We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cyber-crime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition.
. . . .
It is worth, at the outset, dispelling a widely-held misapprehension about password-stealing. Thieves certainly steal passwords, and money is certainly a large part of their motivation, but when they successfully extract money from financial accounts individual consumers do not pay. In the US, Regulation E of the Federal Reserve [1] limits consumer liability, in the event of fraud, to $50 (this is separate from the $50 limit for credit-card fraud, Regulation CC) and covers "any electronic transfer that is initiated through an electronic terminal, telephone, computer or magnetic tape." In the US, banks, brokerages, and credit unions are governed by this regulation and most go beyond it and offer a zero liability policy to consumers. Bank of America, for example, "guarantees zero liability for any unauthorized activity originating from Online Banking or Bill Pay." Wells Fargo says "We guarantee that you will be covered for 100 percent of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven't authorized removes those funds through our Online Services." Fidelity "will reimburse your Fidelity account for any losses due to unauthorized activity" and "under HSBC's $0 Liability, Online Guarantee, you're covered 100% and liable for $0." Even non-traditional financial institutions offer this guarantee. For example, in its Dec. 2009 10-K filing eBay states: "PayPal currently voluntarily reimburses consumers for all financial losses from transactions not authorized by the consumer, not just losses above $50."
Thus, in the US, individual consumers are largely insulated from the direct financial consequences of credential theft (losses of small businesses and indirect losses are briefly mentioned below). Consumers who have their accounts emptied through stolen credentials are made whole. Of course, the cost of the fraud doesn't just go away: covering fraud is a cost which gets passed back to consumers in the form of increased fees. However, the idea that consumers are "just a few clicks away" from having their accounts irretrievably emptied is simply incorrect. There is a world of difference between being personally liable for losses, and sharing losses that are diluted across the whole population. While "we all pay for cyber-crime" is true in a general sense, it is not the case that individual users face grave financial risk.
http://research.microsoft.com/pubs/1618 ... WeKnow.pdf
