12 December 2005

Safety in Numbers?

Cryptography and security guru Bruce Schneier reports that there's a measure of security in mass insecurity:

A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.

The analysis, released on Wednesday, also found that even in the most dangerous data breaches--where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted--only about 1 in 1,000 victims had their identities stolen.

The reason is that thieves are stealing far more identities than they need. Two years ago, if someone asked me about protecting against identity theft, I would tell them to shred their trash and be careful giving information over the Internet. Today, that advice is obsolete. Criminals are not stealing identity information in ones and twos; they're stealing identity information in blocks of hundreds of thousands and even millions.

If a criminal ring wants a dozen identities for some fraud scam, and they steal a database with 500,000 identities, then -- as a percentage -- almost none of those identities will ever be the victims of fraud.

Well, I feel better -- what about you?

When phenomena are exceedingly rare -- whether natural phenomena, such as lightning strikes, or man-made ones, such as terrorist attacks -- an odds-based argument can be valuable in tempering a natural tendency to panic. However, where the phenomenon in question is prevalent, this kind of analysis is essentially uninformative; the underlying message is not "it probably won't happen to you" but is instead "it will probably happen to you, but probably not today".

I for one cannot believe that the modern electronic economy is sustainable in the longer term unless the overall prevalence of fraud is minimized. Think of a bricks-and-mortar store where thieves wander about freely, stealing merchandise and robbing customers. If the proprietors and patrons of the shop are either unable or unwilling to prevent the thefts, the overall effect of the rampant thievery will be to depress the economy within the store.

This effect will occur whether the costs of the theft are initially or ultimately borne by the shopkeeper or his customers: A shopkeeper absorbing high theft losses will find it unprofitable to continue in business; if the proprietor passes along his losses to his customers, those customers will spend less overall; if customers develop an expectation that they will be robbed in the shop -- perhaps not this visit, but eventually -- they will either avoid coming at all or will minimize their potential losses by risking less.

The cumulative effect of prevalent thievery goes well beyond the losses directly attributable to the individual criminal acts; once consumer confidence is grievously shaken, the economy will fail.
