Microsoft Researchers say cybercrime loss estimates are a bunch of bunk

Microsoft Researchers Cormac Herley and Dinei Florêncio wrote about 'The Cybercrime Wave That Wasn't' and 'Sex, Lies and Cybercrime Surveys.' Do you actually know any cybercrime billionaires? The researchers say you should have no faith whatsoever in the bloated billions to a trillion figures quoted about cybercrime losses. As for the password problem, they asked ‘Is everything we know about password stealing wrong?’

I get a real kick out of people who are unafraid to buck the system with their unconventional wisdom such as Microsoft Researchers Cormac Herley and Dinei Florêncio. These two researchers remind me of the people who try to show the real cost of piracy and even have monetary figures and statistics to show it may actually help artists. No, I'm not promoting piracy; I'm not a really big fan of either the MPAA or the RIAA; their bloated figures on the cost of piracy are either written when high or the numbers are just flat-out made up. While we're on the subject of fictional high dollar losses and folks not afraid to say so, enter Microsoft researchers.

The cybercrime wave, with all those scary numbers claiming cybercriminals are costing industries somewhere between "billions to $1 trillion," is a bunch of bunk. Or so Florêncio and Herley wrote more eloquently in a New York Times article. "Cybercrime billionaires are hard to locate because there aren't any," they wrote in "The Cybercrime Wave That Wasn't." Nevertheless, the cybercrime stats floating around in the fear-factor stratosphere make cybercrime sound like a booming business.

How do we reconcile this view with stories that cybercrime rivals the global drug trade in size? One recent estimate placed annual direct consumer losses at $114 billion worldwide. It turns out, however, that such widely circulated cybercrime estimates are generated using absurdly bad statistical methods, making them wholly unreliable.

The cybercrime loss figures come from unverified reports. The researchers suggested, "Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can't be canceled."

In "Sex, Lies and Cybercrime Surveys" [PDF], the Microsoft Researchers wrote, "Cyber-crime, like sexual behavior, defies large-scale direct observation and the estimates we have of it are derived almost exclusively from surveys." The research paper [PDF] concludes:

The importance of input validation has long been recognized in security. Code injection and buffer overflow attacks account for an enormous range of vulnerabilities. "You should never trust user input" says one standard text on writing secure code. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input.

Are we really producing cyber-crime estimates where 75% of the estimate comes from the unverified self-reported answers of one or two people? Unfortunately, it appears so. Can any faith whatever be placed in the surveys we have? No, it appears not.
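To make the extrapolation problem from the 5,000-respondent example concrete, here is an added worked example (not code from the article or from the Herley and Florêncio papers). It uses a constructed set of self-reported losses to show how one false $25,000 answer adds $1 billion to the scaled-up estimate, how much of the headline number rests on the top two respondents, and why clipping reports at zero biases the average upward instead of letting errors cancel.

```python
from statistics import mean

SAMPLE_SIZE = 5_000               # respondents surveyed (figures from the article)
POPULATION = 200_000_000          # population the survey is scaled up to
SCALE = POPULATION // SAMPLE_SIZE # 40,000: every reported dollar is counted this many times


def extrapolate(reported: list[float]) -> float:
    """Naive survey extrapolation: mean self-reported loss times population size."""
    return sum(reported) * POPULATION / len(reported)


def top_k_share(reported: list[float], k: int = 2) -> float:
    """Fraction of the total (and so of the extrapolated estimate) that comes
    from the k largest self-reported values. A high share means the headline
    number rests on one or two unverified answers."""
    total = sum(reported)
    return sum(sorted(reported, reverse=True)[:k]) / total if total else 0.0


def clipped_mean(true_losses: list[float], errors: list[float]) -> float:
    """Reporting error that is symmetric in principle but clipped at zero in
    practice: nobody can report a negative loss, so the upward half of the
    error survives while the downward half is cut off, leaving a positive bias."""
    return mean(max(0.0, t + e) for t, e in zip(true_losses, errors))


def build_sample() -> list[float]:
    # Constructed sample, not survey data: 4,900 people report no loss, 98 report
    # $50, one reports $300, and a single respondent falsely claims $25,000.
    return [0.0] * 4_900 + [50.0] * 98 + [300.0, 25_000.0]


if __name__ == "__main__":
    sample = build_sample()
    honest = sample[:-1] + [0.0]  # same survey, but the false claim replaced by $0
    print(f"estimate with the $25,000 claim:      ${extrapolate(sample):,.0f}")
    print(f"estimate without it:                  ${extrapolate(honest):,.0f}")
    print(f"share of estimate from top 2 answers: {top_k_share(sample):.0%}")
    # Symmetric +/-$100 noise around a true loss of $0 would average to zero if
    # negative reports were allowed; clipped at zero it averages to $50.
    print("clipped mean of a zero-loss truth:", clipped_mean([0.0] * 4, [100, -100, 100, -100]))
```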

But this was not the first time Florêncio and Herley have come up with research that potentially could tick off a goodly number of security experts. They also wrote "Is everything we know about password stealing wrong?" It concluded with [PDF]:

Many suggest that the switch in recent years from hacking-for-sport to hacking for financial gain represents an extremely serious escalation. This is sometimes offered as evidence that users must finally get serious about security, passwords must be done away with, etc. We offer the somewhat provocative thought that this switch is good news, not bad. The banking system has been hardened by centuries of exposure to fraud and money laundering. In spite of the enormous effort devoted to password-stealing, banks offer zero liability guarantees to customers and keep losses manageable. A fixed population of hackers will almost certainly do less harm by attacking hardened targets like banks than if they applied the same energy elsewhere. Getting in and getting out with money is a far harder problem than simply causing destruction. If the goal were mayhem and destruction rather than money-making we might be a great deal worse off.

Although the Microsoft researchers question whether the real answer to the password problem is to stop using impossible-to-recall passwords, an article on Wired Enterprise suggested that some websites "take a cruel delight in forcing us to come up with impossible-to-guess (or remember) passwords." So who do we blame for the password problem? According to that article, "Blame it on Bill Gates," who predicted nearly a decade ago that "There's no doubt that over time people are going to rely less and less on passwords."

Of course passwords didn't die, and now millions upon millions of users have weak, easy-to-hack passwords on social networking sites. The answer to the password problem may be even more research, although in another paper Herley estimated that "the time spent managing complex passwords could cost U.S. businesses billions of dollars in lost productivity each year."

Steven Bellovin, professor of computer science at Columbia engineering school, told Bob McMillian that Herley is "upsetting some people with his positions that go against the conventional wisdom, but in general I think he's right." Wired added, "Without giving any explanation, Microsoft wouldn't allow Herley to be interviewed for this article." Imagine that.


Copyright © 2012 IDG Communications, Inc.