March 27, 2007

Cost of an identity

Some figures on the cost to build a new identity:

In all, seven defendants pleaded guilty in Corpus Christi this past week to charges of selling their birth certificates and Social Security cards for $100 each. Seven other defendants pleaded guilty to buying or reselling those documents as part of a ring that sold documents to illegal immigrants seeking jobs in Dodge City, Kan.

One other figure:

Tim Counts, an Immigration and Customs Enforcement spokesman in Bloomington, Minn., said that investigation revealed documents were available for a price in places as open as Kmart parking lots. He said genuine documents were the most expensive, costing up to $1,500, and the most effective against detection.

That remark looks suspicious; I'd guess he's talking about something other than SS cards and birth certificates.

Also over in that center of expertise in identity theft, USA, a blog entry by Spire says:

  1. For as long as we continue to pretend that SSNs are secret and therefore may be used as authenticators, they will be.
  2. There are over 150,000 people (my estimate) with "defendable" access to your SSN right now. They aren't secret.
  3. You are more likely by a factor of 10 to be a victim of identity fraud via one of these "authorized" folks.
  4. The real problem is not how easy it is to get your SSN, but how creditors et al. allow the SSN to be used as an authenticator (See #1).
  5. The SSN is fine as an identifier. No, it is not perfect, but its main benefit is that it is already used in so many places.

Right. That's a number we wanted: 150k people in that country have access (legal, he says defendable) to the SSN. Presumably they have access to all the other PII as well.

Posted by iang at 05:51 AM | Comments (7) | TrackBack

March 17, 2007

Finally, someone gets done for Money Laundering....

Money Laundering (ML) was once tightly defined as washing the proceeds of (very) serious crime through an organised cycle.

The tell was supposed to be that (a) there was an awful lot of it, (b) there was a hot-button crime like drugs behind it, and (c) there was an organisation that processed the cash. That's what the big drugs rings did; in effect, they outsourced the money problem to the professionals.

This is "real" money laundering:

Three members of a money laundering gang were jailed for a total of 15 years at Ipswich Crown Court today. Between June 2003 and September 2005 the gang laundered more than £100 million in cash for criminal organisations and individuals throughout the United Kingdom.

The court heard that this large scale money laundering operation was centred around a Money Services Bureau (MSB) on the London Road in Croydon, called Deans Exchange. This was run by Zaka Ud Din, with the assistance of Sabz Ali Khojo. As well as offering legitimate money services to the local community, Deans Exchange was being used as a front for a much larger operation, offering the laundering of cash.

My hat off to the guys who busted that ring.

These days, however, ML is a catch-all crime of no semantic meaning, given the massive preponderance of convictions where the only connection was that some crime involved a trivial amount of value. ML these days is more likely to mean a well-off professional goes down for one count of slapping his wife and 6 counts of ML.

Technically, this is the best it gets:

BRITAIN'S biggest and most feared gangster got away with murder yesterday when he was jailed for just seven years. Terry Adams, linked by police to 25 unsolved killings, was finally brought to justice after running a £200million crime empire for more than 25 years.

Like Al Capone, police were unable to make any serious charges stick against the crime kingpin and it was a financial scam that proved his downfall. Adams pleaded guilty to a single charge of money laundering - but was told he will be eligible for parole in three and a half years.

More public applause for the British criminal authorities (and MI5, apparently). That was the case that AML (anti-money laundering) was designed for: get a notorious crime boss on the financials, because he killed all the witnesses (25 in the above case). You can't kill the flow of money, so the theory goes.

The Procuraduría General de la República is investigating the international links of the company Unimed Pharm Chem de México, which served as a front so that, since at least 2004, a group of suspected synthetic-drug producers could accumulate in a residence in Lomas de Chapultepec more than 205 million dollars in cash, as well as some 200 thousand euros and 157 thousand pesos. PHOTO Ap /PGR

(Sorry about the Spanish, haven't found an English article yet.) Which is why there was a rationale that if you could seize the cash, you did the crime boss harm. The $205 million in cash in the photo above was seized this week in Mexico in some sort of financing deal for a complete factory to produce drugs.

When cash like that gets seized from MLers, this helps. Nobody can object to that!

But the more popular meaning of ML seizures is "police need money to finance more ML seizures." When someone you know gets accused of 5 counts of ML and 1 count of using the postal service, all because he rubbed the local FBI agent up the wrong way, AML becomes the enemy of civil society.

Relevance to FC: as we design systems of value, we must protect our users from illegal ML and from immoral AML. No easy task, given the lack of discrimination in the tools. Above, all the cases are clearly bad guys being caught by the good guys, and we applaud. Indeed, an honest ML bust is so rare that it's worth posting about.

Posted by iang at 08:35 AM | Comments (0) | TrackBack

An ordinary crime: stock manipulation

Sometimes when we can't seem to get anywhere on analysing our own sector of criminal activity, it helps to look at some ordinary stuff. Here's one:

According to the Commission's complaint, between July and November 2006, the Defendants repeatedly hijacked the online brokerage accounts of unwitting investors using stolen usernames and passwords. Prior to intruding into these accounts, the Defendants acquired positions in the securities of at least fourteen securities, including Sun Microsystems, Inc., and "out of the money" put options on shares of Google, Inc. Then, without the accountholders' knowledge, and using the victims' own accounts and funds, the Defendants placed scores of unauthorized buy orders at above-market prices. After these unauthorized buy orders were placed, the Defendants sold the positions held in their own accounts at the artificially inflated prices, realizing profits of over $121,500.

To achieve this benefit, the prosecution alleges that $875,000 of damage was done.

It's a point worth underscoring: a criminal attack in our world often involves doing much more damage than the gain to the criminal. For that reason, we must focus on the overall result and not on the headline number. Here's a more aggressive damages number:

The pump and dump scheme, which occurred between July and November 2006, has cost one brokerage firm at least $2m in losses. An estimated 60 customers and nine US brokerage firms were identified as victims.

Also, funds seized.

Posted by iang at 08:05 AM | Comments (0) | TrackBack

March 10, 2007

Feelings about Security

In the ongoing saga of "what is security?" and, more importantly, "why is it such a crock?", Bruce Schneier weighs in with some ruminations on "feelings" or perceptions, leading to an investigation of psychology.

I think the perceptional face of security is a useful area to investigate, and the essay shines as a compendium of archetypal heuristics, backed up by experiments, and written for a security audience. These ideas can all be fed into our security thinking, not to be taken for granted, but rather as potential explanations to be further tested. Recommended reading, albeit very long...

I would, however, urge some caution. I claim that buyers and sellers do not know enough about security to make rational decisions; the essay suggests a perceptional deviation as a second uncertainty. Can we extrapolate strongly from these two biases?

As it is a draft requesting comment, here are three criticisms, which suggest that the introduction of the essay seems unsustainable:

THE PSYCHOLOGY OF SECURITY -- DRAFT

Security is both a feeling and a reality. And they're not the same.

The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures.

Firstly, I'd suggest that "what security is" is not yet well defined, and has defied our efforts to come to terms with it. I say a bit about that in Pareto-secure but I'm only really looking at one singular aspect of why cryptographers are so focussed on no-risk security.

Secondly, both maths and feelings are approximations, not the reality. Maths is just another model, based on some numeric logic as opposed to intuition.

What one could better say is that security can be viewed through a perceptional lens, and it can be viewed through a mathematical lens, and we can probably show that the two views look entirely different. Why is this?

Neither is reality though, as both take limited facts and interpolate a rough approximation, and until we can define security, we can't even begin to understand how far from the true picture we are.

We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it's not even hard; insurance companies do it all the time.

Thirdly, insurance is sold, not bought. Actuarial calculations do not measure security to the user but instead estimate risk and cost to the insurer, or more pertinently, insurer's profit. Yes, the approximation gets better for large numbers, but it is still an approximation of the very limited metric of profitability -- a single number -- not the reality of security.

What's more, these calculations cannot be used to measure security. The insurance company is very confident in its actuarial calculations because it is focussed on profit; for the purpose of this one result, large sets of statistics work fine, as well as large margins (life insurance can pay out 50% to the sales agent...).

In contrast, security -- as the victim sees it -- is far harder to work out. Even if we stick to the mathematical treatment, risks and losses include factors that aren't amenable to measurement or to accurate dollar figures. E.g., if an individual is a member of the local hard drugs distribution chain, not only might his risks go up, and his losses down (life expectancy is generally lowered in that profession), but also, how would we find out when and how to introduce this skewed factor into his security measurement?

While we can show that people can be sold insurance and security products, we can also show that the security they gain from those products has no particular closeness to the losses they incur (if it was close, then there would be more "insurance jobs").

We can also calculate how much more secure a burglar alarm will make your home, or how well a credit freeze will protect you from identity theft. Again, given enough data, it's easy.

It's easy to calculate some upper and lower bounds for a product, but again these calculations are strictly limited to the purpose of actuarial cover, or insurer's profit.

They say little about the security of the user, and they probably play as much to the feelings of the buyer as to any mathematical model of the seller's risks and losses.

It's my contention that these irrational trade-offs can be explained by psychology.

I think that's a tough call, on several levels. Here are some contrary plays:

  • Peer pressure explains a lot, and while that might feel like psychology, I'd suggest it is simple game theory.
  • Ignorance is a big factor (c.f., insufficient information theory).
  • Fear of being blamed also plays its part, which is more about agent/principal theory and incentives. It may matter less whether you judge the risk well than if you lose your job!
  • Transaction cost economics (c.f., Coase, Williamson) has a lot to say about some of the experiments (footnotes 16,17,51,52).
  • Marketing feeds into security, although perhaps marketing simply uses psychology -- and other tools -- to do its deeds.

If we put all those things together, a complex pattern emerges. I look at a lot of these elements in the market for silver bullets, and, leaning heavily on the Spencarian theory of symmetrically insufficient information, I show that best practices may emerge naturally as a response to the costs of public exposure, and not to the need for security. Some of the experiments listed (24, 38) may actually augment that pattern, but I wouldn't go so far as to say that the heuristics described are the dominating factor.

Still, in conclusion, irrationality is a sort of code word in economics for "our models don't explain it, yet." I've read the (original) literature of insufficient information (Spence, Akerlof, etc) and found a lot of good explanations. Psychology is probably an equally rewarding place to look, and I found the rest of the article very interesting.

Posted by iang at 12:20 PM | Comments (7) | TrackBack

March 02, 2007

Random stats on instant messaging (IM/chat) ...

(cleaning up old stats from the Times ... there must be money here, as otherwise, why didn't I publish these months ago?)

ONLINE, ON THE PHONE, ON THE UP

  • 50 billion: the number of e-mails dispatched every day worldwide; in 2001 the traffic was less than 12 billion
  • 88 per cent of e-mails are junk, including about 1 per cent which are virus-infected
  • 32: the average number of e-mail messages received per person per day. This is rising by 84 per cent each year
  • 440 million: the number of electronic mailboxes in use, including 170 million corporate ones, growing by 32 per cent per year
  • 1,035 million: the total number of mobile phone text messages sent each month in Britain
  • 37: the average number of texts a user sends per month, compared with 21 in 2001
  • 1 million: the number of children aged under 10 in Britain - one in three - who own a phone
  • 8: the average age at which a child gets a mobile phone in Britain

Copyright 2006 Times Newspapers Ltd.

Posted by iang at 05:56 PM | Comments (0) | TrackBack