Bank robbers have a clear motivation for their crimes: money. It’s there for the taking; all you have to do is get to it. But there are a lot of inherent risks involved with robbing banks, and, as a new study shows, not a great deal of return. And yet people keep robbing banks. In cybercrime, the motivation is the same, the rewards are huge and the risk of being caught is far lower. So the question is, why isn’t cybercrime worse?
If you look at the relative difficulty of the crime, it’s unclear why anyone bothers to rob banks at all anymore. The security countermeasures deployed by banks today make life extremely difficult for the would-be bandit. Mantraps, motion sensors, time locks, silent alarms, custom-designed safes and armed guards present the attacker with a daunting set of obstacles. Getting to the money is not easy, and if you’re able to do that, it turns out that the haul from your misdeed is likely to be rather disappointing. A study published in a statistical journal this month shows that bank robbers in the U.K. pulled in the equivalent of about $19,800 per job.
“A single bank raid, even a successful one, is not going to keep our would-be robber in a life of luxury. It is not going to keep him long in a life of any kind. Given that the average UK wage for those in full-time employment is around £26 000, it will give him a modest lifestyle for no more than 6 months,” the authors of the study, Barry Reilly, Neil Rickman and Robert Witt, wrote in their analysis in the journal Significance.
So the returns on a bank robbery are relatively low, while the obstacles and potential for getting caught are relatively high. This likely helps explain why there are a small number of robberies and attempted robberies each year–just 106 in 2007 of the 10,500 bank branches in the U.K., as the authors note. It just doesn’t make economic sense to rob a bank.
“The interesting question, at least to me, is why anyone is a bank robber. Why do people do things that, by any rational economic analysis, are irrational?” Bruce Schneier wrote in a blog post on the study.
“The answer is that people are terrible at figuring this sort of stuff out. They’re terrible at estimating the probability that any of their endeavors will succeed, and they’re terrible at estimating what their reward will be if they do succeed.”
Cybercrime, on the other hand, offers the aspiring criminal the ideal combination of low risk and potentially very high reward. Reliable numbers of the amount of money lost to cybercrime each year are notoriously difficult to produce, thanks to the low rate of reporting and other factors, but global estimates are in the tens of billions of dollars. So the rewards for online criminals are potentially enormous, making it an attractive crime from an economic perspective. That takes care of motive.
For the budding cybercriminal, the next step is to develop the means to commit the crime. This used to be a difficult task. When attack tools, malware and vulnerability data were passed around among a small group in the hacking underground, regular citizens had no good way of accessing them. If you didn’t know someone, you likely were out of luck. Now, however, a few minutes of Googling is all that’s needed to find whatever tools you’re looking for. You can buy remote-access Trojans, rootkits, exploit kits, custom malware, botnets and whatever else your little black heart desires. Many of these tools are point-and-click and require little in the way of technical knowledge to use.
All that leaves is opportunity, and if motive and means are easy to find, opportunity is hitting you square in the face. A bank robber needs to scout locations, look for escape routes and have a backup plan in case things go south. A cybercriminal simply needs to decide who to attack first. Take phishing as an online analog to bank robbery. Attackers can rent botnets cheaply to send the phishing emails, register dozens of domains for a few dollars and buy templates for their fake sites. The only decision is which bank to go after first.
The one missing piece here is the risk of being caught. For cybercriminals, this risk is vanishingly small. When a botnet operator, large-scale carded or successful phisher is caught, it’s major news. These successes for law enforcement are rare relative to the volume of cybercrime.
So, given the ease of getting into the game, the low risk of detection and the huge upside in terms of financial return, why isn’t cybercrime worse?
One answer is likely that people in general are good and don’t resort to crime if they have other options. Another answer might be that some potential cybercriminals aren’t aware of how easy and profitable this kind of crime is. They just haven’t been exposed to information about it, don’t know that the tools are readily available and haven’t had the chance to get involved. There are likely lots of other answers out there, but it will be interesting to note as time goes on whether cybercrime rates continue to increase as tools and techniques become even more widespread or whether law enforcement will begin to turn the tide with stricter statutes and harsher penalties for the bad guys.
For now, at least, the smart money is on the criminals.