<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Defending The Kingdom &#187; economics of security</title>
	<atom:link href="http://www.defendingthekingdom.com/archives/category/economics-of-security/feed" rel="self" type="application/rss+xml" />
	<link>http://www.defendingthekingdom.com</link>
	<description>Security and Privacy in Your Digital Life</description>
	<lastBuildDate>Fri, 03 Feb 2012 21:59:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>After spam</title>
		<link>http://www.defendingthekingdom.com/archives/after-spam</link>
		<comments>http://www.defendingthekingdom.com/archives/after-spam#comments</comments>
		<pubDate>Sat, 25 Dec 2010 21:02:58 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[adware]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[economics of security]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=533</guid>
		<description><![CDATA[If spam emails didn&#8217;t sometimes encourage people to click through and make a purchase, it wouldn&#8217;t exist as a business. The fact that we all get spam means that, despite the costs of doing so, somebody still finds it profitable to send out all of those emails. The truly amazing thing, though, is the number [...]]]></description>
			<content:encoded><![CDATA[<p>If spam emails didn&#8217;t sometimes encourage people to click through and make a purchase, it wouldn&#8217;t exist as a business. The fact that we all get spam means that, despite the costs of doing so, somebody still finds it profitable to send out all of those emails. The truly amazing thing, though, is the number of emails spammers have to send in order to capture a single customer. The Economist had an <a href="http://www.economist.com/node/17519964">article</a> a few weeks ago that provided some data:</p>
<blockquote><p>In 2008 researchers from the University of California at Berkeley and San Diego posed as spammers, infiltrated a botnet and measured its success rate. The investigation confirmed only 28 “sales” on 350m e-mail messages sent, a conversion rate under .00001%. Since then, says Mr Peterson, the numbers have got worse.</p></blockquote>
<p>Given how good my Gmail account is at filtering out spam and assuming that other email software is rising to that standard, I&#8217;m not surprised that the conversion rate is so low. So what are spammers doing now?</p>
<p>Well, Twitter seems to be a breeding ground in rude health:</p>
<blockquote><p>&#8230;researchers from the University of California at Berkeley and the University of Illinois at Champaign-Urbana show that 8% of links published [on Twitter] were shady, with most of them leading to scams and the rest to Trojans.</p></blockquote>
<p>And I suspect we&#8217;ll see Facebook become an increasingly important launching pad for similar threats. The <a href="http://www.defendingthekingdom.com/archives/security-problems-are-forever">security arms race</a> continues.</p>
<p>Happy holidays, dear readers!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/after-spam/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shop online safely</title>
		<link>http://www.defendingthekingdom.com/archives/shop-online-safely</link>
		<comments>http://www.defendingthekingdom.com/archives/shop-online-safely#comments</comments>
		<pubDate>Sun, 28 Nov 2010 19:10:39 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[search engines]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=537</guid>
		<description><![CDATA[I&#8217;ve heard of and personally encountered a number of e-commerce websites like the one described in this NYTimes article. The proprietor of DecorMyEyes.com promises the cheapest designer eyewear on the net, intentionally delivers something other than what customers order (a cheaper or counterfeit model, for example), and then stalls, threatens, cajoles, and harasses people who [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve heard of and personally encountered a number of e-commerce websites like the one described in <a href="http://www.nytimes.com/2010/11/28/business/28borker.html?_r=1&#038;hpw=&#038;pagewanted=all">this NYTimes article</a>. The proprietor of DecorMyEyes.com promises the cheapest designer eyewear on the net, intentionally delivers something other than what customers order (a cheaper or counterfeit model, for example), and then stalls, threatens, cajoles, and harasses people who try to get their money back. He makes money when customers give up trying to get a refund, allowing him to pocket the difference between the amount he charged their credit cards and the value of the goods he shipped.</p>
<p>I believe that the majority of e-commerce websites deliver what they say they will, but you need to know how to avoid the few that won&#8217;t. Interestingly, the huckster who runs the site described in the NYTimes article provides the answer: </p>
<blockquote><p>
Selling on the Internet, Mr. Borker says, attracts a new horde of potential customers every day. For the most part, they don’t know anything about DecorMyEyes, and the ones who bother to research the company — well, he doesn’t want their money. If you’re the type of person who reads consumer reviews, Mr. Borker would rather you shop elsewhere.</p></blockquote>
<p>Mr. Borker doesn&#8217;t want cautious, conscientious customers because those customers reduce his hourly wage. Why bother selling to these people when there are plenty of shoppers who will give up trying to get their money back without much fuss? That is why, amazingly, the owner of this scam website isn&#8217;t troubled by the bad publicity that makes it easy to protect yourself.</p>
<h3>Before clicking &#8220;Buy&#8221;</h3>
<p>Just as <a href="http://www.defendingthekingdom.com/archives/how-to-make-great-passwords">changing your password to something marginally more complex</a> than the typical internet user&#8217;s password makes you an <a href="http://www.defendingthekingdom.com/archives/security-is-not-a-switch">undesirable target</a>, doing a bit of research on the net makes you vastly less likely to fall victim to an e-commerce scam.</p>
<p>When I say &#8220;a bit&#8221;, I really mean it. It takes two seconds to type <a href="http://www.google.ca/search?hl=en&#038;client=firefox-a&#038;hs=VCm&#038;rls=org.mozilla%3Aen-US%3Aofficial&#038;q=decormyeyes+fraud&#038;btnG=Search&#038;aq=f&#038;aqi=&#038;aql=&#038;oq=&#038;gs_rfai=">&#8220;decormyeyes fraud&#8221;</a> into Google&#8217;s search engine. Every search result I got when I did that clued me in to the fact that this website is bad news:</p>
<div class="imgbody"><a href="/images/decorfraud_big.jpg"><img width="400" height="249" alt="Google search for term: decormyeyes fraud" src="/images/decorfraud_small.jpg" /></a></div>
<p style="clear:both;">A <a href="http://www.bbb.org/new-york-city/business-reviews/sunglasses/decor-my-eyes-in-brooklyn-ny-95085/">Better Business Bureau search</a> piles on the evidence:</p>
<div class="imgbody"><a href="/images/bbbdecor_big.jpg"><img width="400" height="271" alt="Better Business Bureau page for decormyeyes" src="/images/bbbdecor_small.jpg" /></a></div>
<p style="clear:both;">So that&#8217;s it. The next time you are thinking of buying from an online retailer, just do a quick Google search like &#8220;companyname fraud&#8221; or &#8220;companyname scam&#8221; and then check out the Better Business Bureau rating. Most people spend a good amount of time researching their internet purchases &#8212; allocating just a couple of seconds to protecting yourself from fraud should not be too much of a burden.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/shop-online-safely/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>StrongWebmail hacked after issuing $10K challenge</title>
		<link>http://www.defendingthekingdom.com/archives/strongwebmail-hacked-after-issuing-10k-challenge</link>
		<comments>http://www.defendingthekingdom.com/archives/strongwebmail-hacked-after-issuing-10k-challenge#comments</comments>
		<pubDate>Fri, 05 Jun 2009 06:21:56 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/?p=253</guid>
		<description><![CDATA[Here&#8217;s the story: Who among us doesn&#8217;t love a good hack? After putting forth a $10,000 come-and-get-us challenge, it&#8217;s possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz&#8217;s Web-mail account and report back details from an upcoming date [...]]]></description>
			<content:encoded><![CDATA[<p>Here&#8217;s the <a href="http://www.betanews.com/article/StrongWebmail-apparently-hacked-after-issuing-10K-challenge/1244155204">story:</a></p>
<blockquote><p>Who among us doesn&#8217;t love a good hack? After putting forth a $10,000 come-and-get-us challenge, it&#8217;s possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz&#8217;s Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.</p></blockquote>
<p>Once again, it&#8217;s worth pointing out that there is no such thing as perfect security. You have to choose a level that is <em>good enough</em>. It can be uncomfortable to know and accept that <em>your</em> email address could get hacked, but there&#8217;s no way around it. All you can do is decrease the chances in a way that doesn&#8217;t cramp your style too much.</p>
<p>I advocate cramping your style a bit more than others in your category of &#8220;target juiciness&#8221;. If you have typical assets to protect, put just a bit more effort into security than the typical person. If you are atypical, put just a bit more effort into security than those with your level of assets.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/strongwebmail-hacked-after-issuing-10k-challenge/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Four digit pins &#8211; are they safe?</title>
		<link>http://www.defendingthekingdom.com/archives/four-digit-pins-are-they-safe</link>
		<comments>http://www.defendingthekingdom.com/archives/four-digit-pins-are-they-safe#comments</comments>
		<pubDate>Fri, 16 Jan 2009 08:53:17 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/four-digit-pins-are-they-safe</guid>
		<description><![CDATA[Strong passwords are important, and I recommend using eight or nine digits whenever you can. Sometimes, however, you can&#8217;t avoid using a short password. For example, many ATMs outside North America will not accept long passwords, so you have to use a short ATM password if you live or travel outside of North America. In [...]]]></description>
			<content:encoded><![CDATA[<div class="imgintro"><a href="/images/atm_big.jpg"><img src="/images/atm_small.jpg" alt="Person entering ATM password" width="200" height="212" /></a></div>
<p>Strong passwords are important, and I recommend using eight or nine digits whenever you can. Sometimes, however, you can&#8217;t avoid using a short password. For example, many ATMs outside North America will not accept long passwords, so you have to use a short ATM password if you live or travel outside of North America. In such an instance, is using a four digit password unsafe?</p>
<p>The answer, as far as I can tell, is no. A longer password would be better, but a four digit password for your ATM card is good enough.</p>
<p>Why is a four digit password okay for your ATM card, but not for other accounts? Many ATMs limit the number of failed entries for a given card, eating the card if a user enters an incorrect password four times in a row. This reduces the chance that someone would be able to guess your password.</p>
<h3>What are the chances, exactly?</h3>
<p>Suppose an ATM limits the number of failed password entries to four, after which it will eat the card. Let&#8217;s calculate the probability of guessing a four digit password in four tries.</p>
<p>First, we need to know the number of four digit passwords that can be created from a keypad that includes numbers from 0-9. There are ten usable numbers, each of which can be used as the first, second, third, and fourth digits. That means there are ten ways you can choose the first digit of your password, ten ways to choose the second, ten ways to choose the third, and ten ways to choose the fourth.</p>
<p>These ways multiply to give us 10*10*10*10 = 10,000 different four digit passwords that can be made from ten numbers. Your password is one of those 10,000 passwords. The probability, then, that someone could guess your password in one try is 1/10,000 = 0.0001. The probability that someone could guess your password in four tries is additive: 0.0001+0.0001+0.0001+0.0001 = 0.0004.</p>
<h3>Some perspective</h3>
<p>If you&#8217;re like me, you need some way to interpret this risk. We know 0.0004 is a small number, but can we do better than that? To put that figure into perspective, we can calculate the expected loss (a term that describes the probability of an event multiplied by its cost). Consider the following events: you lose your ATM card, your card is found by someone who tries to extract cash from your savings account, and you don&#8217;t notice that your card is missing for a week. What is your expected loss in this case?</p>
<p>We start by calculating your maximum possible loss. Someone who correctly guesses your ATM card password would be able to withdraw or spend up to your daily limit on each of the seven days you are unaware of your missing card. Let&#8217;s say this limit is $3,000 and the person who has your ATM card knows it (perhaps he learned it by starting with an attempt to withdraw $5,000, then trying smaller and smaller amounts until the machine capitulated). Your maximum loss in this instance is 7*3,000 = $21,000.</p>
<p>Now all we have to do is multiply the maximum loss by the probability of experiencing that loss. We get 21,000*0.0004 = $8.40. You will probably agree with me that this is no big deal compared to the other threats you face. It&#8217;s too bad that you are sometimes forced to use shorter passwords than you would like, but at least in this instance, it&#8217;s not worth worrying about.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/four-digit-pins-are-they-safe/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>What prices tell us about risk</title>
		<link>http://www.defendingthekingdom.com/archives/prices-say-a-lot</link>
		<comments>http://www.defendingthekingdom.com/archives/prices-say-a-lot#comments</comments>
		<pubDate>Mon, 01 Dec 2008 11:51:06 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[offline security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/prices-say-a-lot</guid>
		<description><![CDATA[The Economist, reporting research by Symantec, has an interesting chart of the most common goods and services offered by cybercriminals. You can use the prices on the right of the chart as a sort of risk indicator: if a criminal steals your bank account details, you can expect to lose the amount another criminal is [...]]]></description>
			<content:encoded><![CDATA[<div class="imgintro"><a href="/images/crime_big.jpg"><img src="/images/crime_small.jpg" alt="Cybercriminal typing at computer" width="200" height="173" /></a></div>
<p>The Economist, reporting research by Symantec, has an interesting chart of the <a href="http://www.economist.com/daily/news/displayStory.cfm?story_id=12670461&amp;source=features_box4">most common goods and services offered by cybercriminals</a>.</p>
<p>You can use the prices on the right of the chart as a sort of risk indicator: if a criminal steals your bank account details, you can expect to lose the amount another criminal is willing to pay (plus the value of the second criminal&#8217;s time) to get those details. Keep in mind that these values represent the average (mean) amounts victims will lose and criminals will gain &#8211; in reality, some victims will lose a lot more and some a lot less.</p>
<p>Most interesting feature of the chart: email passwords sell for more than full identities. If you think your email password isn&#8217;t very valuable, you should know that cybercriminals think otherwise!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/prices-say-a-lot/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Viruses and Spyware: Expected Costs</title>
		<link>http://www.defendingthekingdom.com/archives/viruses-and-spyware-expected-costs</link>
		<comments>http://www.defendingthekingdom.com/archives/viruses-and-spyware-expected-costs#comments</comments>
		<pubDate>Mon, 25 Aug 2008 04:28:59 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[antivirus]]></category>
		<category><![CDATA[economics of security]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/viruses-and-spyware-expected-costs</guid>
		<description><![CDATA[The previous post discussed the amount of money you ought to be willing to pay per year to avoid getting phished. By using statistics about the average cost of phishing and the probability of experiencing it, it was possible to come up with a meaningful figure. Given the right statistics, this type of analysis is [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.defendingthekingdom.com/archives/phishing-expected-costs">previous post</a> discussed the amount of money you ought to be willing to pay per year to avoid getting phished. By using statistics about the average cost of phishing and the probability of experiencing it, it was possible to come up with a meaningful figure. Given the right statistics, this type of analysis is possible for any type of risk.</p>
<h3>What Should You Pay to Avoid Viruses and Spyware?</h3>
<p>In Consumer Reports&#8217; <a href="http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/protect-yourself-online/state-of-the-net-2008/protect-yourself-online-state-of-the-net.htm">2008 State of the Net summary</a>, the odds of contracting a serious computer virus problem are given as 1 in 7, with a yearly cost of $2.9 billion. The odds of a serious spyware problem are 1 in 14, with a yearly cost of $3.6 billion. (Note that these figures are for both businesses and consumers.)</p>
<p>From these statistics, it is possible to calculate the amount that the typical person ought to be willing to pay, yearly, in the form of insurance or a preventative product or service, to avoid the consequences of viruses and spyware.</p>
<p>If 1 in 7 <a href="http://www.harrisinteractive.com/harris_poll/index.asp?PID=973">computer users</a> had major <strong>virus</strong> problems, it means that 26 million people suffered expenses of about $110 each. If 1 in 14 computer users had a major <strong>spyware</strong> problem, it means that about 13 million people took a hit of $275.</p>
<p>Using these numbers and a formula for expected costs (expected cost = average cost per incident multiplied by probability of incidence) we can conclude that the expected yearly loss per person from virus and spyware threats totals $35. Put another way, each of us should be willing to spend up to $35 per year on insurance, services, or products that would shield us from the costs of viruses and spyware.</p>
<h3>The Value of Anti-Virus Software</h3>
<p>Of course, my calculations could be wrong. But it&#8217;s interesting to note that McAfee and Symantec, two of the most popular anti-virus and anti-spyware providers, price their mainstay products at $40, $5 more than our calculation says is reasonable. </p>
<p>Is that extra $5 per year for peace of mind or is it down to overpricing? Or maybe the cost figures that Consumer Reports noted do not include the psychological cost of annoyance and time spent getting rid of viruses and spyware, which could bring the total cost per person higher than what was reported. I&#8217;m inclined to give the benefit of the doubt to the millions of consumers who indicate, by their willingness to pay, that a $40 anti-virus solution is worth it to them, but I could be off the mark.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/viruses-and-spyware-expected-costs/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Phishing: Expected Costs</title>
		<link>http://www.defendingthekingdom.com/archives/phishing-expected-costs</link>
		<comments>http://www.defendingthekingdom.com/archives/phishing-expected-costs#comments</comments>
		<pubDate>Sun, 03 Aug 2008 03:05:00 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/phishing-expected-costs</guid>
		<description><![CDATA[In the previous post, I calculated the cost, in statistical terms, of identity theft for the typical person. But identity theft is not the only danger &#8211; what about the risks of phishing? Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in [...]]]></description>
			<content:encoded><![CDATA[<p>In the <a href="http://www.defendingthekingdom.com/archives/identity-theft-expected-costs">previous post</a>, I calculated the cost, in statistical terms, of identity theft for the typical person. But identity theft is not the only danger &#8211; what about the risks of phishing?</p>
<p>Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in 94, or just over 1%. The total amount lost to phishers nation-wide is estimated to be $2 billion.</p>
<h3>Worry or Keep Cool?</h3>
<p>If 1 in 94 American adults lost money to phishers, it means that $2 billion in costs were distributed amongst 2.4 million victims. From that statistic, we can figure that the average cost per person was about $835. If your chances of getting phished are 1 in 94, you can expect to lose (in statistical terms) $9 per year to phishers.</p>
<p>Now, knowing that you are likely to lose $9 per year in statistical terms is a bit of a strange concept. In any given year, you will either lose a large sum like $835 or nothing at all. It might be easier to think of the $9 per year as something each person should be willing to spend to avoid the consequences of phishing.</p>
<p>For example, everyone in the country could contribute $9 per year into a phishing fund and distribute the money to the victims of phishing. Those who contribute but don&#8217;t fall victim to phishing get peace of mind out of the deal. The victims get compensated for what they lose. Everyone wins as long as peace of mind doesn&#8217;t cost more than $9 per year. Beyond that, it&#8217;s best to take your chances!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/phishing-expected-costs/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Identity Theft: Expected Costs</title>
		<link>http://www.defendingthekingdom.com/archives/identity-theft-expected-costs</link>
		<comments>http://www.defendingthekingdom.com/archives/identity-theft-expected-costs#comments</comments>
		<pubDate>Wed, 16 Jul 2008 03:02:51 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/identity-theft-expected-costs</guid>
		<description><![CDATA[A friend recently told me about LifeLock, a company that, for a fee, says it will protect you against identity theft. It does this by persistently renewing fraud alerts with the credit bureaus (which means, according to the FTC, that &#8220;potential creditors must use what the law calls &#8216;reasonable policies and procedures&#8217; to verify your [...]]]></description>
			<content:encoded><![CDATA[<p>A friend recently told me about <a href="http://www.lifelock.com/">LifeLock</a>, a company that, for a fee, says it will protect you against identity theft. It does this by persistently renewing fraud alerts with the credit bureaus (which means, according to the FTC, that &#8220;potential creditors must use what the law calls &#8216;reasonable policies and procedures&#8217; to verify your identity before they issue credit in your name&#8221;), monitoring your credit reports, removing your name from pre-approved credit card lists, watching for your credit card number on websites that peddle stolen cards, and offering up to USD $1,000,000 if you lose money to credit fraud anyway.</p>
<h3>Is LifeLock Worth It?</h3>
<p>Except for the monetary guarantee, LifeLock doesn&#8217;t do anything you couldn&#8217;t do on your own, and the company charges $10 per month for its services. If you want this sort of protection and you have more money than time, LifeLock may be a good deal. If you have more time than money, it&#8217;s probably a bad deal.</p>
<p>But there&#8217;s another way of looking at this. You might ask how much money you stand to lose if you don&#8217;t take <em>any</em> precautionary measures, by your own efforts or through a service like LifeLock.</p>
<p>The <a href="http://www.ftc.gov/opa/2007/11/idtheft.shtm">FTC estimated that there were 8.3 million American victims of identity theft in 2005</a>, the latest year for which survey data are available. That works out to about 3.7% of the adult population. However, the typical victim didn&#8217;t suffer any consequences &#8212; his or her credit card company or bank soaked up the cost. A smaller group that fell victim to the most serious type of identity theft, new account fraud, had to pay a median of $40 and spend ten hours clearing their names. This smaller group made up 0.8% of the survey respondents.</p>
<p>If the survey was representative of the American population as a whole, it is possible to calculate the risk of identity theft, in dollars, to the typical person. The calculation is as follows:</p>
<p>Expected monetary loss per person, per year = risk * (money loss + monetary time cost)</p>
<p>We already know the risk (0.8%) and monetary loss ($40) components of the formula, so we just need an estimate of the monetary time cost. <a href="http://www.census.gov/hhes/www/income/histinc/incpertoc.html">Median income in the United States</a> is different for men and women, but if we take the mean of the two figures and transform it into an hourly wage, a rough estimate of the value of the typical person&#8217;s time is $25 per hour. And if it takes ten hours to deal with the consequences of identity theft, the monetary time cost is $250. Okay, on to the final calculation:</p>
<p>Expected monetary loss per person, per year = 0.008 * (40 + 250) =  $2.32</p>
<h3>The Bottom Line</h3>
<p>If LifeLock were to set its fees to $2.32 per year, or about 20 cents per month, it would be a pretty good deal. Otherwise, you might be better off taking your chances.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/identity-theft-expected-costs/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The cost of phishing</title>
		<link>http://www.defendingthekingdom.com/archives/the-cost-of-phishing</link>
		<comments>http://www.defendingthekingdom.com/archives/the-cost-of-phishing#comments</comments>
		<pubDate>Sat, 15 Mar 2008 19:09:31 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/the-cost-of-phishing</guid>
		<description><![CDATA[Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200. What does this mean for you? People who assess risk often talk about &#8220;expected costs&#8221;, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, [...]]]></description>
			<content:encoded><![CDATA[<p>Late last year, <a href="http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/net-threats-9-07/state-of-the-net/0709_state_net.htm">Consumer Reports determined</a> by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.</p>
<h3>What does this mean for you?</h3>
<p>People who assess risk often talk about &#8220;expected costs&#8221;, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is 1/81*200 = $2.50.</p>
<p>How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, they would break even on their costs.</p>
<p>Seen this way, the threat of phishing isn&#8217;t that great. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/the-cost-of-phishing/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Security problems are forever</title>
		<link>http://www.defendingthekingdom.com/archives/security-problems-are-forever</link>
		<comments>http://www.defendingthekingdom.com/archives/security-problems-are-forever#comments</comments>
		<pubDate>Wed, 30 May 2007 14:08:53 +0000</pubDate>
		<dc:creator>Ian Saxon</dc:creator>
				<category><![CDATA[economics of security]]></category>
		<category><![CDATA[security arms race]]></category>

		<guid isPermaLink="false">http://www.defendingthekingdom.com/archives/security-problems-are-forever</guid>
		<description><![CDATA[This post is related to Security is not a switch. The point I want to make here is that the security problems we all face will never go away. More specifically, the exact type of threats we face will change, but the underlying problem will remain. The problem is that there are people with things [...]]]></description>
			<content:encoded><![CDATA[<p>This post is related to <a href="http://www.defendingthekingdom.com/archives/security-is-not-a-switch">Security is not a switch</a>. The point I want to make here is that the security problems we all face will never go away. More specifically, the exact <strong>type</strong> of threats we face will change, but the underlying problem will remain. The problem is that there are people with things to protect (money, information, privacy), and others who want to get it without permission.</p>
<p>I&#8217;ve come to realize more completely what this means only recently: there is no day in the future that has perfectly secure software programs and security techniques, making security concerns irrelevant. This is easy to miss, because it seems that security is something that is always improving, even if just a little bit at a time. It&#8217;s tempting to think this progress is aimed at a pinnacle, and we&#8217;ll hit it eventually. We won&#8217;t.</p>
<p>A more apt analogy for the security problems we all face is that of an arms race. Bruce Schneier has pointed this out again and again about numerous security problems. Here he is explaining the problem of spam:</p>
<blockquote><p>Anti-spam products block a certain type of spam. Spammers invent a tactic that gets around those products. Then the products block that spam. Then the spammers invent yet another type of spam. And so on.</p>
<p>Blacklisting spammer sites forced the spammers to disguise the origin of spam e-mail. People recognizing e-mail from people they knew, and other anti-spam measures, forced spammers to hack into innocent machines and use them as launching pads. Scanning millions of e-mails looking for identical bulk spam forced spammers to individualize each spam message. Semantic spam detection forced spammers to design even more clever spam. And so on. Each defense is met with yet another attack, and each attack is met with yet another defense.</p></blockquote>
<p>But wait. Is spam really a security problem? Actually, yes. At least, it has all the characteristics of one, and it can teach us something about security problems in general.</p>
<p>Security problems arise when some people have something valuable that others want really badly. In the case of spam, people have time and attention that is very valuable, and advertisers want it really badly. Few people willingly sit down to imbibe a session of advertisements, but when advertisers <em>do</em> get someone&#8217;s time/attention it is remarkably valuable. Faced with this incentive, some advertisers act unscrupulously. Instead of sweetly requesting your time, they attempt to hijack it by spamming your email inbox. You attempt to stop them, and they adapt their methods. It&#8217;s a classic arms race security problem.</p>
<p>The arms race is exactly why security will never be solved. So long as some people have something others want badly, there will be those who will try to get it by force or trickery.</p>
<h3>The lesson is not so grim</h3>
<p>Let&#8217;s not get depressed just yet. That security problems will always be with us is too bad. However, this doesn&#8217;t mean that you should stop trying, or, alternatively, spend all your time trying to defend the things you&#8217;ve got that others might also want.</p>
<p>What it means is that the software and tactics that are being developed every day to combat the problem are less of a solution than you might otherwise have believed. Keeping you, your time, your money, your privacy, and your information secure is probably better accomplished by thinking about the problem correctly.</p>
<p>What I&#8217;ve advocated on this site is making yourself a harder target than most others on the internet, so that, with a high probability, a bad guy faced with cracking your defenses will give up and move on to the many other, less well-defended folks.</p>
<p>You might ask: &#8220;Wait! We can&#8217;t all be above average in terms of security, can we?&#8221; That&#8217;s true, of course. But most people don&#8217;t do much of anything to protect their security, so it&#8217;s really not hard to be better than average. Following some of the advice on this website will put you well ahead of the average. Until 50% or more of the world&#8217;s internet users start implementing techniques of the type I&#8217;ve been advocating, you don&#8217;t have to worry about the difficulty of being above average. And that day is a long way off.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.defendingthekingdom.com/archives/security-problems-are-forever/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

