Practical Avoidance of Cybercrime

Russell Spitler
11 min read · Jan 12, 2021

Like anyone who works in cybersecurity, I have been asked countless times for advice on what people can do to reduce their risk. The reality is that with a basic understanding of the dynamics of cybercrime you can do a lot with little effort. If you want to jump to the cheatsheet at the end, feel free, but to get the most out of this, and to keep applying the advice as the world changes, I would encourage you to read through the discussion of the economics of cybercrime first.

Basic Economics of Cybercrime

The first and most critical concept is to recognize that cybersecurity is not just a technical problem; it is the problem of crime simply moved to a technical arena. There are substantial advantages to committing a crime over the internet as opposed to in real life — in fact they are the same advantages as doing anything else over the internet: it is easier, more convenient and often provides more opportunity.

To understand cybercrime, the basic economics of crime come into play. Crime pays when the rewards are greater than the costs (note that this applies to property crime such as robbery and fraud, not violent crime).

Crime works when the reward is greater than the costs

Robbing a bank does not make sense if breaking into a safe holding $300,000 is going to require a machine that costs $400,000. Of course, there are three core costs to a crime — the risk of punishment, the opportunity cost, and the material costs.

“Cost” of Crime

The risk of punishment relates to the chance of getting caught and the nature of the punishment. Opportunity cost is the difference between the time needed to plan and commit the crime and the otherwise gainful employment of the perpetrator. Material costs are any materials needed to actually commit the crime — in the example above the safe-breaking machine is a material cost. In cybercrime these costs are fundamentally skewed, for a number of reasons that are not so apparent at first glance.

Risk of Punishment

As anyone who has watched a TV crime show knows, even in the relatively simple world of the United States, jurisdictional issues complicate the investigation and prosecution of a crime. Local, county, state and federal entities have overlapping jurisdictional authority based on the location and nature of the crime. When looking at cybercrime this is vastly more complicated, as it is feasible (and in fact quite common) for the crime to be spread across multiple countries. To aggravate this, many countries have varying definitions of cybercrime and drastically different priorities on the prosecution of such crime — particularly if the victim is not of the same country (see this article for an interesting discussion of the state of affairs in Ukraine).

Spreading the crime over countries with divergent definitions and enforcement priorities for cybercrime dramatically reduces the risk of prosecution.

As discussed in the paper “An Economic Analysis of Crimes Punishable by Imprisonment”, the ‘probability of conviction’ is found to be the deterrent factor in crime, not necessarily the punishment itself. If a conviction would require the coordination of multiple law enforcement agencies across multiple countries, that probability drops precipitously, which emboldens criminals.

Opportunity Cost

Many real-world crimes are prevented by the opportunity cost to the criminal. In any country with reasonably high employment rates and a functional justice system, a would-be criminal's time is better spent in gainful employment.

Economic disparity is not geographically limited

However, this falls apart on the internet, where economically disparate populations are in virtual proximity. A cybercriminal in a country where GDP per capita is a couple of thousand dollars a year (for example Nigeria) can easily target their internet ‘neighbor’ in the United States, where GDP per capita is almost 30x higher. An analysis of a campaign that targeted high net worth individuals in 2012 (ancient history!) showed that the average victim had around $7,200 stolen — you would only have to compromise 5–6 victims a year to reach the average salary of a Ukrainian software engineer.

Material Costs

In cybercrime there are three core material costs — sourcing a victim, the exploit used to compromise them, and the ‘malware’ (malicious software) used to make money off of them. Specialization of the labor working in the criminal underground has enabled economies of scale and drastically reduced these costs. Each of the costs above can be sourced independently and stitched together by a criminal at a commoditized cost. For example, in order to source victims, ‘Exploit Kits’ are sold providing the latest techniques for tricking computers into installing software from untrusted sources. These are then hosted on seemingly benign websites or compromised websites, where thousands of unsuspecting visitors are then victimized (one high-profile attack in which forbes[.]com was hosting an exploit kit is described here). To make things even easier you can simply provide your malware to services which run these exploit kits and just pay per victim that installs it. In a similar vein you can buy various forms of malware from developers specializing in ransomware (the victim pays to recover files made unreadable by the malware) or banking trojans (the malware intercepts the victim's online banking activity and steals money). All of this is being done for rock bottom prices by capable cybercriminals all over the world.

Nature of Cyber-Attacks

With an understanding of the costs of cybercrime it is now important to understand the nature of these attacks — who is targeted, how, and what the objectives are. While it would be impossible to categorize every single attack there are four broad categories of cybercrime worth understanding.

  • Nation States — these are not relevant to most individuals. For the most part the activity that has been attributed to nation states has been related to IP theft, tactical advantage in military operations, intelligence gathering and political interference. Few campaigns attributed to nation state actors have targeted individuals unless they are high profile or employed by an organization that is the ultimate target of the attack. Some high profile examples of nation state attacks in the last few years include the Sony breach, Stuxnet (Olympic Games) and the Russian influence campaign in the 2016 US Presidential Election.
  • Corporate Attacks — these are attacks against corporations with the intention of stealing assets from the organization. For the most part these do not directly affect individuals, with the exception of the cases described below as ‘indirect attacks.’
  • Broad Based Campaigns — these are indiscriminate attacks based on volume. The intention of these campaigns is a return on scale: a relatively small success rate across a massive set of victims — primarily individuals. Classic examples of these attacks would be the spam campaigns of years past as well as modern ransomware attacks. It is important to note that there have been some notable cases of nation state actors engaging in broad based campaigns with the implicit or explicit endorsement of their employers.
  • Indirect Corporate Attacks — these are attacks against corporations (or other organizations) which hold large databases of information on consumers. Some high profile examples of such attacks in recent history include the breaches of Home Depot, eBay, Anthem, and Equifax. In each case the customer information was the target of the attack. For these attacks the stolen customer data is sold on the dark web, where cybercriminals specializing in fraud can piece together enough of it to perform identity theft.

Understanding the nature of these attacks gives an understanding of the basic economics of each and starts to provide some insight into how those economics can be altered to your advantage.

Using the Economics of Cybercrime to your Advantage

As a quick review, crime is worthwhile when the economic reward is greater than the costs, and there are three basic costs of cybercrime — the risk of punishment, the opportunity cost and the material costs. As individuals we can really only affect the material costs, which we broke down into three areas — the cost of sourcing the victim, the exploit and the malware. Within these costs we have direct control over how difficult it is for someone to make us a victim. As individuals we are most concerned with indirect corporate attacks and broad based attacks. Both are based on a small return across a large target base, or equivalently a small cost per victim, since the returns are diluted across a broad base of targets. To protect ourselves from such an attack we must increase our cost as a target in a way that makes our inclusion in such an attack economically infeasible.

Increasing our Cost as a Target

We can increase our cost as a target by changing what technology we use and how we behave online, and by taking some precautionary measures in the real world.

  • Stay Updated — this is one of the simplest things we can all do to increase the difficulty of hacking us. Cybercriminals pay good money for exploits: ways of tricking your computer into installing software without your approval. Exploits cost more for the latest versions of software because there has been less time to develop them, and as a result they are scarcer. Keeping all of your software on the latest versions means that it will cost the hacker more to exploit you. To do this you can easily enable auto-update (already done on the latest versions of Mac OS X, Windows, and iOS), but you should also do so for all commonly used programs — web browsers, email clients, the Microsoft Office suite, etc.
  • Use a Mac or Chromebook — as we are largely dealing with broad based campaigns, they are targeted at the largest populations of users on the internet. Today this still means that using an operating system other than Windows is a major step toward protecting yourself. Windows still has an 87% market share, meaning that any campaign is going to focus primarily on this audience as the target. Using a Mac, an iPad, an Android tablet, or a Chromebook puts you in the minority of users on the internet, making you a less popular (more expensive) target. As an added bonus, if you use an iPad as your primary device it automatically updates your software, covering the point above.
  • Use a web-based email client — we have all gotten good at filtering out unsolicited emails advertising rock bottom prices on illicit medications, but most of the SPAM you deal with these days is far more sophisticated. Often it is targeted and moderately customized with information harvested from social media sites, or crafted to look like a common business interaction (“HR Update” or “Payroll.xls”). However, these emails still rely on you to either click the link they contain (to go to a website hosting an exploit kit) or open the attachment (to ‘exploit’ software installed on your machine). Web-based email clients (gmail, office365, hotmail, etc) provide two benefits. First, they aggressively filter SPAM and scan attachments for known exploits. More importantly, clients like gmail use their built-in tools (like google docs) to preview attachments. The exploits in these attachments are crafted to target software on your computer — like Microsoft Word. Even a malicious attachment opened with google docs will act benign.
  • Use checkout services when available — one of the main reasons we sprinkle our personal information all over the internet is for buying strange things from strange websites. Put this in the context of the real world — imagine walking into a gas station on a road trip in the middle of nowhere. Once you finish paying for your gas and snacks, the attendant smiles at you and asks if you want to give them your home address so they can store your credit card for the next time you come through. We answer yes to this question far too often online. To minimize the number of sites that have your personal information, use a checkout service — paypal, google checkout, amazon checkout, shopify, apple pay — when buying things online. This makes it more difficult for a hacker to build a complete profile of you from data stolen in indirect attacks.
  • Use a password manager — as we sign up for our various accounts across the internet, far too often we use the same password. While you may not be too concerned about the information you just left with knittingworld[.]com, the fact that you used the same password there as with your bank is a big problem. Hackers use credentials from compromised accounts on smaller sites to try to break into accounts on sites that are more valuable. While setting up a password manager across all your devices can be a bit of a chore, once done it provides substantial protection against these types of attacks.
  • Freeze your credit — our credit system is almost designed for fraud. Most of us do not buy cars or houses, or open credit cards, on a frequent basis, but our credit system is designed so that you can do so at any point in time without any inconvenience. Good for them, not so good for you if your personal information has been compromised. An easy step for all of us is to freeze our credit (see the FTC's guidance here). Doing so does not adversely affect you in any way, except that when you are trying to open a credit card or buy a house or car (with financing) you will have to spend about five minutes online to unfreeze your credit before the transaction goes through. With your credit frozen most forms of identity theft will fail, as new accounts cannot be opened in your name.
  • Use a two-tiered banking system — most of us have a pretty simple setup with our banks: a checking account that we use for our ATM card, direct deposit and bill pay, and some form of savings or investment account. For our convenience our banks often set up automatic transfers to help us avoid overdrafts etc. The downside of this is that our checking account is part of our ‘public’ face. We set up bill pay everywhere, we send people we barely know checks, and we use our ATM/debit cards all the time. Having this automatically connected to our investment/savings accounts drastically increases the amount of money that might be stolen from us. To protect against this, create a separation between the bank account you use to interface with the world and the one you use to save for the future. The easiest way is to have these at separate banks, but short of that, talk with your bank to ensure there are no automatic transfers going from the savings account to the daily-use account.
  • Use your credit card — for now, the credit card industry has taken on a lot of the responsibility for fraud. Use this to your advantage: whenever possible use your credit card for daily transactions, bill pay, etc. Then always review your transactions before paying the statement — once real money is sent it will be harder to get back!
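
The password-reuse problem from the password manager point above, as an added example that is not part of the original article: a small Python script that reads a password-manager export and reports which accounts share a password, ranking first any cluster that also guards an account the reader has marked as high value. Everything in it is an assumption for the example: the CSV layout (url, username, password) is a common export format but real products vary, the domains and passwords are made up, and the HIGH_VALUE_HOSTS set is just the two made-up hosts a criminal would try first with stolen knittingworld credentials.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of a password-manager CSV export. The domains and
# passwords are made up for this example; the column layout (url, username,
# password) is assumed, real exports differ by product.
SAMPLE_EXPORT = """url,username,password
https://bank.example.com,alice,Tr0ub4dor&3
https://knittingworld.example,alice,Tr0ub4dor&3
https://forum.example.org/login,alice_k,Tr0ub4dor&3
https://mail.example.com,alice,correct-horse-battery-staple
https://shop.example.net,alice,Tr0ub4dor&3
https://cloud.example.com,alice,another-unique-passphrase
"""

# Accounts worth protecting most (assumed for this example): a criminal who
# obtains the knittingworld credentials will try them here first.
HIGH_VALUE_HOSTS = {"bank.example.com", "mail.example.com"}


def host_of(url):
    """Reduce a stored URL to its hostname so findings never echo paths."""
    return urlparse(url).hostname or url


def find_reuse(csv_text, high_value_hosts=HIGH_VALUE_HOSTS):
    """Group accounts by password and report every password used on more
    than one host. The report lists hostnames only, never the passwords,
    so it can be shown or logged without leaking a secret."""
    hosts_by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = (row.get("password") or "").strip()
        if not password:            # notes or entries without a password
            continue
        hosts_by_password[password].add(host_of(row["url"]))

    findings = []
    for hosts in hosts_by_password.values():
        if len(hosts) < 2:
            continue                # unique password: nothing to report
        exposed = sorted(h for h in hosts if h in high_value_hosts)
        findings.append({
            "hosts": sorted(hosts),
            "high_value_exposed": exposed,
            # A reused password that also guards a high-value account is the
            # case the article warns about; rank it first.
            "severity": "high" if exposed else "medium",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["hosts"]))
    return findings


def blast_radius(csv_text, host):
    """How many other hosts fall if this host's password is stolen."""
    for finding in find_reuse(csv_text, high_value_hosts=set()):
        if host in finding["hosts"]:
            return len(finding["hosts"]) - 1
    return 0


if __name__ == "__main__":
    for f in find_reuse(SAMPLE_EXPORT):
        print(f"[{f['severity']}] one password shared by {len(f['hosts'])} hosts: "
              f"{', '.join(f['hosts'])}")
        if f["high_value_exposed"]:
            print("   high-value accounts exposed:", ", ".join(f["high_value_exposed"]))
    print("blast radius of knittingworld.example:",
          blast_radius(SAMPLE_EXPORT, "knittingworld.example"))
```

Run against the constructed sample it reports one cluster of four hosts, with bank.example.com among them, which is exactly the knittingworld-and-bank situation the bullet describes; the blast radius of the knitting site is three other accounts. The report deliberately contains hostnames and counts only, so the export itself, which holds every password in plain text, should be deleted as soon as the check is done.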

Each one of these suggestions is based on the fundamental premise of making you a more expensive target. Some increase the cost of the exploit, others increase the cost of extracting money from you. Modifying your behavior to follow at least some of these suggestions will dramatically reduce your exposure to cybercrime. With the adoption of all of these practices you will substantially reduce your risk for most types of attacks. Over time these suggestions may lose some of their utility as more of the population adopts them and the cybercriminals are forced to adapt their ‘business’ to accommodate. However, the fundamental premise will continue to hold true — ask yourself ‘How can I make myself a more expensive target? How can I look different from everyone else? How can I minimize the footprint of my digital identity on the internet?’ All of these suggestions pull back to those fundamental questions and the effort you can take to increase the material costs of an attack.


Russell Spitler

Russell Spitler has spent his career in cybersecurity working as an engineer, architect, product manager, and product executive.