Wednesday, February 08, 2006

Big scary numbers

Bruce blogs on Check Washing. The fraud itself is reasonably well known: take a check, alter the payee, increase the amount, repeat. What caught my eye, though, was the figure of $815 million a year lost in check washing fraud and Bruce's request for a footnote.

After a bit of digging I found out that the page is a project of the National Consumers League, which is a hundred-year-old organization, originally an offshoot of the union movement. Look for the union label, that's them.

So I have no doubt that the information is being offered in good faith. Bruce points out that the Web site looks rather amateurish; to me it looks like it hasn't been updated since 1999. You could get away with that type of stuff then, before Google demonstrated that black type on a white background has much to be said for it. The rest of the NCL site has been updated to a modern professional look.

But back to that 815 million figure. While it does not sound completely unrealistic as a figure for cheque fraud in general, it is the type of big scary number that gets endlessly repeated from one presentation to another, often turning out to have originated as either a guess or a tenuous extrapolation from some sort of official estimate.

Recently a person speaking at a conference in Dubai presented the claim that cybercrime is now more profitable than narcotics. This was picked up by some of the trade press but fortunately didn't make it as a mainstream media meme. Once the figures came out it was clear that the claim was total nonsense. If you use an amazingly broad definition of cybercrime, including all types of credit card and bank fraud, not just the ones that touch the net, and including pedophilia, a very big number can be put on the 'damage caused by cybercrime'. This number is arguably less than the profits of the major narcotics dealers.

But this is not comparing like with like.

The profits from the drugs trade are far less than the amount of damage caused, and the same is true of every other type of crime, including cybercrimes. Say that a carding gang buys a stolen credit card number for $1 and runs up $800 of charges on the card buying a fancy camera. The camera is then received by a package reshipper who sends it to Romania via international shipper, paying the $200 charge with another stolen card. On arrival the camera is sold to a fence for $400. The damage caused is $1,000 but the revenue to the carding gang is only $400, of which maybe $350 is actual profit.

So now imagine that we are compiling figures for the 'size' of cybercrime: do we work off the $1,000 that was lost or the $350 realized as profit? Another common problem is double and triple counting. If we simply add the losses resulting from phishing crime and the losses caused by carding, we end up counting the same money twice.

And yes, those figures were made-up figures for purposes of illustration, not real figures. But often when I try to look into a crime statistics claim I find that what is presented as real figures in one presentation is an estimate in another, based on illustrative numbers in a third.

A factor of two is not a big deal when trying to estimate the size of a crime. All statistics that try to put a dollar value on criminal activity are pretty 'squishy'. But when it is introduced in the process of numbers being shuffled back and forth between PowerPoint presentations that take a number from here and a number from there and add them together, doubling the size of the problem at each stage, it is a real problem.

The point here is not just that sloppy statistics and sloppy research are a problem. The point is that ultimately most of these figures are either unknowable or should be quoted with colossal error bars. I have very good first-hand evidence that tells me that direct losses from phishing in the USA are more than $50 million. I also have pretty good but circumstantial evidence showing that the direct losses are less than $1 billion. Between those figures I could make a guess, but that is what it would be.

The blogosphere abhors an information vacuum. If there is a demand for a precise statistic then the blogosphere will provide it. And after it has been repeated often enough it will be treated as fact regardless of what the original basis of the figures was.
