Intrusion Detection Systems mailing list archives

Re: Pricing intrusions


From: robert_david_graham () yahoo com (Robert Graham)
Date: Tue, 12 Oct 1999 16:17:56 -0700 (PDT)



--- Stuart Staniford-Chen <stuart () SiliconDefense com> wrote:
> I'm wondering if anyone has any data on what various kinds of data are worth
> if stolen.  (I'd like to be able to give a client some faintly quantitative
> information on what the economic value of their information is to a potential
> intruder).
>
> I don't even know the basics like what a credit-card number or calling card
> number is worth on the black market.  How about someone's medical records,
> communications with their lawyer, etc?

Cost to the victim or price if you want to buy it?

The cost to a consumer of losing their credit card is, in theory, $50. If you
read your E-trade or E-Schwab agreement, they claim they are not liable if
somebody trades away your stocks for you by breaking into your machine. That
cost is essentially infinite (if the hacker has fun by buying options on margin
in your account).

In any case, like many things on the Internet, economics depends upon
direction. In other words, a .exe that someone e-mails (pushes) you is on
average 100 times more dangerous than an .exe that you get (pull) from the web.

In the same fashion, the price to hire a hacker to go after a customer list is
vastly different from what a hacker might get who has already stolen a customer
list and then must find a buyer for it.

The "stolen information market" isn't very liquid right now, because the number
of products and consumers is very low. Some hacker collectives are trying to
generate such a market, but right now the hype outweighs the reality. 

I've read of bribery cases where the amounts have been $10,000 to $100,000 if
it gives any quantitative comparison.

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."