Payments fraud seems up in Britain:
Matters found that around 26% fell victim to card fraudsters in 2008, up five per cent on the previous year. Kerry D'Souza, card fraud expert, CPP, says: "The dramatic increase in card fraud shows no sign of abating which isn't surprising given the desperate measures some people will resort to during the recession."
The average sum fraudulently transacted is over £650, with one in 20 victims reporting losses of over £2000. Yet 42% of victims did not know about these transactions and only found out they had been defrauded when alerted by their bank.
Online fraud affected 39% of victims, while card cloning from a cash point or chip and pin device accounted for a fifth of cases. Out of all cards that are physically lost and stolen, one in ten are also being used fraudulently.
One in 4 sounds quite high. That's a lot higher than one would expect. So either fraud has been running high and only now are better figures available, or it is growing? They say it is growing.
While researching origins of failure I came across this interesting snippet the other day from Richard Veryard:
The economist J.K. Galbraith used the term "bezzle" to denote the amount of money siphoned (or "embezzled") from the system. In good times, he remarked, the bezzle rises sharply, because everyone feels good and nobody notices. "In [economic] depression, all this is reversed. Money is watched with a narrow, suspicious eye. The man who handles it is assumed to be dishonest until he proves himself otherwise. Audits are penetrating and meticulous. Commercial morality is enormously improved. The bezzle shrinks." [Galbraith, The Great Crash 1929]
If this is true, then likely people will be waking up and demanding more from the payments infrastructure. No more easy money for them. Signs of this were spotted by Lynn:
"Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week." Heartland's goal is to turn this event into something positive for the public, the financial institutions which issue credit/debit cards and payments processors.
Carr concluded, "Just as the Tylenol(R) crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."
For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data at rest as well as data in motion - as an improved and safer standard of payments security. While he believes this technology does not wholly exist on any payments platform today, Heartland has been working to develop this solution and is more committed than ever to deploying it as quickly as possible.
Now, if you've read Lynn's rants on naked transactions, you will know exactly what this person is asking for. And you might even have a fair stab at why the payment providers denied Heartland that protection.
SecretSquirrel writes:
it's a "get rich quick" guide for sale ... but actually for the virtual money inside the WoW game
Around a year or two ago I penned a series of rants called "GP" which predicted that the primary success signal of a new money was ... crime! The short summary is that in the battle for mindspace between issuers, users, critics & regulators, the press (who?) the offended and the otherwise religious ... there is no way for the external observer to figure out whether this is worthwhile or not.
But wait, there is one way: if a criminal is willing to put his time, his investment, indeed his very freedom on the line for something, it's got to be worth something! GP is undeniably crossed, I theorise, when criminals steal the value, and therefore provide a most valuable signal to the world that this stuff is worth something.
(it's not a parody!) It's exactly following the format to the line, of any of the famous get-rich-quick newsletters.
(eg, http://www.landingpagecashmachine.com or hundreds of others) ... even the famous "three-line centered upper-lower case headline"
Call me cynical, but I have seen hundreds of digital cash systems live and die without meriting a second thought. There have been thousands I haven't seen! In my decade++ of time in this field, I've only seen one external signal that is reliable. Even this:
You know they say WoW is over $150 million per month in player fees now!
Is ... well, ya know, could be a fake. Did we see that Satyam, a huge audited IT outsourcing firm in India added some 13,000 jobs ... and nobody noticed?
If I am right, I'll also be blamed for the upsurge in fake crimes :)
Some felt my claim of banking and insurance was too brave:
The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you've got too much to do.
From this I separated out those that do risk management because they are risk management, from those who have risk management because it is useful. If you are familiar with object oriented thinking, this is the difference between isARiskManagement and haveARiskManagement.
Banking is risk management because of the term mismatch. Simply put, banks take in deposits, which are payable on demand, and lend it out at term, which means the banks can't get it back. By ordinary business rules, banks are bankrupt, because they cannot pay back what they owe. Anytime you can get a large bunch of depositors together, you can prove this, by starting a "run" on a bank.
This not only makes banking different from all other businesses, it also makes banking, all of banking, at its very core an exercise in managing the risk of those term loans (and those deposits, but there are some easy answers to that side). Insurance is the same, although different in some ways. As Alex has it:
Most security folks (and many in the financial industry) believe that risk analysis is something to *engineer* future state, rather than a tool used in understanding our ability to meet qualitative objectives. As such, when the state of nature changes (as it inevitably does) or when it's determined that the analyst screwed up in accounting for uncertainty or variable measurement - the whole process is demonized.
If banks did that, they would die. When banks muck up their risk management, they fail because that's what they are, they are risk. When the entire sector, banking as an industry, mucks up its risk management, then it fails, as a sector. Finance goes down the tube.
On the other hand, other businesses have risk management. It's an option, it's a nice-to-have, or a told-to-have. As Alex says of public companies:
First, allow me to point you to future earnings guidance statements made by public companies.
Or, as Don wrote in comments over at EC, "Risk management as the basis for information security planning is alive and well in healthcare (required by HIPAA) and for federal systems (required by FISMA)." Some companies are told to do it, but that alone doesn't make it right, nor useful.
What does this is-versus-have differentiation allow us to say? Well, in banking, if you don't do risk management, you are dead. You are expert in this, and maybe nothing else. It is your core competence, it is your very being, your essence.
In other businesses, not so. It all depends. Maybe you have a competence in risk management, or maybe you have a department that does this, or maybe your security guys think it's hot stuff. Or maybe not. The point being, risk management is optional, and some firms will be good at it and some not. Or, as Alex puts it:
Chemical and Aerospace engineering, Food Service, and many other industries I'm skipping over do perform rigorous risk analysis, it's just that the system they operate in has much less uncertainty.
Which leads to the rather contrary conclusion that, unless it delivers results, then ... it might not be worth the money, however it is arrived at, whatever you are cooking. And by obvious conclusion, there are options: you can either apply risk management as it is mathematically inspired, or you can choose to eliminate these risks, as was the old 1990s security dogma, or you can choose to manage these risks from a business perspective, incorporating other knowledge.
The point of the first half of that post was to open up the options. Only banks have to do risk management, and cannot choose. Others can choose. Which sets it up for the rest of the post, which suggests that actually, risk management as it is stressed by the "economic" school may not be worthwhile.
Alex writes in comments a response to my "Business" post. As it is comprehensive and detailed, I'll re-post it here for reasons I can't exactly explain. Here goes, rest of words from Alex:
I find that most people with InfoSec backgrounds confuse the purpose of using probability theory in risk analysis (1).
Most security folks (and many in the financial industry) believe that risk analysis is something to *engineer* future state, rather than a tool used in understanding our ability to meet qualitative objectives. As such, when the state of nature changes (as it inevitably does) or when it's determined that the analyst screwed up in accounting for uncertainty or variable measurement - the whole process is demonized.
In reality, a good model for risk analysis can only help rational actors arrive at rational conclusions. It cannot and will not foresee a precise future state, but it rather serves to help remove bias and provide structure to what would otherwise be an ad-hoc decision making process. It is with this in mind, that I often ask the authors of these sorts of articles - "well, how then shall we live?" The best answer I get is "suggested practices"(2). The problem with this concept is that it is, in and of itself, a risk analysis model, just one done as a faith-based initiative rather than one done with any real rigor ("trust me, I'm the auditor, you need these controls").
W/regards to other points:
"The only business that does risk management as a core or essence is banking and insurance"
False on two accounts. First, allow me to point you to future earnings guidance statements made by public companies.
Second, I'd say that FinServ is just a market segment that applies analytical rigor to a product line that has a significant degree of uncertainty. Chemical and Aerospace engineering, Food Service, and many other industries I'm skipping over do perform rigorous risk analysis, it's just that the system they operate in has much less uncertainty.
"risk management is... something...you ignore because you've got too much to do."
Nope, at worst it's just something you don't apply significant rigor to because it's not perceived as necessary. When you walk across the street, decide to hire or not to hire, just about any decision that has the potential for negative consequence, you're creating a belief statement that is "go" or "no go". This is very much a risk analysis, as in a Bayesian sense you're creating a belief statement about what is the most probable wise action.
"ROI in infosec is GIGO"
I think you're confusing the concept of the quality of inputs into a model with a statement about the quality of the model.
With regards to ROI in infosec, I find those who simply state that it "can't be done" categorically to be boorish purveyors of hyperbole. They seem to be obsessed with confidentiality and forget that availability is a significant aspect of the charter for most security departments. ROI for keeping production systems available most certainly can be calculated with some degree of suitability.
Now that said, I don't believe that ROI is applicable when we're concerned with and/or including the probability of losses due to breaches in confidentiality and integrity, as these concepts are not easily tied to incoming cash flow in a direct and obvious manner.
"Risk management is just another word for NPV, so risk management doesn't work."
False premise, false conclusion. NPV necessitates some concept of cash flow: Rt/(1+i)^t where Rt is cash flow in. Risk Analysis, in InfoSec/Engineering at least, is currently based on the Dutch model: probable frequency of loss and probable magnitude of loss (note that ALE is a number of limited value, as risk is a derived number like km/hr). Two totally different concepts.
"a priori, risk management suffers GIGO"
Um, what? If you mean that using deductive reasoning, models about the world require useful inputs to develop useful outputs, OK then. All perceptions of reality have that same limitation. But I see no deduction on your part to achieve a statement of "a priori".
"Consider the famous case of the car-lock. Car locks used to be notoriously weak. Why? Because a car stolen was a car sold. So, no matter what numbers were applied in the above risk management calculation, it always gave the wrong result; better locks made the position worse!"
You seem to be assuming an objective ethical position here and inferring that all actors would desire to achieve it. Rather, the car company most certainly did an analysis and came to the conclusion that its interests were different than the consumer. It's a great example not because it "proves" risk analysis to be silly in some Popperist sense (3) but rather it highlights the most interesting problem in Risk Management - the problem of multiple perspectives (an example would be where the risk manager's individual compensation is inconsistent with executive risk tolerance).
Finally, in response to your summary, I think you over-complicate the value the CISO/CSO/CRO has to the company. Their value boils down to only two things; Align risk exposure to the tolerance of management or create operational efficiencies. All this other talk of "aligning to business and strategy" is, in my opinion, pure bunk.
(1): note that the concept of risk management isn't necessarily what you're referring to here - risk management has as much to do with understanding capability as it does with arriving at a state of knowledge. Without that capability component, you'll never achieve a state of wisdom.
(2): ironically using the term "best/good practices" implies some sort of analysis and measurement.
(3): In fact, I'd say that the state has changed to the point where the opposite is true, cars probably have too much lock security built in. I wonder what the locksmithing industry would have to say about the 70's vs. now and their ability to retrieve our keys for us.
Hasan points to this:
Remember just over one year ago? RBS (Royal Bank of Scotland) paid $100bn for ABN Amro. For this amount it could now buy:
- Citibank $22.5bn
- Morgan Stanley $10.5bn
- Goldman Sachs $21bn
- Merrill Lynch $12.3bn
- Deutsche Bank $13bn
- Barclays $12.7bn
And still have $8bn in change with which you would be able to pick up:
GM, Ford, Chrysler and the Honda Formula 1 Racing-Team.
Ian says in comments to the post on "Business":
Your emphasis - exactly. I read Frank's 'paper' yesterday and I read it very differently. You've missed emphasising "security is essentially risk management" in the first sentence. i.e. Frank IS saying that economic risk is the turning point of the whole thing.
yes, clearly risk management is how they link their security model approach to the business. My point however was that this was a "nod" and not necessarily enough.
Let's make this polemic. Risk management is a dead duck. Here's some reasons why:
The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you've got too much to do. So we have a choice: is security like finance, or is it like "the rest of business?"
I would say it is not like finance. So risk management is not the core.
The question then might be whether risk management as an ancillary adds anything that helps? That depends, a lot. It turns out there is a fatal flaw in this approach.
What is the risk management approach? Well, at the detailed level, it generally turns out to be something like two calculations:
risk = (percentage chance of event) * (damage/costs of when it happens.)
defence = (percentage chance of mitigation) * (money saved)
result = comparison_function (set of all risks, set of all defences, costs).
We really don't need to cite a lot of papers (security academics take note) nor get hung up on what the real meaning of the words or variables are here, because this is a well known finance technique. It's called ROI, or more properly NPV. Let's just borrow from the finance people, because they have done this work, won their Nobel prizes and covered the territory.
Frequently, it is pointed out that the financing of security projects should be done on this basis. This is true because we don't have any other cross-business comparison tools, and your CFO demands it.
However, regardless of this truth, it doesn't really satisfy with security projects. The reason NPV doesn't work is that we don't have good numbers to plug in, like those that we have in finance. ROI in infosec is GIGO, whereas for other business areas, all of them, we can actually find those numbers. (There are good reasons why this is the case, and the hint here may be that security is like defence, and they don't do good ROI either.)
So, NPV doesn't work in Security, even though we need it. Risk management is just another word for NPV, so risk management doesn't work. Although the theory is pretty cool, actually, we don't know what those numbers are (a priori, risk management suffers GIGO), and afterwards, as long as we are making profits, we don't care (a posteriori, profits are more important than risks).
What's left? In both cases, the discussion is swamped by business issues, and those issues don't give a hoot for either number. What's left is business. If we haven't seen security as a business problem, first and foremost, no amount of Markowitzian mathematics is going to save us.
Consider the famous case of the car-lock. Car locks used to be notoriously weak. Why? Because a car stolen was a car sold. So, no matter what numbers were applied in the above risk management calculation, it always gave the wrong result; better locks made the position worse!
The simple view of this is "What's your business model?" If you want to put it in a more academic strain of thought, then yes, it is economics, but we have to include liability dumping as a technique, and that is not something that is mathematically pliable. Better to skip the econ approach, and just call it for what it is: business.
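As an added worked example, not code from the original post or from Alex's comment, here is the arithmetic behind the three formulas above (risk, defence, comparison_function), Alex's NPV term R_t/(1+i)^t and the "Dutch model" frequency-times-magnitude risk, run over the car-lock case from two perspectives. Every figure is constructed for illustration: a 2% yearly theft frequency, an £8000 car, a £100 lock that halves thefts, a £2000 margin on the replacement sale, five years at 5%. It goes one step beyond the post by also solving for the break-even theft frequency, the input on which the whole decision turns.

```python
# Added example (not the blog's own code): the risk / defence / comparison
# arithmetic from the post, Alex's NPV term R_t/(1+i)^t, and the car-lock
# case run from two perspectives. Every number below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """'Dutch model' risk: probable frequency of loss x probable magnitude."""
    name: str
    frequency_per_year: float  # expected loss events per year
    magnitude: float           # cost of one event to THIS perspective
                               # (negative if the event is actually a gain)

    @property
    def annual_loss_expectancy(self) -> float:
        """ALE = frequency * magnitude: a derived number, like km/h."""
        return self.frequency_per_year * self.magnitude


@dataclass(frozen=True)
class Defence:
    """A safeguard: what it costs and what share of events it prevents."""
    name: str
    upfront_cost: float
    annual_cost: float
    mitigation: float          # 0.0 .. 1.0, share of events prevented


def npv(cash_flows, rate):
    """Net present value: sum over t of R_t / (1 + i)^t, where t = 0 is
    the undiscounted year-zero flow."""
    return sum(r / (1.0 + rate) ** t for t, r in enumerate(cash_flows))


def defence_npv(risk, defence, years, rate):
    """The post's 'defence = chance of mitigation * money saved', carried
    through to an NPV: pay upfront now, then each year save the mitigated
    share of the ALE minus the running cost."""
    saved_per_year = defence.mitigation * risk.annual_loss_expectancy
    flows = [-defence.upfront_cost] + [saved_per_year - defence.annual_cost] * years
    return npv(flows, rate)


def compare(risks_by_perspective, defence, years, rate):
    """The post's comparison_function, one answer per perspective:
    a positive NPV means the defence is 'worth it' to that party."""
    return {who: defence_npv(risk, defence, years, rate)
            for who, risk in risks_by_perspective.items()}


def breakeven_frequency(magnitude, defence, years, rate):
    """Event frequency at which the defence's NPV is exactly zero. How far
    this sits from your best estimate is the GIGO question: the decision
    hinges on an input nobody measures well."""
    annuity = sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))
    yearly_cost_to_cover = defence.upfront_cost / annuity + defence.annual_cost
    return yearly_cost_to_cover / (defence.mitigation * magnitude)


# --- constructed car-lock scenario ----------------------------------------
THEFTS_PER_CAR_YEAR = 0.02      # constructed: 2% of cars stolen per year
CAR_VALUE = 8000.0              # constructed: owner's loss when it is stolen
REPLACEMENT_MARGIN = 2000.0     # constructed: maker's margin on the replacement sale
BETTER_LOCK = Defence("better lock", upfront_cost=100.0, annual_cost=0.0, mitigation=0.5)

CAR_LOCK_PERSPECTIVES = {
    # Same event, same frequency; only the sign of the magnitude differs.
    "owner": Risk("theft", THEFTS_PER_CAR_YEAR, CAR_VALUE),
    # "A car stolen is a car sold": to the maker a theft is a gain, so the
    # magnitude is negative and anything that prevents thefts has negative value.
    "manufacturer": Risk("theft", THEFTS_PER_CAR_YEAR, -REPLACEMENT_MARGIN),
}


def car_lock_decision(years=5, rate=0.05):
    """Run the comparison for both parties over a five-year horizon at 5%."""
    return compare(CAR_LOCK_PERSPECTIVES, BETTER_LOCK, years, rate)


if __name__ == "__main__":
    for who, value in car_lock_decision().items():
        verdict = "fit the lock" if value > 0 else "do not fit the lock"
        print(f"{who:>12}: NPV of the lock = {value:8.2f}  -> {verdict}")
    f = breakeven_frequency(CAR_VALUE, BETTER_LOCK, years=5, rate=0.05)
    print(f"owner's break-even theft frequency: {f:.4f} per car-year")
```

The same formula, the same frequency and the same lock give the owner a positive NPV and the manufacturer a negative one; nothing in the arithmetic is wrong, the magnitude simply carries a different sign for each party. That is the liability-dumping point in numbers: until the question "whose loss is this?" is settled, the risk calculation has no single right answer.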
Those of us who are impacted by the world of security suffer under a sort of love-hate relationship with the word; so much of it is how we build applications, but so much of what is labelled security out there in the rest of the world is utter garbage.
So we tend to spend a lot of our time reverse-engineering popular security thought and finding the security bugs in it. I think I've found another one. Consider this very concise and clear description from Frank Stajano, who has published a draft book section seeking comments:
The viewpoint we shall adopt here, which I believe is the only one leading to robust system security engineering, is that security is essentially risk management. In the context of an adversarial situation, and from the viewpoint of the defender, we identify assets (things you want to protect, e.g. the collection of magazines under your bed), threats (bad things that might happen, e.g. someone stealing those magazines), vulnerabilities (weaknesses that might facilitate the occurrence of a threat, e.g. the fact that you rarely close the bedroom window when you go out), attacks (ways a threat can be made to happen, e.g. coming in through the open window and stealing the magazines—as well as, for good measure, that nice new four-wheel suitcase of yours to carry them away with) and risks (the expected loss caused by each attack, corresponding to the value of the asset involved times the probability that the attack will occur). Then we identify suitable safeguards (a priori defences, e.g. welding steel bars across the window to prevent break-ins) and countermeasures (a posteriori defences, e.g. welding steel bars to the window after a break-in has actually occurred, or calling the police). Finally, we implement the defences that are still worth implementing after evaluating their effectiveness and comparing their (certain) cost with the (uncertain) risk they mitigate.
(my emphases.) That's a good description of how the classical security world sees it. We start by saying, "What's your threat model?" Then out of that we build a security model to deal with those threats. The security model then incorporates some knowledge of risks to manage the tradeoffs.
The bit that's missing is the business. Instead of asking "What's your threat model?" as the first question, it should be "What's your business model?" Security asks that last, and only partly, by asking questions like "what are the risks?"
Calling security "risk management" then is a sort of nod to the point that security has a purpose within business; and by focussing on some risks, this allows the security modellists to preserve their existing model while tying it to the business. But it is still backwards; it is still seeking to add risks at the end, and will still result in "security" being just the annoying monkey on the back.
Instead, the first question should be "What's your business model?"
This unfortunately opens Pandora's box, because that implies that we can understand a business model. Assuming it is the case that your CISO understands a business model, it does rather imply that the only security we should be pushing is that which is from within. From inside the business, that is. The job of the security people is not therefore to teach and build security models, but to improve the abilities of the business people to incorporate good security as they are doing their business.
Which perhaps brings us full circle to the popular claim that the best security is that which is built in from the beginning.
Call for Participation
Financial Cryptography and Data Security '09
Thirteenth International Conference
February 23-26, 2009
Accra Beach Hotel & Resort
Barbados
Early registration deadline approaching fast! Register by January 21 to receive a discount. Also, reserve your hotel room by January 22 in order to guarantee availability.
Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration and debate regarding information assurance in the context of finance and commerce. We have assembled a vibrant program featuring 21 peer-reviewed research paper presentations, two panels (on the economics of information security and on authentication), and a keynote address by David Dagon. View the complete program.
We look forward to seeing you in Barbados!