# Phishing As Tragedy of the Commons


Published on January 7, 2009

Author: amiable_indian

Source: slideshare.net

ing, some institutions may have extremely tight restrictions on wiring money from accounts. Much as Gordon [15] makes no attempt to estimate the number or total weight of fish in a fishing ground, we won't attempt to place a numeric value on $X$; what matters is that it is finite. The analysis seeks to reveal the economic factors that cause equilibrium to be reached rather than estimate quantities. Let $E$ be the total effort of all phishers; if the main resource a phisher has is his time we can measure $E$ in hours. Let $H(X, E)$ be the total dollar harvest per unit time (which depends on the pool of available dollars and the total effort).

Unchecked, the pool of phishable dollars grows over time. The growth depends on $X$ itself, that is

$$\frac{dX}{dt} = f(X).$$

This is the expected behavior of any quantity that has an exponential growth pattern but is contained in a bounded resource pool. Thus $dX/dt$ grows as depicted in Figure 2 (a). The number of dollars added per unit time gets larger as $X$ gets larger, but the growth slows and finally drops to zero when $X$ has reached the resource limit and no further growth is possible. For example, as $X$ approaches the total number of dollars in all online accounts, $dX/dt$ must approach zero.

But, of course, our pool of phishable dollars does not grow unchecked: every dollar that is harvested by a phisher is removed from the pool. Thus the true growth rate of the pool is the unchecked rate minus the harvest:

$$\frac{dX}{dt} = f(X) - m \cdot H(X, E).$$

Actually, the phishable dollars are reduced by at least $H(X, E)$. Dollars stolen are removed from the pool; however, each dollar stolen may cause more than one dollar to leave the pool. This is so since a victim who has his PayPal credentials stolen (and loses money as a consequence) is likely to be especially careful with any remaining money (e.g. change the password if the account has not yet been emptied) and to be more alert with respect to any other accounts. We account for this factor by removing $m \cdot H(X, E)$ rather than $H(X, E)$ from the pool; clearly $m \geq 1$. Again, the actual value of $m$ will not affect the analysis much; we can assume $m = 1$ if we choose.

The phishers can only sustainably harvest the growth rate at any $X$. That is, in equilibrium $dX/dt = 0$ and hence

$$f(X) = m \cdot H(X, E).$$

If $m \cdot H(X, E) > f(X)$ then the pool of phishable dollars shrinks to zero (i.e. phishers consistently harvest more than the replacement rate of the dollars). If $m \cdot H(X, E) < f(X)$ the dollar pool grows; however, as $X$ increases, at some point $f(X)$ begins to fall (as depicted in Figure 2 (a)). So if $m \cdot H(X, E) < f(X)$ then $X$ will increase until $m \cdot H(X, E) = f(X)$. Thus, in equilibrium we have $dX/dt = 0$, which implies that, for a given $X$, the sustainable harvest is

$$H(X, E) = \frac{1}{m} \cdot f(X).$$

At this sustained level of harvesting the pool neither increases nor decreases.

Now, in equilibrium, the pool of phishable dollars $X$ depends on the effort $E$. When there is no phishing effort ($E = 0$) $X$ achieves its maximum. For some large enough effort we will have $X = 0$ (e.g. if everyone is phished every day the pool of phishable dollars will be zero). In between those extremes $X$ is inversely related to $E$. Following [15] we depict this as a linear relationship in Figure 2 (b), but it doesn't significantly change the analysis if it deviates from this. What matters is that the number of phishable dollars is a function of effort (i.e. $X = X(E)$) and decreases as $E$ increases (note that in Figure 2 (b) $X(E)$ is the dependent variable).

Now the harvest that phishers extract from the pool is a function of effort $E$ and the size of the pool: $H = H(X, E)$. But in steady state, as we have seen, $X$ can be expressed as a function of effort. So $H(X, E) = H(X(E), E) = H(E)$ and the sustainable harvest can be expressed as a function of effort alone. This is done in Figure 2 (c). For example, at effort $E_0$ we can determine the sustainable harvest $H(E_0)$ by finding the phishable dollars for that level of effort, $X_0 = X(E_0)$, and then equating $H(E_0) = \frac{1}{m} \cdot f(X_0)$ (since we know that the harvest and the growth must be equal in equilibrium). Thus we end up with a curve that shows the sustainable harvest for any particular level of effort, Figure 2 (c). For convenience, this is reproduced in Figure 1.

### 2.2 Summary so far: Sustainable Harvest at Sustained Effort

While there was some analysis involved in its derivation, Figure 1 represents what common sense suggests. The sustainable harvest depends on the phishing effort. When $E = 0$ the harvest is also zero. As sustained effort increases so does the sustainable harvest. However, at some level of phishing effort, the sustainable harvest peaks and returns to zero. This must be so since, at some level of harvesting effort (e.g. everyone is phished every day), the pool of phishable dollars drops to zero (and hence so also must the harvest).

The curves used to derive this graph are for example only. The key assumptions are that the growth as a function of the pool of phishable dollars (i.e. $dX/dt$ vs. $X$), as in Figure 2 (a), falls to zero for some large enough $X$, and that the pool of phishable dollars against effort (i.e. $X(E)$ vs. $E$), as in Figure 2 (b), is monotonically decreasing.

### 2.3 Independent Profit Maximizing Actors

Figure 1 shows the sustainable harvest achievable as a function of effort. Any point on the curve is achievable
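The derivation above fixes only the shapes of $f(X)$ and $X(E)$. As an added example (not part of the paper), the Python below picks concrete forms so the model can be run: logistic growth $f(X) = rX(1 - X/K)$, which rises with $X$ and falls to zero at the resource limit $K$ as Figure 2 (a) requires, and a Gordon-Schaefer harvest $H(X, E) = qEX$. With these assumed forms the equilibrium pool $X(E)$ comes out exactly linear in $E$, as drawn in Figure 2 (b), the sustainable harvest $H(E) = f(X(E))/m$ rises to a peak at $E_x$ and returns to zero, and sustained effort beyond the point where $m \cdot H > f$ for every $X$ empties the pool. The parameter values $r$, $K$, $q$ and $m$ are illustrative, not figures from the paper.

```python
"""Added worked example, not from the paper: the pool of phishable dollars X
under growth f(X) and harvest m*H(X, E), with concrete illustrative forms."""

# Illustrative parameters (assumptions, not values from the paper):
R = 0.5            # intrinsic growth rate of the pool
K = 1_000_000.0    # resource limit: growth f(X) falls to zero as X -> K
Q = 1e-3           # "catchability": dollars harvested per hour per dollar in the pool
M = 1.0            # multiplier m >= 1 for the extra dollars each theft pushes out


def f(x):
    """Unchecked growth dX/dt = f(X): logistic, rising with X then falling to zero at K."""
    return R * x * (1.0 - x / K)


def harvest(x, e):
    """Dollar harvest per unit time H(X, E); Gordon-Schaefer form q*E*X (assumed)."""
    return Q * e * x


def simulate_pool(e, x0=K, dt=0.01, steps=20_000):
    """Integrate dX/dt = f(X) - m*H(X, E) by forward Euler at fixed effort e
    and return the pool size it settles to (the equilibrium dX/dt = 0)."""
    x = x0
    for _ in range(steps):
        x = max(0.0, x + dt * (f(x) - M * harvest(x, e)))
    return x


def pool_at_effort(e):
    """Closed-form equilibrium pool X(E) from f(X) = m*H(X, E).
    With the forms above it is K*(1 - m*q*E/r): linear in E, as in Figure 2 (b)."""
    return max(0.0, K * (1.0 - M * Q * e / R))


def sustainable_harvest(e):
    """H(E) = H(X(E), E) = f(X(E))/m: the harvest the pool can sustain at effort E."""
    return f(pool_at_effort(e)) / M


def effort_of_max_yield():
    """E_x, the effort at which H(E) peaks; beyond it more effort yields less."""
    return R / (2.0 * M * Q)


def effort_that_empties_pool():
    """Effort at which X(E) reaches zero, so the sustainable harvest is zero again."""
    return R / (M * Q)


if __name__ == "__main__":
    for e in (0.0, 100.0, effort_of_max_yield(), 400.0, effort_that_empties_pool()):
        print(f"E={e:6.1f}h  X(E)={pool_at_effort(e):10.0f}  "
              f"simulated={simulate_pool(e):10.0f}  H(E)={sustainable_harvest(e):9.0f}")
    # Sustained effort past the limit (m*H > f for every X) drives the pool to zero.
    print("pool after sustained effort beyond the limit:", round(simulate_pool(600.0), 3))
```

Running the script prints the sustainable harvest curve of Figure 1 at a few efforts: zero at $E = 0$, a peak at $E_x = r/(2mq)$, and zero again at $E = r/(mq)$, with the simulated pool agreeing with the closed-form $X(E)$ at each point.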

whole would be losing money. While amusing, this situation is bad, in the sense that reducing the money stolen through phishing is not our only goal, which brings us to our final point.

Phishing is not solely (or perhaps even mainly) a problem of stolen dollars. If it were, and we wished to reduce $R_{tot}(E)$, we might simply encourage as many people as possible to phish. As each of them seeks to maximize their revenue they will drive the total return from the commons down. This isn't an interesting solution, however. In reality the erosion of trust in email and web commerce is more significant than the lost dollars.

### 4. OBJECTIONS AND POSSIBLE PROBLEMS

A number of objections can be raised to this analysis. Chief among them are objections to the economic model and claims that reports show that there is a lot of money in phishing. We examine these in turn.

### 4.1 Objection: "The Economic Model is too Simple, Phishing isn't like Fishing"

Numerous objections can be made to the economic model we have used. It can be argued that

- This is an equilibrium analysis; phishing is too new to be in equilibrium.
- Phishing is an illegal activity and this affects entry to and exit from the field.
- Phishers' costs are not linearly related to effort.
- Some phishers have very sophisticated operations that require little effort.

Each of these objections has merit, but none affects the analysis. The overall point is that when an activity offers returns superior to the alternatives it continues to attract newcomers until the returns are no longer superior. Unless phishing is governed by a set of economic laws different from other human endeavors, the invisible hand of the market drives the average earning to the opportunity cost.

The case of piracy [7] indicates that equilibrium can be reached in only a few years, even when information flow is poor and greater danger and risk are involved. Indeed history teaches that lucrative opportunities do not lie unexploited long. News of a gold strike in the Klondike reached Seattle on July 17, 1897, and more than 100,000 attempted the difficult trek to Dawson City in the following six months. By the summer of 1899 the gold was substantially exhausted and the rush over.

The illegality of the activity certainly makes some reluctant to become involved, but this has no influence on earnings so long as there is a sufficient supply of recruits willing to exploit the opportunity. The case of low-level drug dealers confirms that unskilled work seldom pays well even when it is illegal and dangerous [26].

It is certainly the case that phishers' costs are not linearly related to effort, and there can be a large difference between the efficiency with which different phishers pursue their victims. The straight-line relation between costs and effort, $C_{tot}(E) = a \cdot E$, is a simplification, but a more complex relation doesn't change the outcome. The two key assumptions of the model are that revenue $R_{tot}(E)$ eventually falls with increasing effort, while costs $C_{tot}(E)$ are monotonically increasing with effort. It does not matter whether effort $E$ is measured in hours or any other units: the effort expended keeps increasing so long as it is profitable, and the revenue keeps falling. Equilibrium is reached when incentives to leave and incentives to enter the pool are in balance (cost and revenue are equal).

The argument that phishers have efficient automatic operations that require little effort merely argues that costs are very low.

### 4.1.1 Maybe we're just on the early part of the curve?

A natural objection is to question whether we are really on the right part of the sustainable harvest curve in Figure 1. The tragedy of the commons (whereby increasing effort results in decreasing harvest) happens only when $E > E_x$. Is it not possible that we have not reached optimal yield yet (i.e. $E < E_x$)? It is impossible to reach equilibrium at $E < E_x$ unless the whole endeavor is unprofitable. This is so since increasing effort gives increasing return, so new arrivals will continue to find the opportunity profitable. Thus equilibrium is not achievable at any $E < E_x$ unless $R_{tot}(E_x) < C_{tot}(E_x)$ or there is a barrier to new entrants. Since Gartner [13] estimates that 66% of the population had received phishing emails, it is hard to argue that there's a large uncontacted population that represents a profitable opportunity.

### 4.1.2 What about the Sinusoidal Predator-Prey Population Dynamics Model?

The population dynamics of interacting predator and prey species is sometimes modeled using the Lotka-Volterra equations. The solution gives that both populations oscillate sinusoidally, but with the predator population lagging the prey by 90°. Why does this model not apply? The reason essentially is that the Lotka-Volterra solution assumes a closed ecosystem in which the predator population grows and shrinks with births and deaths only. A large increase in available prey results in an increase in predators, but only slowly. By contrast the tragedy of the commons model assumes that new predators enter the system when the opportunities are good and leave when they are bad.
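Sections 2.3 and 4.1 argue that effort keeps growing while phishing pays better than the alternatives, that the equilibrium is where $R_{tot}(E) = C_{tot}(E)$, and that an equilibrium at $E < E_x$ needs either $R_{tot}(E_x) < C_{tot}(E_x)$ or a barrier to entry. As an added example (not from the paper), the Python below runs that entry-and-exit process with an illustrative revenue curve of the required shape, $R_{tot}(E) = qEK(1 - mqE/r)$, which peaks at $E_x = r/(2mq)$ and falls to zero, and linear cost $C_{tot}(E) = aE$ with $a$ the hourly opportunity cost. The parameter values, the 10-hour step per phisher and the entry/exit rule are assumptions made for the example.

```python
"""Added worked example, not from the paper: phishers entering while the work
beats the alternative and leaving when it does not, until R_tot(E) = C_tot(E)."""

# Illustrative parameters (assumptions, not values from the paper).
R, K, Q, M = 0.5, 1_000_000.0, 1e-3, 1.0   # growth rate, resource limit, catchability, m
TOL = 1e-9                                  # float slack when comparing earnings with cost


def total_revenue(e):
    """R_tot(E) = q*E*K*(1 - m*q*E/r): sustainable harvest, rising to a peak at
    E_x = r/(2*m*q) and falling to zero at E = r/(m*q)."""
    return max(0.0, Q * e * K * (1.0 - M * Q * e / R))


def total_cost(e, opportunity_cost):
    """C_tot(E) = a*E: what the same E hours would earn at the legal alternative."""
    return opportunity_cost * e


def effort_of_max_yield():
    """E_x, the effort at which R_tot(E) peaks."""
    return R / (2.0 * M * Q)


def average_hourly_earning(e):
    """Average revenue per hour of effort when total effort is E."""
    return total_revenue(e) / e if e > 0 else 0.0


def free_entry_equilibrium(opportunity_cost, hours_per_phisher=10.0,
                           max_phishers=None, max_rounds=100_000):
    """Run the entry/exit process: a newcomer joins while the average hour would
    still pay at least the opportunity cost after joining; a phisher leaves
    while the average hour pays less than it.  `max_phishers` models a barrier
    to entry.  Returns the total effort E at which entry and exit balance."""
    n = 1
    for _ in range(max_rounds):
        e = n * hours_per_phisher
        if average_hourly_earning(e) < opportunity_cost - TOL and n > 1:
            n -= 1          # leave: phishing pays less than the alternative
        elif (average_hourly_earning(e + hours_per_phisher) >= opportunity_cost - TOL
              and (max_phishers is None or n < max_phishers)):
            n += 1          # enter: still profitable at the margin
        else:
            break
    return n * hours_per_phisher


if __name__ == "__main__":
    e_x = effort_of_max_yield()
    for a in (20.0, 600.0):
        e_eq = free_entry_equilibrium(a)
        side = "beyond" if e_eq > e_x else "before"
        print(f"a=${a:>5.0f}/h: equilibrium E={e_eq:.0f}h ({side} E_x={e_x:.0f}h), "
              f"total revenue ${total_revenue(e_eq):,.0f} vs ${total_revenue(e_x):,.0f} "
              f"at E_x, average ${average_hourly_earning(e_eq):.2f}/h")
    print("with entry capped at 20 phishers:", free_entry_equilibrium(20.0, max_phishers=20))
```

With a low opportunity cost the process stops far past $E_x$, the average hour earns exactly the opportunity cost, and the total harvest is a small fraction of the maximum yield: the commons has been overgrazed. The process settles on the rising part of the curve only in the two cases the text names, a cost so high that $R_{tot}(E_x) < C_{tot}(E_x)$, or a cap on entrants.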

### 4.2 Objection: "What About all the Data Showing that Phishing Losses are Huge?"

The short answer is that data showing that phishing losses are huge crumble upon inspection. We review the main surveys and technical studies of phishing rate and losses in Section 5. We examine different estimates of the phishing rate (i.e. percent of the population who are phished each year) and the loss (i.e. the amount lost per victim).

### 4.2.1 Estimating Rate: Surveys versus Measurements

Most of the data are from victim surveys [12, 13, 14, 8, 9, 18, 29]. While surveys are a very valuable source of data, crime researchers have known for some time that victim surveys have several sources of bias:

- Selection bias (i.e. failure to contact a representative sample of the overall population)
- Refusal rate (i.e. rate at which the contacted population refuse to respond to the survey)
- Telescoping (i.e. tendency of respondents to "throw in" incidents that do not fall within the time frame of the survey)
- Forgetting (i.e. tendency to omit crimes that do fall in the time frame or have been forgotten)
- Exaggeration of losses (i.e. tendency of victims to overstate rather than understate the magnitude of the wrong they have suffered).

Each of these can have significant effects on the outcome of a survey. Selection bias is potentially a very large factor. First, there is no registry of online users, so contacting a random subset of online users is exceedingly difficult. Phone surveys generally randomly select from registries of landline numbers and thus miss the cellphone-only population. Postal mail surveys tend to miss those who move often. Email is worst of all for performing a phishing survey, since it would appear necessary to use the same technique that phishers use: send bulk mail to lots of addresses and hope for responses. The FTC [8, 9] and Javelin [18] surveys were done by phone. Gartner [12, 13, 14] does not specify their contact methodology.

Survey scientists have long known that achieving a low refusal rate among those contacted is vitally important to ensure that randomness in the contacted sample is carried over into the achieved sample. This is vitally important, since a high refusal rate amplifies any difference in response rates between victims and non-victims. For example, a contacted representative population contains victims and non-victims: $C = V + N$. If everyone responded we would estimate the victimization rate as $V/(V + N)$. But if only a fraction $V_r$ and $N_r$ of victims and non-victims respectively respond, we estimate the rate as

$$\frac{V \cdot V_r}{V \cdot V_r + N \cdot N_r} = \frac{V \cdot (V_r/N_r)}{V \cdot (V_r/N_r) + N}.$$

When the overall victimization rate is low (i.e. $V \cdot (V_r/N_r) + N \approx V + N \approx N$) any difference in the victim and non-victim response rates enormously influences the estimate. This can be very pronounced when the response rate is low; e.g. if $V_r = 5 N_r$ (victims are 5× more likely to respond) then the estimated victimization rate is almost 5× the true rate. This effect can be so large that it is regarded as good practice in victim surveys to follow up with non-respondents (i.e. those who refuse to participate) and ask whether they were victims or not, even if they do not answer more detailed questions. This makes it possible to estimate whether victims and non-victims are responding at different rates, and if so, adjust for the bias. The response rate for the FTC phone survey [9] was 26%, and the response rates on email surveys can be an order of magnitude lower. Thus all of the ingredients for a very biased estimate are present in each of the surveys: difficulty contacting a random sample, high refusal rate, low victimization rate and greater likelihood that victims respond.

Rather obviously, the phishing victimization rate is small. In fact, in all of the victim surveys except [14] the margin of error for the 95% confidence interval is larger than the estimated phishing rate. We tabulate the margins of error in Table 1. Observe that even though the Javelin 2005 [18] and Gartner 2005 [12] surveys produce phishing estimates for the same period that differ by almost an order of magnitude (i.e. 0.07% and 0.5%), that is still well within the margin of error. It is very misleading to state (as Gartner does [14]) that "phishing attacks in the United States soared in 2007" on the basis of an increase (from 2006) that is less than the margin of error.

Being free of these biases, the rate measurements performed by Florêncio and Herley [10] and Moore and Clayton [28] are likely far more accurate than any of the surveys. The fact that their estimates of the phishing victimization rate, using entirely different measurements, agree so well (0.4% and 0.34%) encourages us to suggest that the true rate is somewhere in this neighborhood. The survey biases mentioned can comfortably account for the difference with the rate estimated by Gartner.

### 4.2.2 Estimating Dollar Losses and Mean vs. Median

In all of the surveys examined in Section 5 victims are self-reporting losses. This is problematic. Indeed a few sanity checks reveal that the self-reported \$47bn in ID theft losses [8] is almost certainly enormously exaggerated. By way of benchmarking, the total reported 2003 profits of the top five banks in the US (Citi, BoA,
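As an added example (not part of the paper), the Python below evaluates the response-rate formula of Section 4.2.1 on constructed numbers, shows the correction that a non-respondent follow-up makes possible (once the ratio $k = V_r/N_r$ is known, the reported rate can be inverted to recover the true one), and computes the 95% margin of error for a proportion, the quantity Table 1 tabulates. The population of 1000 contacted people with 5 victims, and the response rates of 25% for victims and 5% for non-victims, are constructed for illustration.

```python
"""Added worked example, not from the paper: bias in a victim survey's rate
estimate from unequal victim/non-victim response rates, and its correction."""

import math


def estimated_rate(victims, non_victims, victim_response, non_victim_response):
    """Rate a survey reports when a fraction Vr of victims and Nr of non-victims
    respond: V*Vr / (V*Vr + N*Nr)."""
    responding_victims = victims * victim_response
    responding_non_victims = non_victims * non_victim_response
    return responding_victims / (responding_victims + responding_non_victims)


def true_rate(victims, non_victims):
    """Rate that would be measured if everyone contacted responded: V / (V + N)."""
    return victims / (victims + non_victims)


def debias(reported_rate, response_ratio):
    """Recover the true rate from a reported rate p_hat and k = Vr/Nr, the ratio a
    non-respondent follow-up lets the surveyor estimate.  Solves
    p_hat = V*k / (V*k + N) for V/N, then returns V / (V + N)."""
    victims_per_non_victim = reported_rate / (response_ratio * (1.0 - reported_rate))
    return victims_per_non_victim / (1.0 + victims_per_non_victim)


def margin_of_error(rate, respondents, z=1.96):
    """Half-width of the 95% confidence interval for a proportion estimated
    from `respondents` answers (normal approximation)."""
    return z * math.sqrt(rate * (1.0 - rate) / respondents)


if __name__ == "__main__":
    # Constructed population: 1000 contacted, 5 victims (true rate 0.5%).
    V, N = 5, 995
    VR, NR = 0.25, 0.05          # victims respond 5x as readily; ~5% overall response
    reported = estimated_rate(V, N, VR, NR)
    print(f"true rate      {true_rate(V, N):.2%}")
    print(f"reported rate  {reported:.2%}  ({reported / true_rate(V, N):.1f}x the true rate)")
    print(f"after follow-up correction with k={VR / NR:.0f}: {debias(reported, VR / NR):.2%}")
    respondents = V * VR + N * NR
    print(f"95% margin of error on {respondents:.0f} responses: "
          f"+/-{margin_of_error(reported, respondents):.2%}")
```

On these inputs the survey reports a rate about 4.9× the true one, the follow-up correction recovers 0.5% exactly, and the margin of error on the 51 responses is larger than the reported rate itself, which is the pattern the text describes for Table 1: differences between surveys, or between years of the same survey, that are smaller than this margin carry no information.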



## Related pages

### A Profitless Endeavor: Phishing as Tragedy of the Commons

A Profitless Endeavor: Phishing as Tragedy of the Commons. Cormac Herley and Dinei Florêncio, Microsoft Research, One Microsoft Way, Redmond, WA, USA

### Microsoft study debunks phishing profitability | ZDNet

Microsoft study debunks phishing profitability. ... Phishing as Tragedy of the Commons), states that phishing isn't as profitable as originally thought. ...

### A Profitless Endeavor: Phishing as Tragedy of the Commons

Abstract. Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underly the phenomenon, and find a very ...

### Phishing As Tragedy of the Commons - Technology

Share Phishing As Tragedy of the Commons. ... This tragedy of the commons causes overgrazing and means that new entrants are not attracted, ...