Keylogger Report Methodology
Based on the number of machines infected with keylogger spyware, the kind designed to steal credit card and bank account information, I estimate that approximately $24 billion USD in US consumer money can be leveraged by hostile entities (anyone not authorized by the consumer) in the United States alone.
This estimate is conservative by design for the reasons explained below. It is also a draft estimate and study, with the usual disclaimers. The theft of credit card information is nothing new, but online banking has brought a new vector into identity theft: a credit card account can be closed quickly and the number changed, while a bank account is much harder to replace. This estimate of the amount of US consumer money under hostile control should be reason enough to take a serious second look at how we are addressing this threat and protecting against it. Banks and credit card companies do have fraud-protection measures in place, but recent history has shown that they can be undermined. Gartner estimates that in the 12 months spanning 2003-2004, 2 million bank accounts were robbed for an average of $1,200 each. My estimate is intended to show how at risk this system really is, in concrete economic terms.
$24 billion is one-fourth (or one-eighth depending on which numbers) of the cost to repair New Orleans. It's about one-eighth of the total cost of the Iraq war from day one. It's enough money to fund the entire state government of Illinois for 6 months and still have money left over to fix the broken pension system there. This is no small chunk of change we are talking about.
-------------
The point of this is not to scare people out of shopping or banking online but to show the impact of inadequate security against, and response to, spyware on the PC. With appropriate security, online shopping and banking can be relatively safe. The problem is that the available security measures are not as widely deployed as they should be.
This is a rough and probably low-balled estimate. It's not intended to be precise. If you want a more precise study, I work for the University of Illinois at Urbana-Champaign, which would be more than happy to accept grant money to study this more closely. I generally chose conservative figures and median rather than mean values, so that any statistical or demographic skew in the sources is more than accounted for. As I said, I think I end up lower than where the real number is.
I started with the 2001 Survey of Consumer Finances for a good deal of my data. I use the 2001 report instead of the 2004 one because the 2004 results will not be available until 2006.
Here are the data points to note:
Median Transactional Account Balance: $4000
Median Credit Card Balance: $1900
The credit card balance doesn't matter for this exercise; the available credit does. According to Demos, the average card-carrying consumer has 6 credit cards with an average limit of $3,500 each, or $21,000 in total credit. I assume that when someone shops online they always use the same card, and that only one credit card carries debt. Both assumptions skew my results down: some people use more than one card online, and if someone has 6 cards it is unlikely that all the debt is carried on only one, so the card used online probably has more available credit than I give it.
From there I use WebRoot's "The State of Spyware" Q1 2005 report. According to their estimates, 7% of machines contained "system monitors", a category that includes keyloggers. This is the statistic I focus on and reuse to extrapolate the number of US users impacted by keyloggers, which in turn can steal SSNs, credit card numbers, and bank account information.
This 7% number is low. WebRoot got their data from corporate clients, who generally can afford anti-virus and anti-spyware software, have security policies and security staff, and in this case pay someone to come in and clean up their environment. This is not the case for the home user. Some may pay for it, some may not, but I believe the infection rate across the board is much higher for home users, and I would imagine no one would fight me on that point. However, I still use only the 7% figure instead of hazarding a guess. For statistical simplicity I also assume that each household has only one PC. This is obviously off, but if someone has more than one machine their odds of being impacted are higher, assuming the same precautions across the board. I ignore the extra machines to keep it simple, and at worst that makes the number artificially lower, not higher.
Another thing to note is that the 7% is the infection rate at one point in time. A snapshot understates the exposure, because once information is stolen it doesn't matter if you clean the infection later; the damage is done. Infections that were cleaned before WebRoot's scan ran are not counted at all. A more appropriate metric is the share of machines that have EVER been infected while banking or card information was being entered, and using the snapshot instead pushes my estimate down further. As a reference, in Q4 2004 WebRoot found the system monitor infection rate at over 11%.
According to the Census Bureau, there are about 141 million US households. Gartner estimates that 45% of people pay online; ClickZ / Pew Internet puts the figure at 44%. The Consumer Internet Barometer has the share of households that shop online in Q3 2003 at 52.4%.
The distinction between households and people is important, as households may include more than one person (and often do). If one person in the house shops or banks online, it follows that their spouse may be more likely to do so as well. The shopping number, however, is already a percentage of all American households. Going back to banking, even if a household is 5 people, it does not follow that all 5 bank online. That would generally be two adults and three kids (or one adult and four), and odds are the children don't bank online because they don't have any assets to do so with. There are exceptions, but they are exceptions. Children under 18 who open accounts, as far as I remember from when I was a child, have to open them under a trust in their parents' name. Long story short, I take the 44% number and use it as a household number. The 52.4% of households that shop online (with a credit card) are exposed even if they don't bank online. I assume that the additional exposure of credit card customers over bank account customers makes up for any shortfall from an estimate that ends up high in terms of households that bank online. It's rough, but that's ok.
For my purposes, I use 44% as the share of households that either bank or shop online and, as a result, are vulnerable to keyloggers grabbing their information. I assume that people who bank online also shop online or otherwise put credit card information into their computer.
141,000,000 households * 7% = number of households with an infected machine where a keylogger can steal banking/CC information.
- That's 9,870,000 households.
Households (see above) have $4,000 in transactional accounts, plus $3,500 - $1,900 = $1,600 in available credit on the one card used online (per my estimate above). That means the average consumer household has $5,600 of vulnerable money exposed to the Internet.
Now restrict to the households that actually do online financial transactions:
9,870,000 x 44% = 4,342,800.
Continuing the math, 4,342,800 households * $5,600 exposed cash =
$24,319,680,000 in money that can be leveraged by hostile entities (i.e., anyone other than the consumer or someone the consumer has authorized).
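As an added worked example (not part of the original estimate), here is the calculation above as a small parametrized model in Python. The inputs are the page's; the function names and the sensitivity cases are mine. The sensitivity cases re-run the same arithmetic with the alternative figures the page itself cites (the Q4 2004 11% infection rate and the 52.4% online-shopping share) to show that each of them pushes the estimate up from $24 billion, which is what "conservative by design" means in practice.

```python
"""Worked version of the keylogger exposure estimate on this page.

Added example; the model and the figures are the page's, the function
names and sensitivity cases are mine. Rates are kept as exact Fractions
so the intermediate household counts stay whole numbers and nothing
drifts in floating point.
"""
from fractions import Fraction

# Inputs as given on the page (Census / WebRoot / Pew / Consumer Internet
# Barometer / 2001 SCF / Demos).
HOUSEHOLDS = 141_000_000
INFECTION_RATE_Q1_2005 = Fraction("0.07")    # WebRoot Q1 2005 "system monitor" rate
INFECTION_RATE_Q4_2004 = Fraction("0.11")    # WebRoot Q4 2004 rate, cited as a reference
ONLINE_SHARE_BANKING = Fraction("0.44")      # Pew / ClickZ: households banking or shopping online
ONLINE_SHARE_SHOPPING = Fraction("0.524")    # Consumer Internet Barometer Q3 2003 shopping households
MEDIAN_TRANSACTIONAL_BALANCE = 4_000         # 2001 SCF median transactional account balance
AVERAGE_CARD_LIMIT = 3_500                   # Demos average limit per card
MEDIAN_CARD_BALANCE = 1_900                  # 2001 SCF median credit card balance


def exposed_per_household(balance=MEDIAN_TRANSACTIONAL_BALANCE,
                          card_limit=AVERAGE_CARD_LIMIT,
                          card_balance=MEDIAN_CARD_BALANCE):
    """Dollars a keylogger can reach per household: cash in the transactional
    account plus the unused credit on the single card assumed to be used online."""
    return balance + (card_limit - card_balance)


def infected_households(households, infection_rate):
    """Households with at least one keylogger-infected PC (one PC per household assumed)."""
    return households * infection_rate


def exposed_households(households, infection_rate, online_share):
    """Infected households that also bank or shop online."""
    return infected_households(households, infection_rate) * online_share


def estimate(households=HOUSEHOLDS,
             infection_rate=INFECTION_RATE_Q1_2005,
             online_share=ONLINE_SHARE_BANKING,
             per_household=None):
    """Total dollars under hostile control, as a whole number of dollars."""
    if per_household is None:
        per_household = exposed_per_household()
    return int(exposed_households(households, infection_rate, online_share) * per_household)


def sensitivity():
    """Re-run the estimate with the alternative inputs the page cites.
    Every alternative is higher than the baseline: the $24B figure is the
    low end of the page's own inputs."""
    cases = {
        "baseline (7%, 44%)": (INFECTION_RATE_Q1_2005, ONLINE_SHARE_BANKING),
        "Q4 2004 rate (11%, 44%)": (INFECTION_RATE_Q4_2004, ONLINE_SHARE_BANKING),
        "shopping share (7%, 52.4%)": (INFECTION_RATE_Q1_2005, ONLINE_SHARE_SHOPPING),
        "both (11%, 52.4%)": (INFECTION_RATE_Q4_2004, ONLINE_SHARE_SHOPPING),
    }
    return {name: estimate(infection_rate=r, online_share=s)
            for name, (r, s) in cases.items()}


if __name__ == "__main__":
    print(f"exposed per household: ${exposed_per_household():,}")
    print(f"infected households:   {int(infected_households(HOUSEHOLDS, INFECTION_RATE_Q1_2005)):,}")
    print(f"exposed households:    {int(exposed_households(HOUSEHOLDS, INFECTION_RATE_Q1_2005, ONLINE_SHARE_BANKING)):,}")
    for name, dollars in sensitivity().items():
        print(f"{name:30s} ${dollars:,}")
```

Swapping in any of the page's own alternative inputs only raises the total; the baseline of $24,319,680,000 reproduces the figure above exactly because the rates are exact fractions rather than floats.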
Again, this is a draft estimate, send feedback to bambenek -at- gmail.com
How to fix this problem? Most of it stems from the fact that online shopping and banking rely on weak, one-factor authentication: a static password, or a card number plus expiry date and CVV, that a keylogger (or any other data-stealing technique) can capture once and then replay at will. Because the underlying one-factor authentication is so easy to undermine, there is not a whole lot you can do except keep raising the security bar to block spyware and the like.
Things that have skewed this number (mostly downward):
- The infection rate is a one-time snapshot, not the number of machines ever infected by this kind of malware (and infected long enough to capture the information). The overall rate of infection by this type of malware is much higher if you count infections over time instead of infections at a single point in time.
- Home users are more likely to be infected in general than corporate users (the study I use covers corporate users). Corporations, certainly ones who pay companies like WebRoot to come in, look for this stuff and invest in it; home users are less likely to. As a result, I think the 7% figure is low because of the difference in demographics.
- The exposure rate of credit card customers is much higher than that of bank account customers, because far more people shop online than bank online. This is changing, but I assumed the same rate for both.
- I believe that the median income of people who shop and bank online is probably significantly higher than the median income for people overall, which would mean higher balances and credit limits than the ones I used. I know of nowhere to get that data easily, however.
- Essentially I'm relying on other people's information, gathered for reasons unrelated to my estimate, so I'm subject to any errors they made as well.
© 2002-2005 The SANS Institute. SANS Web Privacy Policy: www.sans.org/privacy.php