The Economics of Online Crime

From Cybersecurity Wiki
Jump to navigation Jump to search

Full Title of Reference

The Economics of Online Crime

Full Citation

Tyler Moore, Richard Clayton and Ross Anderson, The Economics of Online Crime, 23 J. Econ. Persp. 3 (2009). Web



Key Words

Blacklist, Credit Card Fraud, Cyber Crime, Disclosure Policy, Identity Fraud/Theft, Notice and Take-down, Organized Crime, Phishing, Scareware, Spam, Trojan


This paper will focus on online crime, which has taken off as a serious industry since about 2004. Until then, much of the online nuisance came from amateur hackers who defaced websites and wrote malicious software in pursuit of bragging rights. But now criminal networks have emerged -- online black markets in which the bad guys trade with each other, with criminals taking on specialized roles. Just as in Adam Smith's pin factory, specialization has led to impressive productivity gains, even though the subject is now bank card PINs rather than metal ones. Someone who can collect bank card and PIN data, electronic banking passwords, and the information needed to apply for credit in someone else's name can sell these data online to anonymous brokers. The brokers in turn sell the credentials to specialist cashiers who steal and then launder the money. We will examine the data on online crime; discuss the collective-action aspects of the problem; demonstrate how agile attackers shift across national borders as earlier targets wise up to their tactics; describe ways to improve law-enforcement coordination; and we explore how defenders' incentives affect the outcomes.

With previous technology-driven crime innovations, from credit card fraud to the use of getaway cars in bank robbery, it took some time to work out the optimal combination of public and private security resources. Our analysis in this paper suggests that significant improvements are possible in the way we deal with online fraud. Criminal networks do have particular vulnerabilities—such as their money laundering operations. However, individual banks don’t target money launderers because launderers attack the banking system as a whole, not any individual bank. Perhaps the banks’ trade associations should target the laundrymen. Banks also fail to get their security contractors to share data on attacks where this could help them directly. This collective action problem is best dealt with by private-sector information sharing, as it was 15 years ago in the world of computer viruses. Finally, we suggest that the police should concen- trate their efforts on the big phishing gangs.

To control online crime better, we need to understand it better. The key to this understanding is not so much technology, but gaining an economic perspective of the incentives faced by the different players.

Additional Notes and Highlights

Expertise required: Technology - Low