- BlogInfoSec.com - https://www.bloginfosec.com -

Account Hijacking Down? ID Theft OK?

I was intrigued by a July 31, 2015 article, “Stolen Consumer Data Is a Smaller Problem Than It Seems,” by New York Times reporter Nathaniel Popper (see http://www.nytimes.com/2015/08/02/business/stolen-consumer-data-is-a-smaller-problem-than-it-seems.html?_r=0 [1]), in which he claims that account hijacking is down and that ID theft is no big deal.

Popper is an excellent reporter on technical matters. His recent book “Digital Gold: Bitcoin and the Inside Story of the Misfits and Millionaires Trying to Reinvent Money” and related articles in The New York Times show a deep understanding of technological, economic and social issues relating to crypto-currencies. However, he appears to have become a victim of “voodoo statistics” when he tries to explain how the data indicate that the number of account hijackings is falling.

Popper uses various statistical sources to argue that account hijackings, while rising in number, cost less overall. Unfortunately, if perhaps 95 percent of account hijacks never reach the survey companies or the media, as the 2015 Verizon DBIR (Data Breach Investigations Report, available from http://www.verizonenterprise.com/DBIR/2015/ [2]) indicates, then drawing firm conclusions from the remaining 5 percent of incidents is poor statistical analysis.

If you accept the 95 percent number (and you don’t have to), then if losses from account hijacking rise from, say, $100 billion to $200 billion, reported losses rise from $5 billion to $10 billion. Yes, the figure doubles either way, but unreported losses have gone from $95 billion to $190 billion: an increase of $95 billion that nobody sees, against the $5 billion increase that is reported. Now suppose that, with the increased volume, the percentage reported drops to, say, 3 percent. Reported losses become $6 billion, a mere $1 billion increase when the actual increase is $100 billion. This is very much a case of the tail wagging the dog: a small change in the percentage reported versus unreported has a huge effect on our estimates, and can easily switch analysts from one conclusion to its opposite.
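To make the sensitivity concrete, here is a small model of the arithmetic above, added here as an illustration rather than taken from the post or from Popper’s article. The dollar figures and reporting rates are the hypothetical ones used in the paragraph, not measurements, and the class and function names (LossEstimate, change, flat_rate, scenario_table) are my own. It goes one step beyond the text by computing the reporting rate at which a real increase in losses would show up as no change at all in the reported numbers.

```python
"""How the fraction of incidents that get reported distorts a loss trend.

Constructed example: the numbers are the hypothetical $100B -> $200B loss
scenario from the text, with 5 percent and 3 percent reporting rates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEstimate:
    actual: float  # true total losses for the period (unknown in practice)
    rate: float    # fraction of losses that reach surveys/media, 0..1

    @property
    def reported(self) -> float:
        return self.actual * self.rate

    @property
    def unreported(self) -> float:
        return self.actual - self.reported


def change(before: LossEstimate, after: LossEstimate) -> dict:
    """Compare the change an analyst sees (reported) with the true change."""
    reported_change = after.reported - before.reported
    actual_change = after.actual - before.actual
    return {
        "reported_change": reported_change,
        "actual_change": actual_change,
        "unreported_change": after.unreported - before.unreported,
        # Share of the real change that is visible in the reported series;
        # None when there was no real change to measure against.
        "visible_fraction": (reported_change / actual_change
                             if actual_change else None),
    }


def flat_rate(before: LossEstimate, actual_after: float) -> float:
    """Reporting rate in the later period at which reported losses look flat.

    Any rate below this value makes a real increase look like a decline.
    """
    return before.reported / actual_after


def scenario_table(before: LossEstimate, actual_after: float, rates_after):
    """One row per candidate later-period reporting rate."""
    rows = []
    for r in rates_after:
        after = LossEstimate(actual_after, r)
        c = change(before, after)
        rows.append((r, after.reported, c["reported_change"], c["actual_change"]))
    return rows


if __name__ == "__main__":
    base = LossEstimate(actual=100e9, rate=0.05)
    print(f"reported looks flat at rate {flat_rate(base, 200e9):.3f}")
    for r, rep, d_rep, d_act in scenario_table(base, 200e9,
                                               [0.05, 0.03, 0.025, 0.02]):
        print(f"rate={r:.3f} reported=${rep/1e9:.1f}B "
              f"change=${d_rep/1e9:+.1f}B (actual {d_act/1e9:+.0f}B)")
```

With the post’s figures, a reporting rate that slides from 5 percent to 2.5 percent makes a true doubling of losses look like no change, and anything below 2.5 percent makes it look like a decline. That is the whole point: the reported series cannot be read as a trend without knowing how the reporting rate itself moved.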

From the rapid-fire news reports of major data breaches, one might easily presume that data breaches are indeed way up in both number and size. Also, when ID theft occurs, the true anguish of re-establishing one’s credit credentials is barely seen in public, but it does exist and it is considerable. Popper’s claim that ID theft has been declining is called into question by recent breaches, such as the one at the government’s Office of Personnel Management and the notorious Ashley Madison breach, that are making the headlines. Popper does state that the apparent downward trend in ID thefts will reverse and head upwards. However, it is doubtful that the number of ID thefts actually went down in the first place.

I can understand Popper wanting to express some hope that we might be deflecting the avalanche of data breaches that lead to account hijacking and ID theft. But the basis for such optimism is shaky. While such reporting may make individuals more optimistic about where the consequences of data breaches are heading, it also reduces the pressure on companies and government agencies to improve their data protection and incident response programs, which is not a good thing.