Online ID fraud losses explode to $1.3bn a year

[Philip.Cohen]

Online ID fraud losses explode to $1.3bn a year
http://www.smh.com.au/technology/security/online-id-fraud-losses-explode-to-13bn-a-year-20100705-zxbj.html
 
Once again “Smee” you display your ignorance about just about everything.

If indeed the survey by Galaxy Research for VeriSign  of 2510 people was randomly selected, and there is no reason to think that it was otherwise selected, then the results of the survey would indeed be relatively accurate. That is how all such surveys are carried out by professional researchers and 2510 is a good sample to test.

But the most interesting thing about this story is that a certain Alastair MacGibbon is quoted therein as an expert in such internet fraud, and of course he certainly would know all about such fraud—and the ways in which unscrupulous operators can conceal it from the public.

MacGibbon, of course, was most recently Head of Trust, Safety & Customer Support for eBay Asia Pacific where, if indeed he had any expertise in this area of online fraud, his expertise may have been invaluable to eBay in developing ideas such as, for example, the anonymous bidder masking introduced by eBay in 2008 which serves no material purpose other than to better obscure from the consumer the shill bidding fraud that is demonstrably rampant on eBay nominal-start auctions. 

And, dear me, MacGibbon also takes the opportunity to promote PayPal as a secure method of payment. Now we really do know that he is an expert in online fraud.

As many regular eBay users know, eBay’s “Trust, Safety & Customer Support” consists of little more than smoke and mirrors and is actually a synonym for fending off and pulling the wool over the eyes of eBay consumers.

Maybe if MacGibbon is ever released from his confidentiality agreement with eBay he will write a book and tell us the truth about the internet frauds that are effectively and knowingly facilitated by both eBay and PayPal on their unsuspecting consumers. What about that Alastair?

Asher Moses, methinks that you should have Googled MacGibbon before you considered quoting him.

[shyer]

philip I agree with you a sample of 2500 is a fair sample, smee is obviously not a statistion. Smee's basic maths is wrong as well, as there are about 10 million active internet users , over 18 in Australia not the 20 million total population figure smee has used.

What i found interesting is Alistair's comment that he thought the 1.3 billion dollars and 10% of all internet users had this problem every year. He is in a position to know, and backs up the surveys result.

[*smee*]

Shyer ... my maths are not flawed it said they surveyed 2500 Australians not 2500 internet users so therefore using the population figure of 20 odd million not the 10 million internet users is the correct formula as based on your figure if the 2500 was randomly selected only about half of them would have been internet users  

Also for your information using a Random sample accuracy calculator if you allow for a 1% error rate  to get a 99% confidence rate in the result you need to survey 16562 people (internet users) out of a population of 10 million internet users if you would be hapy with 90% confidence rate in the result you would still need to survey 6802 internet users

[*Brum6y*]

Fair point, Smee - and I would have to partially agree with the reservations expressed on the accuracy of any 'sample'.

Where the percentage is significantly small, there are two problems that immediately come to mind:

The first is whether that sample is truly indicative of population it is targeting. For example, if you were surveying supermarket customers about their usage of motor vehicles, you would get two extremely different sets of results if you were to survey a Woolworths at Broken Hill and one downstairs from an inner-city apartment block. However, this is the first skill that market research companies MUST excel at to survive, so it is quite likely they have made a reasonable effort to get this as objective as possible. They also will have an idea of how accurate these results will be - and will have an 'error' figure available so whoever commissioned the survey will have a range of values to look at.

The second is the 'granularity' of a result. If, for example, there are 10,371 people with red hair in a group of 1,000,000 - then sampling 10,000 of that group would (statistically) give you 104 people with red hair. Now if you were to do half a dozen such surveys, you could get results of 103, 107, 100, 110, 99 and 101 - which are all around the "1 in 100" range that would be useful for, say, a hairdresser specialising in working with red hair. ANY ONE of these results would be satisfactory for the "1 in 100" working figure.

If your sample was reduced to 1,000 - then you might get results of 7, 8, 14, 5, 16 and 21 from six different surveys - which would indicate anything from "1 in 50" to "1 in 150". While still giving some idea of the frequency of red headed people, the value to my hypothetical hairdresser could be compromised. Their 'sweet spot' might be at the "1 in 100" mark. At "1 in 50" they might see the market being too great for them to handle on their own and would need to have additional staff - which they may not be ready for. At "1 in 150" they may see the demand would not be enough to support them - and not go into business. Since they will be only commissioning ONE survey, it will depend on which of these results they get as to which way they decide.

If we then reduce the sample to 10, the problem becomes extreme. In six surveys, you could get results of 0, 0, 0, 0, 1 and 0. In five of these surveys, the 'statistical' result will indicate that the number of red headed people in the entire group is so low, that they don't even register. The numbers could back you up if you were to say they just didn't exist - except you know you've seen one or two. However, if you got the result that says that "1 in 10" people had red hair (out of our group of 1,000,000), then our hairdresser would need to set up a salon with ten staff - according to those numbers.


This last example is the only criticism I will make of Smee's example of picking 10 people out of the MCG - since multiple such surveys will give you a zero result most of the time and the odd time you do score a hit, will not be representative.

Sample sizes must be appropriate - as well as the 'evenness' of sampling across the target group.

[Rebel*1*]

I don't think the number of people surveyed by this one entity has any relevance to whether it is therefore representative.   On the balance of International and National evidence it probably is, and no doubt that knowledge, also formed part of the original hypothesis of the survey in question. 

In fact,  It's just one survey amongst many, making similar conclusions in line with Worldwide trends.   

The report and actual subject matter of that article is probably more interesting than debating one survey, and  can be found here with all the recommendations made to 'police the net' . 

Hackers, Fraudsters and Botnets:Tackling the Problem of Cyber Crime
The Report of the Inquiry into Cyber Crime
http://www.aph.gov.au/house/committee/coms/cybercrime/report/full_report.pdf   

Looking at the bigger picture, any survey (even an informal one) would be expected to return a similar pattern  (unless those surveyed, never do anything online)  If you asked 10 people about their online experience, you could expect at least half to have had a negative experience or a near miss, and the other half to be concerned about having a negative experience.  All will report that they regularly receive phishing emails, and are concerned about keystroke viruses, Identity theft and Credit Card fraud via criminal 3rd party stealth etc.  So MOST feel they are at risk.  That's a fact.  It costs businesses billions worldwide just trying to stay in front of the latest net based fraud, or compensating losses.  And it's not just commercial, cybercrime is also aimed at Government sites at which point it is 'cyber terrorism'.  All the same to me.   The way I see it, the fraudsters own the net right now, because there is no cost effective solution to stopping them across borders.  This report is attempting to do something about it so it's very interesting to me anyway.

For those who want a short critique on the report recommendations, ABC have published a much more comprehensive article here than SMH, questioning some of the recommendations as 'curious' including those made by MacGibbon, which were considered "Impossible to Implement". 

No wonder the cyber criminals are winning
http://www.abc.net.au/unleashed/stories/s2935204.htm
If the Inquiry into Cyber Crime report is a true indication of our federal parliament's understanding of this issue, it's no wonder the bad guys are winning.

Contradictions being contradictions however, the following caught my eye.

The idea that internet service providers (ISPs) should contractually require customers to install anti-virus software and firewalls before they can connect to the internet has received the most media attention. Security consultant Alastair MacGibbon wants to go even further, requiring ISPs to monitor customers' computers and prevent them connecting if their security software isn't up to scratch.

What a guy eh?  So when he was with Ebay, it was IMPOSSIBLE to Verify users or monitor the conduct of sellers, and block access to those determined to defraud, but ISP's can apparently monitor customers Australia wide and block access to their customers if their virus scan isn't up to date?  Oh please.  Who's paying the piper this time?

Flip flop, flip flop

BTW, Some of the recommendations were considered very good.   ABC notes them as follows:

Setting up a 24/7 crime-reporting hotline with no minimum crime value. Strategically targeting the black markets in malicious software tools and personal information. Disrupting the botnets of hacked computers that now provide the infrastructure for crime, and identifying and prosecuting their managers. Collecting up-to-date data and keeping parliament informed. Reviewing legislation. Signing up to the Council of Europe Convention on Cybercrime.

The internet savvy are more likely to understand the concepts of these things much better, so why not take a look and explain it to us all in English. e.g. Can someone explain botnets for 'idiots' without trying to turn me into a 'borg'?. 

[shyer]

I don't think the number of people surveyed by this one entity has any relevance to whether it is therefore representative.   On the balance of International and National evidence it probably is,....In fact,  It's just one survey amongst many, making similar conclusions in line with Worldwide trends. The report and actual subject matter of that article is probably more interesting than debating one survey, ..........The internet savvy are more likely to understand the concepts of these things much better, so why not take a look and explain it to us all in English. e.g. Can someone explain botnets for 'idiots' without trying to turn me into a 'borg'?.

Actually rebel I think the figure of 10% is an under quote as most people are embarrased to admit mistakes let alone ones they should have spotted easily. I think it is more like 15% than 10%. And I do not see the relevance of nitpicking on sample sizes. If you ask some 5000 people over 18 do they use the internet regularly of that 2500 say yes and have they had a fraud problem and what amount of money was involed and 250 say yes and average some $800.

That is a real sample. FULL STOP. If it is 10% or 9.999% or 10.0001% that is for stirrers to worry about, the problem is real

Botware is a program that infects a computer and turns it into a bot. The machine can then receive instructions from the sender of the botware. This machine will now trasfer to the owner of the botware the information they want. A botnet is a series of 2 or 100,000 machines under the controller of the botware/s . So that for instance rebels NAB bank account user name goes to one bot computer[a] his password to another[b). His paypal email address to another (c) his paypal password to another (d) and so on.

Thus rebels info is sold in pieces to crooks who pay for it from a miriad of sources, from the botnet that controller controls.

[Rebel*1*]

Diabolical.  Makes ya feel kinda molested really !!!  And oh yes the problem is very very real, very costly and very worrying for everyone. 

I have to admit I didn't read the survey under debate, other than the news article.  I was more interested in the report itself and ABC's critique.   As you say, size doesn't matter.  LOL.

I (as no doubt many others) feel concerned that I can be molested and robbed of my identity, finances and anything else up for grabs just by clicking into an email by mistake or visiting a site that is infected.  Scary stuff.  In real life if you see or sense a risk you walk or run the other way.  In this scenario, you don't even get the luxury of escape.