[HN Gopher] The optimal amount of fraud is non-zero
___________________________________________________________________
The optimal amount of fraud is non-zero
Author : piinbinary
Score : 236 points
Date : 2022-09-03 13:56 UTC (9 hours ago)
(HTM) web link (bam.kalzumeus.com)
(TXT) w3m dump (bam.kalzumeus.com)
| AtNightWeCode wrote:
| Some scams in my country have been ongoing for years cause the
| amount of the scam is one unit below what you can report to the
| right authorities. You can report to the police too but that is
| useless.
| fijiaarone wrote:
| If your job is fixing broken windows, then supporting vandalism
| just so you get to keep your job is a pretty asinine philosophy.
|
| I can see why this clown is the most famous redditor in the
| world.
| thayne wrote:
| > overwhelmingly businesses simply absorb fraud costs in the same
| way that they absorb their office rent, staff salaries, and
| marketing expenses.
|
| I didn't realize that is who usually pays for fraud. I see two
| problems with this arrangement:
|
| 1. The credit card companies, who in some ways are probably in a
| better position to prevent fraud, are less incentivised to
| prevent fraud, because they aren't the ones paying for it. For
| example they could make credit credentials more difficult to
| steal, by making it so the raw credentials never go directly to
| online businesses, either by using asymmetric cryptography rather
| than a number or using an oauth style flow with the credit
| website in order to complete a transaction. But the credit
| company would bear the bulk of that cost and it would primarily
| benefit retailers.
|
| 2. Consumers that pay using a method with less
| fraud risk, such as cash, still have to pay a higher price to
| cover the cost of absorbing the fraud cost.
|
| On the other hand it does allow businesses to self select how
| much fraud they are willing to accept.
| Anderkent wrote:
| re: 1; since payments processors compete for business, ones
| that can convincingly claim to reduce fraud rate can charge
| higher fees of the merchants
| jstummbillig wrote:
| > The reason for this is that Directors of Fraud are aware that
| the policy choices available to them impact the user experience
| of fraudsters and legitimate users alike.
|
| I think herein lies the crux: All things interact, and if you
| think they don't you are just not aware of how. The game is
| identifying and moving the cogs that a) are either most important
| and isolated to get you where you want most efficiently or b)
| interact favorably in concert.
|
| You win relatively by understanding this better than others. You
| win absolutely by seeing or creating an opportunity to implement
| a brand new cog.
| NicholasN wrote:
| Unfortunately this is mostly an American issue. CC fraud in
| Europe is minimal because cards have an embedded PIN required for
| each transaction. In addition, when purchasing online, an instant
| pop-up on your mobile phone asks you to approve or decline the
| transaction within 2 minutes. Contactless transactions under $25
| do not require PIN or pop-up verification. These options are
| considered inconvenient for American consumers so we eat the
| fraud and sign receipts like it's 1989 :-)
| hedora wrote:
| I'd expect fraud to rise in Europe soon, since the pin part of
| that protocol can be bypassed:
|
| https://www.zdnet.com/article/chip-and-pin-is-broken-say-res...
|
| The mobile popup is a reasonable mitigation though; it seems
| likely to limit fraud to small purchases, or encourage sim
| swapping, etc.
| paulcole wrote:
| > This is counterintuitive and sounds like it is trying a bit too
| hard to be clever.
|
| We can wrap up the unintentional HN slogan contest right now.
| hedora wrote:
| This sort of thinking has been prevalent in the payments industry
| for a long time, and I find it infuriating.
|
| The article is specifically limiting its discussion to situations
| where a payment credential is stolen. Those cases cost $10-20B
| per year.
|
| This is HN, so most people here can figure out how to secure
| payment credentials, especially given the assumption that each
| credit card contains a tamper resistant computer with durable
| storage (as they currently do).
|
| Instead of ending credential theft (at least in cases that don't
| involve violence/coercion), the payment networks pass the cost on
| to vendors, then advertise fraud protection as a feature to card
| holders.
|
| This only works because the payment processors' monopoly prevents
| the merchants from fixing the underlying security issue.
|
| So, the payment networks charge the merchants a large percentage
| of sales (imagine what your local government could implement if
| it increased sales taxes by 3-5%!) to supposedly pay for fraud
| protection.
|
| This is exactly like a classic protection racket, except that the
| thugs that smash up the business don't actually work for the
| credit card companies.
|
| (I do agree with the premise that driving crime to zero is
| usually not worth the cost, but that's just "Innocent until
| proven guilty", and not the subject of the article.)
| supertrope wrote:
| Merchants are even more lax about card fraud than banks. The
| National Retail Federation complained about the cost of
| upgrading to chip readers. They asked the government to force
| banks to eliminate PCI DSS which would make it even easier to
| commit credit card fraud. PCI DSS is compliance not security
| but without it retailers would literally do nothing. Some
| retailers tried to get customers to switch to QR code payments
| linked directly to your bank account. One of these payment apps
| CurrentC was immediately breached.
| hedora wrote:
| Smart cards were also breached before the US switched to
| them.
|
| I'd object to paying for PCI DSS if I were them, to be
| honest. The idea that every merchant (or credit card reader)
| even has access to credentials is ludicrous.
|
| The CurrentC breach was of email lists, not the payment flow. It's
| embarrassing, but still a better track record than the
| existing payment processors (which probably suffered 10,000s
| of payment flow breaches as I typed this.)
| aaron695 wrote:
| antman wrote:
| Especially if the burden of proof of fraud falls mostly on the
| consumer. This is how it works, we don't know the actual ratio of
| fraudulent vs ok cases so we compare across institutions. If one
| institution is an outlier then arbitrarily changes the acceptance
| threshold pushing the cost to the grieving consumer.
|
| If on the other hand the cost of misidentifying a case fell on
| the institution then they would simply accept only personally
| identified payments e.g. sms or other 2fa at virtually no cost
| for them and effectively zeroing fraud
|
| In some places with more modern banking, this is pretty common
| e63f67dd-065b wrote:
| There's 2 different things going on here:
|
| - The optimal amount of fraud in society is 0
|
| - The optimal amount of fraud a business/industry should _accept_
| is non-zero
|
| The simple observation that the cost to prevent each marginal
| fraud attempt increases; the last 0.1% of fraud costs way too
| much to prevent compared to the first 99%. Obviously society
| would be better off if fraud didn't exist, but since it does the
| effort expended is only worth it up until when the marginal cost
| of prevention exceeds an acceptable threshold (when it starts to
| lose you money).
|
| The optimal amount of fraud is still 0, but the optimal amount of
| fraud prevention lies somewhere on the margin.
|
| This is why important transactions like banking have KYC checks,
| and buying a pair of sneakers don't.
| chongli wrote:
| I think you're conflating the terms optimal and ideal. The
| ideal amount of fraud in society is zero. The optimal amount of
| fraud in society is not defined, because optimization problems
| are always subject to a set of constraints.
|
| So then we may ask: "what is the optimal amount of fraud in
| society such that the costs of legislation, education, and
| enforcement do not exceed X% of GDP?" and that is a different
| question. You might also throw technology and R&D in there
| because new tools make it easier to investigate fraud. Of
| course new technologies also open up new possibilities for
| fraud, so this is a very complicated exercise. But I think it's
| fair to say that given any reasonable constraints, the optimal
| amount of fraud is nonzero.
| jbarciauskas wrote:
| The way this is phrased, I expected to learn there was some
| benefit to a low amount of fraud, as such. There is not.
| There is a benefit to a high amount of trust, which
| necessitates accepting some amount of fraud.
| bdw5204 wrote:
| The optimal amount of crime in a society is non-zero
| because a society with zero crime would be a dystopian
| police state where innocent people sometimes get caught up
| in the justice system's net to make sure it catches all of
| the criminals.
|
| The classic principle of Anglosphere common law is that it's
| better to let 10 criminals get away with it than to convict
| 1 innocent person. The same idea applies to fraud because
| overzealous fraud prevention causes problems for legitimate
| users whose actions incorrectly get detected as possible
| fraud. The benefit to tolerating a low amount of fraud is
| that your product won't be hostile to your legitimate
| users. The benefit to tolerating a low amount of crime is
| that you will live in a free society rather than a
| dystopian tyranny. Freedom is good and it is worth giving
| up quite a bit of safety for the sake of being free.
| Infernal wrote:
| > The optimal amount of crime in a society is non-zero
| because a society with zero crime would be a dystopian
| police state where innocent people sometimes get caught
| up in the justice system's net to make sure it catches
| all of the criminals.
|
| At this point you're just playing with the definition of
| crime. I would argue that it is criminal to deprive an
| innocent person of their freedom, and challenge that your
| proposed scenario is actually "zero crime".
|
| Secondly, you talk of catching "all of the criminals". In
| a "zero crime" environment there are no criminals - by
| definition if there is a criminal, then a crime has been
| committed at some point.
|
| All that said I agree with your larger point - the cost
| of freedom is that people are not constrained before the
| fact from committing crime, and that's a good thing on
| the whole.
| throwaway98797 wrote:
| i hope you're trolling
|
| do you see how with the framing you're proposing it's
| extremely difficult to reason? might even be impossible.
| Nextgrid wrote:
| I'd argue that the optimal amount of crime is zero but
| the optimal amount of _possibility of crime_ should be
| non-zero. That's a necessary escape hatch out of a police
| state or authoritarian government. After all, the
| resistance against the Nazis was technically criminal at
| that time, even though now we'd all agree it was a good
| thing it occurred anyway.
|
| It is especially important nowadays because unlike back
| then where technology was limited and surveilling 100% of
| the population was impossible, it is very much possible
| today and is already being done in certain places such as
| China.
| TheGoddessInari wrote:
| I like this view: you take care of a lot of the
| conventional concerns while also some futuristic ones
| like Pre-Crime in Minority Report.
| fijiaarone wrote:
| Exactly.
|
| But patio's argument is that since he works for the fraud
| department at Stripe payments, he wants fraud to exist so
| he can keep his cushy job.
|
| Ask the police about the optimal amount of speeding
| tickets.
| galaxyLogic wrote:
| Exactly. Everybody seems to be throwing around the word
| "optimal" but not asking "optimal to whom?".
|
| The article was kind of long-winded so I didn't read it
| all. But has a catchy title. So is the title about
|
| a) Optimal amount of fraud to the society at large?
|
| b) Optimal amount of fraud to the businesses which suffer
| a loss because of it?
|
| c) Optimal amount of fraud to the customers of such
| businesses?
|
| d) Optimal amount of fraud to the chief of fraud-
| prevention department?
|
| e) Optimal amount of fraud to the fraudsters?
| jokethrowaway wrote:
| If you define crime as violating the anarchist non-
| aggression principle, then it makes more sense. The only
| problem is that the state would be the largest offender.
|
| Nazi laws weren't moral, as it's not moral today to
| demand half of my profits or I go to jail.
| atq2119 wrote:
| You just picked your own idea of morality and decided to
| elevate it above others: you chose the "anarchist non-
| aggression principle" as somehow morally superior to
| other ideas about how crimes should be defined, and
| decided that with that definition, targeting zero crimes
| makes more sense.
|
| But the whole point is that we will never universally
| agree on a morality because society's overall preferences
| shift over time. So targeting zero crimes _never_ makes
| sense.
| chongli wrote:
| We don't need there to be a benefit to a low amount of
| fraud to optimize for it. Optimization is a purely
| mathematical exercise [1]. Once we construct the problem
| with a chosen set of constraints then we apply mathematical
| techniques to solve it. Of course, many types of
| optimization problems (especially non-linear or non-convex)
| can be extremely difficult to solve optimally without
| relaxing some constraints or settling for approximations to
| the optimal solution.
|
| But, besides that, the task of interpreting the results and
| of potentially selecting new constraints or even a new
| objective function is a separate matter. Perhaps we should
| be seeking to maximize trust rather than minimize fraud in
| society. But then we have to ask ourselves: "what would
| that look like?"
|
| [1] https://en.wikipedia.org/wiki/Mathematical_optimization
| auggierose wrote:
| There does not need to be a set of constraints for
| optimisation to be defined. You can talk about
| optimisation on an unconstrained domain, for example all
| of ℝ. But there DOES need to be a measure function that
| measures what you are optimising for. The benefit of
| fraud would be one such function you could optimise for,
| and that seems to be what GP is after. The pure amount of
| fraud is a different one, which seems to be what you are
| interested in.
| 8note wrote:
| Even without trust, you will reach an optimal amount
| because preventing fraud tends to become more expensive
| than the fraud itself, once you cover the simple and easy
| cases
| jazzkingrt wrote:
| I think you're conflating the standard English word "optimal"
| with mathematical optimization.
| thaumasiotes wrote:
| user5678 is correct; this isn't a case where the
| mathematical use of the word differs from the normal use.
| user5678 wrote:
| thaumasiotes wrote:
| > So then we may ask: "what is the optimal amount of fraud in
| society such that the costs of legislation, education, and
| enforcement do not exceed X% of GDP?" and that is a different
| question.
|
| It's also not a question of any particular interest; you're
| interested in what maximizes (good - bad), not what maximizes
| (good / bad).
| asah wrote:
| "optimal amount of fraud in society is 0" - are you sure? why?
|
| Bad Things(tm) are useful for testing and improving
| safety/security, and when I see people/institutions with no
| experience reacting to Bad Things(tm), I know they're in for a
| world of hurt when it does happen.
|
| Perhaps you mean, the optimal amount of fraud that isn't
| prosecuted... or not detected... ? Even then, I'd argue that
| there's a tiny percentage that's useful for keeping the
| safety/security industry on its toes and at the ready.
|
| As a proof point, if you believe that war (world peace) is not
| a solved problem, then it's only a matter of time before your
| city/region/civilization/race faces an existential threat, for
| which the only true preparation is to be ready to innovate and
| mobilize.
|
| Sorry if this comes across as dark. I mean it in the same vein
| as having a small percentage of farmers is desirable.
|
| By contrast, I visited a traditional silk factory in Stockholm
| (amazing btw) and the craft has been lost to the point where
| they're struggling to find craftspeople able to work their
| looms and other old equipment. See Jonathan Blow's excellent
| talk about lost technology:
| https://www.youtube.com/watch?v=ZSRHeXYDLko
| bawolff wrote:
| There are also arguments that a certain amount of rule breaking
| is necessary in society to support innovation. A society with
| no rule breaking becomes static.
| calchris42 wrote:
| Your explanation is so much more succinct than the article!
|
| I believe buried in there is one other factor that is somewhat
| related:
|
| - reducing friction helps drive more legitimate business.
| Accordingly, over-aggressive anti-fraud practices can result in
| reduced sales.
|
| A toy example: a business could eliminate exposure to credit
| card fraud by not accepting credit cards. That would however
| reduce overall sales.
|
| I guess this can all fit within a "marginal cost" explanation
| though.
| panarky wrote:
| > a business could eliminate exposure to credit card fraud by
| not accepting credit cards
|
| A business could eliminate all fraud, abuse and theft of
| every type by shutting down completely.
| mlyle wrote:
| > I guess this can all fit within a "marginal cost"
| explanation though.
|
| Yes, but it undermines the first point, a bit. There's
| costs-- direct and social costs-- to making transactions
| hard; so perhaps optimal for a society is still not 0.
|
| Also, there's nothing to say that the amount of fraud is
| _stable_ and that we can't find a world where we have better
| mechanisms to reduce it for the same cost. (Improved
| technology, legal structures, norms, etc).
| ghaff wrote:
| >reducing friction helps drive more legitimate business.
|
| A very real example in retail. I can minimize the possibility
| that I'll be hit with fraudulent returns. Require a receipt,
| short window, store credit only, must be in like new
| condition with all packaging, etc. (Or just sell everything
| on an all sales are final basis.) Different stores do many of
| these things to a greater or lesser degree on at least some
| merchandise. But you'd probably better be offering really
| good prices if you do.
| rileymat2 wrote:
| And with all that effort all that friction, you still get
| hit with chargebacks no matter your policy for returns.
| fijiaarone wrote:
| Yeah, the system is set up so the payment processors
| benefit from fraud.
| metacritic12 wrote:
| Right, more generally:
|
| - X is ipso facto bad. The optimal amount is zero.
|
| - X is traded off against Y actually, so in _general
| equilibrium_ with Y, it's nonzero.
|
| And the above pair could be:
|
| (Covid risk, attending fun parties)
|
| (Risk of getting hit by a car, being able to walk anywhere)
|
| (Discrimination in society, administrative costs of anti-
| discrimination laws).
|
| The list goes on. It's a simple concept in decision theory,
| rehashed with an attractive title.
| scott_w wrote:
| Some of those aren't analogous. Your Covid example: there's
| also the cost _to others_ of you catching and spreading it,
| even if the risk to you is lower.
|
| Speeding is another example: the cost (or risk) might be
| acceptable to you but not to the person you have an increased
| likelihood of hitting and doing serious injury to.
|
| At a societal level, it holds, which is why we invest in
| measures to increase the cost of doing the wrong thing
| (speeding tickets, removing licenses).
| sneak wrote:
| > _This is why important transactions like banking have KYC
| checks, and buying a pair of sneakers don't._
|
| Banks do KYC checks because it is required by law, not because
| it does anything to reduce fraud. Fake IDs are a thing.
| Requiring identification does not make transactions safer
| without a lot of other stuff happening too.
| permo-w wrote:
| this explains things significantly better than the article,
| which seems to be little more than dragging out a surprising-
| sounding headline with a pretty obvious concept
| jbuhbjlnjbn wrote:
| To be more specific, the article mimics the topic of a
| counter-intuitive "surprising" truth (like, for example the
| goat problem; or flaws in human cognition), while letting the
| reader down by making an obvious, easy to understand truth
| unnecessarily complicated.
|
| "Clickbait light"
| patio11 wrote:
| The reason I went to the trouble of writing it was that many,
| many people in both business and the finance industry do not
| agree it is obvious and a good portion _do not agree it is
| true_, and they take actions consistent with those beliefs,
| which harm themselves and others.
| not2b wrote:
| An optimal amount is an amount that can be achieved. The only
| way to achieve zero fraud is to have zero financial
| transactions.
| LorenPechtel wrote:
| More generally--the cost to eliminate bad outcomes goes up
| exponentially as you deal with the easy bad outcomes. Credit
| card fraud is simply one example.
|
| Or consider a simple non-financial example: I left half a dozen
| pears on the tree this year--getting those last few pears would
| have required hauling a 50 pound ladder around the house and
| then struggling with setting it up. (Due to its size it's a lot
| harder to handle than its weight indicates.)
| bell-cot wrote:
| This, definitely. _But also_ - at the social policy level,
| there are two additional issues:
|
| - Outsiders: It's good to keep members of your society fraud-
| savvy enough that they can safely travel & do business outside
| your society...with _out_ being easy marks for fraudsters.
|
| - Stability over time: If your society somehow gets fraud down
| to ~0, that'll lead to big cut-backs in anti-fraud efforts,
| "end of history" dreamers proclaiming that fraud has died, etc.
| Which is obviously a set-up for a sudden huge resurgence in
| fraud.
| lifeisstillgood wrote:
| This optimal (#) can and probably will change soon. We all
| carry around phones capable of trivial non-reputable
| verification, and centralised digital cash (not bitcoin but
| BankOfEnglandCoin) is technically feasible. So it's quite
| technically feasible for every day to day transaction to be
| completed with the sort of KYC verification currently
| reserved for say house purchases.
|
| It's just the political / societal implications. These are
| beyond "hey it's expensive for banks to cut down on fraud"
|
| I disagree with the "banks should allow certain levels of bank
| fraud because X" for the simple reason we don't have "banks
| should provide interest free funding to murderers, sex
| traffickers, pornographers and drug ring" even though that is
| often the same thing. (And in a two page HN thread I am sure I
| am not the first to say that)
|
| (#) someone else mentioned the difference between ideal and
| optimal which is a very good distinction.
| jrnvs wrote:
| I doubt it. The current system is a local optimum. Better
| local optimums already exist elsewhere.
|
| In The Netherlands, direct online payments using debit cards
| are very common. These are secure payments, verified through
| a bank's mobile banking app or internet banking with 2FA.
|
| https://en.m.wikipedia.org/wiki/IDEAL
|
| This means there is no risk for the seller that a payment
| gets reversed. There is fraud, but it centers mostly on
| social engineering people to authorise payments for others,
| or to mail their debit card to "the bank" for "recycling".
|
| Cost per payment: about 30 cents.
|
| Meanwhile, in other countries, credit cards are the common
| online payment option. Security? A number on the front of the
| card and a "secret" second number on the back of the card.
|
| Cost: 1.5-3.5% of payment.
|
| Better security is possible, but it's hard to move from a
| local optimum when you're locked into a certain ecosystem.
|
| The credit card no-security scheme works because everyone
| gets reimbursed for fraud. It comes at the cost of retailers
| handing a few percent of every transaction to intermediaries,
| instead of just a few pennies.
| bobthepanda wrote:
| I would not call anything in the fragmented, legacy US
| financial system "trivial."
|
| It took us a decade and counting to get chipped cards, longer
| to get contactless pay, and even then we don't really use the
| PIN part of chip+pin. Something like FedNow is only coming
| next year.
| lifeisstillgood wrote:
| Anything I am describing is a decade plus away.
|
| I mean every central bank could tomorrow just put up a non-
| permissive (#) blockchain and just make a virtual coin for
| every cent out there. And this would cause utter chaos. It
| would essentially end fractional reserve banking. That
| makes loans ... difficult.
|
| The impacts are enormous, but a digital native currency is
| so simple, so attractive we may well try it. And then have
| to rethink our financial regulations. It will look a lot
| like ICOs.
|
| I still think it is inevitable.
|
| (#) ok the terminology I find either dubious or I
| misunderstand but basically every wallet holder gets their
| private / public key registered, then there is a known
| state of money globally, and the Bank is a verifying party
| to each transaction. Something like that anyway. There are
| many options but essentially if we all "trust" the money
| printer then the _technical_ problems simplify.
| thaumasiotes wrote:
| > and centralised digital cash (not bitcoin but
| BankOfEnglandCoin) is technically feasible.
|
| Not only is it feasible, we've had it forever.
| BankOfEnglandCoin is more commonly known as the pound
| sterling.
| manholio wrote:
| > The optimal amount of fraud a business/industry should accept
| is non-zero
|
| Let's make that: "The optimal amount of fraud a business should
| accept _under the current credit card online payment system_ is
| non-zero".
|
| There is absolutely nothing intrinsic about online commerce
| that requires fraud. Online businesses routinely operate with a
| money first, zero consumer trust paradigm. They ask for my
| payment credentials first, and only then deliver the products.
|
| If we were to design the online payment system from scratch, we
| would use cryptography to completely remove the notion of
| credit card theft, and escrow to settle consumer complaints,
| with an option for paid arbitration when things go bad. I guess
| you can call some of those cases "fraud" and some customers are
| so unreasonable that they border on criminal, yes, you can't
| make that segment zero, but I don't think that's the kind of
| fraud they are referring to.
|
| The reason we can't have those nice things is because of
| immense momentum of the current system designed in the 60s by
| companies that have very little reason to change anything. In
| fact, an online payment reform would most likely strip them of
| their oligopoly. So yes, the optimal fraud level is non-zero
| because Mastercard, Visa etc. can push that fraud onto
| consumers (via retailers), and they are making much more money
| anyway from the current situation.
| tfehring wrote:
| An analogy that may resonate with readers here is that
| targeting zero fraud is like targeting 100% uptime in a
| computer system. You evaluate the business trade-offs and
| decide how many 9s of non-fraud are appropriate, knowing that
| (1) each additional 9 is more expensive than the last but only
| gives you 1/10 of the benefit, and therefore (2) infinity 9s
| (equivalent to zero fraud/100% uptime) is a useless aspiration
| for all practical purposes.
| kelnos wrote:
| That's incomplete, though. The business running the computer
| system would bear all the costs in attempting to target 100%
| uptime.
|
| Targeting zero payments fraud does mean the business has to
| bear the costs of the fraud prevention measures, but their
| _customers_ also have to bear intangible costs, like the
| annoyance of a detailed, invasive know-your-customer process
| before being able to buy anything.
|
| But if I'm a user of this computer system that targets 100%
| uptime, I don't have to see any of the downsides/costs that
| the business incurs to try to get that uptime. I just see
| great uptime, and it's all rosy for me.
|
| I think it's important to acknowledge that, in pursuing lower
| (or zero) fraud, both the business _and its customers_ have
| to bear costs related to that goal.
| filleokus wrote:
| Great explanation. But I'm not so sure about "The optimal
| amount of fraud in society is 0".
|
| Especially if we broaden fraud to include other crimes. There
| are costs to prevent other badness in society as well. Firstly
| it's the cost in taxes/allocating resources to its prevention:
| Do we really want to allocate a really large chunk of our
| shared human capital to police marginal criminal activity? How
| many more police, judges, attorneys, lock makers, etc would we
| need to stop the last bike theft?
|
| Secondly and arguably more importantly is the cost of freedom.
| A lot of the digital surveillance initiatives that are
| discussed and dismissed here on HN are enforced in the name of
| zero tolerance against (really bad) badness in society.
|
| I think it's hard, or impossible, to create a somewhat large
| society with zero crime rate. At least if we still want even
| just a sliver of the freedoms we are accustomed to in liberal
| democracies.
| konschubert wrote:
| If you want something to be legal, make it legal.
|
| Don't make it illegal-but-not-enforced. Because then, whoever
| is in power can selectively enforce the law against any group
| they choose.
| filleokus wrote:
| Hmm. I think my mental model is more that it should be
| "randomly" enforced. The probability of getting caught is
| higher than some certain threshold, but that it's not
| necessarily bad if that threshold is lower than 100%.
|
| I can't think of any reasonable society that have taken
| actions to show that they want the probability to be 100%.
| I would even argue that the most harsh dictatorships
| probably have the highest enforcement, but that laws
| were/are very selectively enforced in the favor of e.g.
| regime officials.
| konschubert wrote:
| Okay, I see your point, I think we were talking about
| different things.
| kordlessagain wrote:
| There will always be people in society that think it is their
| job to drive us to zero risk, even if they have nothing to
| offer other than a downvote.
| thayne wrote:
| I think the point is that in a theoretical society in which
| there are no bad actors, and there is no cost to prevent
| fraud, the optimal amount of fraud is zero. That is, there
| isn't a reason you would want to encourage fraud, because a
| little bit of fraud is good. But when you also consider the
| cost of reducing fraud the optimal state for the system as a
| whole will have a non-zero amount of fraud. And of course,
| bad actors do exist, so in a real system you want to accept
| some amount of fraud.
|
| The difference is significant, because if you discover a way
| to significantly reduce fraud for a low cost (including cost
| of freedoms and similar), it will be worth implementing.
| And there isn't some point where you say "we are already down
| to x% fraud, we don't want to go any lower than that, even if
| it doesn't cost us anything".
| edbaskerville wrote:
| The literature on the evolution of cooperation, focused around
| computational thought experiments with iterated prisoner's
| dilemma, seems relevant here, e.g.,
|
| https://en.wikipedia.org/wiki/The_Evolution_of_Cooperation
|
| If you allow a population of individuals repeatedly playing
| prisoner's dilemma against each other to evolve their own
| strategies, you end up with a large percentage of the population
| cooperating with each other by default, but punishing cheaters
| after they are observed cheating. But a small percentage of
| cheaters will always persist, because as the number of cheaters
| goes down, the number of naive cooperators will go up, thus
| making it more advantageous to cheat.
|
| In evolutionary jargon, cheating behavior undergoes "negative
| frequency-dependent selection". And you end up with a low, but
| nonzero, equilibrium frequency of cheaters.
|
| This outcome here depends on the order of rewards/costs: the best
| outcome comes from cheating on a cooperator; next best is
| cooperating with a cooperator; then cooperating with a cheater;
| and worst is two cheaters cheating on each other.
|
| It's a caricature, but the evolutionary dynamics seem to map
| pretty well to the kind of examples people are bringing up here
| in the comments.
|
| (The actual "prisoner's dilemma" is rather a confusing story to
| use, because it's about criminals trying to decide whether to
| cooperate with each other or betray each other to avoid jail
| time. So you end up talking about the evolution of cooperation
| among a population of criminals.)
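
An added illustration, not part of edbaskerville's comment or the thread: replicator dynamics for the payoff ordering described there (cheat-on-cooperator > mutual cooperation > cooperate-with-cheater > mutual cheating), showing the cheater share settling at a low, nonzero value. The numeric payoffs are constructed, and `expected_penalty` (detection probability times punishment) is an assumption added to show how much enforcement it takes to push that share to zero.

```python
"""Replicator dynamics for the cheater/cooperator game described above.

Payoff order taken from the comment: T > R > S > P, where
  T = cheat on a cooperator      R = cooperate with a cooperator
  S = cooperate with a cheater   P = two cheaters meet
The numbers and `expected_penalty` are constructed for illustration.
"""

# Constructed payoffs; the ordering T > R > S > P gives an interior equilibrium.
T, R, S, P = 21.0, 20.0, 10.0, 0.0


def cheater_advantage(x, expected_penalty=0.0):
    """Cheater fitness minus cooperator fitness when a fraction x cheats."""
    fit_cheat = T * (1 - x) + P * x - expected_penalty
    fit_coop = R * (1 - x) + S * x
    return fit_cheat - fit_coop


def equilibrium_cheater_fraction(expected_penalty=0.0):
    """Closed form: the x at which cheater_advantage(x) == 0, clamped to [0, 1]."""
    x = (T - R - expected_penalty) / ((T - R) + (S - P))
    return min(1.0, max(0.0, x))


def simulate(x0, expected_penalty=0.0, steps=5000, dt=0.01):
    """Euler-integrate dx/dt = x (1 - x) * cheater_advantage(x) from x0."""
    x = x0
    for _ in range(steps):
        x += dt * x * (1 - x) * cheater_advantage(x, expected_penalty)
        x = min(1.0, max(0.0, x))
    return x


if __name__ == "__main__":
    # Negative frequency dependence: cheating pays when rare, loses when common.
    for x in (0.01, 0.09, 0.5):
        print(f"cheater share {x:.2f} -> advantage {cheater_advantage(x):+.2f}")

    # Very different starting points converge to the same nonzero share.
    for x0 in (0.001, 0.5):
        print(f"start {x0:.3f} -> settles at {simulate(x0):.4f}")

    # Enforcement shrinks the equilibrium; it reaches zero only once the
    # expected penalty is at least the temptation to cheat, T - R.
    for pen in (0.0, 0.5, 1.5):
        print(f"expected penalty {pen:.1f} -> "
              f"equilibrium {equilibrium_cheater_fraction(pen):.4f}")
```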
| phoe-krk wrote:
| Is this something that could be argued about other sorts of crime
| as well? In particular, in the ongoing fight against encryption
| that has been widely commented on HN multiple times, can (or
| should) one (safely) argue that e.g. the optimal amount of online
| sex trafficking and child abuse is greater than zero? What would
| be the consequences of taking such a stance once it inevitably
| reaches public discourse?
| dahart wrote:
| > can one argue that the optimal amount of online sex
| trafficking and child abuse is greater than zero?
|
| No, this fraud argument does not apply to child abuse or sex
| trafficking. The reason is because the fraud argument is
| talking only about _direct financial_ loss of fraud compared to
| direct financial loss of enforcement. The fraud argument
| doesn't actually work if we're talking about individuals losing
| their savings, it only makes sense if you assume the cost of
| fraud is borne by banks, and that it's a marginal cost and does
| not bankrupt anyone.
|
| There is no amount of money that makes the damage done by sex
| trafficking or child abuse okay, and there is no reasonable way
| to convert the damage done by these crimes into money. To
| suggest that the optimal amount is non-zero would only be an
| externalizing of the damage and costs of such crimes, and to
| essentially reduce our morals to money. And that's exactly what
| this very argument does in other contexts; it externalizes non-
| financial damage, and sometimes financial damage too. This
| argument is made in other contexts, and it's sometimes wrong
| and/or full of assumptions that aren't true.
|
| We could imagine extreme hypothetical situations that might
| clarify the argument or how to think about it - is it
| equivalent if 1% of people suffer a 100mm knife wound or 100%
| of people suffer a 1mm knife wound? The 1% would all die. In
| the other case, everyone suffers a mild inconvenience they
| forget about by tomorrow. Despite the equal amount of flesh
| damage, these are not remotely equivalent, and thus can't be
| compared or declared as optimal. The type of damage done
| matters, and the number of people affected and amount of damage
| done to individuals matters.
|
| Beware arguments that reduce negative outcomes to money. These
| tend to favor businesses (who are biased to prefer less
| regulation) and tend to externalize all the indirect costs and
| the costs to society. This is exactly what has been done with
| regard to pollution over the last century - it has been
| successfully argued that the optimal amount of pollution is
| non-zero, and we're starting to see the consequences of that
| and pay costs for decisions made long ago. There was a pretty
| good paper I read [1] that re-evaluated these arguments for
| several specific large public works projects in the 50s through
| 70s, where the post-facto costs and outcome benefits
| calculations were shown to be different by _orders of
| magnitude_ compared to when the decisions were being debated.
| IOW there is good historical precedent-based reason not to
| trust someone who claims the damage will be minimal or
| equivalent to the case where we put some effort into minimizing
| it.
|
| [1]
| https://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?a...
| phoe-krk wrote:
| Thanks for the in-depth reply - that's exactly the sort of
| fuel for the mind that I hoped for when posing my questions.
| Thiez wrote:
| You could argue that but as you expect your opponents would
| quickly paint you as being pro-X. Every decent person would
| prefer zero child abuse, but few people would support having
| mandatory police surveillance cameras installed in every room
| in their house, even if such a panopticon would be proven to
| reduce significantly child abuse. Us meatbags are irrational
| like that.
| kurupt213 wrote:
| Governments do make that choice through prosecutorial
| discretion
| peteradio wrote:
| It's not a choice of amount to leave out there, it's a choice of
| how much defense to allocate.
| jacobkg wrote:
| This is the thesis of the excellent book on financial fraud
| "Lying for Money"
| souldeux wrote:
| I feel like this starts with an agreeable premise. Some fraud is
| egregious, costly, and/or easy to detect. These low-hanging or
| high-impact cases are most worth pursuing. At some point you
| reach diminishing returns, where the amount of time / effort /
| capital you're putting in to eliminating fraud outstrips the
| losses from the fraud itself.
|
| I don't know that I agree with the ethical conclusion that the
| optimal amount of fraud is therefore non-zero. The leap from
| "anti-fraud efforts are expensive" to these sentences in the
| final paragraph was not, in my opinion, convincingly made here:
|
| >We should, as a society, accept non-zero amounts of benefits
| fraud. We should accept non-zero amounts of cheating on taxes.
| lumost wrote:
| The problem with accepting it is that people figure out
| repeatable tricks to get around the system.
|
| If we view those repeated tricks as business as usual - we
| should probably make them accessible to everyone. Otherwise the
| small fraud becomes rampant.
| aqme28 wrote:
| So a non-comedic version of this Mitchell and Webb skit:
| https://www.youtube.com/watch?v=fqYyxvM85zU
| gonzo41 wrote:
| I would think the strategy would be to encourage low impact
| fraud with lazy compliance and making a customer whole (Credit
| card chargebacks). And then hunt out and destroy high impact
| fraud.
|
| With the intent to incentivize and train criminals to stay
| small and low impact.
|
| If you're a retail platform, and you have a few scammers making
| a few grand of 20-100 dollar scams. You can play whack-a-mole
| with them and then that keeps people doing that small fraud
| rather than leveling up and potentially doing crimes that could
| endanger the whole business with the exposure.
| mytailorisrich wrote:
| This is not an ethical conclusion. This is a pragmatic and
| utilitarian conclusion where 'optimal' means minimising the
| cost/benefit ratio.
|
| Incidentally, this shows that the 'perfect' ethical stance is
| not necessarily the one that delivers the most benefits at the
| least cost, aka when ideals meet the real world...
| tptacek wrote:
| The ethical issues of accepting nonzero fraud are that striving
| for zero fraud creates program design changes that lock people
| out of benefits. If you design a health care system that aims
| for 0% fraud, some measurable number of people are going to be
| deprived of care because the registration and billing
| procedures are too onerous. With taxes, aiming for 0%
| noncompliance will prevent people from taking advantage of
| deductions and credits.
|
| This isn't hypothetical; it's the issue underlying the "program
| design" controversies about means-testing in public policy.
| atq2119 wrote:
| Not to mention that enforcement has rapidly diminishing
| returns. Even if your _only_ goal was to maximize tax revenue
| (minus cost of tax administration), and you didn't care at
| all about people being able to take advantage of deductions,
| the optimal amount of fraud is almost certainly non-zero.
|
| (And of course, if you _did_ want to maximize tax revenue,
| you'd focus enforcement on the big fish.)
| tshaddox wrote:
| It feels like a very subtle is-ought distinction, where the
| author is discussing something that unavoidably _is_ the case
| and therefore concludes that it _ought_ to be the case and
| therefore ought to be accepted if not even welcomed. The
| marketing example makes this pretty clear. Of course no one
| thinks the marketing director could spend zero on marketing.
| But...surely they would love to spend zero if they could still
| get what they wanted for zero money.
| Spooky23 wrote:
| Targeting zero is an immature approach that is self-destructive
| in most cases.
|
| If your incentive is to have zero fraud, the organization will
| find ways to not detect fraud or add so many controls and
| audits that the cost of doing whatever will go up.
|
| There's a balance. In the tax world, the de-clawing of the IRS
| for certain things has dramatically impacted compliance. You
| want enough enforcement that you're discouraging the median
| cheater, but not so much the cure is more expensive.
| avgcorrection wrote:
| > I don't know that I agree with the ethical conclusion that
| the optimal amount of fraud is therefore non-zero. The leap
| from "anti-fraud efforts are expensive" to these sentences in
| the final paragraph was not, in my opinion, convincingly made
| here
|
| It's like saying that the optimal dirtiness after cleaning your
| house is non-zero (greater than zero) because cleaning it
| perfectly takes much more effort than it is worth!
|
| That's not counter-intuitive at all. It's just an obvious fact
| stated in a silly way (for clicks or whatever else).
| LanternLight83 wrote:
| It's like cleaning old painted metal with a scouring pad; You
| want to clean thoroughly enough to take off the grime, but if
| you scour too long or too hard you'll end up taking off the
| paint itself. You'll always either leave a little dirt
| behind, or take off some paint, never perfection. You could
| strip all the paint and repaint it, but that's so much more
| costly in terms of time and materials that it's a whole
| different task.
|
| And the argument that more stringent anti-fraud protections
| increase the burden on legitimate claimants is absolutely
| spot on, and has parallels in all sorts of other legal,
| financial, and market situations c:
| Taywee wrote:
| That doesn't mean that the optimal amount is nonzero. Taken
| in isolation, the optimal amount is clearly zero. The optimal
| amount doesn't change based on the cost, the optimal amount
| of effort to expend is a different answer.
|
| It's not just stated in a silly way, it's stated in a way
| that's incorrect because they didn't mean what they said.
| "The optimal amount of fraud is nonzero" does not actually
| mean the exact same thing as "in an optimally-beneficial
| fraud prevention effort, the amount of fraud is non-zero".
| jasode wrote:
| _> Taken in isolation, the optimal amount is clearly zero.
| _
|
| But the very point of the article is to _not take zero-
| fraud in isolation_ and instead, explain how _non-zero-
| fraud is an unavoidable tradeoff_ when balancing 2
| simultaneous goals:
|
| - (1) prevent fraud transactions as much as practically
| possible
|
| - (2) make legitimate transactions as easy as possible
|
| If one accepts the premise of _pursuing those 2 goals at
| the same time_ , then by definition, we're no longer
| talking about _" in isolation"_. You've now unavoidably
| entered non-zero fraud territory.
|
| Perhaps it's the author's particular wordsmithing of what
| he's trying to convey that just rubs many readers the wrong
| way.
| nocman wrote:
| > "in an optimally-beneficial fraud prevention effort, the
| amount of fraud is non-zero".
|
| Yeah, but that phrase won't get any clicks.
|
| I gave up about half way through the article and just
| skimmed through the rest.
| awillen wrote:
| > Taken in isolation, the optimal amount is clearly zero.
|
| The post makes it clear that the discussion is not about
| theory or taking anything in isolation - it's about fraud
| in the real world. In that context, the way it's stated is
| correct - if you have zero fraud in the real world, that
| means that you designed the tradeoffs wrong and that the
| cost of your fraud prevention (in terms of actual dollars
| as well as inconvenience to customers, etc.) is greater
| than the overall cost would be if you allowed a small
| amount of fraud to occur (looking at the total cost of that
| fraud as well as the cost of preventing additional fraud).
|
| I suppose the problem is that whether or not the title of
| the post is true or not depends on the context in which
| it's taken, and the title itself doesn't have any context.
| Since the post does offer context, though, I think it's
| reasonable to take the title in that context.
| avgcorrection wrote:
| Yeah, I agree.
| antman wrote:
| Not an ethical conclusion but a pragmatic one. The ethical part
| is what you do after the fact:
|
| 1. Pass the cost towards self regulation of people, using
| client facing measures e.g. prove their innocence if they are
| an outlier
|
| 2. Catch a couple of cases and over market your policing
| ability to disadvantage the most gullible.
|
| 3. Catch a couple of cases, even minor infractions and destroy
| them with disproportionate fines or jail sentences, economy of
| randomness or economy of those who have the best lawyers.
|
| Fraud against government, as above but add:
|
| 4. Add arbitrary constraints, you don't really want the system
| to work, you just fake it for political reasons
| jon-wood wrote:
| I don't know if that statement is backed by the article, which
| I will admit to not having read, but in general I agree.
| Completely eradicating benefit fraud will necessarily increase
| the burden on legitimate claimants to prove that they are in
| fact legitimate. Doing that is going to place enough burden on
| some people who should otherwise be able to claim that it
| results in them not doing so, or failing to do so because they
| were unable to provide the required evidence.
|
| I'd much rather see a few people who didn't need benefits
| manage to claim them than see people who do need them be left
| without. The first option costs tax payers a bit more money.
| The second results in people's lives being made significantly
| worse, and in some cases in deaths.
| UncleEntity wrote:
| > The first option costs tax payers a bit more money.
|
| The first option costs taxpayers significantly more than a
| 'bit'.
|
| Just look at how much it cost when they basically turned off
| all the checks in order to get covid relief into the hands of
| people who really needed it. In Arizona, after a while, they
| made it so you had to sit on (virtual) hold for 8-10 hours to
| verify your identity with a human or they would cut you off.
| Which worked well enough to ensure only the people who really
| needed it went through all the hassle. It really sucked for
| those people but they stopped sending billions of dollars
| overseas to people who just googled someone's address.
| tialaramex wrote:
| Also, not means testing universal benefits means everybody
| appreciates them as just something their society does, so
| that reduces stigma for the beneficiaries and increases pride
| in your society. "We ensure children in this country have
| nutritious food" not "Why are my taxes going to feed this 10
| year old whose mother has a full time job".
|
| I grew up in an area where many parents could afford (maybe
| if they budget carefully, maybe just anyway) to privately
| educate a child. But they mostly didn't, because the
| government funded schools were pretty good. In fact, as
| children it was actually a minor stigma to be privately
| educated, because if your parents are spending a lot of money
| on the fancy school, either they don't know how to spend
| their cash (so they're stupid) or you're _really stupid_ and
| they sent you to that school in the hope of making up for it.
| It was seen as like easy mode. Smart kids don't go to
| private school, why would they waste the money?
| Iridescent_ wrote:
| Yes, we should not accept the existence of fraud. We should
| simply be able to recognize the situations where fighting fraud
| is more costly than letting it exist. Not that it really
| matters in most places since we are quite far from that point
| anyways.
| wpietri wrote:
| Good point. I agree with the overall thesis; there are a lot of
| things that get increasingly expensive as you approach
| perfection. (Perfection is still a useful guidestar, but each
| step toward it has to be made with costs in mind.)
|
| However, I'm not nearly as breezy about $20 billion annually in
| fraud. Maybe that's fine from the perspective of the merchants
| and credit card networks. But from the societal perspective,
| that's subsidizing bad actors. People and groups who will not
| stop at one kind of crime as they try to grow. People who will
| divert other people into being parasitic. That's not healthy
| for society or for the individuals who end up living lives of
| crime.
|
| So I think the society-optimal level of fraud is way below the
| merchant-acceptable amount of fraud.
| hedora wrote:
| One problem with credit card fraud is that it subsidizes the
| payment networks. Without it, most of their reason to exist
| would disappear.
| AbrahamParangi wrote:
| It's also, in some sense, a formulation of Blackstone's ratio:
|
| "It is better that ten guilty persons escape than that one
| innocent suffer"
|
| At some point in pursuit of "0 crime" you will be imprisoning
| _10 innocent men_ to capture _1 criminal_.
| gernb wrote:
| Not if letting 10 guilty escape breeds more and more bad
| actors. You can make the argument that a few innocent suffer
| is a net benefit for society in the same way. In pursuit of 0
| innocent suffering you will capture no bad actors.
|
| To put it another way you're forgetting the victims. The 10
| fraudsters made 10 people suffer. Their suffering needs to
| be added to the equation.
| mfer wrote:
| How do you achieve zero fraud in a transaction?
|
| We can start with payment. What would someone pay with?
| Credit/debit numbers can be stolen. Checks can be stolen or
| forged. Cash can be counterfeit. What form of transaction has
| zero chance of fraud?
|
| To make transactions available to people you need to introduce
| systems that can have fraud in them. There is a balance between
| availability/ease and fraud.
| joedavison wrote:
| Bitcoin. It can easily be confirmed as valid (zero chance of
| counterfeit), and is otherwise a bearer instrument with no
| further settlement, and impossible to reverse (like cash).
| ajanuary wrote:
| Ah yes, and there's a 0% rate of people's wallets being
| stolen.
| patio11 wrote:
| The problem is not merely that the anti-fraud efforts are
| costly but that the anti-fraud surveillance apparatus will
| itself be value destroying. (In the tax case, it's "people in
| democracies don't enjoy their government having total
| visibility into their activities and society, in its judgment,
| says this is more important than tax collection at some
| margins.")
| Karellen wrote:
| > At some point you reach diminishing returns, where the amount
| of time / effort / capital you're putting in to eliminating
| fraud outstrips the losses from the fraud itself.
|
| That's not quite what I got from the article. I read it as the
| more friction you put in place to prevent fraud, the harder it
| is for legitimate transactions to happen. Therefore, it's not
| so much about the cost of the fraud, but the opportunity cost
| of legitimate transactions which don't happen in the zero-fraud
| environment.
| jimkleiber wrote:
| I appreciate how you phrased this. It has me thinking about
| how it might be similar for privacy and security in terms of
| information or even physical security. Yes, one can be super
| secure and safe from harm if one puts tons of locks on
| everything, but it also keeps out people who we might want to
| let in.
|
| Actually, now I'm thinking about it emotionally as well. Best
| way to prevent myself from getting hurt is to close off as
| much as I can. Also the best way to prevent myself from
| feeling joy and all the other things I want to feel.
|
| So thank you for this reminder.
| EdwardDiego wrote:
| It's analogous - reaching zero benefit fraud would impact
| legitimate recipients.
|
| And benefits are for helping people who are in poverty.
| mchusma wrote:
| I think a more fascinating look at this is how the difference
| between "legitimized fraud" versus "illegitimate fraud".
|
| Basically, for most businesses the amount of "friendly fraud"
| which means customers disputing charges because they changed
| their mind or didn't want to talk to the company or whatever is
| 10x the amount of fraud from stolen charges. (Visa estimates this
| as 3x but my experience is different).
|
| Civil asset forfeiture is the government seizing property without
| trial, and it is slightly more than theft each year.
|
| So between these things, it seems pretty easy to reduce fraud by
| 75% without much additional friction.
| TheAceOfHearts wrote:
| Potentially controversial take: this general idea also applies to
| other areas such as elections. Any sufficiently large election
| will have to contend with fraud and human error, but this is
| acceptable as long as the numbers aren't large enough to change
| the outcome.
|
| If you carefully scrutinize any large election you can almost
| certainly find at least one example of fraud. However, isolated
| cases of fraud or human error are not evidence of widescale
| election rigging.
| cratermoon wrote:
| This is what happens when enforcement is both overzealous and
| uneven: https://www.texastribune.org/2022/05/11/crystal-mason-
| illega...
| tgflynn wrote:
| If it's the merchants who carry the burden of credit card fraud
| why is it that almost all fraud prevention efforts seem to be
| done by banks/card issuers rather than by merchants ?
|
| Except for a small number of cases involving pre-paid cards, I
| have never seen a merchant refuse to accept a valid credit card
| payment for an online purchase. I have however encountered and
| heard of cases of banks declining transactions they considered
| possibly fraudulent.
| jameshart wrote:
| Because the card services are in the business of selling their
| service to merchants in exchange for a fee, and they have
| competition in that space. Merchants will (in theory) refuse to
| work with - or pay as much to - a card service which does
| insufficient work to prevent fraud.
| tgflynn wrote:
| That explanation doesn't make sense because the fraud
| prevention/transaction denials are being done by the card
| holder's bank, not by the merchant or payment processor and
| merchants don't get to decide what issuing banks they will be
| doing business with. For the most part they either have to
| accept all Visa cards or none (except maybe for some very
| broad categories like country of origin or pre-paid vs. non
| pre-paid).
| JasonFruit wrote:
| It sounds more morally acceptable to say, "The optimum level of
| anti-fraud enforcement does not eliminate all fraud." It's not
| that there's a nonzero amount of fraud that is optimal -- all
| fraud is bad -- but rather that the return on efforts to
| eliminate the last bit of fraud is negative.
| no_identd wrote:
| I wouldn't even go as far as saying "level of anti-fraud
| enforcement", because "anti-fraud enforcement" ain't exactly
| formally well defined
| JasonFruit wrote:
| Well, I needed _some_ noun. Any recommendations?
| pigbearpig wrote:
| Do people who write these things really think these are novel
| concepts? The amount of arrogance and delusion required to state
| the obvious is hard to comprehend.
| benreesman wrote:
| I think I agree with OP's premise that driving "fraud" to "zero"
| is kind of a fool's errand: some people, like Bender from
| Futurama, "just love crime, just love stealin' things...da dah
| da".
|
| But for me at least, it grates more than a little whenever Self-
| Assured Tech Person With Logic and Statistics In Hand assures
| you, dear reader, that if you actually crunched the numbers
| instead of gobbling up pablum from the Washington Post like a
| lemming, would in fact realize the Free Enterprise Is Going Just
| Great.
|
| The World Economic Forum has sufficient data to do a plausible
| "Social Mobility Index" on 82/195 UN-recognized sovereign states:
| and it's just one of many data points that Capitalism Muzzled by
| Social Democracy is in fact what you want if "people having a
| shot at doing better than their parents in large numbers" is a
| priority.
|
| I'm old enough to have watched the effects of the Operational
| Research PhD's at Megacorp "optimizing" every angstrom of human
| joy and dignity out of living in a Free Enterprise Zone. You
| can't do _anything_ these days that involves commerce without
| bumping into this. Friendly dare for US readers: try invalidating
| a credit card number in a way that stops every recurring auto-pay
| that has barnacled itself onto your economic ship is forced to
| get you to re-auth it. Good luck.
|
| So while driving "fraud" to "zero" might be silly, we can almost
| surely take a big whack out of it by making a salutary example or
| 1000 of companies that have "optimized" the right amount of
| paying OSHA fines rather than allowing bathroom breaks to "all of
| them", or "optimized" the right amount of cheap and fast
| municipal fiber to "zero", or the right amount of employees to
| force _just_ below the "gets benefits" line to "whatever the
| maximum is".
|
| I worked in butcher shops and call centers and retail in the
| Clinton Administration, and boy were they after you for every
| dime. Having been an over-privileged techie for the last decade
| or two I've personally been largely insulated from how much worse
| it's gotten since then, but the kids I grew up with for the most
| part haven't, and it's a little hard to regard the significant
| fraction of them with some "grey at best" side hustle as doing
| anything other than scamming the scammers who have Corporate
| Backing.
| sgjohnson wrote:
| I personally can't stand PSD2[0]. It has completely ruined the
| online shopping experience in the EU (for me at least).
|
| I loved the way American Express implemented it. They sent you a
| one-time passcode on your first purchase with the merchant, and
| then you could also choose for them to not bother you with any
| further purchases from the same merchant. I had this enabled by
| default, it made the experience a million times more enjoyable.
|
| Unfortunately not everyone took AmEx, and I no longer live in UK
| (or a country where AmEx has presence for that matter), and the
| way banks in my current country of residence have implemented it
| is absolutely abysmal.
|
| 1. The billing address must be a match 100% of the time, which is
| painful in situations where you can't specify separate billing
| and shipping addresses and you want the item shipped to a
| different address (could be 3 for me)
|
| 2. Mandatory 2FA on every transaction, depends on the exact
| implementation, but typically you must wait for a notification on
| your phone, and then type in a PIN. In some implementations you
| have to scan a QR code, and then type in the said PIN. Sometimes
| the solution they use for this is down.
|
| 3. If anything is wrong at all (billing address/mistyped
| CVV/whatever), the transaction just gets refused at the end of
| this loop. Was it something you did wrong? Is some system down?
| Let's try again.
|
| And sometimes this even messes up recurring subscriptions. My
| Microsoft 365 Business sub that's billed monthly on a credit card
| GETS REJECTED EVERY TIME UNTIL I MANUALLY GO THROUGH THIS STUPID
| PROCESS.
|
| It has made paying for things online a chore. I couldn't care one
| bit about all the fraud this presents, because I was never liable
| for it in the first place. That decision was previously up to the
| merchants (who could have implemented all of this if they wanted
| to). Now it's forced on everyone.
|
| [0] https://www.bbva.com/en/everything-need-know-psd2/
| no_identd wrote:
| tbf that's more an issue with incompetent software devs and
| more importantly (lest someone accuses me of shifting the blame
| on devs like a clown would) horrible business product owners.
| My hope is that Biden's executive order on SBOMs and whatever
| thing like it which the EU probably has in the works will
| (unfortunately only slowly) shift the way in which the way
| business treats software development affects software
| development culture. (SBOMs may sound completely tangential to
| this, but in the long run they have a pretty important role to
| play here.)
| 988747 wrote:
| Two-factor authentication is my least favorite thing about
| PSD2. Back in the day I would simply memorize my credit card
| data, and was free to buy anything online, anytime. It also
| gave me confidence during the vacations abroad that if I get
| mugged on the street I will still have access to my money. Now
| I need to keep my phone close for SMS codes / mobile app
| authorization, and I need to keep a backup phone just in case
| my primary phone breaks/gets lost/is stolen.
| hyperman1 wrote:
| I'm comparing the US credit card system with the chip+pin system
| common in my country.
|
| * As you need both the card and the code, and as cards are almost
| impossible to clone, card fraud and identity theft are almost
| nonexistent.
|
| * Plenty of online shops allow me to buy something without
| creating an account or providing a billing address.
|
| * As the whole thing runs on debit instead of credit, nobody
| cares about credit scores.
|
| * A common complaint from merchants is that the system is
| expensive. My paper merchant recently grumbled he paid around
| EUR4000/year. I don't know if this is normal or how much the
| credit card system costs for a merchant, but subtracting these
| amounts would provide an upper bound to the preferable amount of
| fraud.
|
| So while kalzumeus might be right, I believe the system he
| describes/is used to allows a lot more fraud than required.
| entropicgravity wrote:
| Under this regime I would accept less than zero fraud.
| woleium wrote:
| There was a study done on a tribe of wild monkeys where mutual
| grooming to remove ticks/fleas/lice happened. Some monkeys
| 'cheated' and didn't pay forwards the grooming they received. The
| study concluded that as long as cheaters were less than 5% of the
| population then mutual grooming continued. When the number of
| cheats exceeded 5% the system broke down and no mutual grooming
| happened for some time.
|
| It seems that a society can bear a certain amount of cheating
| before the system breaks down, a 'tipping point' of sorts. As
| long as we keep the cheating below the tipping point, the game
| continues, which is after all the most important aspect, I think.
| rendall wrote:
| I'm surprised the grooming monkeys didn't retaliate by refusing
| to groom the shirkers.
| sgjohnson wrote:
| There surely is a game theory model for this.
| GnarfGnarf wrote:
| TL;DR: If your fraud-prevention measures are too stringent, you
| will alienate your honest customers. Relax just enough so that
| the losses to fraud are less than what business you would lose if
| you were any more strict.
| LorenPechtel wrote:
| True, but we don't always get the balance right.
|
| Take, for example, many sites asking for the CVV code when
| using a saved card. In many cases, why?? If I supplied the CVV
| once and I haven't changed anything since what's the chance a
| subsequent order is fraud?
|
| There's also the problem that some anti-fraud measures would
| have to be implemented by the credit card company but they're
| not the ones that eat the cost. I could see a market for a
| credit card with better terms but where you must approve every
| transaction with an app on your phone--but how do you make that
| work in the current marketplace?
|
| I have a credit card that supports virtual numbers--but it's a
| pain to use. Their benefit, but a hassle for me.
| velavar wrote:
| > True, but we don't always get the balance right.
|
| Agreed :)
|
| > Take, for example, many sites asking for the CVV code when
| using a saved card. In many cases, why?? If I supplied the
| CVV once and I haven't changed anything since what's the
| chance a subsequent order is fraud?
|
| As a fraud risk manager, I've seen this scenario way too
| often: Say you have your card saved on a merchant website -
| fraudsters can often compromise your login on said merchant
| site and go on a spending spree with all your saved cards
| (unless you ask for a CVV from time to time, that is).
| richardc323 wrote:
| Sure, there is a trade off, but they have it wrong for online
| fraud from stolen credit cards.
|
| The three digit CVV code should be a one time passcode (OTP).
| Banks have been using these since the 1990s for online logins.
|
| Using 90s technology, the card issuer would issue one of these
| OTP fobs along with the card. It has the card number printed on
| it, a button and a LCD screen where the OTP is displayed. The CVV
| is already sent through to the computer that authorises the
| transaction, the software that checks the CVV would need to be
| changed.
|
| So we have a trade off of the user having to have a separate
| thicker card, to fit the battery, for online use.
|
| I just googled, you can get batteries that are 0.4mm X 22mm x
| 29mm, a credit card is 0.76mm. Eink is old technology now with
| the right performance characteristics. I suspect in volume using
| this technology you could integrate the OTP device in the
| standard card form factor for less than a couple of dollars a
| card.
|
| So with a bit of innovation the friction of payment / fraud
| tradeoff goes away.
|
| This all strikes me as fairly obvious to someone designing these
| things, is there another tradeoff going on here?
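The dynamic CVV described above, sketched from the issuer's side as an added example (not part of the comment and not any card network's actual scheme): an RFC 4226/6238-style one-time code truncated to three digits. The 60-second step, the one-step drift window and the three-failure lockout are assumptions; the key is the RFC 4226 test secret used as a sample.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: the fob shows a new code every minute
DIGITS = 3          # CVV length, as in the comment
SAMPLE_KEY = b"12345678901234567890"  # RFC 4226 test secret, sample only


def hotp_cvv(card_key: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for `counter`, truncated to DIGITS digits."""
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def dynamic_cvv(card_key: bytes, unix_time: int) -> str:
    """Code the fob would display at `unix_time`."""
    return hotp_cvv(card_key, unix_time // STEP_SECONDS)


class IssuerCvvCheck:
    """Issuer-side check for one card (hypothetical class, not a real API).

    Three digits give only 1,000 possible codes, and with a drift window of
    one step three of them are valid at once, so each blind guess succeeds
    with probability 3/1000. The failure counter, not the code length, is
    what keeps online guessing in check.
    """

    def __init__(self, card_key: bytes, max_failures: int = 3,
                 drift_steps: int = 1):
        self.card_key = card_key
        self.max_failures = max_failures
        self.drift_steps = drift_steps
        self.last_counter = -1   # highest time step already accepted
        self.failures = 0        # consecutive wrong codes

    def verify(self, submitted: str, unix_time: int) -> str:
        if self.failures >= self.max_failures:
            return "locked"      # needs out-of-band reset by the issuer
        now = unix_time // STEP_SECONDS
        first = now - self.drift_steps
        last = now + self.drift_steps
        for counter in range(first, last + 1):
            # Skip steps at or before the last accepted one: a code seen by
            # a merchant (or skimmed from a page) cannot be replayed.
            if counter <= self.last_counter:
                continue
            expected = hotp_cvv(self.card_key, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                self.failures = 0
                return "accepted"
        self.failures += 1
        return "rejected"


if __name__ == "__main__":
    check = IssuerCvvCheck(SAMPLE_KEY)
    code = dynamic_cvv(SAMPLE_KEY, 65)
    print(code, check.verify(code, 65))        # first use is accepted
    print(code, check.verify(code, 70))        # same code again is rejected
```

A stored card number plus a captured code is useless after one authorisation, which addresses the stolen-saved-card case; the cost is that the issuer must keep per-card state (last step, failure count) in the authorisation path.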
| still_grokking wrote:
| Banks don't have much initiative for investments in IT
| security. They have insurances.
|
| That's why IT sec all around banking is just the bare minimum
| required by regulations.
|
| Those sec-specs are also usually at least one decade behind the
| state of the art... And they get updated only extremely seldom
| as this would cause "a lot of paper work" at the banks, so the
| banks are always against any changes to those regulations; and
| if something changes finally it takes the banks again at least
| half a decade to adapt to those changes; they can do it like
| that as the time windows to comply are usually set to be very
| long, because you know, it's really a lot of paper work...
| richardc323 wrote:
| I suspect it is the credit card company rather than the banks
| that have the power to fix this, but yes the incentives seem
| wrong.
|
| They have successfully shifted liability for the problem to
| banks and merchants.
|
| Instead the innovation has gone into things like Paywave
| which reduces payment friction.
| jokethrowaway wrote:
| If each card were a public/private keypair, you could sign a
| message authorising a payment of X amount at current time, in
| zero knowledge, without leaking your secret (the credit card
| number) in every transaction.
|
| Add two factor authentication, if you want, but fix the
| underlying giant issue first.
| richardc323 wrote:
| This would be more secure than what I proposed, but requires
| changes that are out of the control of the credit card
| companies.
|
| For the card to sign the transaction, you need to add some
| kind of card interface to the users device. Maybe this is
| what happens with chip cards when you use it at a shop with a
| card terminal.
| skybrian wrote:
| I have memorized the CVV for one card I use, and the rest is
| saved in the browser. So, having to actually get out the credit
| card would be adding a minor inconvenience. That doesn't matter
| too much for me, but it probably does mean many millions in
| revenue for retailers.
| oli5679 wrote:
| There is a concept in microeconomics called the Lerner equation.
| A monopolist maximises profits at the price where gross margin %
| is equal to -1/ price elasticity of demand.
|
| The intuition behind this is their uplift in sales from a small
| price cut must equal the revenue they lose on all existing items,
| and their costs of producing the extra items. So if they have a
| gross margin of 50%, they need price elasticity of demand to be
| -2, since a 1% price cut will sell 2% more, raising revenue by 1%
| and costs by 1%.
|
| The same applies for blocking fraudulent customers, you want your
| assessed likelihood of fraud to be higher than your gross margin.
| If I think you have a 25% chance of being fraudster, and I make a
| 25% margin, then selling to 4 customers I will make 25% 3 times,
| and lose 75% one time.
|
| If you have more complicated factors like cost of processing
| chargeback, different interventions like 3DS/manual review, then
| the threshold is different, but the overall probabilistic
| framework and calculating breakeven thresholds can still be used.
|
| https://en.wikipedia.org/wiki/Lerner_index
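The breakeven reasoning above as an added example (not from the comment): expected profit per order for approving, stepping up to 3DS, sending to manual review, or declining. Every cost figure and every abandon or catch rate below is an assumed value chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Costs:
    margin: float               # gross margin as a fraction of price
    chargeback_fee: float       # fixed fee per fraudulent order
    review_cost: float          # analyst cost per reviewed order
    review_catch: float         # share of fraud a reviewer stops
    review_false_reject: float  # share of good orders a reviewer rejects
    stepup_abandon: float       # share of good customers lost at 3DS
    stepup_catch: float         # share of fraud stopped by 3DS


# Assumed figures, not taken from the thread or the article.
SAMPLE_COSTS = Costs(margin=0.25, chargeback_fee=15.0, review_cost=3.0,
                     review_catch=0.9, review_false_reject=0.05,
                     stepup_abandon=0.10, stepup_catch=0.8)


def _ev(p, price, c, good_kept=1.0, fraud_passed=1.0, fixed=0.0):
    """Expected profit when a share of good and fraud orders gets through."""
    gain = (1 - p) * good_kept * c.margin * price
    loss = p * fraud_passed * ((1 - c.margin) * price + c.chargeback_fee)
    return gain - loss - fixed


def expected_values(p: float, price: float, c: Costs) -> dict:
    """Expected profit of each action for an order with fraud probability p."""
    return {
        "approve": _ev(p, price, c),
        "step_up": _ev(p, price, c, 1 - c.stepup_abandon, 1 - c.stepup_catch),
        "review": _ev(p, price, c, 1 - c.review_false_reject,
                      1 - c.review_catch, c.review_cost),
        "decline": 0.0,
    }


def best_action(p: float, price: float, c: Costs) -> str:
    evs = expected_values(p, price, c)
    return max(evs, key=evs.get)


def breakeven_fraud_probability(price: float, c: Costs) -> float:
    """p at which plain approval earns zero: margin*price / (price + fee).

    With no chargeback fee this reduces to p == margin, the 25% / 25% case
    in the comment.
    """
    return c.margin * price / (price + c.chargeback_fee)


if __name__ == "__main__":
    for p in (0.01, 0.10, 0.30, 0.80):
        print(p, best_action(p, 100.0, SAMPLE_COSTS))
```

Under these assumptions an order at 30% fraud probability is above the plain-approval breakeven (about 21.7%) yet still worth taking through review, which is the sense in which interventions move the threshold.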
| mooreds wrote:
| Here's the Planet Money episode:
| https://www.npr.org/2022/08/26/1119606931/wake-up-and-smell-...
|
| I really enjoyed the whole thing.
| Kwantuum wrote:
| That's a lot of words to say "to make fraud harder you have to
| make buying from you harder, the optimal amount of fraud is the
| amount of fraud you get when any additional measure you could
| take against fraud would lower your revenue more from lost
| business than it would lower your costs from people committing
| less fraud"
| jiggawatts wrote:
| Something related that I've noticed in government projects is
| that they will spend $100K on a tender process to eliminate a
| fraud risk of 5% that amounts to at most $10K if it does occur.
| So if you amortise the total "value" of the fraud, it's 10,000 x
| 0.05 = $500!
|
| Spending $100K to avoid a loss of $500 is something most sane
| businesses will not do, but to government this makes perfect
| sense, because they have a _rule_ that the acceptable amount of
| fraud is _zero_.
|
| Hence, they'll spend nearly _infinite_ resources to try to bring
| fraud down to closer and closer to zero.[1]
|
| You see similar things with risk aversion. Some risk is
| inevitable, but again, government departments will cheerfully
| blow billions of dollars to avoid the slightest risk. Projects
| like ITER and the SLS are highly risk averse and their costs
| reflect that. Meanwhile smaller, newer, _more risky_ projects
| will run circles around them.
|
| [1] At least what is _perceived_ to be zero. In actuality fraud
| remains rampant, but as long as it is _technically_ legal, it is
| not subject to this rule.
| 616c wrote:
| > Spending $100K to avoid a loss of $500 is something most sane
| businesses will not do, but to government this makes perfect
| sense, because they have a rule that the acceptable amount of
| fraud is zero.
|
| In short: no. That's the perception but is not correct, at
| least security risks.
|
| So since you mentioned SLS (you mean CMS and healthcare.gov
| maybe? Hello from a friend of people who made those things) I
| assume you mean US government. Now I totally agree that is
| perceived. Few parts of risk management are mandated at least
| in terms of the infosec side of the fence with risk management
| beyond what is in law (FISMA and thus Risk Management Framework
| made to address it as a req). The NIST RMF (SP 800-37 and SP
| 800-53) is very flexible and without even mentioning
| quantitative methods in those documents would inherently be at
| odds with your example; it is the opposite of risk management.
| But I do agree USG staff and contractors perpetuate this
| fallacy when provided the checklists of high-level
| recommendations and don't bother reading 800-37 at all, which
| explains the rationale strategy and approach that explain this
| example you give is bad and for good reason. They essentially
| document that not all systems get the same breadth and depth of
| security across govt in all agencies and projects equally for
| this reason. It doesn't scale or make sense.
|
| Sorry for the rant. I have it once a week with friends in
| public and private sector and the perception is true and may
| happen but the docs and the people who wrote them (also
| friends) can tell you that is very much the opposite of what's
| recommended by NIST and those upstream guidelines are those
| derived from law.
| unicornporn wrote:
| Reminds me of Marx and his theories on the productivity of crime.
|
| _The criminal moreover produces the whole of the police and of
| criminal justice, constables, judges, hangmen, juries, etc.; and
| all these different lines of business, which form equally many
| categories of the social division of labour, develop different
| capacities of the human spirit, create new needs and new ways of
| satisfying them. Torture alone has given rise to the most
| ingenious mechanical inventions, and employed many honourable
| craftsmen in the production of its instruments._ [1]
|
| [1] https://marxengels.public-archive.net/en/ME1920en.html
| robocat wrote:
| That is the broken window fallacy
| (https://en.m.wikipedia.org/wiki/Parable_of_the_broken_window)
| which was written in 1850, and Marx wrote the document you
| linked to in 1862 & 1863. Although I find Marx so impenetrable
| to read that I can't even tell what his opinion or theory
| actually is. I would guess Marx read it, but he doesn't respond
| to it, perhaps because in that linked document Marx says "For
| which reason all vulgar economists--like Bastiat...". I also
| wonder what defines an economist as vulgar?
|
| Fraud is waste. Businesses optimise for profit, and that
| optimisation often leads to some level of waste. No process is
| perfect.
| [deleted]
| unmole wrote:
| From the title, I thought it was a reference to the book _Lying
| for Money_ by Dan Davies. Anyways, the book is a brilliant
| exploration of this premise and also makes the case for why trust
| is necessary.
| tomxor wrote:
| It's actually pretty simple and intuitive if you put the reason
| up front, article seems needlessly long:
|
| > the policy choices available to them impact the user experience
| of fraudsters and legitimate users alike. They want to choose
| policies which balance the tradeoff
|
| What I don't get is how policy makers can appreciate such nuances
| and then not see how attempting to ban encryption could possibly
| break modern society... different policy makers I have to assume.
| dqpb wrote:
| The title is wrong. The argument is actually that the optimal
| amount of fraud prevention is non-100-percent.
| swid wrote:
| I guess this applies to all crimes, even major ones like
| murder and child abuse. We can monitor everyone all the time,
| or make sacrifices to live in a more free society.
|
| If you think the optimal amount of crime is greater than zero,
| at some point we are clearly using different applications of
| the word optimal. One person is talking about the level under
| the optimal "solution", while the other is talking about one
| constraint that still must be balanced against other
| constraints. The optimal amount of fraud spending is zero, but
| then we'd be left with a ton of fraud.
| vishnugupta wrote:
| Exactly. The optimum amount of fraud is really zero. But in
| order to achieve last 0.00001% you may end up screwing up
| experience for about 99% of your customers by asking them to
| 10-factor auth and what not.
| golemotron wrote:
| I thought the article was going to go in another equally
| compelling direction. If there is no fraud, measures to prevent
| it become lax because they are unnecessary costs. With no
| measures in place, fraud comes back because there is no cost to
| the fraudster.
| v8xi wrote:
| Heard an ad for a cybersecurity company yesterday and this same
| thought crossed my mind - how much business (and expertise) is
| generated to prevent cyber crime? Since the capital companies
| spend on preventing fraud likely far outweighs what the criminals
| actually earn, it could easily stand that cyber crime is a net
| positive for society given the job creation and technical know-
| how needed to fill those jobs.
| LBJsPNS wrote:
| TTBOMK, there is not and has never been a system built by humans
| that other humans haven't been able to take advantage of for
| their own devices. It's more an issue of minimizing it and
| punishing it when we find it.
| Michelangelo11 wrote:
| What an extremely, needlessly elaborate way of saying "security
| vs. convenience is a tradeoff." Indeed it is, and that's not a
| particularly novel insight.
| ygjb wrote:
| "security vs. convenience is a tradeoff" is an extremely glib
| and meaningless aphorism that is instinctively innate to almost
| every living organism.
|
| The statement obliterates the nuance of which tradeoffs need to
| be made and the cost and impact of those tradeoffs from an
| economic and social perspective that are foundational to being
| able to reason about risk.
| Michelangelo11 wrote:
| I wouldn't put it that way, but I would agree with anyone
| saying that statement omits a lot of information. Sure, it
| does, and it's pretty much the most general and abstract
| possible way of saying that. My beef with the article is
| that, despite its truly gargantuan word count, it hasn't
| added any new information on top of that statement. Once you
| know the thesis of the article is "The optimal amount of
| fraud is non-zero because security is a tradeoff and you want
| users to have convenience," everything in the article is
| pretty predictable.
|
| I would have liked to see, say, some nuts-and-bolts
| discussion of fraud handling in some particular industry --
| that would be novel and interesting to me.
| vishnugupta wrote:
| This is an extremely long-winded article/blog to say the
| following
|
| > the policy choices available to them impact the user experience
| of fraudsters and legitimate users alike. They want to choose
| policies which balance the tradeoff of lowering fraud against the
| ease for legitimate users to transact.
|
| You encounter this well-known tension pattern in several places. For
| instance, in safety critical systems there's a tension between
| safety and progress. Or take IT-sec industry; tension between
| usability and being secure.
| righttoolforjob wrote:
| It's like a braindump of a thought-train trying to reach a
| simple conclusion rather than just stating the simple
| conclusion itself.
| datalopers wrote:
| patio11 is good at many things, brevity is not one.
| cratermoon wrote:
| I work in IT/AppSec, and this came to mind immediately.
| Implementing perfect security would be "don't connect to the
| internet and don't let anyone use the computer". Clearly not an
| option, so my job is to analyze the cost and risks against the
| benefits and help choose a path of balance. A specific example:
| we can only heuristically detect the difference between
| legitimate and malicious calls to the public endpoints. Is that
| spike in traffic trying to DDOS us, or is it close to Black
| Friday so customers are in go-go mode? Setting the rate limits
| somewhere meaningful is a tradeoff.
| LilBytes wrote:
| Great analogy re. appsec.
|
| Risk is never zero and achieving it prevents everything.
| [deleted]
| robbomacrae wrote:
| This whole article is one giant time sapping piece of click bait.
|
| The author makes the unexpected claim that businesses want a non
| zero amount of fraud. And so as a reader you are tempted to read
| on because you haven't heard this before. But essentially the
| argument is that fraud is needed as an unavoidable byproduct of
| allowing trust/credit in the system to facilitate transactions.
| However, if businesses could have the trust without the fraud of
| course they would. I wouldn't be so upset if the author had been
| more upfront about what this was about. I'm sure there are plenty
| of people out there who are learning about the fraud and
| trust/credit relationship for the first time. Just don't try and
| spin this in a way that it isn't.
| schemester wrote:
| The optimal amount of headline fraud is also non-zero.
| koheripbal wrote:
| There is an interesting thought experiment you can do. Imagine
| a world with 100% honest, rule-abiding people. What are the
| consequences of such a world?
|
| The initial things you realize are, no keys, no locks, no
| gates, no passwords. ...but it gets even more profound the more
| you think about it. No police, no military, no cashiers, no
| ticket collectors, no bouncers, no bartenders (for beer/wine),
| no security guards, no prisons, no weapons manufacturing or
| sales, no security cameras or systems, no cybersecurity
| professionals or monitoring software, no criminal judicial
| system, no financial enforcement agencies... ...and how many
| industries would function far more cheaply such as insurance,
| unemployment, credit cards, and healthcare, due to no fraud?
|
| It's actually staggering how much of society is structured
| purely around a lack of trust. It's easy to imagine that
| security is responsible for a huge portion or all human
| GDP/budgets - maybe 50%?
|
| ...and what percentage of the population is really responsible
| for causing this? It is 1%? 5? Or maybe it's much more? Maybe
| most of us are _not_ criminals _because_ of the enforcement?
|
| If we could program in obedience in people - what leaps and
| bounds we could achieve!
|
| But more realistically, there is an equilibrium that exists
| between dishonest behavior and efficiency. The more common
| dishonest people are, the more expensive the entire system
| becomes. ...and it's not at all linear. A change from 0.1%
| dishonest behavior and 1% dishonest behavior probably results
| in an outlandishly more complex security setup.
| petjuh wrote:
| This reminds me of War of the Worlds, where the martians had
| no diseases and thus no immune system. When they came to
| earth they died from diseases.
|
| A society like that, with no defenses, would be very
| vulnerable. That's why it's better to actually have some bad
| actors to keep "selective pressure" on societies so we evolve
| our defenses.
| koheripbal wrote:
| Utopia vulnerable to aliens? Sign me up
| akira2501 wrote:
| > It's actually staggering how much of society is structured
| purely around a lack of trust.
|
| You've ignored one huge category: disagreements. We can all
| observe the rules, but we may not all come to the same
| conclusions as to how they bind our actions. Reasonable
| people can disagree without being "dishonest."
|
| Further, you're pre-supposing a list of rules that does not
| and does not need to change. Which is far less profound than
| you make it out to be.
| robbomacrae wrote:
| I agree whole heartedly. Often wondered the same. But I'd
| always think a small amount of conflict is needed to keep our
| defenses evolving in case we ever come into contact with a
| society that would be more sophisticated than us in that
| regard. The same applies to computer viruses, pathogens, and
| even scams and haggling. I know at least some of these have been
| explored already in fiction (Pandora's Star, War of the
| Worlds, Bender's Big Score).
| kortilla wrote:
| This is fanciful but ignores that a huge amount of this
| system is in place because we can't even agree on what is
| correct.
|
| > It is 1%? 5? Or maybe it's much more? Maybe most of us are
| not criminals because of the enforcement?
|
| Far more. The number of people who speed consistently and
| only slow down when they see a cop is the most visible
| evidence of this. Marijuana use was something like 20% of the
| population before any legalization passed.
| pwdisswordfish9 wrote:
| Is this just a blog-post-long Umeshism?
| jp57 wrote:
| I think most of this thesis can be summarized with a few points: (1) A
| perfect ROC (100% AUC) on fraud detection is impossible, (2)
| false positives have costs in both lost revenue and customer
| insults, and (3) the operating point with 100% fraud capture has
| an unacceptable false positive cost.
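An added example of these three points (not from the comment): a decline-threshold sweep over 18 constructed, labelled order scores, reporting fraud capture, false-positive rate and profit at each operating point. The price, margin, chargeback fee and the cost assigned to insulting a good customer are assumptions.

```python
# Constructed sample: (model score, is_fraud) for 18 orders of equal value.
ORDERS = [
    (0.02, False), (0.04, False), (0.05, False), (0.07, False),
    (0.09, False), (0.11, False), (0.14, False), (0.16, True),
    (0.20, False), (0.25, False), (0.33, False), (0.41, False),
    (0.52, True), (0.60, False), (0.71, True), (0.83, True),
    (0.88, False), (0.95, True),
]

PRICE = 100.0          # assumed order value
MARGIN = 0.25          # assumed gross margin
CHARGEBACK_FEE = 15.0  # assumed fee per fraudulent order
INSULT_COST = 10.0     # assumed future value lost per declined good customer


def auc(orders):
    """Share of (fraud, good) pairs the score ranks correctly."""
    frauds = [s for s, is_fraud in orders if is_fraud]
    goods = [s for s, is_fraud in orders if not is_fraud]
    wins = sum((f > g) + 0.5 * (f == g) for f in frauds for g in goods)
    return wins / (len(frauds) * len(goods))


def operating_point(orders, threshold):
    """Outcome of the policy 'decline every order with score >= threshold'."""
    n_fraud = sum(is_fraud for _, is_fraud in orders)
    n_good = len(orders) - n_fraud
    declined = [is_fraud for s, is_fraud in orders if s >= threshold]
    caught = sum(declined)               # fraud declined
    insulted = len(declined) - caught    # good customers declined
    missed = n_fraud - caught            # fraud approved
    profit = ((n_good - insulted) * MARGIN * PRICE
              - missed * ((1 - MARGIN) * PRICE + CHARGEBACK_FEE)
              - insulted * INSULT_COST)
    return {
        "threshold": threshold,
        "fraud_capture": caught / n_fraud,
        "false_positive_rate": insulted / n_good,
        "profit": profit,
    }


def sweep(orders):
    """One operating point per distinct score, plus 'approve everything'."""
    thresholds = sorted({s for s, _ in orders}) + [float("inf")]
    return [operating_point(orders, t) for t in thresholds]


def most_profitable(orders):
    return max(sweep(orders), key=lambda pt: pt["profit"])


def full_capture(orders):
    """Loosest threshold that still declines every fraudulent order."""
    points = [pt for pt in sweep(orders) if pt["fraud_capture"] == 1.0]
    return max(points, key=lambda pt: pt["threshold"])


if __name__ == "__main__":
    print("AUC", round(auc(ORDERS), 3))
    print("best", most_profitable(ORDERS))
    print("100% capture", full_capture(ORDERS))
```

On this sample the profit-maximising threshold lets one fraudulent order through, while catching all five means declining six of the thirteen good customers for a lower total.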
| tomjen3 wrote:
| I think this is an important point, but it misses things like
| verifying your transaction with your bank in an-easy-to-do-hard-
| to-fake-way. Like if you were sent to your mobile bank app after
| completing a purchase and had to FaceId verify that it was you,
| then fraud rates would essentially be zero.
|
| Yes such a system is annoying, I know because we have something
| kinda similar here in Europe, but because all the merchants are
| using it, I have no choice but to go to a retailer who doesn't
| use the system (I probably would if I could, because I tend to
| use my computer to do things).
| ljw1001 wrote:
| Couldn't they just write the title as "businesses shouldn't try
| to completely eliminate fraud" instead of trying to inflate their
| argument with this pseudo-academic bullshit? Seriously, "non-
| zero"? Is the "optimal" amount of fraud sometimes negative?
| velavar wrote:
| I've spent most of the last decade working in fraud risk
| management and I love the message that this article conveys. It's
| great to see someone saying the exact thing I've innately
| understood but couldn't put into words :)
|
| This is something I now ask when I try out for jobs in Fraud
| teams. If my hiring manager expects me to bring fraud down to
| zero, I immediately know that this work relationship may not work
| because we would be on completely different pages on how some
| fraud losses are the necessary cost of running a business.
| Animats wrote:
| Papers, please.
|
| Some banks used to take a thumbprint when you cashed a check in
| person. Very few do that now. When they did it, it was more
| symbolic than useful, because they didn't have a useful checking
| system. Today, if banks took fingerprints, they'd find out more
| than they wanted to know, because immediate lookup is possible.
| It's not their job to filter the entire population for warrants
| and illegal aliens.
|
| In-person identification is getting really good. Here's
| HIKvision's new ID unit.[1] Face recognition, iris recognition,
| fingerprint recognition, and RFID card recognition in one
| convenient iPad-sized unit. Iris recognition now works at 70cm
| range, so it can be used routinely. In China, there is no right
| to be anonymous.
|
| Worth noting: credit card companies absorbing losses varies by
| country. The US is pro-consumer on credit card fraud, but not on
| debit card fraud. This differs by country.
|
| [1] https://www.youtube.com/watch?v=I29_WWuntxs
| sethev wrote:
| This is similar to the argument that you shouldn't set a service-
| level objective of 100% availability. It's not achievable and
| people who claim that's the goal don't act as if it is - so it's
| better to talk about what amount of downtime is acceptable given
| the cost.
| RcouF1uZ4gsC wrote:
| You could also use this reasoning to say that the optimal number
| of rapes is greater than zero.
|
| I would disagree with the word "optimal". The optimal number of
| fraud and rapes is both zero, but unfortunately we don't really
| have the realistic ability to achieve that.
| e63f67dd-065b wrote:
| Obviously the optimal number of rapes is 0, but the optimal
| amount of rapes we should try to prevent is not infinite, and
| thus the optimal amount of rapes we accept as a consequence of
| the above policy is non-zero.
|
| It's really a simple cost-benefit calculation; the cost of
| preventing the last 0.1% rape on earth is surveillance cameras
| in every home and egregious violations of privacy, obviously
| the cost of such a scheme is probably not worth it.
|
| The simple observation is that there are tradeoffs: in exchange
| of preventing <bad thing>, we have to give up <good thing>, at
| some sort of non-linear curve. The cost of rape prevention goes up
| with each rape prevented, there reaches a point where the cost
| is no longer worth it and we should call it a day.
|
| People can (and do) argue all day about the point where the
| marginal cost of rape prevention is too great, but I'm fairly
| certain most would agree that it's not infinite.
| benja123 wrote:
| I think some people are being a bit too harsh about how the
| author goes about explaining how you can't prevent all fraud
| without hurting good users - or in other words, some fraud is
| just the cost of doing business. Overall it is a good article
| (that could have probably been a bit shorter) that talks about a
| topic that is rarely talked about - risk tolerance.
|
| As someone who has worked in the industry for the past 15 years,
| I can see a few things that I believe are causing risk tolerance
| levels to increase across the industry.
|
| 1. Startups/new businesses that are in growth stage have a large
| appetite for risk which is pushing the more traditional/legacy
| companies to also take more risk.
|
| 2. High friction experiences that are designed to stop fraudsters
| require you to provide timely support to any good users that
| might be blocked by mistake. We all know the trend for most
| companies has been to move away from providing timely support to
| their customers as it is extremely expensive. This is another
| cost (on top of potential lost sales) of creating a high friction
| experience.
| 60Vhipx7b4JL wrote:
| The article seems to imply that there is a standard revenue/fraud
| curve.
|
| But what if there isn't such a static condition and you could
| jump to a less fraud (higher revenue) situation with different
| technical measures? So changing the revenue/fraud curve.
|
| Like: 2fa (like an app confirmation) based on heuristics?
|
| Yes, the fundamental statement is the same, but you changed the
| existing "rules"
| righttoolforjob wrote:
| The conclusion/title talks about fraud without any context, which
| is the misleading thing here. What he means to say is that we
| have to accept to not fight some fraud because it would be too
| expensive. The most expensive option perhaps being to not run a
| business at all, eliminating both fraud and proper sales.
| dahart wrote:
| This argument is a naive cost-benefit analysis, which is already
| a red flag, but on top of that it claims the damage is done
| primarily to business that can afford it, ignoring the fact that
| a non-trivial amount of fraud affects individuals.
|
| > In the overwhelming majority of cases, that is where the
| waterfall ends. While insurance is available (both specialized
| chargeback insurance and general business insurance),
| overwhelmingly businesses simply absorb fraud costs in the same
| way that they absorb their office rent, staff salaries, and
| marketing expenses. That $10 to $20 billion number we threw
| around earlier? This is what happens to it, in the ordinary
| course of business.
|
| This claim of "overwhelming majority" being businesses and being
| a marginal insurance-covered cost does not square with the fact
| that millions of individuals are losing billions of dollars to
| fraud and suffering very negative consequences.
|
| "In 2017, an estimated 3.0 million persons (1.25% of all persons
| age 18 or older) reported that they were victims of personal
| financial fraud during the prior 12 months. [...] About 14% of
| financial fraud victims reported the incident to police. About
| three-quarters of financial fraud victims reported the incident
| to their family and friends (77%), two-fifths reported the
| incident to a company's customer service (42%), and one-third
| reported the incident to their bank, credit card company, or
| other payment provider (31%). More than half of financial fraud
| victims said they experienced socioemotional problems as a
| consequence of the incident (53%). Financial fraud victims lost
| $1,090 on average and more than $3.2 billion in total."
|
| https://bjs.ojp.gov/content/pub/pdf/ffus17_sum.pdf
|
| And what about the opportunity cost & lost potential to
| innovating better solutions to fraud? There's no good reason to
| assume the cost to solve this problem is an ongoing expense.
|
| http://frankackerman.com/publications/costbenefit/Prospering...
| c3534l wrote:
| The author seems to be doing exactly what he repeatedly claims
| not to be doing: being cute with his phrasing. He tells you he's
| going to make a case for fraud ceteris paribus, then actually
| argues fraud naturally arises through tradeoffs, which anyone who
| has ever made any kind of decision should be aware of. He wasted
| my time and had nothing insightful to say.
| jakzurr wrote:
| Long-winded article, but an important subject for discussion.
|
| A business which has draconian policies can go downhill pretty
| fast. Facebook, maybe?
| gumby wrote:
| This is true for things like welfare fraud (and other anti-help
| conditions) as well, but unfortunately in a quest for headlines,
| taxpayer money is wasted (and injustice performed) in a quest to
| take the level to zero.
| hamzareh wrote:
| https://www.youtube.com/
| v8xi wrote:
| thank you
| jrootabega wrote:
| When I worked Starbucks retail, we were subject to a "just say
| yes" policy. So when a couple came in and said they had forgotten
| some item, or never received it earlier in the day, I gave one to
| them without hesitation. It helped that I also recognized them as
| repeat customers. A co-worker said "you just got scammed" with
| disapproval. And I explained that I probably did, but we were
| required to do it even if we didn't want to. Otherwise we risked
| pissing off honest customers. Or maybe it just made more sense to
| spend the time serving the next 2 customers faster instead of
| being suspicious with 1 customer.
|
| Later on, though, I remember pissing one off when he had to wait
| in line behind people buying drinks and he declared he would not
| be buying the $300 espresso machine he had come in to buy. I
| wonder if my actions resulted in a net gain or loss to the
| store...
| ufmace wrote:
| > he declared he would not be buying the $300 espresso machine
| he had come in to buy
|
| FWIW I strongly doubt that people who say things like that ever
| really intended to buy the thing. If you were really planning
| on buying a $300 espresso machine today, are you actually going
| to change your mind because you had to wait an extra 5 minutes?
| zach_garwood wrote:
| When I worked retail, I would give customers whatever they
| asked for because 1) it's not my stuff, 2) it belonged to a
| soulless corporation that did not need it, 3) I am not paid
| enough to be a store's loss prevention agent.
| jrootabega wrote:
| But Starbucks had this explicit corporate policy anyway,
| which lines up with the article and its principles.
|
| And it takes a while to become that realistically cynical
| about retail work. We were actually treated pretty well, had
| mostly friendly customers, and got along with management. At
| least at the time.
| kevinventullo wrote:
| I'm fairly brand-loyal to Starbucks precisely because of their
| relaxed attitude towards customers. I remember a few times in
| grad school going there to work for a few hours, using their
| wifi, and leaving without buying a single item. I never
| intended to do so, I just got lost in my work. I don't think
| the baristas even noticed.
| hoseja wrote:
| It's coffee with like 1000% markup, unsurprising they don't
| nickel-and-dime you further.
| stevebmark wrote:
| I agree with the other commenters. This is uniquely terrible
| writing.
___________________________________________________________________
(page generated 2022-09-03 23:00 UTC)