The Economics of Online Crime: Difference between revisions

From Cybersecurity Wiki
Jump to navigation Jump to search
No edit summary
 
(7 intermediate revisions by 2 users not shown)
Line 6: Line 6:
Tyler Moore, Richard Clayton and Ross Anderson, ''The Economics of Online Crime'', 23 J. Econ. Persp. 3 (2009).  [http://people.seas.harvard.edu/~tmoore/jep09.pdf  ''Web'']
Tyler Moore, Richard Clayton and Ross Anderson, ''The Economics of Online Crime'', 23 J. Econ. Persp. 3 (2009).  [http://people.seas.harvard.edu/~tmoore/jep09.pdf  ''Web'']


[http://cyber.law.harvard.edu/cybersecurity/?title=Special:Bibliography&view=detailed&startkey=Moore_T:2009&f=wikibiblio.bib ''BibTeX'']
[http://cyber.law.harvard.edu/cybersecurity/Special:Bibliography?f=wikibiblio.bib&title=Special%3ABibliography&view=detailed&action=&keyword=Moore_T%3A2009 ''BibTeX'']


==Categorization==
==Categorization==
 
* Threats and Actors: [[Criminals and Criminal Organizations]]
Issues: [[Economics of Cybersecurity]]
* Issues: [[Economics of Cybersecurity]]; [[Financial Institutions and Networks]]; [[Incentives]]; [[Information Sharing/Disclosure]]; [[Public-Private Cooperation]]; [[Cybercrime]]
 


==Key Words==  
==Key Words==  
[[Keyword_Index_and_Glossary_of_Core_Ideas#Blacklist | Blacklist]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Credit_Card_Fraud | Credit Card Fraud]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Cyber_Crime | Cyber Crime]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Disclosure_Policy | Disclosure Policy]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Identity_Fraud/Theft | Identity Fraud/Theft]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Notice_and_Take-down | Notice and Take-down]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Organized_Crime | Organized Crime]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Phishing | Phishing]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Scareware | Scareware]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#SPAM | Spam]],
[[Keyword_Index_and_Glossary_of_Core_Ideas#Trojan | Trojan]]


''See the article itself for any key words as a starting point''
==Synopsis==


==Synopsis==
This paper will focus on online crime, which has taken off as a serious industry since about 2004. Until then, much of the online nuisance came from amateur hackers who defaced websites and wrote malicious software in pursuit of bragging rights. But now criminal networks have emerged -- online black markets in which the bad guys trade with each other, with criminals taking on specialized roles. Just as in Adam Smith's pin factory, specialization has led to impressive productivity gains, even though the subject is now bank card PINs rather than metal ones. Someone who can collect bank card and PIN data, electronic banking passwords, and the information needed to apply for credit in someone else's name can sell these data online to anonymous brokers. The brokers in turn sell the credentials to specialist cashiers who steal and then launder the money. We will examine the data on online crime; discuss the collective-action aspects of the problem; demonstrate how agile attackers shift across national borders as earlier targets wise up to their tactics; describe ways to improve law-enforcement coordination; and we explore how defenders' incentives affect the outcomes.


This paper will focus on online crime, which has taken off as a serious industry since about 2004. Until then, much of the online nuisance came from amateur hackers who defaced websites and wrote malicious software in pursuit of bragging rights. But now criminal networks have emerged -- online black markets in which the bad guys trade with each other, with criminals taking on specialized roles. Just as in Adam Smith's pin factory, specialization has led to impressive productivity gains, even though the subject is now bank card PINs rather than metal ones. Someone who can collect bank card and PIN data, electronic banking passwords, and the information needed to apply for credit in someone else's name can sell these data online to anonymous brokers. The brokers in turn sell the credentials to specialist cashiers who steal and then launder the money. We will examine the data on online crime; discuss the collective-action aspects of the problem; demonstrate how agile attackers shift across national borders as earlier targets wise up to their tactics; describe ways to improve law-enforcement coordination; and we explore how defenders' incentives affect the outcomes.  
With previous technology-driven crime innovations, from credit card fraud
to the use of getaway cars in bank robbery, it took some time to work out the
optimal combination of public and private security resources. Our analysis in  
this paper suggests that significant improvements are possible in the way we deal
with online fraud. Criminal networks do have particular vulnerabilities—such as  
their money laundering operations. However, individual banks don’t target
money launderers because launderers attack the banking system as a whole, not
any individual bank. Perhaps the banks’ trade associations should target the  
laundrymen. Banks also fail to get their security contractors to share data on
attacks where this could help them directly. This collective action problem is
best dealt with by private-sector information sharing, as it was 15 years ago in the  
world of computer viruses. Finally, we suggest that the police should concen-
trate their efforts on the big phishing gangs.
To control online crime better, we need to understand it better. The key to this
understanding is not so much technology, but gaining an economic perspective of  
the incentives faced by the different players.


==Additional Notes and Highlights==
==Additional Notes and Highlights==
Expertise required: Technology - Low

Latest revision as of 15:04, 28 July 2010

Full Title of Reference

The Economics of Online Crime

Full Citation

Tyler Moore, Richard Clayton and Ross Anderson, The Economics of Online Crime, 23 J. Econ. Persp. 3 (2009). Web

BibTeX

Categorization

Key Words

Blacklist, Credit Card Fraud, Cyber Crime, Disclosure Policy, Identity Fraud/Theft, Notice and Take-down, Organized Crime, Phishing, Scareware, Spam, Trojan

Synopsis

This paper will focus on online crime, which has taken off as a serious industry since about 2004. Until then, much of the online nuisance came from amateur hackers who defaced websites and wrote malicious software in pursuit of bragging rights. But now criminal networks have emerged -- online black markets in which the bad guys trade with each other, with criminals taking on specialized roles. Just as in Adam Smith's pin factory, specialization has led to impressive productivity gains, even though the subject is now bank card PINs rather than metal ones. Someone who can collect bank card and PIN data, electronic banking passwords, and the information needed to apply for credit in someone else's name can sell these data online to anonymous brokers. The brokers in turn sell the credentials to specialist cashiers who steal and then launder the money. We will examine the data on online crime; discuss the collective-action aspects of the problem; demonstrate how agile attackers shift across national borders as earlier targets wise up to their tactics; describe ways to improve law-enforcement coordination; and we explore how defenders' incentives affect the outcomes.

With previous technology-driven crime innovations, from credit card fraud to the use of getaway cars in bank robbery, it took some time to work out the optimal combination of public and private security resources. Our analysis in this paper suggests that significant improvements are possible in the way we deal with online fraud. Criminal networks do have particular vulnerabilities—such as their money laundering operations. However, individual banks don’t target money launderers because launderers attack the banking system as a whole, not any individual bank. Perhaps the banks’ trade associations should target the laundrymen. Banks also fail to get their security contractors to share data on attacks where this could help them directly. This collective action problem is best dealt with by private-sector information sharing, as it was 15 years ago in the world of computer viruses. Finally, we suggest that the police should concen- trate their efforts on the big phishing gangs.

To control online crime better, we need to understand it better. The key to this understanding is not so much technology, but gaining an economic perspective of the incentives faced by the different players.

Additional Notes and Highlights

Expertise required: Technology - Low