Identity Theft: Expected Costs

A friend recently told me about LifeLock, a company that, for a fee, says it will protect you against identity theft. It does this by persistently renewing fraud alerts with the credit bureaus (which means, according to the FTC, that “potential creditors must use what the law calls ‘reasonable policies and procedures’ to verify your identity before they issue credit in your name”), monitoring your credit reports, removing your name from pre-approved credit card lists, watching for your credit card number on websites that peddle stolen cards, and offering up to USD $1,000,000 if you lose money to credit fraud anyway.

Is LifeLock Worth It?

Except for the monetary guarantee, LifeLock doesn’t do anything you couldn’t do on your own, and the company charges $10 per month for its services. If you want this sort of protection and you have more money than time, LifeLock may be a good deal. If you have more time than money, it’s probably a bad deal.

But there’s another way of looking at this. You might ask how much money you stand to lose if you don’t take any precautionary measures, by your own efforts or through a service like LifeLock.

The FTC estimated that there were 8.3 million American victims of identity theft in 2005, the latest year for which survey data are available. That works out to about 3.7% of the adult population. However, the typical victim didn’t suffer any consequences — his or her credit card company or bank soaked up the cost. A smaller group that fell victim to the most serious type of identity theft, new account fraud, had to pay a median of $40 and spend ten hours clearing their names. This smaller group made up 0.8% of the survey respondents.

If the survey was representative of the American population as a whole, it is possible to calculate the risk of identity theft, in dollars, to the typical person. The calculation is as follows:

Expected monetary loss per person, per year = risk * (money loss + monetary time cost)

We already know the risk (0.8%) and monetary loss ($40) components of the formula, so we just need an estimate of the monetary time cost. Median income in the United States is different for men and women, but if we take the mean of the two figures and transform it into an hourly wage, a rough estimate of the value of the typical person’s time is $25 per hour. And if it takes ten hours to deal with the consequences of identity theft, the monetary time cost is $250. Okay, on to the final calculation:

Expected monetary loss per person, per year = 0.008 * (40 + 250) = $2.32

The Bottom Line

If LifeLock were to set its fees to $2.32 per year, or about 20 cents per month, it would be a pretty good deal. Otherwise, you might be better off taking your chances.

The cost of phishing

Late last year, Consumer Reports determined by survey that one in 81 Americans got phished in 2007. The average phishing victim lost $200.

What does this mean for you?

People who assess risk often talk about “expected costs”, which they calculate by multiplying the probability of an event by its cost. The expected cost, then, of getting phished in a given year is 1/81*200 = $2.50.

How can we make sense of the $2.50 figure? One way to think about it is this: it is the amount you would have to pay an insurance company each year for them to be willing to pay out your losses to phishing, should they occur. If the insurance company covered all Americans at this rate, they would break even on their costs.

Seen this way, the threat of phishing isn’t that great. The danger of identity theft when phishers get your bank account information is perhaps greater, but the actual monetary loss, at least on average, is minimal.
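The two expected-cost calculations above (identity theft and phishing), carried one step further as an added example that is not part of the original posts: it also solves for the break-even points at which a $10-per-month fee would equal the expected loss. The function names are illustrative, and the break-even figures assume, hypothetically, that paying the fee removes the entire loss.

```python
# Added example. All dollar figures and rates are the ones quoted in the posts.
ANNUAL_FEE = 10 * 12  # $10 per month, the fee quoted for LifeLock


def expected_annual_loss(risk, money_loss, hours=0.0, hourly_value=0.0):
    """risk * (monetary loss + monetary time cost), in dollars per year."""
    return risk * (money_loss + hours * hourly_value)


def break_even_risk(annual_fee, money_loss, hours=0.0, hourly_value=0.0):
    """Yearly probability of loss at which the fee equals the expected loss.

    Assumption: the paid service would remove the whole loss.
    """
    return annual_fee / (money_loss + hours * hourly_value)


def break_even_hourly_value(annual_fee, risk, money_loss, hours):
    """Value of an hour of your time at which the fee equals the expected loss."""
    return (annual_fee / risk - money_loss) / hours


# New account fraud: 0.8% risk, $40 median loss, 10 hours at $25 per hour.
identity_theft = expected_annual_loss(0.008, 40, hours=10, hourly_value=25)

# Phishing: one in 81 people, $200 average loss, no time cost given.
phishing = expected_annual_loss(1 / 81, 200)

# How far the quoted fee sits from the expected identity-theft loss.
fee_multiple = ANNUAL_FEE / identity_theft

if __name__ == "__main__":
    print(f"identity theft: ${identity_theft:.2f} per year")
    print(f"phishing:       ${phishing:.2f} per year")
    print(f"fee is {fee_multiple:.1f}x the expected identity-theft loss")
    print(f"break-even risk: {break_even_risk(ANNUAL_FEE, 40, 10, 25):.1%}")
    print(f"break-even hourly value: "
          f"${break_even_hourly_value(ANNUAL_FEE, 0.008, 40, 10):,.0f}")
```

With the posts' inputs, the fee only pays for itself if the yearly risk of new account fraud is above 40%, or if an hour of your time is worth roughly $1,500.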

Security problems are forever

This post is related to Security is not a switch. The point I want to make here is that the security problems we all face will never go away. More specifically, the exact type of threats we face will change, but the underlying problem will remain. The problem is that there are people with things to protect (money, information, privacy), and others who want to get it without permission.

I’ve come to realize more completely what this means only recently: there is no day in the future that has perfectly secure software programs and security techniques, making security concerns irrelevant. This is easy to miss, because it seems that security is something that is always improving, even if just a little bit at a time. It’s tempting to think this progress is aimed at a pinnacle, and we’ll hit it eventually. We won’t.

A more apt analogy for the security problems we all face is that of an arms race. Bruce Schneier has pointed this out again and again about numerous security problems. Here he is explaining the problem of spam:

Anti-spam products block a certain type of spam. Spammers invent a tactic that gets around those products. Then the products block that spam. Then the spammers invent yet another type of spam. And so on.

Blacklisting spammer sites forced the spammers to disguise the origin of spam e-mail. People recognizing e-mail from people they knew, and other anti-spam measures, forced spammers to hack into innocent machines and use them as launching pads. Scanning millions of e-mails looking for identical bulk spam forced spammers to individualize each spam message. Semantic spam detection forced spammers to design even more clever spam. And so on. Each defense is met with yet another attack, and each attack is met with yet another defense.

But wait. Is spam really a security problem? Actually, yes. At least, it has all the characteristics of one, and it can teach us something about security problems in general.

Security problems arise when some people have something valuable that others want really badly. In the case of spam, people have time and attention that is very valuable, and advertisers want it really badly. Few people willingly sit down to imbibe a session of advertisements, but when advertisers do get someone’s time/attention it is remarkably valuable. Faced with this incentive, some advertisers act unscrupulously. Instead of sweetly requesting your time, they attempt to hijack it by spamming your email inbox. You attempt to stop them, and they adapt their methods. It’s a classic arms race security problem.

The arms race is exactly why security will never be solved. So long as some people have something others want badly, there will be those who will try to get it by force or trickery.

The lesson is not so grim

Let’s not get depressed just yet. That security problems will always be with us is too bad. However, this doesn’t mean that you should stop trying, or, alternatively, spend all your time trying to defend the things you’ve got that others might also want.

What it means is that the software and tactics that are being developed every day to combat the problem are less of a solution than you might otherwise have believed. Keeping you, your time, your money, your privacy, and your information secure is probably better accomplished by thinking about the problem correctly.

What I’ve advocated on this site is making yourself a harder target than most others on the internet, so that, with a high probability, a bad guy faced with cracking your defenses will give up and move on to the many other, less well-defended folks.

You might ask: “Wait! We can’t all be above average in terms of security, can we?” That’s true, of course. But most people don’t do much of anything to protect their security, so it’s really not hard to be better than average. Following some of the advice on this website will put you well ahead of the average. Until 50% or more of the world’s internet users start implementing techniques of the type I’ve been advocating, you don’t have to worry about the difficulty of being above average. And that day is a long way off.

Security is not a switch

It would be nice if there existed a straightforward security solution for every security problem in the world. Unfortunately, security is not that simple. Managing your security requires that you recognize an important point: security is not a switch that reads either “on” or “off”.
