Defending The Kingdom

If spam emails didn’t sometimes encourage people to click through and make a purchase, it wouldn’t exist as a business. The fact that we all get spam means that, despite the costs of doing so, somebody still finds it profitable to send out all of those emails. The truly amazing thing, though, is the number of emails spammers have to send in order to capture a single customer. The Economist had an article a few weeks ago that provided some data:

In 2008 researchers from the University of California at Berkeley and San Diego posed as spammers, infiltrated a botnet and measured its success rate. The investigation confirmed only 28 “sales” on 350m e-mail messages sent, a conversion rate under .00001%. Since then, says Mr Peterson, the numbers have got worse.

Given how good my Gmail account is at filtering out spam and assuming that other email software is rising to that standard, I’m not surprised that the conversion rate is so low. So what are spammers doing now?

Well, Twitter seems to be a breeding ground in rude health:

…researchers from the University of California at Berkeley and the University of Illinois at Champaign-Urbana show that 8% of links published [on Twitter] were shady, with most of them leading to scams and the rest to Trojans.

And I suspect we’ll see Facebook become an increasingly important launching pad for similar threats. The security arms race continues.

Happy holidays, dear readers!

I’ve heard of and personally encountered a number of e-commerce websites like the one described in this NYTimes article. The proprietor of DecorMyEyes.com promises the cheapest designer eyewear on the net, intentionally delivers something other than what customers order (a cheaper or counterfeit model, for example), and then stalls, threatens, cajoles, and harasses people who try to get their money back. He makes money when customers give up trying to get a refund, allowing him to pocket the difference in the amount he charged their credit cards and the value of the goods he shipped.

I believe that the majority of e-commerce websites deliver what they say they will, but you need to know how to avoid the few that won’t. Interestingly, the huckster who runs the site described in the NYTimes article provides the answer:

Selling on the Internet, Mr. Borker says, attracts a new horde of potential customers every day. For the most part, they don’t know anything about DecorMyEyes, and the ones who bother to research the company — well, he doesn’t want their money. If you’re the type of person who reads consumer reviews, Mr. Borker would rather you shop elsewhere.

Mr. Borker doesn’t want cautious, conscientious customers because those customers reduce his hourly wage. Why bother selling to these people when there are plenty of shoppers who will give up trying to get their money back without much fuss? That is why, amazingly, the owner of this scam website isn’t troubled by the bad publicity that makes it easy to protect yourself.

Before clicking “Buy”

Just as changing your password to something marginally more complex than the typical internet user’s password makes you an undesirable target, doing a bit of research on the net makes you vastly less likely to fall victim to an e-commerce scam.

When I say “a bit”, I really mean it. It takes two seconds to type “decormyeyes fraud” into Google’s search engine. Every search result I got when I did that clued me in to the fact that this website is bad news:

A Better Business Bureau search piles on the evidence:

So that’s it. The next time you are thinking of buying from an online retailer, just do a quick Google search like “companyname fraud” or “companyname scam” and then check out the Better Business Bureau rating. Most people spend a good amount of time researching their internet purchases — allocating just a couple of seconds to protecting yourself from fraud should not be too much of a burden.

Here’s the story:

Who among us doesn’t love a good hack? After putting forth a $10,000 come-and-get-us challenge, it’s possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz’s Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.

Once again, it’s worth pointing out that there is no such thing as perfect security. You have to choose a level that is good enough. It can be uncomfortable to know and accept that your email address could get hacked, but there’s no way around it. All you can do is decrease the chances in a way that doesn’t cramp your style too much.

I advocate cramping your style a bit more than others in your category of “target juiciness”. If you have typical assets to protect, put just a bit more effort into security than the typical person. If you are atypical, put just a bit more effort into security than those with your level of assets.

Strong passwords are important, and I recommend using eight or nine digits whenever you can. Sometimes, however, you can’t avoid using a short password. For example, many ATMs outside North America will not accept long passwords, so you have to use a short ATM password if you live or travel outside of North America. In such an instance, is using a four digit password unsafe?

The answer, as far as I can tell, is no. A longer password would be better, but a four digit password for your ATM card is good enough.

Why is a four digit password okay for your ATM card, but not for other accounts? Many ATMs limit the number of failed entries for a given card, eating the card if a user enters an incorrect password four times in a row. This reduces the chance that someone would be able to guess your password.

What are the chances, exactly?

Suppose an ATM limits the number of failed password entries to four, after which it will eat the card. Let’s calculate the probability of guessing a four digit password in four tries.

First, we need to know the number of four digit passwords that can be created from a keypad that includes numbers from 0-9. There are ten usable numbers, each of which can be used as the first, second, third, and fourth digits. That means there are ten ways you can choose the first digit of your password, ten ways to choose the second, ten ways to choose the third, and ten ways to choose the fourth.

These ways multiply to give us 10*10*10*10 = 10,000 different four digit passwords that can be made from ten numbers. Your password is one of those 10,000 passwords. The probability, then, that someone could guess your password in one try is 1/10,000 = 0.0001. The probability that someone could guess your password in four tries is additive: 0.0001+0.0001+0.0001+0.0001 = 0.0004.

Some perspective

If you’re like me, you need some way to interpret this risk. We know 0.0004 is a small number, but can we do better than that? To put that figure into perspective, we can calculate the expected loss (a term that describes the probability of an event multiplied by its cost). Consider the following events: you lose your ATM card, your card is found by someone who tries to extract cash from your savings account, and you don’t notice that your card is missing for a week. What is your expected loss in this case?

We start by calculating your maximum possible loss. Someone who correctly guesses your ATM card password would be able to withdraw or spend up to your daily limit on each of the seven days you are unaware of your missing card. Let’s say this limit is $3,000 and the person who has your ATM card knows it (perhaps he learned it by starting with an attempt to withdraw $5,000, then trying smaller and smaller amounts until the machine capitulated). Your maximum loss in this instance is 7*3,000 = $21,000.

Now all we have to do is multiply the maximum loss by the probability of experiencing that loss. We get 21,000*0.0004 = $8.40. You will probably agree with me that this is no big deal compared to the other threats you face. It’s too bad that you are sometimes forced to use shorter passwords than you would like, but at least in this instance, it’s not worth worrying about.

The Economist, reporting research by Symantec, has an interesting chart of the most common goods and services offered by cybercriminals.

You can use the prices on the right of the chart as a sort of risk indicator: if a criminal steals your bank account details, you can expect to lose the amount another criminal is willing to pay (plus the value of the second criminal’s time) to get those details. Keep in mind that these values represent the average (mean) amounts victims will lose and criminals will gain – in reality, some victims will lose a lot more and some a lot less.

Most interesting feature of the chart: email passwords sell for more than full identities. If you think your email password isn’t very valuable, you should know that cybercriminals think otherwise!