Friday, May 27, 2005

Security costs money; it's cheaper for banks to pay the crooks.

PBS | I, Cringely. May 26, 2005 - Phish or Phisher?

Cringely tackles phishing scams, and he's sufficiently impolitic to point out why credit card companies and banks don't fuss about this fraud:
Another problem is that a large group of phishing victims -- banks and credit card companies -- don't want to publicize their losses, which might lead to a loss of business as customers start to worry about being victimized. But it goes even further, because the financial institutions are only on the hook for reported thefts. So by not making a big deal of it, maybe you won't notice that extra $30 charge and won't demand that your credit card company cover the loss. Being upfront about phishing could easily double corporate losses because of it by forcing these outfits to actually assume the risk that they say they'll assume.

So nobody talks about it, and the costs of phishing are generally hidden in the average eight percent that credit card companies figure they'll lose through theft, bankruptcies, etc. In a business with interest charges often going above 20 percent, phishing is tolerable...
This has been true forever. When credit cards started being used outside of brick-and-mortar settings, fraud and identity theft exploded -- but the costs of fraud are still much lower than the costs of preventing fraud, especially if the victims don't notice their losses.

It's no different with checks. Check fraud is a very common crime, but in general the banks and police don't bother to bring these cases to court. It's just not worth the hassle -- for them.

Of course we bear the costs, but that's another story. Happily there are plausible solutions:

... Thinking there must be a better solution I contacted Max Levchin, who used to chase phishers for a living as co-founder and CTO of PayPal, a company he left a few months after it was bought by eBay back in 2002.

"The way to nail phishing," says Max, "is for the companies being impersonated to offer cash bounties -- to the first person to report the incident, the first person to call the free host and take down the site, the first person who figures out the identity of the perp. This would mean admitting that the matter is much more serious than most people realize, but that's going to have to happen, sooner than later, if columns like yours continue to give coverage to the matter. On the other hand, it's peanuts, financially, for the companies involved. There is the adverse selection problem -- why not set up phishing sites, report them, and collect the bounties? -- but it's easy to mitigate this by making the pay-outs contingent on all kinds of personal information from the good Samaritan, and making the bounties really significant financially only when criminal charges are brought against the perpetrators. In fact, about a year ago, I was thinking of starting a site that would be an independent agency, holding the bounty money in escrow, ensuring the actual payments, and providing the war-room-style up-to-the-second information about what the latest phishing scams were. In the end, I decided this was a project not too different from my PayPal work, and I could do more fun things with my personal time, but still think the idea is sound."