Is this something that could be argued about other sorts of crime as well? In particular, in the ongoing fight against encryption that has been widely commented on HN multiple times, can (or should) one (safely) argue that e.g. the optimal amount of online sex trafficking and child abuse is greater than zero? What would be the consequences of taking such a stance once it inevitably reaches public discourse?
You could argue that but as you expect your opponents would quickly paint you as being pro-X. Every decent person would prefer zero child abuse, but few people would support having mandatory police surveillance cameras installed in every room in their house, even if such a panopticon would be proven to reduce significantly child abuse. Us meatbags are irrational like that.
> can one argue that the optimal amount of online sex trafficking and child abuse is greater than zero?
No, this fraud argument does not apply to child abuse or sex trafficking. The reason is because the fraud argument is talking only about direct financial loss of fraud compared to direct financial loss of enforcement. The fraud argument doesn’t actually work if we’re talking about individuals losing their savings, it only makes sense if you assume the cost of fraud is borne by banks, and that it’s a marginal cost and does not bankrupt anyone.
There is no amount of money that makes the damage done by sex trafficking or child abuse okay, and there is no reasonable way to convert the damage done by these crimes into money. To suggest that the optimal amount is non-zero would only be an externalizing of the damage and costs of such crimes, and to essentially reduce our morals to money. And that’s exactly what this very argument does in other contexts; it externalizes non-financial damage, and sometimes financial damage too. This argument is made in other contexts, and it’s sometimes wrong and/or full of assumptions that aren’t true.
We could imagine extreme hypothetical situations that might clarify the argument or how to think about it - is it equivalent if 1% of people suffer a 100mm knife wound or 100% of people suffer a 1mm knife wound? The 1% would all die. In the other case, everyone suffers a mild inconvenience they forget about by tomorrow. Despite the equal amount of flesh damage, these are not remotely equivalent, and thus can’t be compared or declared as optimal. The type of damage done matters, and the number of people affected and amount of damage done to individuals matters.
Beware arguments that reduce negative outcomes to money. These tend to favor businesses (who are biased to prefer less regulation) and tend to externalize all the indirect costs and the costs to society. This is exactly what has been done with regard to pollution over the last century - it has been successfully argued that the optimal amount of pollution is non-zero, and we’re starting to see the consequences of that and pay costs for decisions made long ago. There was a pretty good paper I read [1] that re-evaluated these arguments for several specific large public works projects in the 50s through 70s, where the post-facto costs and outcome benefits calculations were shown to be different by orders of magnitude compared to when the decisions were being debated. IOW there is good historical precedent-based reason not to trust someone who claims the damage will be minimal or equivalent to the case where we put some effort into minimizing it.
I feel like this starts with an agreeable premise. Some fraud is egregious, costly, and/or easy to detect. These low-hanging or high-impact cases are most worth pursuing. At some point you reach diminishing returns, where the amount of time / effort / capital you're putting in to eliminating fraud outstrips the losses from the fraud itself.
I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here:
>We should, as a society, accept non-zero amounts of benefits fraud. We should accept non-zero amounts of cheating on taxes.
I don’t know if that statement is backed by the article, which I will admit to not having read, but in general I agree. Completely eradicating benefit fraud will necessarily increase the burden on legitimate claimants to prove that they are in fact legitimate. Doing that is going to place enough burden on some people who should otherwise be able to claim that it results in them not doing so, or failing to do so because they were unable to provide the required evidence.
I’d much rather see a few people who didn’t need benefits manage to claim them than see people who do need them be left without. The first option costs tax payers a bit more money. The second results in people’s lives being made significantly worse, and in some cases in deaths.
Also, not means testing universal benefits means everybody appreciates them as just something their society does, so that reduces stigma for the beneficiaries and increases pride in your society. "We ensure children in this country have nutritious food" not "Why are my taxes going to feed this 10 year old whose mother has a full time job".
I grew up in an area where many parents could afford (maybe if they budget carefully, maybe just anyway) to privately educate a child. But they mostly didn't, because the government funded schools were pretty good. In fact, as children it was actually a minor stigma to be privately educated, because if your parents are spending a lot of money on the fancy school, either they don't know how to spend their cash (so they're stupid) or you're really stupid and they sent you to that school in the hope of making up for it. It was seen as like easy mode. Smart kids don't go to private school, why would they waste the money?
> The first option costs tax payers a bit more money.
The first option costs taxpayers significantly more than a ‘bit’.
Just look at how much it cost when they basically turned off all the checks in order to get covid relief into the hands of people who really needed it. In Arizona, after a while, they made it so you had to sit on (virtual) hold for 8-10 hours to verify your identity with a human or they would cut you off. Which worked well enough to ensure only the people who really needed it went through all the hassle. It really sucked for those people but they stopped sending billions of dollars overseas to people who just googled someone’s address.
Yes, we should not accept the existence of fraud. We should simply be able to recognize the situations where fighting fraud is more costly than letting it exist.
Not that it really matters in most places since we are quite far from that point anyways.
This is not an ethical conclusion. This is a pragmatic and utilitarian conclusion where 'optimal' means minimising the cost/benefit ratio.
Incidentally, this shows that the 'perfect' ethical stance is not necessarily the one that delivers the most benefits at the least cost, aka when ideals meet the real world...
It feels like a very subtle is-ought distinction, where the author is discussing something that unavoidably is the case and therefore concludes that it ought to be the case and therefore ought to be accepted if not even welcomed. The marketing example makes this pretty clear. Of course no one thinks the marketing directory could spend zero on marketing. But…surely they would love to spend zero if they could still get what they wanted for zero money.
> I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here
It’s like saying that the optimal dirtiness after cleaning your house is non-zero (greater than zero) because cleaning it perfectly takes much more effort than it is worth!
That’s not counter-intuitive at all. It’s just an obvious fact stated in a silly way (for clicks or whatever else).
It's like cleaning old painted metal with a scouring pad; You want to clean thoroughly enough to take off the grime, but if you scour too long or too hard you'll end up taking off the paint itself. You'll always either leave a littke dirt behind, or take off some paint, never perfection. You could strip all the paint and repaint it, but that's so much more costly in terms of time and materials that it's a whole different task.
And the argument that more stringent anti-fraud protections increase the burdon on legitimate claimants is absolutely spot on, and has parallels in all sorts of other legal, financial, and market situations c:
That doesn't mean that the optimal amount is nonzero. Taken in isolation, the optimal amount is clearly zero. The optimal amount doesn't change based on the cost, the optimal amount of effort to expend is a different answer.
It's not just stated in a silly way, it's stated in a way that's incorrect because they didn't mean what they said. "The optimal amount of fraud is nonzero" does not actually mean the exact same thing as "in an optimally-beneficial fraud prevention effort, the amount of fraud is non-zero".
>Taken in isolation, the optimal amount is clearly zero.
But the very point of the article is to not take zero-fraud in isolation and instead, explain how non-zero-fraud is an unavoidable tradeoff when balancing 2 simultaneous goals:
- (1) prevent fraud transactions as much as practically possible
- (2) make legitimate transactions as easy as possible
If one accepts the premise of pursuing those 2 goals at the same time, then by definition, we're no longer talking about "in isolation". You've now unavoidably entered non-zero fraud territory.
Perhaps it's the author's particular wordsmithing of what he's trying to convey that just rubs many readers the wrong way.
> Taken in isolation, the optimal amount is clearly zero.
The post makes it clear that the discussion is not about theory or taking anything in isolation - it's about fraud in the real world. In that context, the way it's stated is correct - if you have zero fraud in the real world, that means that you designed the tradeoffs wrong and that the cost of your fraud prevention (in terms of actual dollars as well as inconvenience to customers, etc.) is greater than the overall cost would be if you allowed a small amount of fraud to occur (looking at the total cost of that fraud as well as the cost of preventing additional fraud).
I suppose the problem is that whether or not the title of the post is true or not depends on the context in which it's taken, and the title itself doesn't have any context. Since the post does offer context, though, I think it's reasonable to take the title in that context.
Good point. I agree with the overall thesis; there are a lot of things that get increasingly expensive as you approach perfection. (Perfection is still a useful guidestar, but each step toward it has to be made with costs in mind.)
However, I'm not nearly as breezy about $20 billion annually in fraud. Maybe that's fine from the perspective of the merchants and credit card networks. But from the societal perspective, that's subsidizing bad actors. People and groups who will not stop at one kind of crime as they try to grow. People who will divert other people into being parasitic. That's not healthy for society or for the individuals who end up living lives of crime.
So I think the society-optimal level of fraud is way below the merchant-acceptable amount of fraud.
> At some point you reach diminishing returns, where the amount of time / effort / capital you're putting in to eliminating fraud outstrips the losses from the fraud itself.
That's not quite what I got from the article. I read it as the more friction you put in place to prevent fraud, the harder it is for legitimate transactions to happen. Therefore, it's not so much about the cost of the fraud, but the opportunity cost of legitimate transactions which don't happen in the zero-fraud environment.
I appreciate how you phrased this. It has me thinking about how it might be similar for privacy and security in terms of information or even physical security. Yes, one can be super secure and safe from harm if one puts tons of locks on everything, but it also keeps out people who we might want to let in.
Actually, now I'm thinking about it emotionally as well. Best way to prevent myself from getting hurt is to close off as much as I can. Also the best way to prevent myself from feeling joy and all the other things I want to feel.
Emotions are a little different though. The more you know how deep the lows can go, the more you appreciate even the smallest highs. There is a little utility in getting hurt.
The problem with accepting it is that people figure out repeatable tricks to get around the system.
If we view those repeated tricks as business as usual - we should probably make them accessible to everyone. Otherwise the small fraud becomes rampant.
Not an ethical conclusion but a pragmatic one. The ethical part is what you do after the fact:
1. Pass the cost towards self regulation of people, using client facing measures e.g. prove their innocence if they are an outlier
2. Catch a couple of cases and over market your policing ability to disadvantage the most gullible.
3. Catch a couple of cases, even minor infractions and destroy them with disproportionate fines or jail sentences, economy of randomness or economy of those who have the best lawyers.
Fraud against government, as above but add:
4. Add arbitrary constraints, you don't really want the system to work, you just fake it for political reasons
not if letting 10 guilty esacpe breeds more and more bad actors. you can make the argument that a few innocent suffer is a net benefit for society in tne same way. in pursuit of 0 innocent suffering you will capture no bad actors
To put it another way you're forgetting the victims. The 10 fraudsters made 10 people suffer. their suffering needs to added to the equation
The current system from that perspective works great. You have to get pretty unlucky to get convicted as an innocent, especially in this day and age where a cop’s testimony isn’t worth nowhere near as much as it used to be.
And morally alone it’s far worse to wrongfully convict an innocent person than to let a guilty one go free.
We can start with payment. What would someone pay with? Credit/debit numbers can be stolen. Checks can be stolen or forged. Cash can be counterfeit. What form of transaction has zero chance of fraud?
To make transactions available to people you need to introduce systems that can have fraud in them. There is a balance between availability/ease and fraud.
Bitcoin. It can easily be confirmed as valid (zero chance of counterfeit), and is otherwise a bearer instrument with no further settlement, and impossible to reverse (like cash).
The problem is not merely that the anti-fraud efforts are costly but that the anti-fraud surveillance apparatus will itself be value destroying. (In the tax case, it’s “people in democracies don’t enjoy their government having total visibility into their activities and society, in its judgment, says this is more important than tax collection at some margins.”)
I would think the strategy would be to encourage low impact fraud with lazy compliance and making a customer whole (Credit card chargebacks). And then hunt out and destroy high impact fraud.
With the intent to incentivize and train criminals to stay small and low impact.
If you're a retail platform, and you have a few scammers making a few grand of 20-100 dollar scams. You can play wack a mole with them and then that keeps people doing that small fraud rather than leveling up and potentially doing crimes that could endanger the whole business with the exposure.
Targeting zero is an immature approach that is self-destructive in most cases.
If your incentive is to have zero fraud, the organization will find ways to not detect fraud or add so many controls and audits that the cost of doing whatever will go up.
There’s a balance. In the tax world, the de-clawing of the IRS for certain things have dramatically impacted compliance. You want enough enforcement that you’re discouraging median cheater, but not so much the cure is more expensive.
The ethical issues of accepting nonzero fraud are that striving for zero fraud creates program design changes that lock people out of benefits. If you design a health care system that aims for 0% fraud, some measurable number of people are going to be deprived of care because the registration and billing procedures are too onerous. With taxes, aiming for 0% noncompliance will prevent people from taking advantage of deductions and credits.
This isn't hypothetical; it's the issue underling the "program design" controversies about means-testing in public policy.
Not to mention that enforcement has rapidly diminishing returns. Even if your only goal was to maximize tax revenue (minus cost of tax administration), and you didn't care at all about people being able to take advantage of deductions, the optimal amount of fraud is almost certainly non-zero.
(And of course, if you did want to maximize tax revenue, you'd focus enforcement on the big fish.)
That's a lot of words to say "to make fraud harder you have to make buying from you harder, the optimal amount of fraud is the amount of fraud you get when any additional measure you could take against fraud would lower your revenue more from lost business than it would lower your costs from people committing less fraud"
Exactly. The optimum amount of fraud is really zero. But in order to achieve last 0.00001% you may end up screwing up experience for about 99% of your customers by asking them to 10-factor auth and what not.
I guess this applies to all crimes, even major ones likes murder and child abuse. We can monitor everyone all the time, or make sacrifices to live in a more free society.
If you think the optimal amount of crime is greater than zero, at some point we are clearly using different applications of the word optimal. One person is talking about the level under the optimal “solution”, while the other is talking about one constraint that still must be balanced against other constraints. The optimal amount of fraud spending is zero, but then we’d be left with a ton of fraud.
This is an extremely long-winded article/blog to say the following
> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.
You encounter well known tension pattern several places. For instance, in safety critical systems there's a tension between safety and progress. Or take IT-sec industry; tension between usability and being secure.
I work in IT/AppSec, and this came to mind immediately. Implementing perfect security would be "don't connect to the internet and don't let anyone use the computer". Clearly not an option, so my job is to analyze the cost and risks against the benefits and help choose a path of balance. A specific example: we can only heuristically detect the difference between legitimate and malicious calls to the public endpoints. Is that spike in traffic trying to DDOS us, or is it close to Black Friday so customers are in go-go mode? Setting the rate limits somewhere meaningful is a tradeoff.
You could also use this reasoning to say that the optimal number of rapes is greater than zero.
I would disagree with the world “optimal”. The optimal number of fraud and rapes is both zero, but unfortunately we don’t really have the realistic ability to achieve that.
Obviously the optimal number of rapes is 0, but the optimal amount of rapes we should try to prevent is not infinite, and thus the optimal amount of rapes we accept as a consequence of the above policy is non-zero.
It's really a simple cost-benefit calculation; the cost of preventing the last 0.1% rape on earth is surveillance cameras in every home and egregious violations of privacy, obviously the cost of such a scheme is probably not worth it.
The simple observation is that there are tradeoffs: in exchange of preventing <bad thing>, we have to give up <good thing>, at some sort non-linear curve. The cost of rape prevention goes up with each rape prevented, there reaches a point where the cost is no longer worth it and we should call it a day.
People can (and do) argue all day about the point where the marginal cost of rape prevention is too great, but I'm fairly certain most would agree that it's not infinite.
The conclusion/title talks about fraud without any context, which is the misleading thing here. What he means to say is that we have to accept to not fight some fraud because it would be too expensive. The most expensive option perhaps being to not run a business at all, eliminating both fraud and proper sales.
When I worked Starbucks retail, we were subject to a "just say yes" policy. So when a couple came in and said they had forgotten some item, or never received it earlier in the day, I gave one to them without hesitation. It helped that I also recognized them as repeat customers. A co-worker said "you just got scammed" with disapproval. And I explained that I probably did, but we were required to do it even if we didn't want to. Otherwise we risked pissing off honest customers. Or maybe it just made more sense to spend the time serving the next 2 customers faster instead of being suspicious with 1 customer.
Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...
When I worked retail, I would give customers whatever they asked for because 1) it's not my stuff, 2) it belonged to a soulless corporation that did not need it, 3) I am not paid enough to be a store's loss prevention agent.
But Starbucks had this explicit corporate policy anyway, which lines up with the article and its principles.
And it takes a while to become that realistically cynical about retail work. We were actually treated pretty well, had mostly friendly customers, and got along with management. At least at the time.
I’m fairly brand-loyal to Starbucks precisely because of their relaxed attitude towards customers. I remember a few times in grad school going there to work for a few hours, using their wifi, and leaving without buying a single item. I never intended to do so, I just got lost in my work. I don’t think the baristas even noticed.
> he declared he would not be buying the $300 espresso machine he had come in to buy
FWIW I strongly doubt that people who say things like that ever really intended to buy the thing. If you were really planning on buying a $300 expresso machine today, are you actually going to change your mind because you had to wait an extra 5 minutes?
> Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...
Sorry, I didn’t understand this part. Did he expect to cut in line because he wanted to buy the machine rather than a drink? I don’t get what you were supposed to have done differently. Or maybe I do, but the expectation doesn’t make sense to me, I have never seen anything like that done anywhere.
Our store had a couple registers on either end of an L-shaped counter. We didn't always open both. Our main register near the drinks was open and had a line. He approached me as I was doing some task near the other, closed register, which was also near where we stored the espresso machines for sale. So he didn't want to cut in line so much as to have me/us start a parallel flow for his purchase.
It's not a crazy idea; we appeared to have some spare capacity for it (although we really didn't). And he may have spoken to someone else about it earlier. It also wouldn't have been unreasonable to expect that once he got to the front of the line he would have been directed to the other register to wait anyway. He may have been trying to minimize the disruption he caused to the line. He may have also thought the line was too long and we should have already opened up the second register. We were very efficient with a single-register flow, but customers always tried to start up a second line before it was really necessary.
I'm not confident I did the right thing by him; just that there may be situations where losing a $300 sale may be the most profitable choice.
- The optimal amount of fraud a business/industry should accept is non-zero
The simple observation that the cost to prevent each marginal fraud attempt increases; the last 0.1% of fraud costs way too much to prevent compared to the first 99%. Obviously society would be better off if fraud didn't exist, but since it does the effort expended is only worth it up until when the marginal cost of prevention exceeds an acceptable threshold (when it starts to lose you money).
The optimal amount of fraud is still 0, but the optimal amount of fraud prevention lies somewhere on the margin.
This is why important transactions like banking have KYC checks, and buying a pair of sneakers don't.
this explains things significantly better than the article, which seems to be little more than dragging out a surprising-sounding headline with a pretty obvious concept
The reason I went to the trouble of writing it was that many, many people in both business and the finance industry do not agree it is obvious and a good portion do not agree it is true, and they take actions consistent with those beliefs, which harm themselves and others.
To be more specific, the article mimics the topic of a counter-intuitive "surprising" truth (like, for example the goat problem; or flaws in human cognition), while letting the reader down by making an obvious, easy to understand truth unnecessarily complicated.
That you think something is obvious is a fact about you, not about the world. People are not downvoting you because your English has any problems. They are downvoting you because they you’re wrong and arrogant.
"optimal amount of fraud in society is 0" - are you sure? why?
Bad Things(tm) are useful for testing and improving safety/security, and when I see people/institutions with no experience reacting to Bad Things(tm), I know they're in for a world of hurt when it does happen.
Perhaps you mean, the optimal amount of fraud that isn't prosecuted... or not detected... ? Even then, I'd argue that there's a tiny percentage that's useful for keeping the safety/security industry on its toes and at the ready.
As a proof point, if you believe that war (world peace) is not a solved problem, then it's only a matter of time before your city/region/civilization/race faces an existential threat, for which the only true preparation is to be ready to innovate and mobilize.
Sorry if this comes across as dark. I mean it in the same vein as having a small percentage of farmers is desirable.
By contrast, I visited a traditional silk factory in Stockholm (amazing btw) and the craft has been lost to the point where they're struggling to find craftspeople able to work their looms and other old equipment. See Jonathan Blow's excellent talk about lost technology: https://www.youtube.com/watch?v=ZSRHeXYDLko
> I guess this can all fit within a “marginal cost” explanation though.
Yes, but it undermines the first point, a bit. There's costs-- direct and social costs-- to making transactions hard; so perhaps optimal for a society is still not 0.
Also, there's nothing to say that the amount of fraud is stable and that we can't find a world where we have better mechanisms to reduce it for the same cost. (Improved technology, legal structures, norms, etc).
>reducing friction helps drive more legitimate business.
A very real example in retail. I can minimize the possibility that I'll be hit with fraudulent returns. Require a receipt, short window, store credit only, must be in like new condition with all packaging, etc. (Or just sell everything on an all sales are final basis.) Different stores do many of these things to a greater or lesser degree on at least some merchandise. But you'd probably better be offering really good prices if you do.
Some of those aren’t analogous. Your Covid example: there’s also the cost _to others _ of you catching and spreading it, even if the risk to you is lower.
Speeding is another example: the cost (or risk) might be acceptable to you but not to the person you have an increased likelihood of hitting and doing serious injury to.
At a societal level, it holds, which is why we invest in measures to increase the cost of doing the wrong thing (speeding tickets, removing licenses).
More generally--the cost to eliminate bad outcomes goes up exponentially as you deal with the easy bad outcomes. Credit card fraud is simply one example.
Or consider a simple non-financial example: I left half a dozen pears on the tree this year--getting those last few pears would have required hauling a 50 pound ladder around the house and then struggle with setting it up. (Due to it's size it's a lot harder to handle than it's weight indicates.)
This, definitely. But also - at the social policy level, there are two additional issues:
- Outsiders: It's good to keep members of your society fraud-savvy enough that they can safely travel & do business outside your society...without being easy marks for fraudsters.
- Stability over time: If your society somehow gets fraud down to ~0, that'll lead to big cut-backs in anti-fraud efforts, "end of history" dreamers proclaiming that fraud has died, etc. Which is obviously a set-up for a sudden huge resurgence in fraud.
Great explanation. But I'm not so sure about "The optimal amount of fraud in society is 0".
Especially if we broaden fraud to include other crimes. There are costs to prevent other badness in society as well. Firstly it's the cost in taxes/allocating resources to its prevention: Do we really want to allocate a really large chunk of our shared human capital to police marginal criminal activity? How much more polices, judges, attorneys, lock makers, etc would we need to stop the last bike theft?
Secondly and arguably more importantly is the cost of freedom. A lot of the digital surveillance initiatives that are discussed and dismissed here on HN are enforced in the name of zero tolerance against (really bad) badness in society.
I think its hard, or impossible, to create a somewhat large society with zero crime rate. At least if we still want even just a sliver of the freedoms we are accustomed to in liberal democracies.
Hmm. I think my mental model is more that it should be "randomly" enforced. The probability of getting caught is higher than some certain threshold, but that it's not necessarily bad if that threshold is lower than 100%.
I can't think of any resonable society that have taken actions to show that they want the probability to be 100%. I would even argue that the most harsh dictatorships probably have the highest enforcement, but that laws were/are very selectively enforced in the favor of e.g regime officials.
I think the point is that in a theoretical society in whcih there are no bad actors, and there is no cost to prevent fraud, the optimal amount of fraud is zero. That is, there isn't a reason you would want to encourage fraud, because a little bit of fraud is good. But when you also consider the cost of reducing fraud the optimal state for the system as a whole will have a non-zero amount of fraud. And of course, bad actors do exist, so in a real system you want to accept some amount of fraud.
The difference is significant, because if you discover a way to significantly reduce fraud for a low cost (including cost of freedoms and similar), it will be worth implementating. And there isn't some point where you say "we are already down to x% fraud, we don't want to go any lower than that, even if it doesn't cost us anything".
I think you’re conflating the terms optimal and ideal. The ideal amount of fraud in society is zero. The optimal amount of fraud in society is not defined, because optimization problems are always subject to a set of constraints.
So then we may ask: “what is the optimal amount of fraud in society such that the costs of legislation, education, and enforcement do not exceed X% of GDP?” and that is a different question. You might also throw technology and R&D in there because new tools make it easier to investigate fraud. Of course new technologies also open up new possibilities for fraud, so this is a very complicated exercise. But I think it’s fair to say that given any reasonable constraints, the optimal amount of fraud is nonzero.
The way this is phrased, I expected to learn there was some benefit to a low amount of fraud, as such. There is not. There is a benefit to a high amount of trust, which necessitates accepting some amount of fraud.
We don’t need there to be a benefit to a low amount of fraud to optimize for it. Optimization is a purely mathematical exercise [1]. Once we construct the problem with a chosen set of constraints then we apply mathematical techniques to solve it. Of course, many types of optimization problems (especially non-linear or non-convex) can be extremely difficult to solve optimally without relaxing some constraints or settling for approximations to the optimal solution.
But, besides that, the task of interpreting the results and of potentially selecting new constraints or even a new objective function is a separate matter. Perhaps we should be seeking to maximize trust rather than minimize fraud in society. But then we have to ask ourselves: “what would that look like?”
There does not need to be a set of constraints for optimisation to be defined. You can talk about optimisation on an unconstrained domain, for example all of ℝ⨯ℝ. But there DOES need to be a measure function that measures what you are optimising for. The benefit of fraud would be one such function you could optimise for, and that seems to be what GP is after. The pure amount of fraud is a different one, which seems to be what you are interested in.
Even without trust, you will reach an optimal amount because preventing fraud tends to become more expensive than the fraud itself, once you cover the simple and easy cases
The optimal amount of crime in a society is non-zero because a society with zero crime would be a dystopian police state where innocent people sometimes get caught up in the justice system's net to make sure it catches all of the criminals.
The classic principle of Anglosphere common law is that its better to let 10 criminals get away with it than to convict 1 innocent person. The same idea applies to fraud because overzealous fraud prevention causes problems for legitimate users whose actions incorrectly get detected as possible fraud. The benefit to tolerating a low amount of fraud is that your product won't be hostile to your legitimate users. The benefit to tolerating a low amount of crime is that you will live in a free society rather than a dystopian tyranny. Freedom is good and it is worth giving up quite a bit of safety for the sake of being free.
> The optimal amount of crime in a society is non-zero because a society with zero crime would be a dystopian police state where innocent people sometimes get caught up in the justice system's net to make sure it catches all of the criminals.
At this point you're just playing with the definition of crime. I would argue that it is criminal to deprive an innocent person of their freedom, and challenge that your proposed scenario is actually "zero crime".
Secondly, you talk of catching "all of the criminals". In a "zero crime" environment there are no criminals - by definition if there is a criminal, then a crime has been committed at some point.
All that said I agree with your larger point - the cost of freedom is that people are not constrained before the fact from committing crime, and that's a good thing on the whole.
I’d argue that the optimal amount of crime is zero but the optimal amount of possibility of crime should be non-zero. That’s a necessary escape hatch out of a police state or authoritarian government. After all, the resistance against the Nazis was technically criminal at that time, even though now we’d all agree it was a good thing it occurred anyway.
It is especially important nowadays because unlike back then where technology was limited and surveilling 100% of the population was impossible, it is very much possible today and is already being done in certain places such as China.
If you define crime as violating the anarchist non-aggression principle, then it makes more sense. The only problem is that the state would be the largest offender.
Nazi laws weren't moral, as it's not moral today to demand half of my profits or I go to jail.
You just picked your own idea of morality and decided to elevate it above others: you chose the "anarchist non-aggression principle" as somehow morally superior to other ideas about how crimes should be defined, and decided that with that definition, targeting zero crimes makes more sense.
But the whole point is that we will never universally agree on a morality because society's overall preferences shift over time. So targeting zero crimes never makes sense.
Does he mention this somewhere? Last time I spoke to him, he was working on Stripe Press, his interest in fraud and spam prevention long predates his work at Stripe.
> ts better to let 10 criminals get away with it than to convict 1 innocent person.
is arguably false. it forgets that 10 criminals had 10 or more victims. If you optimize for the least number of victims then it's easily possible that convicting a few innocent people has a net positive in lowering the total number of victims including the victims of being wrongly convicted
to put it another way, perfect is the enemy of good. In this case if in pursuit of perfection of having zero wrongly convicted you end up causing more victims of criminals then you've arguably failed
I also believe that it’s better to let 10 criminals get away with it than it is to wrongly convict 1 innocent person. And I’m fairly sure that all the innocent people who were unfortunate enough to go through the court system would agree with me.
Also, not every crime must have a victim. There are a million victimless crimes.
Yes, it’s also debatable whether those should even be crimes (in my opinion - no), but the argument that 1 crime = at least 1 victim is flat out false.
also you too made the exact same error. you discounted the victims of the criminals. yes the 1 innocent wrongly convicted is bad but what about all the innocents that are victims of the criminals. You absolutely have to add those innocents to your total of how many innocents you helped
if you catch 10 serial killers and 1 happens to be innocent you still saved 9-18-27 lives in exchange for one innocent. If because of over zealousness of zero innocents being caught you only catch 5 serial killers you saved 1 extra life and forfeited 5 to 15 others
You arguably believe what I'm saying. no law enforcement can be perfect so it's guaranteed that innocent people will be mistakenly convicted. The only logical conclusion is if you truly believe there must be zero innocents convicted then you believe law enforcement should not exist since there will never be perfect law enforcement
it doesn't forget that. it implies that you shouldn't optimize for the least number of victims. it's cool to disagree with that and think about why or why not, but please actually engage with the idea rather than just assuming they didn't think it through at all.
I said this somewhere else, but there’s 2 things at play here:
- A utopia where people don’t defect in prisoners dilemmas (most types of crimes like shoplifting: the store won’t have to hire loss prevention and cashiers, and you pay less for their reduced costs) is ideal, but:
- Such a utopia doesn’t and can’t exist because defection individually increases utility at the cost of everybody else. Hence cashiers, loss prevention, KYC, etc.
Thus the real world is a careful optimisation problem where we have to search for an equilibrium at which society as a whole benefits the most. People can argue all day about where this is, because the trade offs involved are non-obvious:
- More surveillance means, all else being equal, less crime, but police officers can defect too and only arrest minorities and use said surveillance for something else, etc.
The problem is walking through a very high-dimensional search space, and we humans are had at it. There’s no real solution though, because individual incentives don’t line up to solve it.
The benefit to a low level of fraud is that people are still looking out for fraud, so the society is more robust. If there was no fraud, and someone just invent fraud (it will happen), the damage could be devastating.
they would have to be Moriarty level like in their inventiveness, most people start low and then expand their inventiveness with experience, the low early frauds would establish the new invention in the society.
> So then we may ask: “what is the optimal amount of fraud in society such that the costs of legislation, education, and enforcement do not exceed X% of GDP?” and that is a different question.
It's also not a question of any particular interest; you're interested in what maximizes (good - bad), not what maximizes (good / bad).
I meant optimal fraud at 0 as in a utopia would have no fraud whatsoever; a utopia where everybody cooperates in prisoner’s dilemmas, where I can lend a stranger my phone and not worry they’ll run off with it, and where cashiers don’t exist because you can count on people leaving money as they walk out the store.
Obviously this utopia doesn’t and can’t exist: people defect because it works against cooperators. Fraudsters are people who defect in the societal game of iterated prisoners dilemma, and thus we have to build defences against them until some sort of Nash equilibria is reached.
So I guess I did mean optimal in two different ways. One is a utopian cooperative paradise, the other an optimisation problem for an optima where businesses make the most money and society overall is richer than if business activity got crippled.
> This is why important transactions like banking have KYC checks, and buying a pair of sneakers don't.
Banks do KYC checks because it is required by law, not because it does anything to reduce fraud. Fake IDs are a thing. Requiring identification does not make transactions safer without a lot of other stuff happening too.
This optimal (#) can and probably will change soon. We all carry around phones capable of trivial non-reputable verification, and centralised digital cash (not bitcoin but BankOfEnglandCoin) is technically feasible. So it's quite technically feasible for every day to day transaction to be completed with
with the sort of KYC verification currently reserved for say house purchases.
It's just the political / societal implications. These are beyond "hey it's expensive for banks to cut down on fraud"
I disagree with the "banks should allow certain levels of bank fraud because X" for the simple reason we don't have "banks should provide interest free funding to murderers, sex traffickers, pornographers and drug ring" even though that is often the same thing. (And in a two page HN thread I am sure I am not the first to say that)
(#) someone else mentioned the difference between ideal and optimal which is a very good distinction.
I would not call anything in the fragmented, legacy US financial system “trivial.”
It took us a decade and counting to get chipped cards, longer to get contactless pay, and even then we don’t really use the PIN part of chip+pin. Something like FedNow is only coming next year.
I mean every central bank could tomorrow just put up a non-permissive (#)
blockchain and just make a virtual coin for every cent out there. And this would cause utter chaos. It would essentially end fractional reserve banking. That makes loans ... difficult.
The impacts are enormous, but a digital native currency is so simple, so attractive we may well try it. And then have to rethink our financial regulations. It will look a lot like ICOs.
I still think it is inevitable.
(#) ok the terminology I find either dubious or I misunderstand but basically
every wallet holder gets their private / public key registered, then there is a known state of money globally, and the Bank is a verifying party to each transaction. Something like that anyway. Theee are many options but essentially if we all "trust" the money printer then the technical problems simplify.
I doubt it. The current system is a local optimum. Better local optimums already exist elsewhere.
In The Netherlands, direct online payments using debit cards are very common. These are secure payments, verified through a bank’s mobile banking app or internet banking with 2FA.
This means there is no risk for the seller that a payment gets reversed. There is fraud, but it centers mostly on social engineering people to authorise payments for others, or to mail their debit card to “the bank” for “recycling”.
Cost per payment: about 30 cents.
Meanwhile, in other countries, credit cards are the common online payment option. Security? A number on the front of the card and a “secret” second number on the back of the card.
Cost: 1.5-3.5% of payment.
Better security is possible, but it’s hard to move from a local optimum when you’re locked into a certain ecosystem.
The credit card no-security scheme works because everyone gets reimbursed for fraud. It comes at the cost of retailers handing a few percent of every transaction to intermediaries, instead of just a few pennies.
At some point (maybe already) we will perform 50% of GDP online. That makes the Visa network essentially a seperate private tax collecting entity. I get the "local optimum" - it's hard to break. But if anything motivates governments it's competition
Yeah but there is not a digital version, issued by the BoE. It's not a digital native so has all these layers on top.
I think a clean simple version is appealing - it's kind of the case for Bitcoin as a whole. Unfortunately they people attracted to that case did not realise that 75%+ of regulation and layers is trying to protect people from sharks.
> The optimal amount of fraud a business/industry should accept is non-zero
Let's make that: "The optimal amount of fraud a business should accept under the current credit card online payment system is non-zero".
There is absolutely nothing intrinsic about online commerce that requires fraud. Online business routinely operate with a money first, zero consumer trust paradigm. They ask for my payment credentials first, and only then deliver the products.
If we were to design the online payment system from scratch, we would use cryptography to completely remove the notion of credit card theft, and escrow to settle consumer complaints, with an option for paid arbitration when things go bad. I guess you can call some of those cases "fraud" and some customers are so unreasonable that they border on criminal, yes, you can't make that segment zero, but I don't think that's the kind of fraud they are referring to.
The reason we can't have those nice things is because of immense momentum of the current system designed in the 60s by companies that have very little reason to change anything. In fact, an online payment reform would most likely strip them of their oligopoly. So yes, the optimal fraud level is non-zero because Mastercard, Visa etc. can push that fraud onto consumers (via retailers), and they are making much more money anyway from the current situation.
An analogy that may resonate with readers here is that targeting zero fraud is like targeting 100% uptime in a computer system. You evaluate the business trade-offs and decide how many 9s of non-fraud are appropriate, knowing that (1) each additional 9 is more expensive than the last but only gives you 1/10 of the benefit, and therefore (2) infinity 9s (equivalent to zero fraud/100% uptime) is a useless aspiration for all practical purposes.
That's incomplete, though. The business running the computer system would bear all the costs in attempting to target 100% uptime.
Targeting zero payments fraud does mean the business has to bear the costs of the fraud prevention measures, but their customers also have to bear intangible costs, like the annoyance of a detailed, invasive know-your-customer process before being able to buy anything.
But if I'm a user of this computer system that targets 100% uptime, I don't have to see any of the downsides/costs that the business incurs to try to get that uptime. I just see great uptime, and it's all rosy for me.
I think it's important to acknowledge that, in pursuing lower (or zero) fraud, both the business and its customers have to bear costs related to that goal.
There are also arguments that a certain amount of rule breaking is neccesary in society to support innovation. A society with no rule breaking becomes static.
If you had zero fraud in society then nobody would build in any defenses against fraud at all.
You'd have a society of completely naive and trusting souls, which sounds blissful until someone wakes up one day and realizes that they can commit as much fraud as they like since society has no defenses against it.
It is like saying that the optimal amount of disease is zero, but if you have never had your immune system challenged by any kind of disease, then the first virus you come across will probably kill you.
Your suffering from childhood colds and getting burned by something like the car-out-of-gas scam help build defenses.
Not a perfect analogy with disease. And maybe it should suggest to you that maybe in fact, the optimal amount of fraud is zero.
With disease, the optimal amount is likely still zero. The immune system we have is not great, its only selection criteria is to keep people alive long enough to have children and keep them alive long enough so they can. We're beginning to understand, like with HPV, that anything from a life threatening case to an asymptomatic one can cause lifelong changes in the immune system and either cause or increase lifelong risk of non-infectious diseases.
And that's setting aside that we can, for example, just eradicate certain diseases if we set ourselves to it. Polio, smallpox, and hopefully malaria.
If we could eliminate certain kinds of fraud - through education, through making it impractical - that seems good, yeah?
But I think you just showed that its really pretty similar.
And my gut reaction to the title of the article is that we really need less fraud and that we're very, very far from optimal right now. Although I'm not very concerned at all about fraud against government programs to help the disenfranchised. I'm more concerned about the endless e-mail, phone scams, door to door scams and all the stuff that prey on the elderly and vulnerable.
Similarly with the immune system it would be interesting to consider wiping out Epstein Barr and maybe eliminate Multiple Sclerosis, along with exterminating the mosquitoes that bite humans and cause disease.
But zero is likely not achievable or a stable optimum, and we're probably not going to cure the common cold or wipe out influenza and we may not want to (at least not without quite a bit of science fiction, global access to medicine and nearly 100% acceptance of vaccination in the population).
I think we're in agreement - the analogy to disease was flawed because eradicating some (perhaps many, all?) kind of disease would have widespread, uniformly positive effects.
The person I replied to seemed to think that exposure to disease helps in youth? Certainly seems like a widespread idea, but I don't know how true it is.
I like to think of it prisoner's dilemma style: the optimal amount of fraud is zero, the same way the optimal outcome for both prisoners is to both cooperate. But the equilibrium at 2-cooperate is not stable, somebody will gain more utility for themselves by defecting, the same way with 0 KYC on any and all transactions fraud is laughably easy.
Thus, the global optima is one where there is no fraud and everybody cooperates, but it's not a stable optima and we slide to the real world where there are tradeoffs for preventing fraud, and there reaches a point where rational actors deem the tradeoff unacceptable and thus accept some level of fraud.
Potentially controversial take: this general idea also applies to other areas such as elections. Any sufficiently large election will have to contend with fraud and human error, but this is acceptable as long as the numbers aren't large enough to change the outcome.
If you carefully scrutinize any large election you can almost certainly find at least one example of fraud. However, isolated cases of fraud or human error are not evidence of widescale election rigging.
A lot of the elections in the US in the last 25 years have been pretty close, that's the problem. I guess if they were less close or had some sort of proportional system, it might be less of a problem.
If it's the merchants who carry the burden of credit card fraud why is it that almost all fraud prevention efforts seem to be done by banks/card issuers rather than by merchants ?
Except for a small number of cases involving pre-paid cards, I have never seen a merchant refuse to accept a valid credit card payment for an online purchase. I have however encountered and heard of cases of banks declining transactions they considered possibly fraudulent.
Because the card services are in the business of selling their service to merchants in exchange for a fee, and they have competition in that space. Merchants will (in theory) refuse to work with - or pay as much to - a card service which does insufficient work to prevent fraud.
That explanation doesn't make sense because the fraud prevention/transaction denials are being done by the card holders bank, not by the merchant or payment processor and merchants don't get to decide what issuing banks they will be doing business with. For the most part they either have to accept all Visa cards or none (except maybe for some very broad categories like country of origin or pre-paid vs. non pre-paid).
I personally can't stand PSD2[0]. It has completely ruined the online shopping experience in the EU (for me at least).
I loved the way American Express implemented it. They sent you a one-time passcode on your first purchase with the merchant, and then you could also choose for them to not bother you with any further purchases from the same merchant. I had this enabled by default, it made the experience a million times more enjoyable.
Unfortunately not everyone took AmEx, and I no longer live in UK (or a country where AmEx has presence for that matter), and the way banks in my current country of residence have implemented it is absolutely abysmal.
1. The billing address must be a match 100% of the time, which is painful in situations where you can't specify separate billing and shipping addresses and you want the item shipped to a different address (could be 3 for me)
2. Mandatory 2FA on every transaction, depends on the exact implementation, but typically you must wait for a notification on your phone, and then type in a PIN. In some implementations you have to scan a QR code, and then type in the said PIN. Sometimes the solution they use for this is down.
3. If anything is wrong at all (billing address/mistyped CVV/whatever), the transaction just gets refused at the end of this loop. Was it something you did wrong? Is some system down? Let's try again.
And sometimes this even messes up recurring subscriptions. My Microsoft 365 Business sub that's billed monthly on a credit card GETS REJECTED EVERY TIME UNTIL I MANUALLY GO THROUGH THIS STUPID PROCESS.
It has made paying for things online a chore. I couldn't care one bit about all the fraud this presents, because I was never liable for it in the first place. That decision was previously up to the merchants (who could have implemented all of this if they wanted to). Now it's forced on everyone.
tbf that's more an issue with incompetent software devs and more importantly (lest someone accuses me of shifting the blame on devs like a clown would) horrible business product owners. My hope is that Biden's executive order on SBOMs and whatever thing like it which the EU probably has in the works will (unfortunately only slowly) shift the way in which the way business treats software development affects software development culture. (SBOMs may sound completely tangential to this, but in the long run they have a pretty important role to play here.)
Two-factor authentication is my least favorite thing about PSD2. Back in the day I would simply memorize my credit card data, and was free to buy anything online, anytime. It also gave me confidence during the vacations abroad that if i get mugged on the street I will still have access to my money. Now I need to keep my phone close for SMS codes / mobile app authorization, and I need to keep a backup phone just in case my primary phone breaks/gets lost/is stolen.
There was a study done on a tribe of wild monkeys where mutual grooming to remove ticks/fleas/lice happened. Some monkeys 'cheated' and didn't pay forwards the grooming they received. The study concluded that as long as cheaters were less than 5% of the population then mutual grooming continued. when the number of cheats exceeded 5% the system broke down and no mutual grooming happened for some time.
It seems that a society can bear a certain amount of cheating before the system breaks down, a 'tipping point' of sorts. As long as we keep the cheating below the tipping point, the game continues, which is after all the most important aspect, I think.
From the title, I thought it was a reference to the book Lying for Money by Dan Davis. Anyways, the book is an brilliant exploration of this premise and also makes the case for why trust is necessary.
I thought the article was going to go in another equally compelling direction. If there is no fraud, measures to prevent it become lax because they are unnecessary costs. With no measures in place, fraud comes back because there is no cost to the fraudster.
What an extremely, needlessly elaborate way of saying "security vs. convenience is a tradeoff." Indeed it is, and that's not a particularly novel insight.
"security vs. convenience is a tradeoff" is an extremely glib and meaningless aphorism that is instinctively innate to almost every living organism.
The statement obliterates the nuance of which tradeoffs need to be made and the cost and impact of those tradeoffs from an economic and social perspective that are foundational to being able to reason about risk.
I wouldn't put it that way, but I would agree with anyone saying that statement omits a lot of information. Sure, it does, and it's pretty much the most general and abstract possible way of saying that. My beef with the article is that, despite its truly gargantuan word count, it hasn't added any new information on top of that statement. Once you know the thesis of the article is "The optimal amount of fraud is non-zero because security is a tradeoff and you want users to have convenience," everything in the article is pretty predictable.
I would have liked to see, say, some nuts-and-bolts discussion od fraud handling in some particular industry -- that would be novel and interesting to me.
It sounds more morally acceptable to say, "The optimum level of anti-fraud enforcement does not eliminate all fraud." It's not that there's a nonzero amount of fraud that is optimal — all fraud is bad — but rather that the return on efforts to eliminate the last bit of fraud is negative.
Unfortunately this is mostly an American issue. CC fraud in Europe is minimal because cards have an embedded PIN required for each transaction. In addition, when purchasing online, an instant pop-up on your mobile phone asks you to approve or decline the transaction within 2 minutes. Contactless transactions under $25 do not require PIN or pop-up verification. These options are considered inconvenient for American consumers so we eat the fraud and sign receipts like is 1989 :-)
This sort of thinking has been prevalent in the payments industry for a long time, and I find it infuriating.
The article is specifically limiting its discussion to situations where a payment credential is stolen. Those cases cost $10-20B per year.
This is HN, so most people here can figure out how to secure payment credentials, especially given the assumption that each credit card contains a tamper resistant computer with durable storage (as they currently do).
Instead of ending credential theft (at least in cases that don't involve violence/coercion), the payment networks pass the cost on to vendors, then advertise fraud protection as a feature to card holders.
This only works because the payment processors' monopoly prevents the merchants from fixing the underlying security issue.
So, the payment networks charge the merchants a large percentage of sales (imagine what your local government could implement if it increased sales taxes by 3-5%!) to supposedly pay for fraud protection.
This is exactly like a classic protection racket, except that the thugs that smash up the business don't actually work for the credit card companies.
(I do agree with the premise that driving crime to zero is usually not worth the cost, but that's just "Innocent until proven guilty", and not the subject of the article.)
Merchants are even more lax about card fraud than banks. The National Retail Federation complained about the cost of upgrading to chip readers. They asked the government to force banks to eliminate PCI DSS which would make it even easier to commit credit card fraud. PCI DSS is compliance not security but without it retailers would literally do nothing. Some retailers tried to get customers to switch to QR code payments linked directly to your bank account. One of these payment apps CurrentC was immediately breached.
Smart cards were also breached before the US switched to them.
I'd object to paying for PCI DSS if I were them, to be honest. The idea that every merchant (or credit card reader) even has access to credentials is ludicrous.
The currentc was of email lists, not the payment flow. It's embarrassing, but still a better track record than the existing payment processors (which probably suffered 10,000s of payment flow breaches as I typed this.)
Especially if the burden of proof of fraud falls mostly on the consumer. This is how it works, we don't know the actual ratio of fraudulent vs ok cases so we compare accross institutions. If one institution is an outlier than arbitrarily changes the acceptance threshold pushing the cost to the grieving consumer.
If on the other hand the cost of misidentifying a case fell on the institution then they would simply accept only personally identified payments e.g. sms or other 2fa at virtually no cost for them and effectively zeroing fraud
In some places with more modern banking, this is pretty common
245 comments
[ 4.5 ms ] story [ 325 ms ] threadNo, this fraud argument does not apply to child abuse or sex trafficking. The reason is because the fraud argument is talking only about direct financial loss of fraud compared to direct financial loss of enforcement. The fraud argument doesn’t actually work if we’re talking about individuals losing their savings, it only makes sense if you assume the cost of fraud is borne by banks, and that it’s a marginal cost and does not bankrupt anyone.
There is no amount of money that makes the damage done by sex trafficking or child abuse okay, and there is no reasonable way to convert the damage done by these crimes into money. To suggest that the optimal amount is non-zero would only be an externalizing of the damage and costs of such crimes, and to essentially reduce our morals to money. And that’s exactly what this very argument does in other contexts; it externalizes non-financial damage, and sometimes financial damage too. This argument is made in other contexts, and it’s sometimes wrong and/or full of assumptions that aren’t true.
We could imagine extreme hypothetical situations that might clarify the argument or how to think about it - is it equivalent if 1% of people suffer a 100mm knife wound or 100% of people suffer a 1mm knife wound? The 1% would all die. In the other case, everyone suffers a mild inconvenience they forget about by tomorrow. Despite the equal amount of flesh damage, these are not remotely equivalent, and thus can’t be compared or declared as optimal. The type of damage done matters, and the number of people affected and amount of damage done to individuals matters.
Beware arguments that reduce negative outcomes to money. These tend to favor businesses (who are biased to prefer less regulation) and tend to externalize all the indirect costs and the costs to society. This is exactly what has been done with regard to pollution over the last century - it has been successfully argued that the optimal amount of pollution is non-zero, and we’re starting to see the consequences of that and pay costs for decisions made long ago. There was a pretty good paper I read [1] that re-evaluated these arguments for several specific large public works projects in the 50s through 70s, where the post-facto costs and outcome benefits calculations were shown to be different by orders of magnitude compared to when the decisions were being debated. IOW there is good historical precedent-based reason not to trust someone who claims the damage will be minimal or equivalent to the case where we put some effort into minimizing it.
[1] https://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?a...
I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here:
>We should, as a society, accept non-zero amounts of benefits fraud. We should accept non-zero amounts of cheating on taxes.
I’d much rather see a few people who didn’t need benefits manage to claim them than see people who do need them be left without. The first option costs tax payers a bit more money. The second results in people’s lives being made significantly worse, and in some cases in deaths.
I grew up in an area where many parents could afford (maybe if they budget carefully, maybe just anyway) to privately educate a child. But they mostly didn't, because the government funded schools were pretty good. In fact, as children it was actually a minor stigma to be privately educated, because if your parents are spending a lot of money on the fancy school, either they don't know how to spend their cash (so they're stupid) or you're really stupid and they sent you to that school in the hope of making up for it. It was seen as like easy mode. Smart kids don't go to private school, why would they waste the money?
The first option costs taxpayers significantly more than a ‘bit’.
Just look at how much it cost when they basically turned off all the checks in order to get covid relief into the hands of people who really needed it. In Arizona, after a while, they made it so you had to sit on (virtual) hold for 8-10 hours to verify your identity with a human or they would cut you off. Which worked well enough to ensure only the people who really needed it went through all the hassle. It really sucked for those people but they stopped sending billions of dollars overseas to people who just googled someone’s address.
Incidentally, this shows that the 'perfect' ethical stance is not necessarily the one that delivers the most benefits at the least cost, aka when ideals meet the real world...
It’s like saying that the optimal dirtiness after cleaning your house is non-zero (greater than zero) because cleaning it perfectly takes much more effort than it is worth!
That’s not counter-intuitive at all. It’s just an obvious fact stated in a silly way (for clicks or whatever else).
And the argument that more stringent anti-fraud protections increase the burdon on legitimate claimants is absolutely spot on, and has parallels in all sorts of other legal, financial, and market situations c:
It's not just stated in a silly way, it's stated in a way that's incorrect because they didn't mean what they said. "The optimal amount of fraud is nonzero" does not actually mean the exact same thing as "in an optimally-beneficial fraud prevention effort, the amount of fraud is non-zero".
But the very point of the article is to not take zero-fraud in isolation and instead, explain how non-zero-fraud is an unavoidable tradeoff when balancing 2 simultaneous goals:
- (1) prevent fraud transactions as much as practically possible
- (2) make legitimate transactions as easy as possible
If one accepts the premise of pursuing those 2 goals at the same time, then by definition, we're no longer talking about "in isolation". You've now unavoidably entered non-zero fraud territory.
Perhaps it's the author's particular wordsmithing of what he's trying to convey that just rubs many readers the wrong way.
Yeah, but that phrase won't get any clicks.
I gave up about half way through the article and just skimmed through the rest.
The post makes it clear that the discussion is not about theory or taking anything in isolation - it's about fraud in the real world. In that context, the way it's stated is correct - if you have zero fraud in the real world, that means that you designed the tradeoffs wrong and that the cost of your fraud prevention (in terms of actual dollars as well as inconvenience to customers, etc.) is greater than the overall cost would be if you allowed a small amount of fraud to occur (looking at the total cost of that fraud as well as the cost of preventing additional fraud).
I suppose the problem is that whether or not the title of the post is true or not depends on the context in which it's taken, and the title itself doesn't have any context. Since the post does offer context, though, I think it's reasonable to take the title in that context.
However, I'm not nearly as breezy about $20 billion annually in fraud. Maybe that's fine from the perspective of the merchants and credit card networks. But from the societal perspective, that's subsidizing bad actors. People and groups who will not stop at one kind of crime as they try to grow. People who will divert other people into being parasitic. That's not healthy for society or for the individuals who end up living lives of crime.
So I think the society-optimal level of fraud is way below the merchant-acceptable amount of fraud.
That's not quite what I got from the article. I read it as the more friction you put in place to prevent fraud, the harder it is for legitimate transactions to happen. Therefore, it's not so much about the cost of the fraud, but the opportunity cost of legitimate transactions which don't happen in the zero-fraud environment.
Actually, now I'm thinking about it emotionally as well. Best way to prevent myself from getting hurt is to close off as much as I can. Also the best way to prevent myself from feeling joy and all the other things I want to feel.
So thank you for this reminder.
If we view those repeated tricks as business as usual - we should probably make them accessible to everyone. Otherwise the small fraud becomes rampant.
1. Pass the cost towards self regulation of people, using client facing measures e.g. prove their innocence if they are an outlier
2. Catch a couple of cases and over market your policing ability to disadvantage the most gullible.
3. Catch a couple of cases, even minor infractions and destroy them with disproportionate fines or jail sentences, economy of randomness or economy of those who have the best lawyers.
Fraud against government, as above but add:
4. Add arbitrary constraints, you don't really want the system to work, you just fake it for political reasons
“It is better that ten guilty persons escape than that one innocent suffer”
At some point in pursuit of “0 crime” you will be imprisoning 10 innocent men to capture 1 criminal.
To put it another way you're forgetting the victims. The 10 fraudsters made 10 people suffer. their suffering needs to added to the equation
The current system from that perspective works great. You have to get pretty unlucky to get convicted as an innocent, especially in this day and age where a cop’s testimony isn’t worth nowhere near as much as it used to be.
And morally alone it’s far worse to wrongfully convict an innocent person than to let a guilty one go free.
We can start with payment. What would someone pay with? Credit/debit numbers can be stolen. Checks can be stolen or forged. Cash can be counterfeit. What form of transaction has zero chance of fraud?
To make transactions available to people you need to introduce systems that can have fraud in them. There is a balance between availability/ease and fraud.
With the intent to incentivize and train criminals to stay small and low impact.
If you're a retail platform, and you have a few scammers making a few grand of 20-100 dollar scams. You can play wack a mole with them and then that keeps people doing that small fraud rather than leveling up and potentially doing crimes that could endanger the whole business with the exposure.
If your incentive is to have zero fraud, the organization will find ways to not detect fraud or add so many controls and audits that the cost of doing whatever will go up.
There’s a balance. In the tax world, the de-clawing of the IRS for certain things have dramatically impacted compliance. You want enough enforcement that you’re discouraging median cheater, but not so much the cure is more expensive.
This isn't hypothetical; it's the issue underling the "program design" controversies about means-testing in public policy.
(And of course, if you did want to maximize tax revenue, you'd focus enforcement on the big fish.)
And benefits are for helping people who are in poverty.
I really enjoyed the whole thing.
If you think the optimal amount of crime is greater than zero, at some point we are clearly using different applications of the word optimal. One person is talking about the level under the optimal “solution”, while the other is talking about one constraint that still must be balanced against other constraints. The optimal amount of fraud spending is zero, but then we’d be left with a ton of fraud.
> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.
You encounter well known tension pattern several places. For instance, in safety critical systems there's a tension between safety and progress. Or take IT-sec industry; tension between usability and being secure.
Risk is never zero and achieving it prevents everything.
I would disagree with the world “optimal”. The optimal number of fraud and rapes is both zero, but unfortunately we don’t really have the realistic ability to achieve that.
It's really a simple cost-benefit calculation; the cost of preventing the last 0.1% rape on earth is surveillance cameras in every home and egregious violations of privacy, obviously the cost of such a scheme is probably not worth it.
The simple observation is that there are tradeoffs: in exchange of preventing <bad thing>, we have to give up <good thing>, at some sort non-linear curve. The cost of rape prevention goes up with each rape prevented, there reaches a point where the cost is no longer worth it and we should call it a day.
People can (and do) argue all day about the point where the marginal cost of rape prevention is too great, but I'm fairly certain most would agree that it's not infinite.
Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...
And it takes a while to become that realistically cynical about retail work. We were actually treated pretty well, had mostly friendly customers, and got along with management. At least at the time.
FWIW I strongly doubt that people who say things like that ever really intended to buy the thing. If you were really planning on buying a $300 expresso machine today, are you actually going to change your mind because you had to wait an extra 5 minutes?
Sorry, I didn’t understand this part. Did he expect to cut in line because he wanted to buy the machine rather than a drink? I don’t get what you were supposed to have done differently. Or maybe I do, but the expectation doesn’t make sense to me, I have never seen anything like that done anywhere.
It's not a crazy idea; we appeared to have some spare capacity for it (although we really didn't). And he may have spoken to someone else about it earlier. It also wouldn't have been unreasonable to expect that once he got to the front of the line he would have been directed to the other register to wait anyway. He may have been trying to minimize the disruption he caused to the line. He may have also thought the line was too long and we should have already opened up the second register. We were very efficient with a single-register flow, but customers always tried to start up a second line before it was really necessary.
I'm not confident I did the right thing by him; just that there may be situations where losing a $300 sale may be the most profitable choice.
- The optimal amount of fraud in society is 0
- The optimal amount of fraud a business/industry should accept is non-zero
The simple observation that the cost to prevent each marginal fraud attempt increases; the last 0.1% of fraud costs way too much to prevent compared to the first 99%. Obviously society would be better off if fraud didn't exist, but since it does the effort expended is only worth it up until when the marginal cost of prevention exceeds an acceptable threshold (when it starts to lose you money).
The optimal amount of fraud is still 0, but the optimal amount of fraud prevention lies somewhere on the margin.
This is why important transactions like banking have KYC checks, and buying a pair of sneakers don't.
"Clickbait light"
Bad Things(tm) are useful for testing and improving safety/security, and when I see people/institutions with no experience reacting to Bad Things(tm), I know they're in for a world of hurt when it does happen.
Perhaps you mean, the optimal amount of fraud that isn't prosecuted... or not detected... ? Even then, I'd argue that there's a tiny percentage that's useful for keeping the safety/security industry on its toes and at the ready.
As a proof point, if you believe that war (world peace) is not a solved problem, then it's only a matter of time before your city/region/civilization/race faces an existential threat, for which the only true preparation is to be ready to innovate and mobilize.
Sorry if this comes across as dark. I mean it in the same vein as having a small percentage of farmers is desirable.
By contrast, I visited a traditional silk factory in Stockholm (amazing btw) and the craft has been lost to the point where they're struggling to find craftspeople able to work their looms and other old equipment. See Jonathan Blow's excellent talk about lost technology: https://www.youtube.com/watch?v=ZSRHeXYDLko
I believe buried in there is one other factor that is somewhat related:
- reducing friction helps drive more legitimate business. Accordingly, over-aggressive anti-fraud practices can result in reduced sales.
A toy example: a business could eliminate exposure to credit card fraud by not accepting credit cards. That would however reduce overall sales.
I guess this can all fit within a “marginal cost” explanation though.
Yes, but it undermines the first point, a bit. There's costs-- direct and social costs-- to making transactions hard; so perhaps optimal for a society is still not 0.
Also, there's nothing to say that the amount of fraud is stable and that we can't find a world where we have better mechanisms to reduce it for the same cost. (Improved technology, legal structures, norms, etc).
A very real example in retail. I can minimize the possibility that I'll be hit with fraudulent returns. Require a receipt, short window, store credit only, must be in like new condition with all packaging, etc. (Or just sell everything on an all sales are final basis.) Different stores do many of these things to a greater or lesser degree on at least some merchandise. But you'd probably better be offering really good prices if you do.
A business could eliminate all fraud, abuse and theft of every type by shutting down completely.
- X is ipso facto bad. The optimal amount is zero.
- X is traded off against Y actually, so in general equilibrium with Y, it's nonzero.
And the above pair could be:
(Covid risk, attending fun parties)
(Risk of getting hit by a car, being able to walk anywhere)
(Discrimination in society, administrative costs of anti-discrimination laws).
The list goes on. It's a simple concept in decision theory, rehashed with an attractive title.
Speeding is another example: the cost (or risk) might be acceptable to you but not to the person you have an increased likelihood of hitting and doing serious injury to.
At a societal level, it holds, which is why we invest in measures to increase the cost of doing the wrong thing (speeding tickets, removing licenses).
Or consider a simple non-financial example: I left half a dozen pears on the tree this year--getting those last few pears would have required hauling a 50 pound ladder around the house and then struggle with setting it up. (Due to it's size it's a lot harder to handle than it's weight indicates.)
- Outsiders: It's good to keep members of your society fraud-savvy enough that they can safely travel & do business outside your society...without being easy marks for fraudsters.
- Stability over time: If your society somehow gets fraud down to ~0, that'll lead to big cut-backs in anti-fraud efforts, "end of history" dreamers proclaiming that fraud has died, etc. Which is obviously a set-up for a sudden huge resurgence in fraud.
Especially if we broaden fraud to include other crimes. There are costs to prevent other badness in society as well. Firstly it's the cost in taxes/allocating resources to its prevention: Do we really want to allocate a really large chunk of our shared human capital to police marginal criminal activity? How much more polices, judges, attorneys, lock makers, etc would we need to stop the last bike theft?
Secondly and arguably more importantly is the cost of freedom. A lot of the digital surveillance initiatives that are discussed and dismissed here on HN are enforced in the name of zero tolerance against (really bad) badness in society.
I think its hard, or impossible, to create a somewhat large society with zero crime rate. At least if we still want even just a sliver of the freedoms we are accustomed to in liberal democracies.
Don't make it illegal-but-not-enforced. Because then, whoever is in power can selectively enforce the law against any group they choose.
I can't think of any resonable society that have taken actions to show that they want the probability to be 100%. I would even argue that the most harsh dictatorships probably have the highest enforcement, but that laws were/are very selectively enforced in the favor of e.g regime officials.
The difference is significant, because if you discover a way to significantly reduce fraud for a low cost (including cost of freedoms and similar), it will be worth implementating. And there isn't some point where you say "we are already down to x% fraud, we don't want to go any lower than that, even if it doesn't cost us anything".
So then we may ask: “what is the optimal amount of fraud in society such that the costs of legislation, education, and enforcement do not exceed X% of GDP?” and that is a different question. You might also throw technology and R&D in there because new tools make it easier to investigate fraud. Of course new technologies also open up new possibilities for fraud, so this is a very complicated exercise. But I think it’s fair to say that given any reasonable constraints, the optimal amount of fraud is nonzero.
But, besides that, the task of interpreting the results and of potentially selecting new constraints or even a new objective function is a separate matter. Perhaps we should be seeking to maximize trust rather than minimize fraud in society. But then we have to ask ourselves: “what would that look like?”
[1] https://en.wikipedia.org/wiki/Mathematical_optimization
The classic principle of Anglosphere common law is that its better to let 10 criminals get away with it than to convict 1 innocent person. The same idea applies to fraud because overzealous fraud prevention causes problems for legitimate users whose actions incorrectly get detected as possible fraud. The benefit to tolerating a low amount of fraud is that your product won't be hostile to your legitimate users. The benefit to tolerating a low amount of crime is that you will live in a free society rather than a dystopian tyranny. Freedom is good and it is worth giving up quite a bit of safety for the sake of being free.
At this point you're just playing with the definition of crime. I would argue that it is criminal to deprive an innocent person of their freedom, and challenge that your proposed scenario is actually "zero crime".
Secondly, you talk of catching "all of the criminals". In a "zero crime" environment there are no criminals - by definition if there is a criminal, then a crime has been committed at some point.
All that said I agree with your larger point - the cost of freedom is that people are not constrained before the fact from committing crime, and that's a good thing on the whole.
do you see how with the framing your proposing it’s extremely difficult to reason? might even be impossible.
It is especially important nowadays because unlike back then where technology was limited and surveilling 100% of the population was impossible, it is very much possible today and is already being done in certain places such as China.
Nazi laws weren't moral, as it's not moral today to demand half of my profits or I go to jail.
But the whole point is that we will never universally agree on a morality because society's overall preferences shift over time. So targeting zero crimes never makes sense.
But patio’s argument is that since he works for the fraud department at Stripe payments, he wants fraud to exist so he can keep his cushy job.
Ask the police about the optimal amount of speeding tickets.
The article was kind of long-winded so I didn't read it all. But has a catchy title. So is the title about
a) Optimal amount of fraud to the society at large?
b) Optimal amount of fraud to the businesses which suffer a loss because of it?
c) Optimal amount of fraud to the customers of such businesses?
d) Optimal amount of fraud to the chief of fraud-prevention department?
e) Optimal amount of fraud to the fraudsters?
> ts better to let 10 criminals get away with it than to convict 1 innocent person.
is arguably false. it forgets that 10 criminals had 10 or more victims. If you optimize for the least number of victims then it's easily possible that convicting a few innocent people has a net positive in lowering the total number of victims including the victims of being wrongly convicted
to put it another way, perfect is the enemy of good. In this case if in pursuit of perfection of having zero wrongly convicted you end up causing more victims of criminals then you've arguably failed
I also believe that it’s better to let 10 criminals get away with it than it is to wrongly convict 1 innocent person. And I’m fairly sure that all the innocent people who were unfortunate enough to go through the court system would agree with me.
Also, not every crime must have a victim. There are a million victimless crimes.
Yes, it’s also debatable whether those should even be crimes (in my opinion - no), but the argument that 1 crime = at least 1 victim is flat out false.
also you too made the exact same error. you discounted the victims of the criminals. yes the 1 innocent wrongly convicted is bad but what about all the innocents that are victims of the criminals. You absolutely have to add those innocents to your total of how many innocents you helped
if you catch 10 serial killers and 1 happens to be innocent you still saved 9-18-27 lives in exchange for one innocent. If because of over zealousness of zero innocents being caught you only catch 5 serial killers you saved 1 extra life and forfeited 5 to 15 others
You arguably believe what I'm saying. no law enforcement can be perfect so it's guaranteed that innocent people will be mistakenly convicted. The only logical conclusion is if you truly believe there must be zero innocents convicted then you believe law enforcement should not exist since there will never be perfect law enforcement
Yes, but 10000 crimes can also have 0 victims.
- A utopia where people don’t defect in prisoners dilemmas (most types of crimes like shoplifting: the store won’t have to hire loss prevention and cashiers, and you pay less for their reduced costs) is ideal, but:
- Such a utopia doesn’t and can’t exist because defection individually increases utility at the cost of everybody else. Hence cashiers, loss prevention, KYC, etc.
Thus the real world is a careful optimisation problem where we have to search for an equilibrium at which society as a whole benefits the most. People can argue all day about where this is, because the trade offs involved are non-obvious:
- More surveillance means, all else being equal, less crime, but police officers can defect too and only arrest minorities and use said surveillance for something else, etc.
The problem is walking through a very high-dimensional search space, and we humans are had at it. There’s no real solution though, because individual incentives don’t line up to solve it.
Because its canonical formulation uses defection as a way for law enforcement to catch criminals.
Similarly, people who reliably cooperate in prisoner's dilemmas can run cartels and conspiracies much easier.
Also The invention of Lying: https://www.imdb.com/title/tt1058017/
It's also not a question of any particular interest; you're interested in what maximizes (good - bad), not what maximizes (good / bad).
So I guess I did mean optimal in two different ways. One is a utopian cooperative paradise, the other an optimisation problem for an optima where businesses make the most money and society overall is richer than if business activity got crippled.
Eg here’s an online free source but any dictionary will tell you the same. https://www.wordnik.com/words/optimal
Banks do KYC checks because it is required by law, not because it does anything to reduce fraud. Fake IDs are a thing. Requiring identification does not make transactions safer without a lot of other stuff happening too.
It's just the political / societal implications. These are beyond "hey it's expensive for banks to cut down on fraud"
I disagree with the "banks should allow certain levels of bank fraud because X" for the simple reason we don't have "banks should provide interest free funding to murderers, sex traffickers, pornographers and drug ring" even though that is often the same thing. (And in a two page HN thread I am sure I am not the first to say that)
(#) someone else mentioned the difference between ideal and optimal which is a very good distinction.
It took us a decade and counting to get chipped cards, longer to get contactless pay, and even then we don’t really use the PIN part of chip+pin. Something like FedNow is only coming next year.
I mean every central bank could tomorrow just put up a non-permissive (#) blockchain and just make a virtual coin for every cent out there. And this would cause utter chaos. It would essentially end fractional reserve banking. That makes loans ... difficult.
The impacts are enormous, but a digital native currency is so simple, so attractive we may well try it. And then have to rethink our financial regulations. It will look a lot like ICOs.
I still think it is inevitable.
(#) ok the terminology I find either dubious or I misunderstand but basically every wallet holder gets their private / public key registered, then there is a known state of money globally, and the Bank is a verifying party to each transaction. Something like that anyway. Theee are many options but essentially if we all "trust" the money printer then the technical problems simplify.
In The Netherlands, direct online payments using debit cards are very common. These are secure payments, verified through a bank’s mobile banking app or internet banking with 2FA.
https://en.m.wikipedia.org/wiki/IDEAL
This means there is no risk for the seller that a payment gets reversed. There is fraud, but it centers mostly on social engineering people to authorise payments for others, or to mail their debit card to “the bank” for “recycling”.
Cost per payment: about 30 cents.
Meanwhile, in other countries, credit cards are the common online payment option. Security? A number on the front of the card and a “secret” second number on the back of the card.
Cost: 1.5-3.5% of payment.
Better security is possible, but it’s hard to move from a local optimum when you’re locked into a certain ecosystem.
The credit card no-security scheme works because everyone gets reimbursed for fraud. It comes at the cost of retailers handing a few percent of every transaction to intermediaries, instead of just a few pennies.
Not only is it feasible, we've had it forever. BankOfEnglandCoin is more commonly known as the pound sterling.
I think a clean simple version is appealing - it's kind of the case for Bitcoin as a whole. Unfortunately they people attracted to that case did not realise that 75%+ of regulation and layers is trying to protect people from sharks.
Let's make that: "The optimal amount of fraud a business should accept under the current credit card online payment system is non-zero".
There is absolutely nothing intrinsic about online commerce that requires fraud. Online business routinely operate with a money first, zero consumer trust paradigm. They ask for my payment credentials first, and only then deliver the products.
If we were to design the online payment system from scratch, we would use cryptography to completely remove the notion of credit card theft, and escrow to settle consumer complaints, with an option for paid arbitration when things go bad. I guess you can call some of those cases "fraud" and some customers are so unreasonable that they border on criminal, yes, you can't make that segment zero, but I don't think that's the kind of fraud they are referring to.
The reason we can't have those nice things is because of immense momentum of the current system designed in the 60s by companies that have very little reason to change anything. In fact, an online payment reform would most likely strip them of their oligopoly. So yes, the optimal fraud level is non-zero because Mastercard, Visa etc. can push that fraud onto consumers (via retailers), and they are making much more money anyway from the current situation.
Targeting zero payments fraud does mean the business has to bear the costs of the fraud prevention measures, but their customers also have to bear intangible costs, like the annoyance of a detailed, invasive know-your-customer process before being able to buy anything.
But if I'm a user of this computer system that targets 100% uptime, I don't have to see any of the downsides/costs that the business incurs to try to get that uptime. I just see great uptime, and it's all rosy for me.
I think it's important to acknowledge that, in pursuing lower (or zero) fraud, both the business and its customers have to bear costs related to that goal.
If you had zero fraud in society then nobody would build in any defenses against fraud at all.
You'd have a society of completely naive and trusting souls, which sounds blissful until someone wakes up one day and realizes that they can commit as much fraud as they like since society has no defenses against it.
It is like saying that the optimal amount of disease is zero, but if you have never had your immune system challenged by any kind of disease, then the first virus you come across will probably kill you.
Your suffering from childhood colds and getting burned by something like the car-out-of-gas scam help build defenses.
With disease, the optimal amount is likely still zero. The immune system we have is not great, its only selection criteria is to keep people alive long enough to have children and keep them alive long enough so they can. We're beginning to understand, like with HPV, that anything from a life threatening case to an asymptomatic one can cause lifelong changes in the immune system and either cause or increase lifelong risk of non-infectious diseases.
And that's setting aside that we can, for example, just eradicate certain diseases if we set ourselves to it. Polio, smallpox, and hopefully malaria.
If we could eliminate certain kinds of fraud - through education, through making it impractical - that seems good, yeah?
And my gut reaction to the title of the article is that we really need less fraud and that we're very, very far from optimal right now. Although I'm not very concerned at all about fraud against government programs to help the disenfranchised. I'm more concerned about the endless e-mail, phone scams, door to door scams and all the stuff that prey on the elderly and vulnerable.
Similarly with the immune system it would be interesting to consider wiping out Epstein Barr and maybe eliminate Multiple Sclerosis, along with exterminating the mosquitoes that bite humans and cause disease.
But zero is likely not achievable or a stable optimum, and we're probably not going to cure the common cold or wipe out influenza and we may not want to (at least not without quite a bit of science fiction, global access to medicine and nearly 100% acceptance of vaccination in the population).
The person I replied to seemed to think that exposure to disease helps in youth? Certainly seems like a widespread idea, but I don't know how true it is.
Thus, the global optima is one where there is no fraud and everybody cooperates, but it's not a stable optima and we slide to the real world where there are tradeoffs for preventing fraud, and there reaches a point where rational actors deem the tradeoff unacceptable and thus accept some level of fraud.
If you carefully scrutinize any large election you can almost certainly find at least one example of fraud. However, isolated cases of fraud or human error are not evidence of widescale election rigging.
Except for a small number of cases involving pre-paid cards, I have never seen a merchant refuse to accept a valid credit card payment for an online purchase. I have however encountered and heard of cases of banks declining transactions they considered possibly fraudulent.
I loved the way American Express implemented it. They sent you a one-time passcode on your first purchase with the merchant, and then you could also choose for them to not bother you with any further purchases from the same merchant. I had this enabled by default, it made the experience a million times more enjoyable.
Unfortunately not everyone took AmEx, and I no longer live in UK (or a country where AmEx has presence for that matter), and the way banks in my current country of residence have implemented it is absolutely abysmal.
1. The billing address must be a match 100% of the time, which is painful in situations where you can't specify separate billing and shipping addresses and you want the item shipped to a different address (could be 3 for me)
2. Mandatory 2FA on every transaction, depends on the exact implementation, but typically you must wait for a notification on your phone, and then type in a PIN. In some implementations you have to scan a QR code, and then type in the said PIN. Sometimes the solution they use for this is down.
3. If anything is wrong at all (billing address/mistyped CVV/whatever), the transaction just gets refused at the end of this loop. Was it something you did wrong? Is some system down? Let's try again.
And sometimes this even messes up recurring subscriptions. My Microsoft 365 Business sub that's billed monthly on a credit card GETS REJECTED EVERY TIME UNTIL I MANUALLY GO THROUGH THIS STUPID PROCESS.
It has made paying for things online a chore. I couldn't care one bit about all the fraud this presents, because I was never liable for it in the first place. That decision was previously up to the merchants (who could have implemented all of this if they wanted to). Now it's forced on everyone.
[0] https://www.bbva.com/en/everything-need-know-psd2/
It seems that a society can bear a certain amount of cheating before the system breaks down, a 'tipping point' of sorts. As long as we keep the cheating below the tipping point, the game continues, which is after all the most important aspect, I think.
Like the whole troop owes one groom per day. But nobody can pinpoint who was the shirker.
The statement obliterates the nuance of which tradeoffs need to be made and the cost and impact of those tradeoffs from an economic and social perspective that are foundational to being able to reason about risk.
I would have liked to see, say, some nuts-and-bolts discussion od fraud handling in some particular industry -- that would be novel and interesting to me.
https://www.zdnet.com/article/chip-and-pin-is-broken-say-res...
The mobile popup is a reasonable mitigation though; it seems likely to limit fraud to small purchases, or encourage sim swapping, etc.
The article is specifically limiting its discussion to situations where a payment credential is stolen. Those cases cost $10-20B per year.
This is HN, so most people here can figure out how to secure payment credentials, especially given the assumption that each credit card contains a tamper resistant computer with durable storage (as they currently do).
Instead of ending credential theft (at least in cases that don't involve violence/coercion), the payment networks pass the cost on to vendors, then advertise fraud protection as a feature to card holders.
This only works because the payment processors' monopoly prevents the merchants from fixing the underlying security issue.
So, the payment networks charge the merchants a large percentage of sales (imagine what your local government could implement if it increased sales taxes by 3-5%!) to supposedly pay for fraud protection.
This is exactly like a classic protection racket, except that the thugs that smash up the business don't actually work for the credit card companies.
(I do agree with the premise that driving crime to zero is usually not worth the cost, but that's just "Innocent until proven guilty", and not the subject of the article.)
I'd object to paying for PCI DSS if I were them, to be honest. The idea that every merchant (or credit card reader) even has access to credentials is ludicrous.
The currentc was of email lists, not the payment flow. It's embarrassing, but still a better track record than the existing payment processors (which probably suffered 10,000s of payment flow breaches as I typed this.)
If on the other hand the cost of misidentifying a case fell on the institution then they would simply accept only personally identified payments e.g. sms or other 2fa at virtually no cost for them and effectively zeroing fraud
In some places with more modern banking, this is pretty common