Defending The Kingdom

Curious about the web’s most dangerous search terms?

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

• Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated
  changes to the downloading computer
• Browser exploits—Also known as a driveby download, this type of malicious code enables viruses,
  keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
• Email practices—Registration forms and other sign-ups that result in high volume email, highly
  commercial email or both. We also test for difficultly unsubscribing.
• Phishing—Scam sites that try to trick visitors into believing the site is legitimate
• Excessive popups—Sites that engage in aggressive popup behavior or display large numbers
  of popups
• Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

In the previous post, I calculated the cost, in statistical terms, of identity theft for the typical person. But identity theft is not the only danger – what about the risks of phishing?

Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in 94, or just over 1%. The total amount lost to phishers nation-wide is estimated to be $2 billion.

Worry or Keep Cool?

If 1 in 94 American adults lost money to phishers, it means that $2 billion in costs were distributed amongst 2.4 million victims. From that statistic, we can figure that the average cost per person was about $835. If your chances of getting phished are 1 in 94, you can expect to lose (in statistical terms) $9 per year to phishers.

Now, knowing that you are likely to lose $9 per year in statistical terms is a bit of strange concept. In any given year, you will either lose a large sum like $835 or nothing at all. It might be easier to think of the $9 per year as something each person should be willing to spend to avoid the consequences of phishing.

For example, everyone in the country could contribute $9 per year into a phishing fund and distribute the money to the victims of phishing. Those who contribute but don’t fall victim to phishing get peace of mind out of the deal. The victims get compensated for what they lose. Everyone wins as long as peace of mind doesn’t cost more than $9 per year. Beyond that, it’s best to take your chances!

A friend recently told me about LifeLock, a company that, for a fee, says it will protect you against identity theft. It does this by persistently renewing fraud alerts with the credit bureaus (which means, according to the FTC, that “potential creditors must use what the law calls ‘reasonable policies and procedures’ to verify your identity before they issue credit in your name”), monitoring your credit reports, removing your name from pre-approved credit card lists, watching for your credit card number on websites that peddle stolen cards, and offering up to USD $1,000,000 if you lose money to credit fraud anyway.

Is LifeLock Worth It?

Except for the monetary guarantee, LifeLock doesn’t do anything you couldn’t do on your own, and the company charges $10 per month for its services. If you want this sort of protection and you have more money than time, LifeLock may be a good deal. If you have more time than money, it’s probably a bad deal.

But there’s another way of looking at this. You might ask how much money you stand to lose if you don’t take any precautionary measures, by your own efforts or through a service like LifeLock.

The FTC estimated that there were 8.3 million American victims of identity theft in 2005, the latest year for which survey data are available. That works out to about 3.7% of the adult population. However, the typical victim didn’t suffer any consequences — his or her credit card company or bank soaked up the cost. A smaller group that fell victim to the most serious type of identity theft, new account fraud, had to pay a median of $40 and spend ten hours clearing their names. This smaller group made up 0.8% of the survey respondents.

If the survey was representative of the American population as a whole, it is possible to calculate the risk of identity theft, in dollars, to the typical person. The calculation is as follows:

Expected monetary loss per person, per year = risk * (money loss + monetary time cost)

We already know the risk (0.8%) and monetary loss ($40) components of the formula, so we just need an estimate of the monetary time cost. Median income in the united states is different for men and women, but if we take the mean of the two figures and transform it into an hourly wage, a rough estimate of the value of the typical person’s time is $25 per hour. And if it takes ten hours to deal with the consequences of identity theft, the monetary time cost is $250. Okay, on to the final calculation:

Expected monetary loss per person, per year = 0.008 * (40 + 250) = $2.32

The Bottom Line

If LifeLock were to set its fees to $2.32 per year, or about 20 cents per month, it would be a pretty good deal. Otherwise, you might be better off taking your chances.