- The optimal amount of fraud in society is 0
- The optimal amount of fraud a business/industry should accept is non-zero
The simple observation that the cost to prevent each marginal fraud attempt increases; the last 0.1% of fraud costs way too much to prevent compared to the first 99%. Obviously society would be better off if fraud didn't exist, but since it does the effort expended is only worth it up until when the marginal cost of prevention exceeds an acceptable threshold (when it starts to lose you money).
The optimal amount of fraud is still 0, but the optimal amount of fraud prevention lies somewhere on the margin.
This is why important transactions like banking have KYC checks, and buying a pair of sneakers doesn't.
I think you’re conflating the terms optimal and ideal. The ideal amount of fraud in society is zero. The optimal amount of fraud in society is not defined, because optimization problems are always subject to a set of constraints.
So then we may ask: “what is the optimal amount of fraud in society such that the costs of legislation, education, and enforcement do not exceed X% of GDP?” and that is a different question. You might also throw technology and R&D in there because new tools make it easier to investigate fraud. Of course new technologies also open up new possibilities for fraud, so this is a very complicated exercise. But I think it’s fair to say that given any reasonable constraints, the optimal amount of fraud is nonzero.
An analogy that may resonate with readers here is that targeting zero fraud is like targeting 100% uptime in a computer system. You evaluate the business trade-offs and decide how many 9s of non-fraud are appropriate, knowing that (1) each additional 9 is more expensive than the last but only gives you 1/10 of the benefit, and therefore (2) infinity 9s (equivalent to zero fraud/100% uptime) is a useless aspiration for all practical purposes.
> The optimal amount of fraud a business/industry should accept is non-zero
Let's make that: "The optimal amount of fraud a business should accept under the current credit card online payment system is non-zero".
There is absolutely nothing intrinsic about online commerce that requires fraud. Online businesses routinely operate with a money-first, zero-consumer-trust paradigm. They ask for my payment credentials first, and only then deliver the products.
If we were to design the online payment system from scratch, we would use cryptography to completely remove the notion of credit card theft, and escrow to settle consumer complaints, with an option for paid arbitration when things go bad. I guess you can call some of those cases "fraud" and some customers are so unreasonable that they border on criminal, yes, you can't make that segment zero, but I don't think that's the kind of fraud they are referring to.
The reason we can't have those nice things is the immense momentum of the current system, designed in the 60s by companies that have very little reason to change anything. In fact, an online payment reform would most likely strip them of their oligopoly. So yes, the optimal fraud level is non-zero because Mastercard, Visa etc. can push that fraud onto consumers (via retailers), and they are making much more money anyway from the current situation.
If you had zero fraud in society then nobody would build in any defenses against fraud at all.
You'd have a society of completely naive and trusting souls, which sounds blissful until someone wakes up one day and realizes that they can commit as much fraud as they like since society has no defenses against it.
It is like saying that the optimal amount of disease is zero, but if you have never had your immune system challenged by any kind of disease, then the first virus you come across will probably kill you.
Your suffering from childhood colds and getting burned by something like the car-out-of-gas scam help build defenses.
This explains things significantly better than the article, which seems to be little more than dragging out a surprising-sounding headline with a pretty obvious concept.
This optimal (#) can and probably will change soon. We all carry around phones capable of trivial non-repudiable verification, and centralised digital cash (not bitcoin but BankOfEnglandCoin) is technically feasible. So it's quite technically feasible for every day-to-day transaction to be completed with the sort of KYC verification currently reserved for, say, house purchases.
It's just the political / societal implications. These are beyond "hey it's expensive for banks to cut down on fraud"
I disagree with the "banks should allow certain levels of bank fraud because X" for the simple reason we don't have "banks should provide interest-free funding to murderers, sex traffickers, pornographers and drug rings" even though that is often the same thing. (And in a two-page HN thread I am sure I am not the first to say that)
(#) someone else mentioned the difference between ideal and optimal which is a very good distinction.
Great explanation. But I'm not so sure about "The optimal amount of fraud in society is 0".
Especially if we broaden fraud to include other crimes. There are costs to prevent other badness in society as well. Firstly it's the cost in taxes/allocating resources to its prevention: Do we really want to allocate a really large chunk of our shared human capital to police marginal criminal activity? How many more police, judges, attorneys, lock makers, etc. would we need to stop the last bike theft?
Secondly and arguably more importantly is the cost of freedom. A lot of the digital surveillance initiatives that are discussed and dismissed here on HN are enforced in the name of zero tolerance against (really bad) badness in society.
I think it's hard, or impossible, to create a somewhat large society with a zero crime rate. At least if we still want even just a sliver of the freedoms we are accustomed to in liberal democracies.
This, definitely. But also - at the social policy level, there are two additional issues:
- Outsiders: It's good to keep members of your society fraud-savvy enough that they can safely travel & do business outside your society...without being easy marks for fraudsters.
- Stability over time: If your society somehow gets fraud down to ~0, that'll lead to big cut-backs in anti-fraud efforts, "end of history" dreamers proclaiming that fraud has died, etc. Which is obviously a set-up for a sudden huge resurgence in fraud.
This whole article is one giant time sapping piece of click bait.
The author makes the unexpected claim that businesses want a non zero amount of fraud. And so as a reader you are tempted to read on because you haven't heard this before. But essentially the argument is that fraud is needed as an unavoidable byproduct of allowing trust/credit in the system to facilitate transactions. However, if businesses could have the trust without the fraud of course they would. I wouldn't be so upset if the author had been more upfront about what this was about. I'm sure there are plenty of people out there who are learning about the fraud and trust/credit relationship for the first time. Just don't try and spin this in a way that it isn't.
I feel like this starts with an agreeable premise. Some fraud is egregious, costly, and/or easy to detect. These low-hanging or high-impact cases are most worth pursuing. At some point you reach diminishing returns, where the amount of time / effort / capital you're putting in to eliminating fraud outstrips the losses from the fraud itself.
I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here:
>We should, as a society, accept non-zero amounts of benefits fraud. We should accept non-zero amounts of cheating on taxes.
I don’t know if that statement is backed by the article, which I will admit to not having read, but in general I agree. Completely eradicating benefit fraud will necessarily increase the burden on legitimate claimants to prove that they are in fact legitimate. Doing that is going to place enough burden on some people who should otherwise be able to claim that it results in them not doing so, or failing to do so because they were unable to provide the required evidence.
I’d much rather see a few people who didn’t need benefits manage to claim them than see people who do need them be left without. The first option costs tax payers a bit more money. The second results in people’s lives being made significantly worse, and in some cases in deaths.
> At some point you reach diminishing returns, where the amount of time / effort / capital you're putting in to eliminating fraud outstrips the losses from the fraud itself.
That's not quite what I got from the article. I read it as the more friction you put in place to prevent fraud, the harder it is for legitimate transactions to happen. Therefore, it's not so much about the cost of the fraud, but the opportunity cost of legitimate transactions which don't happen in the zero-fraud environment.
Good point. I agree with the overall thesis; there are a lot of things that get increasingly expensive as you approach perfection. (Perfection is still a useful guidestar, but each step toward it has to be made with costs in mind.)
However, I'm not nearly as breezy about $20 billion annually in fraud. Maybe that's fine from the perspective of the merchants and credit card networks. But from the societal perspective, that's subsidizing bad actors. People and groups who will not stop at one kind of crime as they try to grow. People who will divert other people into being parasitic. That's not healthy for society or for the individuals who end up living lives of crime.
So I think the society-optimal level of fraud is way below the merchant-acceptable amount of fraud.
The problem is not merely that the anti-fraud efforts are costly but that the anti-fraud surveillance apparatus will itself be value destroying. (In the tax case, it’s “people in democracies don’t enjoy their government having total visibility into their activities and society, in its judgment, says this is more important than tax collection at some margins.”)
This is not an ethical conclusion. This is a pragmatic and utilitarian conclusion where 'optimal' means minimising the cost/benefit ratio.
Incidentally, this shows that the 'perfect' ethical stance is not necessarily the one that delivers the most benefits at the least cost, aka when ideals meet the real world...
Yes, we should not accept the existence of fraud. We should simply be able to recognize the situations where fighting fraud is more costly than letting it exist.
Not that it really matters in most places since we are quite far from that point anyways.
It feels like a very subtle is-ought distinction, where the author is discussing something that unavoidably is the case and therefore concludes that it ought to be the case and therefore ought to be accepted if not even welcomed. The marketing example makes this pretty clear. Of course no one thinks the marketing director could spend zero on marketing. But…surely they would love to spend zero if they could still get what they wanted for zero money.
Not an ethical conclusion but a pragmatic one. The ethical part is what you do after the fact:
1. Pass the cost towards self regulation of people, using client facing measures e.g. prove their innocence if they are an outlier
2. Catch a couple of cases and over market your policing ability to disadvantage the most gullible.
3. Catch a couple of cases, even minor infractions and destroy them with disproportionate fines or jail sentences, economy of randomness or economy of those who have the best lawyers.
Fraud against government, as above but add:
4. Add arbitrary constraints, you don't really want the system to work, you just fake it for political reasons
The ethical issues of accepting nonzero fraud are that striving for zero fraud creates program design changes that lock people out of benefits. If you design a health care system that aims for 0% fraud, some measurable number of people are going to be deprived of care because the registration and billing procedures are too onerous. With taxes, aiming for 0% noncompliance will prevent people from taking advantage of deductions and credits.
This isn't hypothetical; it's the issue underlying the "program design" controversies about means-testing in public policy.
I would think the strategy would be to encourage low impact fraud with lazy compliance and making a customer whole (Credit card chargebacks). And then hunt out and destroy high impact fraud.
With the intent to incentivize and train criminals to stay small and low impact.
If you're a retail platform and you have a few scammers making a few grand off 20-100 dollar scams, you can play whack-a-mole with them, and that keeps people doing that small fraud rather than leveling up and potentially doing crimes that could endanger the whole business with the exposure.
> I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here
It’s like saying that the optimal dirtiness after cleaning your house is non-zero (greater than zero) because cleaning it perfectly takes much more effort than it is worth!
That’s not counter-intuitive at all. It’s just an obvious fact stated in a silly way (for clicks or whatever else).
Targeting zero is an immature approach that is self-destructive in most cases.
If your incentive is to have zero fraud, the organization will find ways to not detect fraud or add so many controls and audits that the cost of doing whatever will go up.
There’s a balance. In the tax world, the de-clawing of the IRS for certain things has dramatically impacted compliance. You want enough enforcement that you’re discouraging the median cheater, but not so much that the cure is more expensive.
We can start with payment. What would someone pay with? Credit/debit numbers can be stolen. Checks can be stolen or forged. Cash can be counterfeit. What form of transaction has zero chance of fraud?
To make transactions available to people you need to introduce systems that can have fraud in them. There is a balance between availability/ease and fraud.
The problem with accepting it is that people figure out repeatable tricks to get around the system.
If we view those repeated tricks as business as usual - we should probably make them accessible to everyone. Otherwise the small fraud becomes rampant.
This is an extremely long-winded article/blog to say the following
> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.
You encounter this well-known tension pattern in several places. For instance, in safety-critical systems there's a tension between safety and progress. Or take the IT-sec industry: tension between usability and being secure.
There was a study done on a tribe of wild monkeys where mutual grooming to remove ticks/fleas/lice happened. Some monkeys 'cheated' and didn't pay forward the grooming they received. The study concluded that as long as cheaters were less than 5% of the population, mutual grooming continued. When the number of cheats exceeded 5%, the system broke down and no mutual grooming happened for some time.
It seems that a society can bear a certain amount of cheating before the system breaks down, a 'tipping point' of sorts. As long as we keep the cheating below the tipping point, the game continues, which is after all the most important aspect, I think.
That's a lot of words to say "to make fraud harder you have to make buying from you harder, the optimal amount of fraud is the amount of fraud you get when any additional measure you could take against fraud would lower your revenue more from lost business than it would lower your costs from people committing less fraud"
Something related that I've noticed in government projects is that they will spend $100K on a tender process to eliminate a fraud risk of 5% that amounts to at most $10K if it does occur. So if you amortise the total "value" of the fraud, it's 10,000 x 0.05 = $500!
Spending $100K to avoid a loss of $500 is something most sane businesses will not do, but to government this makes perfect sense, because they have a rule that the acceptable amount of fraud is zero.
Hence, they'll spend nearly infinite resources to try to bring fraud down to closer and closer to zero.[1]
You see similar things with risk aversion. Some risk is inevitable, but again, government departments will cheerfully blow billions of dollars to avoid the slightest risk. Projects like ITER and the SLS are highly risk averse and their costs reflect that. Meanwhile smaller, newer, more risky projects will run circles around them.
[1] At least what is perceived to be zero. In actuality fraud remains rampant, but as long as it is technically legal, it is not subject to this rule.
When I worked Starbucks retail, we were subject to a "just say yes" policy. So when a couple came in and said they had forgotten some item, or never received it earlier in the day, I gave one to them without hesitation. It helped that I also recognized them as repeat customers. A co-worker said "you just got scammed" with disapproval. And I explained that I probably did, but we were required to do it even if we didn't want to. Otherwise we risked pissing off honest customers. Or maybe it just made more sense to spend the time serving the next 2 customers faster instead of being suspicious with 1 customer.
Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...
It sounds more morally acceptable to say, "The optimum level of anti-fraud enforcement does not eliminate all fraud." It's not that there's a nonzero amount of fraud that is optimal — all fraud is bad — but rather that the return on efforts to eliminate the last bit of fraud is negative.
> overwhelmingly businesses simply absorb fraud costs in the same way that they absorb their office rent, staff salaries, and marketing expenses.
I didn't realize that is who usually pays for fraud. I see two problems with this arrangement:
1. The credit card companies, who in some ways are probably in a better position to prevent fraud, are less incentivised to prevent fraud, because they aren't the ones paying for it. For example they could make credit credentials more difficult to steal, by making it so the raw credentials never go directly to online businesses, either by using asymmetric cryptography rather than a number or using an oauth style flow with the credit website in order to complete a transaction. But the credit company would bear the bulk of that cost and it would primarily benefit retailers.
2. Consumers that pay using a method with less fraud risk, such as cash, still have to pay a higher price to cover the cost of absorbing the fraud cost.
On the other hand it does allow businesses to self select how much fraud they are willing to accept.
I personally can't stand PSD2[0]. It has completely ruined the online shopping experience in the EU (for me at least).
I loved the way American Express implemented it. They sent you a one-time passcode on your first purchase with the merchant, and then you could also choose for them to not bother you with any further purchases from the same merchant. I had this enabled by default, it made the experience a million times more enjoyable.
Unfortunately not everyone took AmEx, and I no longer live in UK (or a country where AmEx has presence for that matter), and the way banks in my current country of residence have implemented it is absolutely abysmal.
1. The billing address must be a match 100% of the time, which is painful in situations where you can't specify separate billing and shipping addresses and you want the item shipped to a different address (could be 3 for me)
2. Mandatory 2FA on every transaction, depends on the exact implementation, but typically you must wait for a notification on your phone, and then type in a PIN. In some implementations you have to scan a QR code, and then type in the said PIN. Sometimes the solution they use for this is down.
3. If anything is wrong at all (billing address/mistyped CVV/whatever), the transaction just gets refused at the end of this loop. Was it something you did wrong? Is some system down? Let's try again.
And sometimes this even messes up recurring subscriptions. My Microsoft 365 Business sub that's billed monthly on a credit card GETS REJECTED EVERY TIME UNTIL I MANUALLY GO THROUGH THIS STUPID PROCESS.
It has made paying for things online a chore. I couldn't care one bit about all the fraud this presents, because I was never liable for it in the first place. That decision was previously up to the merchants (who could have implemented all of this if they wanted to). Now it's forced on everyone.
This sort of thinking has been prevalent in the payments industry for a long time, and I find it infuriating.
The article is specifically limiting its discussion to situations where a payment credential is stolen. Those cases cost $10-20B per year.
This is HN, so most people here can figure out how to secure payment credentials, especially given the assumption that each credit card contains a tamper resistant computer with durable storage (as they currently do).
Instead of ending credential theft (at least in cases that don't involve violence/coercion), the payment networks pass the cost on to vendors, then advertise fraud protection as a feature to card holders.
This only works because the payment processors' monopoly prevents the merchants from fixing the underlying security issue.
So, the payment networks charge the merchants a large percentage of sales (imagine what your local government could implement if it increased sales taxes by 3-5%!) to supposedly pay for fraud protection.
This is exactly like a classic protection racket, except that the thugs that smash up the business don't actually work for the credit card companies.
(I do agree with the premise that driving crime to zero is usually not worth the cost, but that's just "Innocent until proven guilty", and not the subject of the article.)
Merchants are even more lax about card fraud than banks. The National Retail Federation complained about the cost of upgrading to chip readers. They asked the government to force banks to eliminate PCI DSS which would make it even easier to commit credit card fraud. PCI DSS is compliance not security but without it retailers would literally do nothing. Some retailers tried to get customers to switch to QR code payments linked directly to your bank account. One of these payment apps CurrentC was immediately breached.
It's actually pretty simple and intuitive if you put the reason up front, article seems needlessly long:
> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff
What I don't get is how policy makers can appreciate such nuances and then not see how attempting to ban encryption could possibly break modern society... different policy makers I have to assume.
The literature on the evolution of cooperation, focused around computational thought experiments with iterated prisoner's dilemma, seems relevant here, e.g.,
If you allow a population of individuals repeatedly playing prisoner's dilemma against each other to evolve their own strategies, you end up with a large percentage of the population cooperating with each other by default, but punishing cheaters after they are observed cheating. But a small percentage of cheaters will always persist, because as the number of cheaters goes down, the number of naive cooperators will go up, thus making it more advantageous to cheat.
In evolutionary jargon, cheating behavior undergoes "negative frequency-dependent selection". And you end up with a low, but nonzero, equilibrium frequency of cheaters.
This outcome here depends on the order of rewards/costs: the best outcome comes from cheating on a cooperator; next best is cooperating with a cooperator; then cooperating with a cheater; and worst is two cheaters cheating on each other.
It's a caricature, but the evolutionary dynamics seem to map pretty well to the kind of examples people are bringing up here in the comments.
(The actual "prisoner's dilemma" is rather a confusing story to use, because it's about criminals trying to decide whether to cooperate with each other or betray each other to avoid jail time. So you end up talking about the evolution of cooperation among a population of criminals.)
Some banks used to take a thumbprint when you cashed a check in person. Very few do that now. When they did it, it was more symbolic than useful, because they didn't have a useful checking system. Today, if banks took fingerprints, they'd find out more than they wanted to know, because immediate lookup is possible. It's not their job to filter the entire population for warrants and illegal aliens.
In-person identification is getting really good. Here's HIKvision's new ID unit.[1] Face recognition, iris recognition, fingerprint recognition, and RFID card recognition in one convenient iPad-sized unit. Iris recognition now works at 70cm range, so it can be used routinely. In China, there is no right to be anonymous.
Worth noting: credit card companies absorbing losses varies by country. The US is pro-consumer on credit card fraud, but not on debit card fraud. This differs by country.
Is this something that could be argued about other sorts of crime as well? In particular, in the ongoing fight against encryption that has been widely commented on HN multiple times, can (or should) one (safely) argue that e.g. the optimal amount of online sex trafficking and child abuse is greater than zero? What would be the consequences of taking such a stance once it inevitably reaches public discourse?
Sure, there is a trade off, but they have it wrong for online fraud from stolen credit cards.
The three-digit CVV code should be a one-time passcode (OTP). Banks have been using these since the 1990s for online logins.
Using 90s technology, the card issuer would issue one of these OTP fobs along with the card. It has the card number printed on it, a button and an LCD screen where the OTP is displayed. The CVV is already sent through to the computer that authorises the transaction; the software that checks the CVV would need to be changed.
So we have a trade-off of the user having to have a separate, thicker card, to fit the battery, for online use.
I just googled: you can get batteries that are 0.4mm x 22mm x 29mm; a credit card is 0.76mm. E-ink is old technology now with the right performance characteristics. I suspect in volume, using this technology, you could integrate the OTP device in the standard card form factor for less than a couple of dollars a card.
So with a bit of innovation the friction of payment / fraud tradeoff goes away.
This all strikes me as fairly obvious to someone designing these things, is there another tradeoff going on here?
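The comment above describes the issuer checking a dynamic, button-generated CVV instead of a static one. The following is an added illustration, not code from the thread or from any card network: a counter-based (HOTP-style, RFC 4226 truncation) dynamic CVV with the card side and the issuer side, plus the two checks an issuer actually needs with a code this short: a look-ahead window for presses that never reached a merchant, and a lockout, since a 3-digit code is guessable one time in a thousand. The class names, the window size, the failure cap and the secret are this example's own assumptions.

```python
"""Dynamic CVV as an HMAC-based one-time code (HOTP-style truncation, RFC 4226).

Hypothetical illustration: a card with a button derives a fresh short code from
a per-card secret and a press counter; the issuer re-derives it, accepts it once,
and refuses replays. CardToken / IssuerRecord and all parameters are assumptions
made for this example, not any real scheme's API.
"""
import hashlib
import hmac
import struct


def dynamic_cvv(secret: bytes, counter: int, digits: int = 3) -> str:
    """Truncate HMAC-SHA1(secret, counter) to `digits` decimal digits (RFC 4226 s5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic offset from the last nibble
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class CardToken:
    """Card side: holds the secret and bumps a counter on every button press."""

    def __init__(self, secret: bytes, digits: int = 3):
        self.secret, self.digits, self.counter = secret, digits, 0

    def press(self) -> str:
        self.counter += 1
        return dynamic_cvv(self.secret, self.counter, self.digits)


class IssuerRecord:
    """Issuer side: last accepted counter, a look-ahead window for presses that
    never reached a merchant, and a lockout after repeated misses (a 3-digit
    code is guessable 1 time in 1000, so online guessing must be capped)."""

    def __init__(self, secret: bytes, digits: int = 3,
                 window: int = 10, max_failures: int = 5):
        self.secret, self.digits = secret, digits
        self.window, self.max_failures = window, max_failures
        self.last_counter = 0                     # highest counter accepted so far
        self.failures = 0                         # consecutive failed verifications

    def verify(self, presented: str) -> bool:
        if self.failures >= self.max_failures:
            return False                          # locked; unlock happens out of band
        # Only counters strictly above the last accepted one are candidates, so a
        # code that was already used (or one older than it) can never succeed again.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = dynamic_cvv(self.secret, c, self.digits)
            if hmac.compare_digest(expected, presented):   # constant-time compare
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real deployment would provision it in the card chip.
    secret = b"constructed-demo-secret-not-a-real-key"
    card, issuer = CardToken(secret), IssuerRecord(secret)
    code = card.press()
    print("card shows", code, "-> accepted:", issuer.verify(code))
    print("same code again (replay) -> accepted:", issuer.verify(code))
```

Two design notes. The issuer never stores the presented codes, only the secret and the highest counter it has honoured, which is what makes replay rejection cheap. And the window is a usability knob with a security cost: widening it tolerates more lost presses but multiplies the attacker's per-guess success chance by the window size, which is why the failure cap matters more than the digit count.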
I think some people are being a bit too harsh about how the author goes about explaining how you can't prevent all fraud without hurting good users - or in other words, some fraud is just the cost of doing business. Overall it is a good article (that could have probably been a bit shorter) that talks about a topic that is rarely talked about - risk tolerance.
As someone who has worked in the industry for the past 15 years, I can see a few things that I believe are causing risk tolerance levels to increase across the industry.
1. Startups/new businesses that are in growth stage have a large appetite for risk which is pushing the more traditional/legacy companies to also take more risk.
2. High friction experiences that are designed to stop fraudsters require you to provide timely support to any good users that might be blocked by mistake. We all know the trend for most companies has been to move away from providing timely support to their customers as it is extremely expensive. This is another cost (on top of potential lost sales) of creating a high friction experience.
calchris42 | 3 years ago
I believe buried in there is one other factor that is somewhat related:
- reducing friction helps drive more legitimate business. Accordingly, over-aggressive anti-fraud practices can result in reduced sales.
A toy example: a business could eliminate exposure to credit card fraud by not accepting credit cards. That would however reduce overall sales.
I guess this can all fit within a “marginal cost” explanation though.
metacritic12 | 3 years ago
- X is ipso facto bad. The optimal amount is zero.
- X is traded off against Y actually, so in general equilibrium with Y, it's nonzero.
And the above pair could be:
(Covid risk, attending fun parties)
(Risk of getting hit by a car, being able to walk anywhere)
(Discrimination in society, administrative costs of anti-discrimination laws).
The list goes on. It's a simple concept in decision theory, rehashed with an attractive title.
[+] [-] tfehring|3 years ago|reply
[+] [-] manholio|3 years ago|reply
Let's make that: "The optimal amount of fraud a business should accept under the current credit card online payment system is non-zero".
There is absolutely nothing intrinsic about online commerce that requires fraud. Online business routinely operate with a money first, zero consumer trust paradigm. They ask for my payment credentials first, and only then deliver the products.
If we were to design the online payment system from scratch, we would use cryptography to completely remove the notion of credit card theft, and escrow to settle consumer complaints, with an option for paid arbitration when things go bad. I guess you can call some of those cases "fraud" and some customers are so unreasonable that they border on criminal, yes, you can't make that segment zero, but I don't think that's the kind of fraud they are referring to.
The reason we can't have those nice things is because of immense momentum of the current system designed in the 60s by companies that have very little reason to change anything. In fact, an online payment reform would most likely strip them of their oligopoly. So yes, the optimal fraud level is non-zero because Mastercard, Visa etc. can push that fraud onto consumers (via retailers), and they are making much more money anyway from the current situation.
[+] [-] lamontcg|3 years ago|reply
If you had zero fraud in society then nobody would build in any defenses against fraud at all.
You'd have a society of completely naive and trusting souls, which sounds blissful until someone wakes up one day and realizes that they can commit as much fraud as they like since society has no defenses against it.
It is like saying that the optimal amount of disease is zero, but if you have never had your immune system challenged by any kind of disease, then the first virus you come across will probably kill you.
Your suffering from childhood colds and getting burned by something like the car-out-of-gas scam help build defenses.
[+] [-] permo-w|3 years ago|reply
[+] [-] lifeisstillgood|3 years ago|reply
It's just the political / societal implications. These are beyond "hey it's expensive for banks to cut down on fraud"
I disagree with the "banks should allow certain levels of bank fraud because X" for the simple reason we don't have "banks should provide interest-free funding to murderers, sex traffickers, pornographers and drug rings" even though that is often the same thing. (And in a two-page HN thread I am sure I am not the first to say that)
(#) someone else mentioned the difference between ideal and optimal which is a very good distinction.
[+] [-] filleokus|3 years ago|reply
Especially if we broaden fraud to include other crimes. There are costs to prevent other badness in society as well. Firstly it's the cost in taxes/allocating resources to its prevention: Do we really want to allocate a really large chunk of our shared human capital to police marginal criminal activity? How many more police, judges, attorneys, lock makers, etc. would we need to stop the last bike theft?
Secondly and arguably more importantly is the cost of freedom. A lot of the digital surveillance initiatives that are discussed and dismissed here on HN are enforced in the name of zero tolerance against (really bad) badness in society.
I think it's hard, or impossible, to create a somewhat large society with a zero crime rate. At least if we still want even just a sliver of the freedoms we are accustomed to in liberal democracies.
[+] [-] bell-cot|3 years ago|reply
- Outsiders: It's good to keep members of your society fraud-savvy enough that they can safely travel & do business outside your society...without being easy marks for fraudsters.
- Stability over time: If your society somehow gets fraud down to ~0, that'll lead to big cut-backs in anti-fraud efforts, "end of history" dreamers proclaiming that fraud has died, etc. Which is obviously a set-up for a sudden huge resurgence in fraud.
[+] [-] robbomacrae|3 years ago|reply
The author makes the unexpected claim that businesses want a non-zero amount of fraud. And so as a reader you are tempted to read on because you haven't heard this before. But essentially the argument is that fraud is needed as an unavoidable byproduct of allowing trust/credit in the system to facilitate transactions. However, if businesses could have the trust without the fraud of course they would. I wouldn't be so upset if the author had been more upfront about what this was about. I'm sure there are plenty of people out there who are learning about the fraud and trust/credit relationship for the first time. Just don't try and spin this in a way that it isn't.
[+] [-] souldeux|3 years ago|reply
I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here:
>We should, as a society, accept non-zero amounts of benefits fraud. We should accept non-zero amounts of cheating on taxes.
[+] [-] jon-wood|3 years ago|reply
I’d much rather see a few people who didn’t need benefits manage to claim them than see people who do need them be left without. The first option costs tax payers a bit more money. The second results in people’s lives being made significantly worse, and in some cases in deaths.
[+] [-] Karellen|3 years ago|reply
That's not quite what I got from the article. I read it as the more friction you put in place to prevent fraud, the harder it is for legitimate transactions to happen. Therefore, it's not so much about the cost of the fraud, but the opportunity cost of legitimate transactions which don't happen in the zero-fraud environment.
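Added example (not part of any comment in this thread): the opportunity-cost reading above is easiest to see as a threshold-selection problem. A fraud model scores each transaction, the merchant blocks anything at or above a threshold, and the threshold that maximises net value is found by exhaustive search. The score histogram, the $3 margin per legitimate sale and the $150 loss per approved fraud are constructed for illustration; none of it is real data or the article's own method.

```python
"""Picking a fraud-score threshold by net value, not by fraud count.

Added example (not from the thread): a fraud model scores every transaction
in [0, 1) and the merchant blocks anything scoring at or above a threshold.
The score histogram, margin and fraud cost below are constructed for
illustration; they are not real figures.
"""
from dataclasses import dataclass

# Constructed histogram: (bucket lower bound, legitimate count, fraud count).
# Buckets are 0.1 wide; 1000 legitimate and 100 fraudulent transactions.
SCORE_BUCKETS = [
    (0.0, 400, 0),
    (0.1, 250, 1),
    (0.2, 150, 2),
    (0.3, 90, 4),
    (0.4, 50, 6),
    (0.5, 30, 9),
    (0.6, 15, 14),
    (0.7, 8, 20),
    (0.8, 5, 24),
    (0.9, 2, 20),
]

LEGIT_MARGIN = 3.0   # assumed profit on one approved legitimate sale ($60 order at 5%)
FRAUD_COST = 150.0   # assumed loss on one approved fraudulent sale (goods + chargeback fee)


@dataclass
class Outcome:
    threshold: float      # first blocked bucket; 0.0 blocks all, 1.0 approves all
    legit_approved: int
    fraud_approved: int
    net: float            # margin on approved legit sales minus approved fraud losses


def evaluate(threshold, buckets=SCORE_BUCKETS, margin=LEGIT_MARGIN, fraud_cost=FRAUD_COST):
    """Net value of approving every transaction whose bucket lies below `threshold`."""
    legit = sum(l for lo, l, _ in buckets if lo < threshold)
    fraud = sum(f for lo, _, f in buckets if lo < threshold)
    return Outcome(threshold, legit, fraud, margin * legit - fraud_cost * fraud)


def bucket_marginal_value(buckets=SCORE_BUCKETS, margin=LEGIT_MARGIN, fraud_cost=FRAUD_COST):
    """What approving each extra bucket adds: a bucket pays for itself while this is positive."""
    return [(lo, margin * l - fraud_cost * f) for lo, l, f in buckets]


def best_threshold(buckets=SCORE_BUCKETS, margin=LEGIT_MARGIN, fraud_cost=FRAUD_COST):
    """Exhaustive search over bucket boundaries for the threshold with the highest net."""
    candidates = [lo for lo, _, _ in buckets] + [1.0]
    return max((evaluate(t, buckets, margin, fraud_cost) for t in candidates),
               key=lambda o: o.net)


if __name__ == "__main__":
    for lo, value in bucket_marginal_value():
        print(f"bucket {lo:.1f}: approving it adds ${value:+,.0f}")
    best = best_threshold()
    approved = best.legit_approved + best.fraud_approved
    print(f"best threshold {best.threshold:.1f}: net ${best.net:,.0f}, "
          f"{best.fraud_approved} fraudulent of {approved} approved "
          f"({100 * best.fraud_approved / approved:.2f}% fraud rate)")
    print(f"approve everything: net ${evaluate(1.0).net:,.0f}; "
          f"block everything: net ${evaluate(0.0).net:,.0f}")
```

With these constructed numbers the best threshold is 0.3: it lets three fraudulent transactions through alongside 800 legitimate ones, because the 0.3 bucket is the first one whose blocked legitimate margin no longer covers the fraud it would admit. Blocking everything nets $0 and approving everything nets a loss; the optimum sits in between, with a fraud rate that is low but not zero.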
[+] [-] wpietri|3 years ago|reply
However, I'm not nearly as breezy about $20 billion annually in fraud. Maybe that's fine from the perspective of the merchants and credit card networks. But from the societal perspective, that's subsidizing bad actors. People and groups who will not stop at one kind of crime as they try to grow. People who will divert other people into being parasitic. That's not healthy for society or for the individuals who end up living lives of crime.
So I think the society-optimal level of fraud is way below the merchant-acceptable amount of fraud.
[+] [-] patio11|3 years ago|reply
[+] [-] aqme28|3 years ago|reply
[+] [-] mytailorisrich|3 years ago|reply
Incidentally, this shows that the 'perfect' ethical stance is not necessarily the one that delivers the most benefits at the least cost, aka when ideals meet the real world...
[+] [-] Iridescent_|3 years ago|reply
[+] [-] tshaddox|3 years ago|reply
[+] [-] AbrahamParangi|3 years ago|reply
“It is better that ten guilty persons escape than that one innocent suffer”
At some point in pursuit of “0 crime” you will be imprisoning 10 innocent men to capture 1 criminal.
[+] [-] antman|3 years ago|reply
1. Pass the cost towards self-regulation of people, using client-facing measures, e.g. prove their innocence if they are an outlier.
2. Catch a couple of cases and over-market your policing ability to disadvantage the most gullible.
3. Catch a couple of cases, even minor infractions and destroy them with disproportionate fines or jail sentences, economy of randomness or economy of those who have the best lawyers.
Fraud against government, as above but add:
4. Add arbitrary constraints; you don't really want the system to work, you just fake it for political reasons.
[+] [-] tptacek|3 years ago|reply
This isn't hypothetical; it's the issue underlying the "program design" controversies about means-testing in public policy.
[+] [-] gonzo41|3 years ago|reply
With the intent to incentivize and train criminals to stay small and low impact.
If you're a retail platform and you have a few scammers making a few grand off 20-100 dollar scams, you can play whack-a-mole with them, and that keeps people doing that small fraud rather than leveling up and potentially doing crimes that could endanger the whole business with the exposure.
[+] [-] avgcorrection|3 years ago|reply
It’s like saying that the optimal dirtiness after cleaning your house is non-zero (greater than zero) because cleaning it perfectly takes much more effort than it is worth!
That’s not counter-intuitive at all. It’s just an obvious fact stated in a silly way (for clicks or whatever else).
[+] [-] Spooky23|3 years ago|reply
If your incentive is to have zero fraud, the organization will find ways to not detect fraud or add so many controls and audits that the cost of doing whatever will go up.
There’s a balance. In the tax world, the de-clawing of the IRS for certain things has dramatically impacted compliance. You want enough enforcement that you’re discouraging the median cheater, but not so much that the cure is more expensive.
[+] [-] mfer|3 years ago|reply
We can start with payment. What would someone pay with? Credit/debit numbers can be stolen. Checks can be stolen or forged. Cash can be counterfeit. What form of transaction has zero chance of fraud?
To make transactions available to people you need to introduce systems that can have fraud in them. There is a balance between availability/ease and fraud.
[+] [-] lumost|3 years ago|reply
If we view those repeated tricks as business as usual - we should probably make them accessible to everyone. Otherwise the small fraud becomes rampant.
[+] [-] EdwardDiego|3 years ago|reply
And benefits are for helping people who are in poverty.
[+] [-] vishnugupta|3 years ago|reply
> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.
You encounter this well-known tension pattern in several places. For instance, in safety-critical systems there's a tension between safety and progress. Or take the IT-sec industry: tension between usability and being secure.
[+] [-] woleium|3 years ago|reply
It seems that a society can bear a certain amount of cheating before the system breaks down, a 'tipping point' of sorts. As long as we keep the cheating below the tipping point, the game continues, which is after all the most important aspect, I think.
[+] [-] Kwantuum|3 years ago|reply
[+] [-] jiggawatts|3 years ago|reply
Spending $100K to avoid a loss of $500 is something most sane businesses will not do, but to government this makes perfect sense, because they have a rule that the acceptable amount of fraud is zero.
Hence, they'll spend nearly infinite resources to try to bring fraud down to closer and closer to zero.[1]
You see similar things with risk aversion. Some risk is inevitable, but again, government departments will cheerfully blow billions of dollars to avoid the slightest risk. Projects like ITER and the SLS are highly risk averse and their costs reflect that. Meanwhile smaller, newer, more risky projects will run circles around them.
[1] At least what is perceived to be zero. In actuality fraud remains rampant, but as long as it is technically legal, it is not subject to this rule.
[+] [-] jrootabega|3 years ago|reply
Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...
[+] [-] JasonFruit|3 years ago|reply
[+] [-] no_identd|3 years ago|reply
[+] [-] thayne|3 years ago|reply
I didn't realize that is who usually pays for fraud. I see two problems with this arrangement:
1. The credit card companies, who in some ways are probably in a better position to prevent fraud, are less incentivised to prevent fraud, because they aren't the ones paying for it. For example they could make credit credentials more difficult to steal, by making it so the raw credentials never go directly to online businesses, either by using asymmetric cryptography rather than a number or using an oauth style flow with the credit website in order to complete a transaction. But the credit company would bear the bulk of that cost and it would primarily benefit retailers.
2. Consumers that pay using a method with less fraud risk, such as cash, still have to pay a higher price to cover the cost of absorbing the fraud cost.
On the other hand it does allow businesses to self select how much fraud they are willing to accept.
[+] [-] Anderkent|3 years ago|reply
[+] [-] sgjohnson|3 years ago|reply
I loved the way American Express implemented it. They sent you a one-time passcode on your first purchase with the merchant, and then you could also choose for them to not bother you with any further purchases from the same merchant. I had this enabled by default, it made the experience a million times more enjoyable.
Unfortunately not everyone took AmEx, and I no longer live in the UK (or a country where AmEx has a presence, for that matter), and the way banks in my current country of residence have implemented it is absolutely abysmal.
1. The billing address must be a match 100% of the time, which is painful in situations where you can't specify separate billing and shipping addresses and you want the item shipped to a different address (could be 3 for me)
2. Mandatory 2FA on every transaction. It depends on the exact implementation, but typically you must wait for a notification on your phone and then type in a PIN. In some implementations you have to scan a QR code and then type in said PIN. Sometimes the solution they use for this is down.
3. If anything is wrong at all (billing address/mistyped CVV/whatever), the transaction just gets refused at the end of this loop. Was it something you did wrong? Is some system down? Let's try again.
And sometimes this even messes up recurring subscriptions. My Microsoft 365 Business sub that's billed monthly on a credit card GETS REJECTED EVERY TIME UNTIL I MANUALLY GO THROUGH THIS STUPID PROCESS.
It has made paying for things online a chore. I couldn't care one bit about all the fraud this presents, because I was never liable for it in the first place. That decision was previously up to the merchants (who could have implemented all of this if they wanted to). Now it's forced on everyone.
[0] https://www.bbva.com/en/everything-need-know-psd2/
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] mooreds|3 years ago|reply
I really enjoyed the whole thing.
[+] [-] hedora|3 years ago|reply
The article is specifically limiting its discussion to situations where a payment credential is stolen. Those cases cost $10-20B per year.
This is HN, so most people here can figure out how to secure payment credentials, especially given the assumption that each credit card contains a tamper resistant computer with durable storage (as they currently do).
Instead of ending credential theft (at least in cases that don't involve violence/coercion), the payment networks pass the cost on to vendors, then advertise fraud protection as a feature to card holders.
This only works because the payment processors' monopoly prevents the merchants from fixing the underlying security issue.
So, the payment networks charge the merchants a large percentage of sales (imagine what your local government could implement if it increased sales taxes by 3-5%!) to supposedly pay for fraud protection.
This is exactly like a classic protection racket, except that the thugs that smash up the business don't actually work for the credit card companies.
(I do agree with the premise that driving crime to zero is usually not worth the cost, but that's just "Innocent until proven guilty", and not the subject of the article.)
[+] [-] supertrope|3 years ago|reply
[+] [-] tomxor|3 years ago|reply
> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff
What I don't get is how policy makers can appreciate such nuances and then not see how attempting to ban encryption could possibly break modern society... different policy makers I have to assume.
[+] [-] edbaskerville|3 years ago|reply
https://en.wikipedia.org/wiki/The_Evolution_of_Cooperation
If you allow a population of individuals repeatedly playing prisoner's dilemma against each other to evolve their own strategies, you end up with a large percentage of the population cooperating with each other by default, but punishing cheaters after they are observed cheating. But a small percentage of cheaters will always persist, because as the number of cheaters goes down, the number of naive cooperators will go up, thus making it more advantageous to cheat.
In evolutionary jargon, cheating behavior undergoes "negative frequency-dependent selection". And you end up with a low, but nonzero, equilibrium frequency of cheaters.
This outcome depends on the order of rewards/costs: the best outcome comes from cheating on a cooperator; next best is cooperating with a cooperator; then cooperating with a cheater; and worst is two cheaters cheating on each other.
It's a caricature, but the evolutionary dynamics seem to map pretty well to the kind of examples people are bringing up here in the comments.
(The actual "prisoner's dilemma" is rather a confusing story to use, because it's about criminals trying to decide whether to cooperate with each other or betray each other to avoid jail time. So you end up talking about the evolution of cooperation among a population of criminals.)
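Added example (not part of the comment above): a small replicator-dynamics model of the repeated prisoner's dilemma the comment describes, with a naive cooperator (ALLC), a cooperator that punishes observed cheating (TFT) and a cheater (ALLD). The payoffs, the number of rounds and the mutation rate are assumed values chosen for illustration. Whether the cheater share settles at a fixed level or keeps oscillating depends on those parameters; what the model shows unambiguously is the frequency dependence the comment relies on: the cheater's fitness rises with the share of naive cooperators, so a cheater-free population is the easiest one to invade.

```python
"""Replicator dynamics for a repeated prisoner's dilemma with cheaters.

Added example (not from the comment): three strategies play an n-round
prisoner's dilemma, and the population share of each strategy grows in
proportion to how well it did.  The payoff order is the one the comment
gives: T (cheat a cooperator) > R (both cooperate) > P (both cheat) > S
(cooperate with a cheater).  All parameters are assumed, for illustration.
"""
T, R, P, S = 5.0, 3.0, 1.0, 0.0         # assumed payoffs satisfying T > R > P > S
ROUNDS = 10                              # assumed length of each repeated game
STRATEGIES = ("ALLC", "TFT", "ALLD")     # naive cooperator, punisher, cheater

# Payoff to (me, opponent) for each pair of moves.
PAYOFF = {("C", "C"): (R, R), ("C", "D"): (S, T), ("D", "C"): (T, S), ("D", "D"): (P, P)}


def move(strategy, opponent_history):
    """ALLC always cooperates, ALLD always cheats, TFT copies the opponent's last move."""
    if strategy == "ALLC":
        return "C"
    if strategy == "ALLD":
        return "D"
    return opponent_history[-1] if opponent_history else "C"   # TFT


def play(a, b, rounds=ROUNDS):
    """Total payoffs (to a, to b) over one repeated game."""
    history_a, history_b = [], []
    total_a = total_b = 0.0
    for _ in range(rounds):
        ma, mb = move(a, history_b), move(b, history_a)
        pa, pb = PAYOFF[(ma, mb)]
        total_a += pa
        total_b += pb
        history_a.append(ma)
        history_b.append(mb)
    return total_a, total_b


# Payoff of the row strategy against the column strategy over one repeated game.
MATRIX = {a: {b: play(a, b)[0] for b in STRATEGIES} for a in STRATEGIES}


def fitness(freqs, matrix=MATRIX):
    """Average payoff of each strategy against a population with the given shares."""
    return {a: sum(freqs[b] * matrix[a][b] for b in STRATEGIES) for a in STRATEGIES}


def step(freqs, mu=0.01):
    """One generation of replicator dynamics with a small mutation rate mu."""
    fit = fitness(freqs)
    mean = sum(freqs[a] * fit[a] for a in STRATEGIES)
    grown = {a: freqs[a] * fit[a] / mean for a in STRATEGIES}
    # Mutation keeps every strategy present at a low level, so naive
    # cooperators can reappear after cheaters have driven them down.
    return {a: (1 - mu) * grown[a] + mu / len(STRATEGIES) for a in STRATEGIES}


def simulate(start=None, generations=500, mu=0.01):
    """Run the dynamics and return the share of each strategy per generation."""
    freqs = dict(start) if start else {a: 1 / len(STRATEGIES) for a in STRATEGIES}
    trajectory = [freqs]
    for _ in range(generations):
        freqs = step(freqs, mu)
        trajectory.append(freqs)
    return trajectory


if __name__ == "__main__":
    for gen, f in enumerate(simulate()):
        if gen % 50 == 0:
            print(gen, {a: round(f[a], 3) for a in STRATEGIES})
```

Reading the payoff table makes the comment's mechanism concrete: over ten rounds a cheater earns 50 against a naive cooperator but only 14 against a punisher, so the cheater's average payoff is driven almost entirely by how many naive cooperators are around, which is exactly what grows once cheaters become rare.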
[+] [-] Animats|3 years ago|reply
Some banks used to take a thumbprint when you cashed a check in person. Very few do that now. When they did it, it was more symbolic than useful, because they didn't have a useful checking system. Today, if banks took fingerprints, they'd find out more than they wanted to know, because immediate lookup is possible. It's not their job to filter the entire population for warrants and illegal aliens.
In-person identification is getting really good. Here's Hikvision's new ID unit.[1] Face recognition, iris recognition, fingerprint recognition, and RFID card recognition in one convenient iPad-sized unit. Iris recognition now works at 70cm range, so it can be used routinely. In China, there is no right to be anonymous.
Worth noting: credit card companies absorbing losses varies by country. The US is pro-consumer on credit card fraud, but not on debit card fraud. This differs by country.
[1] https://www.youtube.com/watch?v=I29_WWuntxs
[+] [-] phoe-krk|3 years ago|reply
[+] [-] richardc323|3 years ago|reply
The three digit CVV code should be a one time passcode (OTP). Banks have been using these since the 1990s for online logins.
Using 90s technology, the card issuer would issue one of these OTP fobs along with the card. It has the card number printed on it, a button and an LCD screen where the OTP is displayed. The CVV is already sent through to the computer that authorises the transaction; the software that checks the CVV would need to be changed.
So we have a trade off of the user having to have a separate thicker card, to fit the battery, for online use.
I just googled: you can get batteries that are 0.4mm x 22mm x 29mm, and a credit card is 0.76mm thick. E-ink is old technology now with the right performance characteristics. I suspect in volume using this technology you could integrate the OTP device in the standard card form factor for less than a couple of dollars a card.
So with a bit of innovation the friction of payment / fraud tradeoff goes away.
This all strikes me as fairly obvious to someone designing these things, is there another tradeoff going on here?
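Added example (not part of the comment above, and not any issuer's actual scheme): the one-time CVV idea sketched here, built on HOTP (RFC 4226), the HMAC-based counter code that the 1990s login fobs the comment mentions also use. The card-side token holds a secret key and a counter and shows a fresh 3-digit code per press; the issuer's authorisation host keeps the same key, accepts a code only if it matches one of the next few counter values, and then moves its counter past it so the same CVV can never be reused. The class names, the look-ahead window of 5 and the 3-digit length are this example's own choices.

```python
"""Dynamic CVV as an HMAC-based one-time code (HOTP, RFC 4226).

Added example (not from the comment): the card-side token holds a secret key
and a counter and produces a fresh 3-digit CVV on each press; the issuer's
authorisation host holds the same key, accepts a code only if it matches one
of the next few counter values, and then moves its counter past it so the
same CVV cannot be replayed.  Class and method names are this example's own.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits.
    RFC 4226 test vector: key b"12345678901234567890", counter 0 -> 755224."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


class CardToken:
    """Card-side generator: each button press yields the next 3-digit CVV."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_cvv(self) -> str:
        code = hotp(self.secret, self.counter, digits=3)
        self.counter += 1          # a pressed-but-unused code is simply skipped
        return code


class IssuerVerifier:
    """Issuer-side check with a look-ahead window for presses that never reached us."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0           # next counter value we expect

    def verify(self, cvv: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, candidate, digits=3), cvv):
                self.counter = candidate + 1   # this and all earlier codes are now dead
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"        # constructed demo key shared at issuance
    card, issuer = CardToken(secret), IssuerVerifier(secret)
    first = card.next_cvv()
    print("first purchase:", first, "accepted:", issuer.verify(first))
    print("same code replayed:", issuer.verify(first))
    card.next_cvv()                          # a press the customer never typed in
    third = card.next_cvv()
    print("third press, second purchase:", third, "accepted:", issuer.verify(third))
```

Two points a practitioner would check before fielding this: a 3-digit code gives a 1-in-1000 chance per guess, and the look-ahead window multiplies that by its width, so the issuer must rate-limit failed attempts per card (as it should for today's static CVV anyway); and because the code is not bound to the amount or merchant, it stops credential reuse but not a merchant altering the transaction it was typed into, which is the gap that the asymmetric-signature or OAuth-style flows mentioned elsewhere in the thread would close.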
[+] [-] benja123|3 years ago|reply
As someone who has worked in the industry for the past 15 years, I can see a few things that I believe are causing risk tolerance levels to increase across the industry.
1. Startups/new businesses that are in the growth stage have a large appetite for risk, which is pushing the more traditional/legacy companies to also take more risk.
2. High friction experiences that are designed to stop fraudsters require you to provide timely support to any good users that might be blocked by mistake. We all know the trend for most companies has been to move away from providing timely support to their customers as it is extremely expensive. This is another cost (on top of potential lost sales) of creating a high friction experience.