Interesting paper on phishing

Ross Anderson, professor of security engineering at Cambridge, has written an interesting paper on “Closing the Phishing Hole”:

Human societies have always had laws to make it hard for a thief to get away with stolen goods or money. In general, a thief could never acquire good title to his victim’s goods. There were some rules to create certainty about ownership: in medieval England, if you stole my horse and sold it to the vicar at an open regulated market between dusk and dawn, the vicar acquired good title to the animal. (This did not extinguish my right to have you hanged and seize the money back from your estate.) Laundering money was harder; apart from a few arcane special cases, stolen money could always in principle be recovered.

For this reason, transactions needing certainty of payment have long used intermediaries who insured the counterparty risk, be they accepting houses who underwrote merchants’ bills, factors who would discount invoices without recourse, or bankers who sold cashiers’ checks to their customers. So long as such risks were transparent and transferable, the market allocated them to the principals best able to bear them, which usually meant a financial institution to which the relying party was well known. This apparatus of risk management was largely unanalysed, except in rather general terms by law-and-economics scholars, and never really became a formal part of bank regulation.

Over the last ten years, the growth of electronic payment services has undermined this. Rapid globalisation has created strong incentives for principals to throw risks over the fence; regulatory confusion and arbitrage have led financial institutions to rewrite their contracts to dump risk on their customers (whether cardholders or merchants) whenever they could; and new nonbank payment schemes have been set up outside traditional regulatory frameworks. While some of these new payment services have been operated in good faith by large, reputable companies, others have cut corners – and even the best have shaved away at traditional consumer protections. Third-party arbitration is being replaced with an approach of ‘trust us – we will refund you if you’re defrauded’. This risks a return to the world of early eighteenth-century banking regulation, a race to the bottom, and perhaps even an electronic South Sea Bubble.

Regulators’ initial reaction to the problem has been confounded by the sequelae of 9/11 and in particular the drive to issue people with biometrically-linked government-issue photo-ID. Regardless of the costs and benefits of this program, it has been implemented at the cost of regulators taking their eye off the need to trace stolen funds. Following the money and naming the suspect are not perfect substitutes, and this shift has serious costs. Now that the ID push is running out of steam worldwide, we need to move the emphasis back to following the money.
