A couple or advanced references...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apologies for the noise, but I'd like to go ahead and provide
references for a couple of data points which I plan to mention
tomorrow during my brief presentation -- they are not referenced in
my presentation slides, but they do highlight the issues I'm trying
to address.

Each are very recently announced studies, papers, or announced
statistics.

The first one is a study conducted by the fine folks at Google,
wherein they "...investigated billions of URLs and found more
than three million unique URLs on over 180,000 web sites
automatically installing malware".

The paper is located here:

"All Your iFrame Are Point to Us"
http://research.google.com/archive/provos-2008a.pdf

...and associated blog entry here:
http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-
to-us.html

This study reinforces what we are seeing -- literally hundreds of
thousands of compromises on the web and server -side.

Second, is a paper recently jointly released/presented by Ga. Tech
and Google on the the rampant escalation of rogue/malicious DNS
resolution paths:

http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf

The numbers are somewhat... staggering.

The two issues above contribute directly, and overlap, more than
most people are aware.

And thirdly is a figure that some folks may already be aware of; the
fact that identity theft was the number one source of consumer
fraud complaints submitted to the U.S. Federal Trade Commission
in 2007.

According to the agency's yearly report on fraud complaints for
2007, of 813,899 total complaints received in 2007, 258,427, or
32 percent, were related to identity theft:

http://www.ftc.gov/opa/2008/02/fraud.pdf

According to the FTC, total consumer fraud losses totaled $1.2
billion, with the average monetary loss for an individual at
$349.

Credit card fraud was the most common form of reported identity
theft at 23 percent, followed by utilities fraud at 18 percent,
employment fraud at 14 percent, and bank fraud at 13 percent.

Now, there is a certain "fudge factor" in these numbers, of course,
but I only mention these issues as a preface for the topics that
I plan to solicit the NANOG community's assistance in addressing.

Thanks, and see you tomorrow!

- - ferg

Right, but that may or may not have anything to do with the Internet;
see http://www.schneier.com/blog/archives/2007/11/identity_theft_6.html
(among many others).

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

In many countries in Europe, people pay with debit cards that have a PIN number. You need to both copy the magnetic strip on the card and obtain the PIN to get at someone's money. And that's 1990s, if not 1980s, technology.

The other issue is that banks and credit card companies don't have any interest in getting rid of fraud: as long as there is fraud, they can sell you the service of compensating you for that, which of course we all pay for through the credit card commissions on our purchases. And in many cases, the vendor ends up eating the loss rather than the bank, anyway.

If you want stuff to work, you need to align the costs and benefits. See growth of the routing table: the community pays for the larger routers, the users of PI space get the benefits.

BTW, about identity theft: if someone takes out a bank loan in my name, how is that my problem and not the bank's?

And defrauding that is now a bulk produced scam - companies in .asia
mass-producing bar scanning and key input devices customised for various
ATM models.

Adrian

In article <E8246AAA-AC28-4C1D-B262-739659CCED1E@muada.com>, Iljitsch van Beijnum <iljitsch@muada.com> writes

BTW, about identity theft: if someone takes out a bank loan in my name, how is that my problem and not the bank's?

Because of the time it takes you to persuade other banks [1] that the first bank's report that you are bad debtor was mistaken. Of course, there may be "credit repair" products you can buy to help you.

[1] And even the first bank's debt collectors.