itself. We of course do the same thing with terrorism, and these same biases cause us to misallocate security dollars in industry, too (how many companies have tens of thousands of dollars in firewall and IDS hardware, but no disaster recovery plan?)
During this year’s Christmas shopping season, I made some large in-person transactions at the same time as my wife made an online transaction, and my credit card was suspended by the issuing bank for potential fraudulent activity. This happens relatively often, whenever someone’s spending patterns are flagged by the neural-network-based automated fraud detection used by all the major credit card issuers. When calling the bank to have the card reactivated, I was told by the customer service representative, “since online transactions are, you know, more dangerous, we tend to notice those.”
This is not an uncommon perception. Many people who think nothing of handing over their credit card or writing a check when at a store or restaurant hesitate to use the same card online, regardless of communication protections (e.g. SSL/HTTPS), third-party assurances like the preposterously-named HackerSafe, or the size and stability of the vendor. After all, it’s the Internet, there are bad people out there.
However, the perception just isn’t true. There are two ways in which the Internet particularly helps thieves, though:
- Once they’ve stolen an identity or credit card number, thieves often use the card online, as they don’t have to present themselves (and thus show up to witnesses and potentially security cameras) to use the card. This is actually probably what the credit card company in my experience meant — not that the transactions are more dangerous, but that fraudsters often use stolen cards online.
- Hackers stealing credit card information online often steal entire databases. They don’t steal your credit card while you’re buying something online — they break into the online store and steal everybody’s card.
However, they could just as easily have broken into the servers of a brick-and-mortar store — it’s not the fact that you used the card online that makes it possible for them to steal it, it would have been just as at risk handing it to a cashier.
In many ways, it’s a lot more risky to make non-cash payments in person! When you hand your credit card to a waiter or clerk or cashier, they could easily copy the number, expiration date, and CCv2 code (the three-digit code on the back that an online site often won’t even get.) With a debit card, they have the opportunity to watch PINs being typed. Whereas in an online store, only relatively few, well-paid professionals will have access to your data (system administrators, etc.), every $7 per hour sales clerk can see a hundred card numbers per day, and probably has significantly more financial motivation to steal them (although in my experience, the fact that someone doesn’t need money won’t stop them from stealing it if they’re the type to steal — just look at Michael Milken, who defrauded people out of hundreds of millions of dollars at the same time he was making hundreds of millions legitimately.)
Some people — usually those of us who remember the days before debit cards — eschew all these fancy online and electronic forms of payment and instead stick to good old fashioned checks. After all, no one can possibly steal those! They’re paper, and have your signature on them. This is the ultimate in perception differing from reality — it’s hard to imagine a less secure way to make a payment than a paper check.
First of all, there’s the ease of committing fraud with checks. A thief with a stolen check (or deposit slip) has all they need to take money from your account — the routing number and account number (found at the bottom of the check in MICR letters.) Note that the thief doesn’t need any kind of ID… or a PIN… or a physical card… or a CCv2 code… or even to know your name. No, the numbers will do. What can they do with a stolen check? There are three basic things:
- Order up a whole book of checks with your information and account numbers on them. No ID is required to order checkbooks online. They can then spend these checks anywhere, and the bank will process them — you probably won’t find out until your account is empty and you start getting NSF notices.
- Remove the amount and recipient from the check and write it out to themselves instead. This is a bigger problem for institutional checks, which are often printed on a laser printer. It’s really easy to remove laser-printed text from an offset-printed check — just lay some Scotch tape over the laser text, rub it hard with your fingernail, and peel the text off. Then you can print out a new amount and recipient with your own laser printer, and it looks just like the real thing. Chemical agents (“check washing”) can do this with ball-point pen ink, too, though it’s not so easy.
- Issue a demand draft (“paperless check”). This is what happens when you pay by phone with your checking account number, or use an automated bill pay service, or send money via PayPal. Using your routing number and account number, money is simply removed from your account and put into someone else’s. No authorization or authentication is used; your name is not even required. Yes, really. Anyone can do this from any account to any other account. For a while, you used to be able to do this from a web site.
Second, there’s the difficulty in getting your money back or even stopping the fraud! With a credit card (and to a lesser extent, a debit card), it’s pretty simple — you call the bank, say you did not authorize a charge, and the credit card company removes the charge. It is then up to them to prove you did make the charge, such as by getting a signed receipt from the merchant and matching your signature. So long as you report the fraud within 30 days, you are not liable — the worst the card company can do to you is to cancel your card (but you still don’t have to pay for the charge you didn’t make.) In theory, you’re liable for up to $50, but almost no card issuers really charge this since it’s terrible customer service (“Sorry you were stolen from! Give us $50!”)
With checks, the money is already gone. If you report a check as fraudulent, there is no federal law saying the bank is liable — it’s up to the bank’s own policies and in some cases a hodgepodge of state laws whether they have to help you at all. The bank may get back to you in 60 to 90 days (during which you don’t have the money, even if it was the entire contents of your checking account.) You have to report the fraud on a paper letter, with a notarized signature, usually by certified mail. What’s more, you have to prove that the checks were not authorized — the burden of proof is on you, not the bank or merchant — and you have to do it to each party from which you’re trying to reclaim money. If a thief wrote bad checks in 20 different jurisdictions, you may be dealing with this for years.
Worse yet, you can’t stop the fraud from taking place. The thief can keep writing checks on your account even after you’ve started reporting them as fraud, and even after you’ve closed the account. Every time the thief writes a bad check on a closed account (the classic practice known as “paperhanging”, a favorite of Frank Abagnale during his criminal youth), your bank will reopen the account and send you an NSF notice. You have to dispute all of these, too. And finally, your account (and possibly your name) will go into ChexSystems (the equivalent of the credit bureaus used to check people’s checking account history) as fraudulent, which will make it difficult or impossible to get new checking accounts for many years. On the bright side, it will make it harder for the thief to open accounts in your name, but that’s little consolation since he can keep using the closed one he already has.
From a security perspective, checking accounts are horrid. They come from a day when authentication and authorization were unheard-of, and security came mainly from the idea that no one would figure out how to subvert the system.
What can you do to protect yourself?
- Don’t use checks. If any method of payment is offered aside from checks, use that.
- Don’t use demand drafts, either — they’re checks. Don’t pay by phone using a checking account number — use a credit/debit card.
- If you must write paper checks, use them only to pay bills, dealing with relatively trusted merchants. It doesn’t make you totally safe, of course, but it helps some. Use gel ink to write checks (it’s harder to wash), or a dot-matrix printer to print them (the impact-printed ink is nigh-impossible to remove.) According to Abagnale’s The Art of the Steal, this makes check-washing nearly impossible (though ordering up new checks in your name still works.) Incidentally, The Art of the Steal is a fantastic (and very short) book, and I highly recommend it to anyone interested in security — it gives a great view into the security mindset, looking at all parts of a system and seeing how it can be subverted.
- Don’t store any more money in your checking account than you have to. You’ll still have to fight every fraudulent transaction to stop the bank trying to collect it from you, but at least you’ll still have your money while you’re doing it.
The sooner we move on from this antiquated and unsafe payment system, the better.
I was reading an article about web scanner coverage and false positives by Larry Suto that RSnake linked to on ha.ckers. Though this is only tangentially related to the actual paper, it reminded me of something interesting — the inevitability of false positives when detecting something rare.
When measuring the error of a detection process, there are three pertinent statistics — Type I error (false positive, detecting something that isn’t really there), Type II error (false negative, missing something that is there), and crossover error rate (the error rate at which the rates of Type I and Type II error are equal — essentially, the minimum error of the process). We normally think of trying to minimize the crossover error rate — after all, we want detection processes that are as accurate as possible — but sometimes one sort of error is objectively worse than the other, so we will choose, say, to minimize false negatives even if this leads to more false positives.
For instance, it is very annoying if the fingerprint scanner used to log onto your laptop fails to recognize you routinely, requiring you to use the reader repeatedly. Thus, too many false negatives annoy the user. Of course, if it let everyone in, that would be even worse, but we’re willing to run the risk that somebody with fingerprints sort of similar to yours might be able to get in if it makes the thing work better. On the other hand, if the fingerprint scanner is on the vault with the nuclear weapons in it, false positives are very bad, while a false negative is really not too terrible — you probably don’t need to access the nuclear weapons very often, so if you need to swipe your finger four times to get in, that’s okay. In this process, you’ll optimize to minimize Type I error, even if this raises your rate of Type II error and your crossover error rate.
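The trade-off described above, as an added example that is not part of the original post. It sweeps an accept threshold over constructed match scores from a hypothetical fingerprint matcher, reports the Type I (false accept) and Type II (false reject) rates at each threshold, finds the crossover point where the two are equal, and shows the threshold a “laptop” policy (never lock out the owner) and a “vault” policy (never admit an impostor) would each pick. The scores, data set names and function names are all my own assumptions.

```python
# Added example (not from the original post): sweeping a match-score threshold
# on a hypothetical fingerprint matcher to see how Type I and Type II error
# trade off, where the crossover (equal error) point lies, and what threshold a
# "laptop" policy or a "vault" policy would choose. Scores are constructed.

# Constructed similarity scores (0-100) from a hypothetical matcher.
# GENUINE: the enrolled user presenting their own finger.
# IMPOSTOR: other people presenting theirs.
GENUINE = [55, 60, 62, 65, 68, 70, 72, 74, 75, 77, 78, 80, 82, 84, 85, 87, 88, 90, 92, 95]
IMPOSTOR = [10, 15, 20, 22, 25, 28, 30, 33, 35, 38, 40, 42, 45, 48, 50, 52, 55, 58, 62, 66]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (type1, type2) at a threshold where a score >= threshold is accepted.

    type1: false positive / false accept rate, the share of impostor attempts let in.
    type2: false negative / false reject rate, the share of genuine attempts refused.
    """
    type1 = sum(1 for s in impostor if s >= threshold) / len(impostor)
    type2 = sum(1 for s in genuine if s < threshold) / len(genuine)
    return type1, type2


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep integer thresholds and return (threshold, type1, type2) where the
    two rates are closest to equal: the crossover error rate of this matcher."""
    best = None
    for t in range(0, 101):
        type1, type2 = error_rates(t, genuine, impostor)
        gap = abs(type1 - type2)
        if best is None or gap < best[0]:
            best = (gap, t, type1, type2)
    return best[1], best[2], best[3]


def vault_threshold(max_type1, genuine=GENUINE, impostor=IMPOSTOR):
    """Policy that minimizes Type I error: the lowest threshold whose false
    accept rate is at most max_type1, whatever that costs in false rejects."""
    for t in range(0, 101):
        type1, _ = error_rates(t, genuine, impostor)
        if type1 <= max_type1:
            return t
    return None


def laptop_threshold(max_type2, genuine=GENUINE, impostor=IMPOSTOR):
    """Policy that minimizes Type II error: the highest threshold whose false
    reject rate is at most max_type2, accepting more impostors in exchange."""
    for t in range(100, -1, -1):
        _, type2 = error_rates(t, genuine, impostor)
        if type2 <= max_type2:
            return t
    return None


if __name__ == "__main__":
    t, fa, fr = crossover()
    print(f"crossover at threshold {t}: type1={fa:.2f} type2={fr:.2f}")
    v = vault_threshold(0.0)
    print(f"vault policy (admit no impostor): threshold {v}, rates {error_rates(v)}")
    l = laptop_threshold(0.0)
    print(f"laptop policy (never reject the owner): threshold {l}, rates {error_rates(l)}")
```

With these constructed scores the crossover sits at a threshold of 61 with both rates at 10%; the vault policy pushes the threshold up to 67 and rejects the real user one time in five, while the laptop policy drops it to 55 and admits one impostor attempt in five. Changing the policy moves the threshold, not the matcher, which is why a product needs the error rates at the operating point it actually ships with, not the crossover figure on the data sheet.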
However, what people often fail to recognize is that error rates become very oddly skewed when the thing to be detected is exceedingly rare. For instance, we currently have many processes in the country designed, ultimately, to detect terrorists — border guards, profiling, no-fly lists, etc. These all have error rates — sometimes, they would miss a real terrorist, and to the dismay of civil libertarians and air travelers everywhere, sometimes they “catch” innocent people.
A Type I error rate of 0.001% sounds pretty good. Imagine you have a terrorist detector with a Type II error rate of zero — it always detects real terrorists. And its Type I rate is only 0.001% — it generates false alarms only one time in 10,000. Sounds great, doesn’t it? We should make use of them immediately! If this thing points out a terrorist, you’ve got the right guy. The government can proudly advertise that their detector is 99.999% accurate.
But wait… there are 280 million people in the United States. How many are actual terrorists? I hope not very many, but let’s be paranoid and imagine there are 1,000 lying in wait (though I’d wager if there were, we might have seen at least one terrorist attack on U.S. soil sometime within the last 5 years.) This means that we’ll be scanning a real terrorist — and set off the alarm, since our terrorist detector has a false negative rate of zero — 0.000036% of the time. Our false positive rate of 0.001% is actually higher than the rate of real terrorists in the population. In fact, while a negative from our terrorist detector is right every time, a positive from it is wrong 97% of the time. In other words, if the alarm goes off, you can be 3% sure that you’ve got the right guy!
Doesn’t sound so good put that way. When the alarm goes off, you can be almost certain (97% certain, at least) that you’ve got an innocent man. The problem of detecting a rare thing without false positives is actually quite difficult.
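The base-rate arithmetic above, as an added example that is not part of the original post. It takes the post’s figures (280 million people, 1,000 suspects, a false negative rate of zero) as parameters; the false alarm rate used is the one-in-10,000 figure, which is what reproduces the 97% stated above (one in 100,000, i.e. 0.001%, gives about 74% instead). It also computes the prevalence directly (1,000 in 280 million is about 0.00036%) and solves for the Type I rate a detector would need before an alarm is even a coin flip. Function names are my own assumptions, and the same functions apply unchanged to any rare-event detector, such as an IDS signature or a fraud rule.

```python
# Added example (not from the original post): base-rate arithmetic for a
# rare-event detector. Population, suspect count and error rates are the
# post's figures, passed in as parameters; the functions are generic.

def prevalence(population, positives):
    """Fraction of the screened population that really is a positive."""
    return positives / population


def share_of_alarms_that_are_false(population, positives, type1_rate, type2_rate=0.0):
    """Of all alarms the detector raises, what fraction point at an innocent?

    type1_rate: false positive rate, alarms per innocent screened.
    type2_rate: false negative rate, the share of real positives the detector misses.
    """
    true_alarms = positives * (1.0 - type2_rate)
    false_alarms = (population - positives) * type1_rate
    return false_alarms / (true_alarms + false_alarms)


def max_type1_rate_for_precision(population, positives, wanted_precision, type2_rate=0.0):
    """Largest false positive rate under which at least wanted_precision of
    alarms are real. Solves precision = tp / (tp + fp) for the Type I rate."""
    p = prevalence(population, positives)
    sensitivity = 1.0 - type2_rate
    return sensitivity * p * (1.0 - wanted_precision) / (wanted_precision * (1.0 - p))


if __name__ == "__main__":
    pop, bad = 280_000_000, 1_000
    print(f"prevalence: {prevalence(pop, bad):.8%}")
    for fpr in (1 / 10_000, 1 / 100_000):
        wrong = share_of_alarms_that_are_false(pop, bad, fpr)
        print(f"type1={fpr:.6%}: {wrong:.1%} of alarms are false")
    need = max_type1_rate_for_precision(pop, bad, 0.5)
    print(f"type1 rate needed for a coin-flip alarm: {need:.3e}")
```

The last figure is the one to remember: with 1,000 positives in 280 million, the false positive rate has to fall to roughly 3.6 per million screened before half of the alarms are real, because the number of false alarms scales with the innocent population, not with the number of real positives. The same calculation tells you how many false alerts a detection rule will generate per day once you multiply its Type I rate by the volume of benign events it inspects.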