245 comments

[ 4.5 ms ] story [ 325 ms ] thread
Is this something that could be argued about other sorts of crime as well? In particular, in the ongoing fight against encryption that has been widely commented on HN multiple times, can (or should) one (safely) argue that e.g. the optimal amount of online sex trafficking and child abuse is greater than zero? What would be the consequences of taking such a stance once it inevitably reaches public discourse?
You could argue that but as you expect your opponents would quickly paint you as being pro-X. Every decent person would prefer zero child abuse, but few people would support having mandatory police surveillance cameras installed in every room in their house, even if such a panopticon would be proven to reduce significantly child abuse. Us meatbags are irrational like that.
Governments do make that choice through prosecutorial discretion
Its not a choice of amount to leave out there, its a choice of how much defense to allocate.
> can one argue that the optimal amount of online sex trafficking and child abuse is greater than zero?

No, this fraud argument does not apply to child abuse or sex trafficking. The reason is because the fraud argument is talking only about direct financial loss of fraud compared to direct financial loss of enforcement. The fraud argument doesn’t actually work if we’re talking about individuals losing their savings, it only makes sense if you assume the cost of fraud is borne by banks, and that it’s a marginal cost and does not bankrupt anyone.

There is no amount of money that makes the damage done by sex trafficking or child abuse okay, and there is no reasonable way to convert the damage done by these crimes into money. To suggest that the optimal amount is non-zero would only be an externalizing of the damage and costs of such crimes, and to essentially reduce our morals to money. And that’s exactly what this very argument does in other contexts; it externalizes non-financial damage, and sometimes financial damage too. This argument is made in other contexts, and it’s sometimes wrong and/or full of assumptions that aren’t true.

We could imagine extreme hypothetical situations that might clarify the argument or how to think about it - is it equivalent if 1% of people suffer a 100mm knife wound or 100% of people suffer a 1mm knife wound? The 1% would all die. In the other case, everyone suffers a mild inconvenience they forget about by tomorrow. Despite the equal amount of flesh damage, these are not remotely equivalent, and thus can’t be compared or declared as optimal. The type of damage done matters, and the number of people affected and amount of damage done to individuals matters.

Beware arguments that reduce negative outcomes to money. These tend to favor businesses (who are biased to prefer less regulation) and tend to externalize all the indirect costs and the costs to society. This is exactly what has been done with regard to pollution over the last century - it has been successfully argued that the optimal amount of pollution is non-zero, and we’re starting to see the consequences of that and pay costs for decisions made long ago. There was a pretty good paper I read [1] that re-evaluated these arguments for several specific large public works projects in the 50s through 70s, where the post-facto costs and outcome benefits calculations were shown to be different by orders of magnitude compared to when the decisions were being debated. IOW there is good historical precedent-based reason not to trust someone who claims the damage will be minimal or equivalent to the case where we put some effort into minimizing it.

[1] https://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?a...

Thanks for the in-depth reply - that's exactly the sort of fuel for the mind that I hoped for when posing my questions.
I feel like this starts with an agreeable premise. Some fraud is egregious, costly, and/or easy to detect. These low-hanging or high-impact cases are most worth pursuing. At some point you reach diminishing returns, where the amount of time / effort / capital you're putting in to eliminating fraud outstrips the losses from the fraud itself.

I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here:

>We should, as a society, accept non-zero amounts of benefits fraud. We should accept non-zero amounts of cheating on taxes.

I don’t know if that statement is backed by the article, which I will admit to not having read, but in general I agree. Completely eradicating benefit fraud will necessarily increase the burden on legitimate claimants to prove that they are in fact legitimate. Doing that is going to place enough burden on some people who should otherwise be able to claim that it results in them not doing so, or failing to do so because they were unable to provide the required evidence.

I’d much rather see a few people who didn’t need benefits manage to claim them than see people who do need them be left without. The first option costs tax payers a bit more money. The second results in people’s lives being made significantly worse, and in some cases in deaths.

Also, not means testing universal benefits means everybody appreciates them as just something their society does, so that reduces stigma for the beneficiaries and increases pride in your society. "We ensure children in this country have nutritious food" not "Why are my taxes going to feed this 10 year old whose mother has a full time job".

I grew up in an area where many parents could afford (maybe if they budget carefully, maybe just anyway) to privately educate a child. But they mostly didn't, because the government funded schools were pretty good. In fact, as children it was actually a minor stigma to be privately educated, because if your parents are spending a lot of money on the fancy school, either they don't know how to spend their cash (so they're stupid) or you're really stupid and they sent you to that school in the hope of making up for it. It was seen as like easy mode. Smart kids don't go to private school, why would they waste the money?

> The first option costs tax payers a bit more money.

The first option costs taxpayers significantly more than a ‘bit’.

Just look at how much it cost when they basically turned off all the checks in order to get covid relief into the hands of people who really needed it. In Arizona, after a while, they made it so you had to sit on (virtual) hold for 8-10 hours to verify your identity with a human or they would cut you off. Which worked well enough to ensure only the people who really needed it went through all the hassle. It really sucked for those people but they stopped sending billions of dollars overseas to people who just googled someone’s address.

Yes, we should not accept the existence of fraud. We should simply be able to recognize the situations where fighting fraud is more costly than letting it exist. Not that it really matters in most places since we are quite far from that point anyways.
This is not an ethical conclusion. This is a pragmatic and utilitarian conclusion where 'optimal' means minimising the cost/benefit ratio.

Incidentally, this shows that the 'perfect' ethical stance is not necessarily the one that delivers the most benefits at the least cost, aka when ideals meet the real world...

It feels like a very subtle is-ought distinction, where the author is discussing something that unavoidably is the case and therefore concludes that it ought to be the case and therefore ought to be accepted if not even welcomed. The marketing example makes this pretty clear. Of course no one thinks the marketing directory could spend zero on marketing. But…surely they would love to spend zero if they could still get what they wanted for zero money.
> I don't know that I agree with the ethical conclusion that the optimal amount of fraud is therefore non-zero. The leap from "anti-fraud efforts are expensive" to these sentences in the final paragraph was not, in my opinion, convincingly made here

It’s like saying that the optimal dirtiness after cleaning your house is non-zero (greater than zero) because cleaning it perfectly takes much more effort than it is worth!

That’s not counter-intuitive at all. It’s just an obvious fact stated in a silly way (for clicks or whatever else).

It's like cleaning old painted metal with a scouring pad; You want to clean thoroughly enough to take off the grime, but if you scour too long or too hard you'll end up taking off the paint itself. You'll always either leave a littke dirt behind, or take off some paint, never perfection. You could strip all the paint and repaint it, but that's so much more costly in terms of time and materials that it's a whole different task.

And the argument that more stringent anti-fraud protections increase the burdon on legitimate claimants is absolutely spot on, and has parallels in all sorts of other legal, financial, and market situations c:

That doesn't mean that the optimal amount is nonzero. Taken in isolation, the optimal amount is clearly zero. The optimal amount doesn't change based on the cost, the optimal amount of effort to expend is a different answer.

It's not just stated in a silly way, it's stated in a way that's incorrect because they didn't mean what they said. "The optimal amount of fraud is nonzero" does not actually mean the exact same thing as "in an optimally-beneficial fraud prevention effort, the amount of fraud is non-zero".

>Taken in isolation, the optimal amount is clearly zero.

But the very point of the article is to not take zero-fraud in isolation and instead, explain how non-zero-fraud is an unavoidable tradeoff when balancing 2 simultaneous goals:

- (1) prevent fraud transactions as much as practically possible

- (2) make legitimate transactions as easy as possible

If one accepts the premise of pursuing those 2 goals at the same time, then by definition, we're no longer talking about "in isolation". You've now unavoidably entered non-zero fraud territory.

Perhaps it's the author's particular wordsmithing of what he's trying to convey that just rubs many readers the wrong way.

> "in an optimally-beneficial fraud prevention effort, the amount of fraud is non-zero".

Yeah, but that phrase won't get any clicks.

I gave up about half way through the article and just skimmed through the rest.

> Taken in isolation, the optimal amount is clearly zero.

The post makes it clear that the discussion is not about theory or taking anything in isolation - it's about fraud in the real world. In that context, the way it's stated is correct - if you have zero fraud in the real world, that means that you designed the tradeoffs wrong and that the cost of your fraud prevention (in terms of actual dollars as well as inconvenience to customers, etc.) is greater than the overall cost would be if you allowed a small amount of fraud to occur (looking at the total cost of that fraud as well as the cost of preventing additional fraud).

I suppose the problem is that whether or not the title of the post is true or not depends on the context in which it's taken, and the title itself doesn't have any context. Since the post does offer context, though, I think it's reasonable to take the title in that context.

Good point. I agree with the overall thesis; there are a lot of things that get increasingly expensive as you approach perfection. (Perfection is still a useful guidestar, but each step toward it has to be made with costs in mind.)

However, I'm not nearly as breezy about $20 billion annually in fraud. Maybe that's fine from the perspective of the merchants and credit card networks. But from the societal perspective, that's subsidizing bad actors. People and groups who will not stop at one kind of crime as they try to grow. People who will divert other people into being parasitic. That's not healthy for society or for the individuals who end up living lives of crime.

So I think the society-optimal level of fraud is way below the merchant-acceptable amount of fraud.

One problem with credit card fraud is that it subsidizes the payment networks. Without it, most of their reason to exist would disappear.
> At some point you reach diminishing returns, where the amount of time / effort / capital you're putting in to eliminating fraud outstrips the losses from the fraud itself.

That's not quite what I got from the article. I read it as the more friction you put in place to prevent fraud, the harder it is for legitimate transactions to happen. Therefore, it's not so much about the cost of the fraud, but the opportunity cost of legitimate transactions which don't happen in the zero-fraud environment.

I appreciate how you phrased this. It has me thinking about how it might be similar for privacy and security in terms of information or even physical security. Yes, one can be super secure and safe from harm if one puts tons of locks on everything, but it also keeps out people who we might want to let in.

Actually, now I'm thinking about it emotionally as well. Best way to prevent myself from getting hurt is to close off as much as I can. Also the best way to prevent myself from feeling joy and all the other things I want to feel.

So thank you for this reminder.

Emotions are a little different though. The more you know how deep the lows can go, the more you appreciate even the smallest highs. There is a little utility in getting hurt.
The problem with accepting it is that people figure out repeatable tricks to get around the system.

If we view those repeated tricks as business as usual - we should probably make them accessible to everyone. Otherwise the small fraud becomes rampant.

Not an ethical conclusion but a pragmatic one. The ethical part is what you do after the fact:

1. Pass the cost towards self regulation of people, using client facing measures e.g. prove their innocence if they are an outlier

2. Catch a couple of cases and over market your policing ability to disadvantage the most gullible.

3. Catch a couple of cases, even minor infractions and destroy them with disproportionate fines or jail sentences, economy of randomness or economy of those who have the best lawyers.

Fraud against government, as above but add:

4. Add arbitrary constraints, you don't really want the system to work, you just fake it for political reasons

It’s also, in some sense, a formulation of Blackstone’s ratio:

“It is better that ten guilty persons escape than that one innocent suffer”

At some point in pursuit of “0 crime” you will be imprisoning 10 innocent men to capture 1 criminal.

not if letting 10 guilty esacpe breeds more and more bad actors. you can make the argument that a few innocent suffer is a net benefit for society in tne same way. in pursuit of 0 innocent suffering you will capture no bad actors

To put it another way you're forgetting the victims. The 10 fraudsters made 10 people suffer. their suffering needs to added to the equation

(comment deleted)
Nobody’s pursuing 0 innocent wrongfully convicted though.

The current system from that perspective works great. You have to get pretty unlucky to get convicted as an innocent, especially in this day and age where a cop’s testimony isn’t worth nowhere near as much as it used to be.

And morally alone it’s far worse to wrongfully convict an innocent person than to let a guilty one go free.

How do you achieve zero fraud in a transaction?

We can start with payment. What would someone pay with? Credit/debit numbers can be stolen. Checks can be stolen or forged. Cash can be counterfeit. What form of transaction has zero chance of fraud?

To make transactions available to people you need to introduce systems that can have fraud in them. There is a balance between availability/ease and fraud.

Bitcoin. It can easily be confirmed as valid (zero chance of counterfeit), and is otherwise a bearer instrument with no further settlement, and impossible to reverse (like cash).
Ah yes, and there’s a 0% rate of peoples wallets being stolen.
You are talking about simple theft, not fraud. Theft is always possible. Fraud is not possible with bitcoin. Not sure why I was downvoted.
The problem is not merely that the anti-fraud efforts are costly but that the anti-fraud surveillance apparatus will itself be value destroying. (In the tax case, it’s “people in democracies don’t enjoy their government having total visibility into their activities and society, in its judgment, says this is more important than tax collection at some margins.”)
I would think the strategy would be to encourage low impact fraud with lazy compliance and making a customer whole (Credit card chargebacks). And then hunt out and destroy high impact fraud.

With the intent to incentivize and train criminals to stay small and low impact.

If you're a retail platform, and you have a few scammers making a few grand of 20-100 dollar scams. You can play wack a mole with them and then that keeps people doing that small fraud rather than leveling up and potentially doing crimes that could endanger the whole business with the exposure.

Targeting zero is an immature approach that is self-destructive in most cases.

If your incentive is to have zero fraud, the organization will find ways to not detect fraud or add so many controls and audits that the cost of doing whatever will go up.

There’s a balance. In the tax world, the de-clawing of the IRS for certain things have dramatically impacted compliance. You want enough enforcement that you’re discouraging median cheater, but not so much the cure is more expensive.

The ethical issues of accepting nonzero fraud are that striving for zero fraud creates program design changes that lock people out of benefits. If you design a health care system that aims for 0% fraud, some measurable number of people are going to be deprived of care because the registration and billing procedures are too onerous. With taxes, aiming for 0% noncompliance will prevent people from taking advantage of deductions and credits.

This isn't hypothetical; it's the issue underling the "program design" controversies about means-testing in public policy.

Not to mention that enforcement has rapidly diminishing returns. Even if your only goal was to maximize tax revenue (minus cost of tax administration), and you didn't care at all about people being able to take advantage of deductions, the optimal amount of fraud is almost certainly non-zero.

(And of course, if you did want to maximize tax revenue, you'd focus enforcement on the big fish.)

It's analogous - reaching zero benefit fraud would impact legitimate recipients.

And benefits are for helping people who are in poverty.

That's a lot of words to say "to make fraud harder you have to make buying from you harder, the optimal amount of fraud is the amount of fraud you get when any additional measure you could take against fraud would lower your revenue more from lost business than it would lower your costs from people committing less fraud"
The title is wrong. The argument is actually that the optimal amount of fraud prevention is non-100-percent.
Exactly. The optimum amount of fraud is really zero. But in order to achieve last 0.00001% you may end up screwing up experience for about 99% of your customers by asking them to 10-factor auth and what not.
I guess this applies to all crimes, even major ones likes murder and child abuse. We can monitor everyone all the time, or make sacrifices to live in a more free society.

If you think the optimal amount of crime is greater than zero, at some point we are clearly using different applications of the word optimal. One person is talking about the level under the optimal “solution”, while the other is talking about one constraint that still must be balanced against other constraints. The optimal amount of fraud spending is zero, but then we’d be left with a ton of fraud.

This is an extremely long-winded article/blog to say the following

> the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.

You encounter well known tension pattern several places. For instance, in safety critical systems there's a tension between safety and progress. Or take IT-sec industry; tension between usability and being secure.

It's like a braindump of a thought-train trying to reach a simple conclusion rather than just stating the simple conclusion itself.
patio11 is good at many things, brevity is not one.
I work in IT/AppSec, and this came to mind immediately. Implementing perfect security would be "don't connect to the internet and don't let anyone use the computer". Clearly not an option, so my job is to analyze the cost and risks against the benefits and help choose a path of balance. A specific example: we can only heuristically detect the difference between legitimate and malicious calls to the public endpoints. Is that spike in traffic trying to DDOS us, or is it close to Black Friday so customers are in go-go mode? Setting the rate limits somewhere meaningful is a tradeoff.
Great analogy re. appsec.

Risk is never zero and achieving it prevents everything.

(comment deleted)
You could also use this reasoning to say that the optimal number of rapes is greater than zero.

I would disagree with the world “optimal”. The optimal number of fraud and rapes is both zero, but unfortunately we don’t really have the realistic ability to achieve that.

Obviously the optimal number of rapes is 0, but the optimal amount of rapes we should try to prevent is not infinite, and thus the optimal amount of rapes we accept as a consequence of the above policy is non-zero.

It's really a simple cost-benefit calculation; the cost of preventing the last 0.1% rape on earth is surveillance cameras in every home and egregious violations of privacy, obviously the cost of such a scheme is probably not worth it.

The simple observation is that there are tradeoffs: in exchange of preventing <bad thing>, we have to give up <good thing>, at some sort non-linear curve. The cost of rape prevention goes up with each rape prevented, there reaches a point where the cost is no longer worth it and we should call it a day.

People can (and do) argue all day about the point where the marginal cost of rape prevention is too great, but I'm fairly certain most would agree that it's not infinite.

The conclusion/title talks about fraud without any context, which is the misleading thing here. What he means to say is that we have to accept to not fight some fraud because it would be too expensive. The most expensive option perhaps being to not run a business at all, eliminating both fraud and proper sales.
When I worked Starbucks retail, we were subject to a "just say yes" policy. So when a couple came in and said they had forgotten some item, or never received it earlier in the day, I gave one to them without hesitation. It helped that I also recognized them as repeat customers. A co-worker said "you just got scammed" with disapproval. And I explained that I probably did, but we were required to do it even if we didn't want to. Otherwise we risked pissing off honest customers. Or maybe it just made more sense to spend the time serving the next 2 customers faster instead of being suspicious with 1 customer.

Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...

When I worked retail, I would give customers whatever they asked for because 1) it's not my stuff, 2) it belonged to a soulless corporation that did not need it, 3) I am not paid enough to be a store's loss prevention agent.
But Starbucks had this explicit corporate policy anyway, which lines up with the article and its principles.

And it takes a while to become that realistically cynical about retail work. We were actually treated pretty well, had mostly friendly customers, and got along with management. At least at the time.

I’m fairly brand-loyal to Starbucks precisely because of their relaxed attitude towards customers. I remember a few times in grad school going there to work for a few hours, using their wifi, and leaving without buying a single item. I never intended to do so, I just got lost in my work. I don’t think the baristas even noticed.
It's coffee with like 1000% markup, unsurprising they don't nickle-and-dime you further.
> he declared he would not be buying the $300 espresso machine he had come in to buy

FWIW I strongly doubt that people who say things like that ever really intended to buy the thing. If you were really planning on buying a $300 expresso machine today, are you actually going to change your mind because you had to wait an extra 5 minutes?

Oh I don't doubt it at all. Especially if all he had to do was go into any other Starbucks, or even Best Buy, on his commute or errands.
> Later on, though, I remember pissing one off when he had to wait in line behind people buying drinks and he declared he would not be buying the $300 espresso machine he had come in to buy. I wonder if my actions resulted in a net gain or loss to the store...

Sorry, I didn’t understand this part. Did he expect to cut in line because he wanted to buy the machine rather than a drink? I don’t get what you were supposed to have done differently. Or maybe I do, but the expectation doesn’t make sense to me, I have never seen anything like that done anywhere.

Our store had a couple registers on either end of an L-shaped counter. We didn't always open both. Our main register near the drinks was open and had a line. He approached me as I was doing some task near the other, closed register, which was also near where we stored the espresso machines for sale. So he didn't want to cut in line so much as to have me/us start a parallel flow for his purchase.

It's not a crazy idea; we appeared to have some spare capacity for it (although we really didn't). And he may have spoken to someone else about it earlier. It also wouldn't have been unreasonable to expect that once he got to the front of the line he would have been directed to the other register to wait anyway. He may have been trying to minimize the disruption he caused to the line. He may have also thought the line was too long and we should have already opened up the second register. We were very efficient with a single-register flow, but customers always tried to start up a second line before it was really necessary.

I'm not confident I did the right thing by him; just that there may be situations where losing a $300 sale may be the most profitable choice.

(comment deleted)
There's 2 different things going on here:

- The optimal amount of fraud in society is 0

- The optimal amount of fraud a business/industry should accept is non-zero

The simple observation that the cost to prevent each marginal fraud attempt increases; the last 0.1% of fraud costs way too much to prevent compared to the first 99%. Obviously society would be better off if fraud didn't exist, but since it does the effort expended is only worth it up until when the marginal cost of prevention exceeds an acceptable threshold (when it starts to lose you money).

The optimal amount of fraud is still 0, but the optimal amount of fraud prevention lies somewhere on the margin.

This is why important transactions like banking have KYC checks, and buying a pair of sneakers don't.

this explains things significantly better than the article, which seems to be little more than dragging out a surprising-sounding headline with a pretty obvious concept
The reason I went to the trouble of writing it was that many, many people in both business and the finance industry do not agree it is obvious and a good portion do not agree it is true, and they take actions consistent with those beliefs, which harm themselves and others.
To be more specific, the article mimics the topic of a counter-intuitive "surprising" truth (like, for example the goat problem; or flaws in human cognition), while letting the reader down by making an obvious, easy to understand truth unnecessarily complicated.

"Clickbait light"

That you think something is obvious is a fact about you, not about the world. People are not downvoting you because your English has any problems. They are downvoting you because they you’re wrong and arrogant.
(comment deleted)
That's your understanding of a discussion. Good one. Go pester someone else.
"optimal amount of fraud in society is 0" - are you sure? why?

Bad Things(tm) are useful for testing and improving safety/security, and when I see people/institutions with no experience reacting to Bad Things(tm), I know they're in for a world of hurt when it does happen.

Perhaps you mean, the optimal amount of fraud that isn't prosecuted... or not detected... ? Even then, I'd argue that there's a tiny percentage that's useful for keeping the safety/security industry on its toes and at the ready.

As a proof point, if you believe that war (world peace) is not a solved problem, then it's only a matter of time before your city/region/civilization/race faces an existential threat, for which the only true preparation is to be ready to innovate and mobilize.

Sorry if this comes across as dark. I mean it in the same vein as having a small percentage of farmers is desirable.

By contrast, I visited a traditional silk factory in Stockholm (amazing btw) and the craft has been lost to the point where they're struggling to find craftspeople able to work their looms and other old equipment. See Jonathan Blow's excellent talk about lost technology: https://www.youtube.com/watch?v=ZSRHeXYDLko

(comment deleted)
Your explanation is so much more succinct than the article!

I believe buried in there is one other factor that is somewhat related:

- reducing friction helps drive more legitimate business. Accordingly, over-aggressive anti-fraud practices can result in reduced sales.

A toy example: a business could eliminate exposure to credit card fraud by not accepting credit cards. That would however reduce overall sales.

I guess this can all fit within a “marginal cost” explanation though.

> I guess this can all fit within a “marginal cost” explanation though.

Yes, but it undermines the first point, a bit. There's costs-- direct and social costs-- to making transactions hard; so perhaps optimal for a society is still not 0.

Also, there's nothing to say that the amount of fraud is stable and that we can't find a world where we have better mechanisms to reduce it for the same cost. (Improved technology, legal structures, norms, etc).

>reducing friction helps drive more legitimate business.

A very real example in retail. I can minimize the possibility that I'll be hit with fraudulent returns. Require a receipt, short window, store credit only, must be in like new condition with all packaging, etc. (Or just sell everything on an all sales are final basis.) Different stores do many of these things to a greater or lesser degree on at least some merchandise. But you'd probably better be offering really good prices if you do.

And with all that effort all that friction, you still get hit with chargebacks no matter your policy for returns.
Yeah, the system is set up so the payment processors benefit from fraud.
> a business could eliminate exposure to credit card fraud by not accepting credit cards

A business could eliminate all fraud, abuse and theft of every type by shutting down completely.

Right, more generally:

- X is ipso facto bad. The optimal amount is zero.

- X is traded off against Y actually, so in general equilibrium with Y, it's nonzero.

And the above pair could be:

(Covid risk, attending fun parties)

(Risk of getting hit by a car, being able to walk anywhere)

(Discrimination in society, administrative costs of anti-discrimination laws).

The list goes on. It's a simple concept in decision theory, rehashed with an attractive title.

Some of those aren’t analogous. Your Covid example: there’s also the cost _to others _ of you catching and spreading it, even if the risk to you is lower.

Speeding is another example: the cost (or risk) might be acceptable to you but not to the person you have an increased likelihood of hitting and doing serious injury to.

At a societal level, it holds, which is why we invest in measures to increase the cost of doing the wrong thing (speeding tickets, removing licenses).

More generally--the cost to eliminate bad outcomes goes up exponentially as you deal with the easy bad outcomes. Credit card fraud is simply one example.

Or consider a simple non-financial example: I left half a dozen pears on the tree this year--getting those last few pears would have required hauling a 50 pound ladder around the house and then struggle with setting it up. (Due to it's size it's a lot harder to handle than it's weight indicates.)

This, definitely. But also - at the social policy level, there are two additional issues:

- Outsiders: It's good to keep members of your society fraud-savvy enough that they can safely travel & do business outside your society...without being easy marks for fraudsters.

- Stability over time: If your society somehow gets fraud down to ~0, that'll lead to big cut-backs in anti-fraud efforts, "end of history" dreamers proclaiming that fraud has died, etc. Which is obviously a set-up for a sudden huge resurgence in fraud.

Great explanation. But I'm not so sure about "The optimal amount of fraud in society is 0".

Especially if we broaden fraud to include other crimes. There are costs to prevent other badness in society as well. Firstly it's the cost in taxes/allocating resources to its prevention: Do we really want to allocate a really large chunk of our shared human capital to police marginal criminal activity? How much more polices, judges, attorneys, lock makers, etc would we need to stop the last bike theft?

Secondly and arguably more importantly is the cost of freedom. A lot of the digital surveillance initiatives that are discussed and dismissed here on HN are enforced in the name of zero tolerance against (really bad) badness in society.

I think its hard, or impossible, to create a somewhat large society with zero crime rate. At least if we still want even just a sliver of the freedoms we are accustomed to in liberal democracies.

If you want something to be legal, make it legal.

Don't make it illegal-but-not-enforced. Because then, whoever is in power can selectively enforce the law against any group they choose.

Hmm. I think my mental model is more that it should be "randomly" enforced. The probability of getting caught is higher than some certain threshold, but that it's not necessarily bad if that threshold is lower than 100%.

I can't think of any resonable society that have taken actions to show that they want the probability to be 100%. I would even argue that the most harsh dictatorships probably have the highest enforcement, but that laws were/are very selectively enforced in the favor of e.g regime officials.

Okay, I see your point, I think we were talking about different things.
I think the point is that in a theoretical society in whcih there are no bad actors, and there is no cost to prevent fraud, the optimal amount of fraud is zero. That is, there isn't a reason you would want to encourage fraud, because a little bit of fraud is good. But when you also consider the cost of reducing fraud the optimal state for the system as a whole will have a non-zero amount of fraud. And of course, bad actors do exist, so in a real system you want to accept some amount of fraud.

The difference is significant, because if you discover a way to significantly reduce fraud for a low cost (including cost of freedoms and similar), it will be worth implementating. And there isn't some point where you say "we are already down to x% fraud, we don't want to go any lower than that, even if it doesn't cost us anything".

There will always be people in society that think it is their job to drive us to zero risk, even if they have nothing to offer other than a downvote.
I think you’re conflating the terms optimal and ideal. The ideal amount of fraud in society is zero. The optimal amount of fraud in society is not defined, because optimization problems are always subject to a set of constraints.

So then we may ask: “what is the optimal amount of fraud in society such that the costs of legislation, education, and enforcement do not exceed X% of GDP?” and that is a different question. You might also throw technology and R&D in there because new tools make it easier to investigate fraud. Of course new technologies also open up new possibilities for fraud, so this is a very complicated exercise. But I think it’s fair to say that given any reasonable constraints, the optimal amount of fraud is nonzero.

The way this is phrased, I expected to learn there was some benefit to a low amount of fraud, as such. There is not. There is a benefit to a high amount of trust, which necessitates accepting some amount of fraud.
We don’t need there to be a benefit to a low amount of fraud to optimize for it. Optimization is a purely mathematical exercise [1]. Once we construct the problem with a chosen set of constraints then we apply mathematical techniques to solve it. Of course, many types of optimization problems (especially non-linear or non-convex) can be extremely difficult to solve optimally without relaxing some constraints or settling for approximations to the optimal solution.

But, besides that, the task of interpreting the results and of potentially selecting new constraints or even a new objective function is a separate matter. Perhaps we should be seeking to maximize trust rather than minimize fraud in society. But then we have to ask ourselves: “what would that look like?”

[1] https://en.wikipedia.org/wiki/Mathematical_optimization

There does not need to be a set of constraints for optimisation to be defined. You can talk about optimisation on an unconstrained domain, for example all of ℝ⨯ℝ. But there DOES need to be a measure function that measures what you are optimising for. The benefit of fraud would be one such function you could optimise for, and that seems to be what GP is after. The pure amount of fraud is a different one, which seems to be what you are interested in.
Even without trust, you will reach an optimal amount because preventing fraud tends to become more expensive than the fraud itself, once you cover the simple and easy cases
The optimal amount of crime in a society is non-zero because a society with zero crime would be a dystopian police state where innocent people sometimes get caught up in the justice system's net to make sure it catches all of the criminals.

The classic principle of Anglosphere common law is that its better to let 10 criminals get away with it than to convict 1 innocent person. The same idea applies to fraud because overzealous fraud prevention causes problems for legitimate users whose actions incorrectly get detected as possible fraud. The benefit to tolerating a low amount of fraud is that your product won't be hostile to your legitimate users. The benefit to tolerating a low amount of crime is that you will live in a free society rather than a dystopian tyranny. Freedom is good and it is worth giving up quite a bit of safety for the sake of being free.

> The optimal amount of crime in a society is non-zero because a society with zero crime would be a dystopian police state where innocent people sometimes get caught up in the justice system's net to make sure it catches all of the criminals.

At this point you're just playing with the definition of crime. I would argue that it is criminal to deprive an innocent person of their freedom, and challenge that your proposed scenario is actually "zero crime".

Secondly, you talk of catching "all of the criminals". In a "zero crime" environment there are no criminals - by definition if there is a criminal, then a crime has been committed at some point.

All that said I agree with your larger point - the cost of freedom is that people are not constrained before the fact from committing crime, and that's a good thing on the whole.

i hope you’re trolling

do you see how with the framing your proposing it’s extremely difficult to reason? might even be impossible.

I’d argue that the optimal amount of crime is zero but the optimal amount of possibility of crime should be non-zero. That’s a necessary escape hatch out of a police state or authoritarian government. After all, the resistance against the Nazis was technically criminal at that time, even though now we’d all agree it was a good thing it occurred anyway.

It is especially important nowadays because unlike back then where technology was limited and surveilling 100% of the population was impossible, it is very much possible today and is already being done in certain places such as China.

I like this view: you take care of a lot of the conventional concern we while also some futuristic ones like Pre-Crime in Minority Report.
If you define crime as violating the anarchist non-aggression principle, then it makes more sense. The only problem is that the state would be the largest offender.

Nazi laws weren't moral, as it's not moral today to demand half of my profits or I go to jail.

You just picked your own idea of morality and decided to elevate it above others: you chose the "anarchist non-aggression principle" as somehow morally superior to other ideas about how crimes should be defined, and decided that with that definition, targeting zero crimes makes more sense.

But the whole point is that we will never universally agree on a morality because society's overall preferences shift over time. So targeting zero crimes never makes sense.

Exactly.

But patio’s argument is that since he works for the fraud department at Stripe payments, he wants fraud to exist so he can keep his cushy job.

Ask the police about the optimal amount of speeding tickets.

Exactly. Everybody seems to be throwing around the word "optimal" but not asking "optimal to whom?".

The article was kind of long-winded so I didn't read it all. But has a catchy title. So is the title about

a) Optimal amount of fraud to the society at large?

b) Optimal amount of fraud to the businesses which suffer a loss because of it?

c) Optimal amount of fraud to the customers of such businesses?

d) Optimal amount of fraud to the chief of fraud-prevention department?

e) Optimal amount of fraud to the fraudsters?

Does he mention this somewhere? Last time I spoke to him, he was working on Stripe Press, his interest in fraud and spam prevention long predates his work at Stripe.
repeating myself but

> ts better to let 10 criminals get away with it than to convict 1 innocent person.

is arguably false. it forgets that 10 criminals had 10 or more victims. If you optimize for the least number of victims then it's easily possible that convicting a few innocent people has a net positive in lowering the total number of victims including the victims of being wrongly convicted

to put it another way, perfect is the enemy of good. In this case if in pursuit of perfection of having zero wrongly convicted you end up causing more victims of criminals then you've arguably failed

Since perfect accuracy is impossible, you must choose a balance between precision and recall.
That’s debatable.

I also believe that it’s better to let 10 criminals get away with it than it is to wrongly convict 1 innocent person. And I’m fairly sure that all the innocent people who were unfortunate enough to go through the court system would agree with me.

Also, not every crime must have a victim. There are a million victimless crimes.

Yes, it’s also debatable whether those should even be crimes (in my opinion - no), but the argument that 1 crime = at least 1 victim is flat out false.

1 crime can easily be more than one vicitm.

also you too made the exact same error. you discounted the victims of the criminals. yes the 1 innocent wrongly convicted is bad but what about all the innocents that are victims of the criminals. You absolutely have to add those innocents to your total of how many innocents you helped

if you catch 10 serial killers and 1 happens to be innocent you still saved 9-18-27 lives in exchange for one innocent. If because of over zealousness of zero innocents being caught you only catch 5 serial killers you saved 1 extra life and forfeited 5 to 15 others

You arguably believe what I'm saying. no law enforcement can be perfect so it's guaranteed that innocent people will be mistakenly convicted. The only logical conclusion is if you truly believe there must be zero innocents convicted then you believe law enforcement should not exist since there will never be perfect law enforcement

> 1 crime can easily be more than one vicitm.

Yes, but 10000 crimes can also have 0 victims.

it doesn't forget that. it implies that you shouldn't optimize for the least number of victims. it's cool to disagree with that and think about why or why not, but please actually engage with the idea rather than just assuming they didn't think it through at all.
I said this somewhere else, but there’s 2 things at play here:

- A utopia where people don’t defect in prisoners dilemmas (most types of crimes like shoplifting: the store won’t have to hire loss prevention and cashiers, and you pay less for their reduced costs) is ideal, but:

- Such a utopia doesn’t and can’t exist because defection individually increases utility at the cost of everybody else. Hence cashiers, loss prevention, KYC, etc.

Thus the real world is a careful optimisation problem where we have to search for an equilibrium at which society as a whole benefits the most. People can argue all day about where this is, because the trade offs involved are non-obvious:

- More surveillance means, all else being equal, less crime, but police officers can defect too and only arrest minorities and use said surveillance for something else, etc.

The problem is walking through a very high-dimensional search space, and we humans are had at it. There’s no real solution though, because individual incentives don’t line up to solve it.

It's funny that you bring up the Prisoner's Dilemma:

Because its canonical formulation uses defection as a way for law enforcement to catch criminals.

Similarly, people who reliably cooperate in prisoner's dilemmas can run cartels and conspiracies much easier.

The benefit to a low level of fraud is that people are still looking out for fraud, so the society is more robust. If there was no fraud, and someone just invent fraud (it will happen), the damage could be devastating.
they would have to be Moriarty level like in their inventiveness, most people start low and then expand their inventiveness with experience, the low early frauds would establish the new invention in the society.

Also The invention of Lying: https://www.imdb.com/title/tt1058017/

I think you're conflating the standard english word "optimal" with mathematical optimization.
user5678 is correct; this isn't a case where the mathematical use of the word differs from the normal use.
> So then we may ask: “what is the optimal amount of fraud in society such that the costs of legislation, education, and enforcement do not exceed X% of GDP?” and that is a different question.

It's also not a question of any particular interest; you're interested in what maximizes (good - bad), not what maximizes (good / bad).

(comment deleted)
I meant optimal fraud at 0 as in a utopia would have no fraud whatsoever; a utopia where everybody cooperates in prisoner’s dilemmas, where I can lend a stranger my phone and not worry they’ll run off with it, and where cashiers don’t exist because you can count on people leaving money as they walk out the store. Obviously this utopia doesn’t and can’t exist: people defect because it works against cooperators. Fraudsters are people who defect in the societal game of iterated prisoners dilemma, and thus we have to build defences against them until some sort of Nash equilibria is reached.

So I guess I did mean optimal in two different ways. One is a utopian cooperative paradise, the other an optimisation problem for an optima where businesses make the most money and society overall is richer than if business activity got crippled.

The word “optimal” just means “best” or “most favourable”. It doesn’t necessarily apply a formal optimisation.

Eg here’s an online free source but any dictionary will tell you the same. https://www.wordnik.com/words/optimal

> This is why important transactions like banking have KYC checks, and buying a pair of sneakers don't.

Banks do KYC checks because it is required by law, not because it does anything to reduce fraud. Fake IDs are a thing. Requiring identification does not make transactions safer without a lot of other stuff happening too.

An optimal amount is an amount that can be achieved. The only way to achieve zero fraud is to have zero financial transactions.
This optimal (#) can and probably will change soon. We all carry around phones capable of trivial non-reputable verification, and centralised digital cash (not bitcoin but BankOfEnglandCoin) is technically feasible. So it's quite technically feasible for every day to day transaction to be completed with with the sort of KYC verification currently reserved for say house purchases.

It's just the political / societal implications. These are beyond "hey it's expensive for banks to cut down on fraud"

I disagree with the "banks should allow certain levels of bank fraud because X" for the simple reason we don't have "banks should provide interest free funding to murderers, sex traffickers, pornographers and drug ring" even though that is often the same thing. (And in a two page HN thread I am sure I am not the first to say that)

(#) someone else mentioned the difference between ideal and optimal which is a very good distinction.

I would not call anything in the fragmented, legacy US financial system “trivial.”

It took us a decade and counting to get chipped cards, longer to get contactless pay, and even then we don’t really use the PIN part of chip+pin. Something like FedNow is only coming next year.

Anything I am describing is a decade plus away.

I mean every central bank could tomorrow just put up a non-permissive (#) blockchain and just make a virtual coin for every cent out there. And this would cause utter chaos. It would essentially end fractional reserve banking. That makes loans ... difficult.

The impacts are enormous, but a digital native currency is so simple, so attractive we may well try it. And then have to rethink our financial regulations. It will look a lot like ICOs.

I still think it is inevitable.

(#) ok the terminology I find either dubious or I misunderstand but basically every wallet holder gets their private / public key registered, then there is a known state of money globally, and the Bank is a verifying party to each transaction. Something like that anyway. Theee are many options but essentially if we all "trust" the money printer then the technical problems simplify.

I doubt it. The current system is a local optimum. Better local optimums already exist elsewhere.

In The Netherlands, direct online payments using debit cards are very common. These are secure payments, verified through a bank’s mobile banking app or internet banking with 2FA.

https://en.m.wikipedia.org/wiki/IDEAL

This means there is no risk for the seller that a payment gets reversed. There is fraud, but it centers mostly on social engineering people to authorise payments for others, or to mail their debit card to “the bank” for “recycling”.

Cost per payment: about 30 cents.

Meanwhile, in other countries, credit cards are the common online payment option. Security? A number on the front of the card and a “secret” second number on the back of the card.

Cost: 1.5-3.5% of payment.

Better security is possible, but it’s hard to move from a local optimum when you’re locked into a certain ecosystem.

The credit card no-security scheme works because everyone gets reimbursed for fraud. It comes at the cost of retailers handing a few percent of every transaction to intermediaries, instead of just a few pennies.

At some point (maybe already) we will perform 50% of GDP online. That makes the Visa network essentially a seperate private tax collecting entity. I get the "local optimum" - it's hard to break. But if anything motivates governments it's competition
> and centralised digital cash (not bitcoin but BankOfEnglandCoin) is technically feasible.

Not only is it feasible, we've had it forever. BankOfEnglandCoin is more commonly known as the pound sterling.

Yeah but there is not a digital version, issued by the BoE. It's not a digital native so has all these layers on top.

I think a clean simple version is appealing - it's kind of the case for Bitcoin as a whole. Unfortunately they people attracted to that case did not realise that 75%+ of regulation and layers is trying to protect people from sharks.

> The optimal amount of fraud a business/industry should accept is non-zero

Let's make that: "The optimal amount of fraud a business should accept under the current credit card online payment system is non-zero".

There is absolutely nothing intrinsic about online commerce that requires fraud. Online business routinely operate with a money first, zero consumer trust paradigm. They ask for my payment credentials first, and only then deliver the products.

If we were to design the online payment system from scratch, we would use cryptography to completely remove the notion of credit card theft, and escrow to settle consumer complaints, with an option for paid arbitration when things go bad. I guess you can call some of those cases "fraud" and some customers are so unreasonable that they border on criminal, yes, you can't make that segment zero, but I don't think that's the kind of fraud they are referring to.

The reason we can't have those nice things is because of immense momentum of the current system designed in the 60s by companies that have very little reason to change anything. In fact, an online payment reform would most likely strip them of their oligopoly. So yes, the optimal fraud level is non-zero because Mastercard, Visa etc. can push that fraud onto consumers (via retailers), and they are making much more money anyway from the current situation.

An analogy that may resonate with readers here is that targeting zero fraud is like targeting 100% uptime in a computer system. You evaluate the business trade-offs and decide how many 9s of non-fraud are appropriate, knowing that (1) each additional 9 is more expensive than the last but only gives you 1/10 of the benefit, and therefore (2) infinity 9s (equivalent to zero fraud/100% uptime) is a useless aspiration for all practical purposes.
That's incomplete, though. The business running the computer system would bear all the costs in attempting to target 100% uptime.

Targeting zero payments fraud does mean the business has to bear the costs of the fraud prevention measures, but their customers also have to bear intangible costs, like the annoyance of a detailed, invasive know-your-customer process before being able to buy anything.

But if I'm a user of this computer system that targets 100% uptime, I don't have to see any of the downsides/costs that the business incurs to try to get that uptime. I just see great uptime, and it's all rosy for me.

I think it's important to acknowledge that, in pursuing lower (or zero) fraud, both the business and its customers have to bear costs related to that goal.

There are also arguments that a certain amount of rule breaking is neccesary in society to support innovation. A society with no rule breaking becomes static.
(comment deleted)
> - The optimal amount of fraud in society is 0

If you had zero fraud in society then nobody would build in any defenses against fraud at all.

You'd have a society of completely naive and trusting souls, which sounds blissful until someone wakes up one day and realizes that they can commit as much fraud as they like since society has no defenses against it.

It is like saying that the optimal amount of disease is zero, but if you have never had your immune system challenged by any kind of disease, then the first virus you come across will probably kill you.

Your suffering from childhood colds and getting burned by something like the car-out-of-gas scam help build defenses.

If then someone came and did the fraud, there wouldn't be an amount of 0.
Not a perfect analogy with disease. And maybe it should suggest to you that maybe in fact, the optimal amount of fraud is zero.

With disease, the optimal amount is likely still zero. The immune system we have is not great, its only selection criteria is to keep people alive long enough to have children and keep them alive long enough so they can. We're beginning to understand, like with HPV, that anything from a life threatening case to an asymptomatic one can cause lifelong changes in the immune system and either cause or increase lifelong risk of non-infectious diseases.

And that's setting aside that we can, for example, just eradicate certain diseases if we set ourselves to it. Polio, smallpox, and hopefully malaria.

If we could eliminate certain kinds of fraud - through education, through making it impractical - that seems good, yeah?

But I think you just showed that its really pretty similar.

And my gut reaction to the title of the article is that we really need less fraud and that we're very, very far from optimal right now. Although I'm not very concerned at all about fraud against government programs to help the disenfranchised. I'm more concerned about the endless e-mail, phone scams, door to door scams and all the stuff that prey on the elderly and vulnerable.

Similarly with the immune system it would be interesting to consider wiping out Epstein Barr and maybe eliminate Multiple Sclerosis, along with exterminating the mosquitoes that bite humans and cause disease.

But zero is likely not achievable or a stable optimum, and we're probably not going to cure the common cold or wipe out influenza and we may not want to (at least not without quite a bit of science fiction, global access to medicine and nearly 100% acceptance of vaccination in the population).

I think we're in agreement - the analogy to disease was flawed because eradicating some (perhaps many, all?) kind of disease would have widespread, uniformly positive effects.

The person I replied to seemed to think that exposure to disease helps in youth? Certainly seems like a widespread idea, but I don't know how true it is.

I like to think of it prisoner's dilemma style: the optimal amount of fraud is zero, the same way the optimal outcome for both prisoners is to both cooperate. But the equilibrium at 2-cooperate is not stable, somebody will gain more utility for themselves by defecting, the same way with 0 KYC on any and all transactions fraud is laughably easy.

Thus, the global optima is one where there is no fraud and everybody cooperates, but it's not a stable optima and we slide to the real world where there are tradeoffs for preventing fraud, and there reaches a point where rational actors deem the tradeoff unacceptable and thus accept some level of fraud.

I'm not sure your definition of optimal makes sense if you don't take into account the cost of reducing it?
This is the thesis of the excellent book on financial fraud “Lying for Money”
Potentially controversial take: this general idea also applies to other areas such as elections. Any sufficiently large election will have to contend with fraud and human error, but this is acceptable as long as the numbers aren't large enough to change the outcome.

If you carefully scrutinize any large election you can almost certainly find at least one example of fraud. However, isolated cases of fraud or human error are not evidence of widescale election rigging.

A lot of the elections in the US in the last 25 years have been pretty close, that's the problem. I guess if they were less close or had some sort of proportional system, it might be less of a problem.
If it's the merchants who carry the burden of credit card fraud why is it that almost all fraud prevention efforts seem to be done by banks/card issuers rather than by merchants ?

Except for a small number of cases involving pre-paid cards, I have never seen a merchant refuse to accept a valid credit card payment for an online purchase. I have however encountered and heard of cases of banks declining transactions they considered possibly fraudulent.

Because the card services are in the business of selling their service to merchants in exchange for a fee, and they have competition in that space. Merchants will (in theory) refuse to work with - or pay as much to - a card service which does insufficient work to prevent fraud.
That explanation doesn't make sense because the fraud prevention/transaction denials are being done by the card holders bank, not by the merchant or payment processor and merchants don't get to decide what issuing banks they will be doing business with. For the most part they either have to accept all Visa cards or none (except maybe for some very broad categories like country of origin or pre-paid vs. non pre-paid).
I personally can't stand PSD2[0]. It has completely ruined the online shopping experience in the EU (for me at least).

I loved the way American Express implemented it. They sent you a one-time passcode on your first purchase with the merchant, and then you could also choose for them to not bother you with any further purchases from the same merchant. I had this enabled by default, it made the experience a million times more enjoyable.

Unfortunately not everyone took AmEx, and I no longer live in UK (or a country where AmEx has presence for that matter), and the way banks in my current country of residence have implemented it is absolutely abysmal.

1. The billing address must be a match 100% of the time, which is painful in situations where you can't specify separate billing and shipping addresses and you want the item shipped to a different address (could be 3 for me)

2. Mandatory 2FA on every transaction, depends on the exact implementation, but typically you must wait for a notification on your phone, and then type in a PIN. In some implementations you have to scan a QR code, and then type in the said PIN. Sometimes the solution they use for this is down.

3. If anything is wrong at all (billing address/mistyped CVV/whatever), the transaction just gets refused at the end of this loop. Was it something you did wrong? Is some system down? Let's try again.

And sometimes this even messes up recurring subscriptions. My Microsoft 365 Business sub that's billed monthly on a credit card GETS REJECTED EVERY TIME UNTIL I MANUALLY GO THROUGH THIS STUPID PROCESS.

It has made paying for things online a chore. I couldn't care one bit about all the fraud this presents, because I was never liable for it in the first place. That decision was previously up to the merchants (who could have implemented all of this if they wanted to). Now it's forced on everyone.

[0] https://www.bbva.com/en/everything-need-know-psd2/

tbf that's more an issue with incompetent software devs and more importantly (lest someone accuses me of shifting the blame on devs like a clown would) horrible business product owners. My hope is that Biden's executive order on SBOMs and whatever thing like it which the EU probably has in the works will (unfortunately only slowly) shift the way in which the way business treats software development affects software development culture. (SBOMs may sound completely tangential to this, but in the long run they have a pretty important role to play here.)
Two-factor authentication is my least favorite thing about PSD2. Back in the day I would simply memorize my credit card data, and was free to buy anything online, anytime. It also gave me confidence during the vacations abroad that if i get mugged on the street I will still have access to my money. Now I need to keep my phone close for SMS codes / mobile app authorization, and I need to keep a backup phone just in case my primary phone breaks/gets lost/is stolen.
There was a study done on a tribe of wild monkeys where mutual grooming to remove ticks/fleas/lice happened. Some monkeys 'cheated' and didn't pay forwards the grooming they received. The study concluded that as long as cheaters were less than 5% of the population then mutual grooming continued. when the number of cheats exceeded 5% the system broke down and no mutual grooming happened for some time.

It seems that a society can bear a certain amount of cheating before the system breaks down, a 'tipping point' of sorts. As long as we keep the cheating below the tipping point, the game continues, which is after all the most important aspect, I think.

There surely is a game theory model for this.
I'm surprised the grooming monkeys didn't retaliate by refusing to groom the shirkers.
Maybe they didn't know. It seems to me like it's not "you scratch mine, I'll scratch yours" but more like "we all scratch each others."

Like the whole troop owes one groom per day. But nobody can pinpoint who was the shirker.

From the title, I thought it was a reference to the book Lying for Money by Dan Davis. Anyways, the book is an brilliant exploration of this premise and also makes the case for why trust is necessary.
I thought the article was going to go in another equally compelling direction. If there is no fraud, measures to prevent it become lax because they are unnecessary costs. With no measures in place, fraud comes back because there is no cost to the fraudster.
What an extremely, needlessly elaborate way of saying "security vs. convenience is a tradeoff." Indeed it is, and that's not a particularly novel insight.
"security vs. convenience is a tradeoff" is an extremely glib and meaningless aphorism that is instinctively innate to almost every living organism.

The statement obliterates the nuance of which tradeoffs need to be made and the cost and impact of those tradeoffs from an economic and social perspective that are foundational to being able to reason about risk.

I wouldn't put it that way, but I would agree with anyone saying that statement omits a lot of information. Sure, it does, and it's pretty much the most general and abstract possible way of saying that. My beef with the article is that, despite its truly gargantuan word count, it hasn't added any new information on top of that statement. Once you know the thesis of the article is "The optimal amount of fraud is non-zero because security is a tradeoff and you want users to have convenience," everything in the article is pretty predictable.

I would have liked to see, say, some nuts-and-bolts discussion od fraud handling in some particular industry -- that would be novel and interesting to me.

It sounds more morally acceptable to say, "The optimum level of anti-fraud enforcement does not eliminate all fraud." It's not that there's a nonzero amount of fraud that is optimal — all fraud is bad — but rather that the return on efforts to eliminate the last bit of fraud is negative.
I wouldn't even go as far as saying "level of anti-fraud enforcement", because "anti-fraud enforcement" ain't exactly formally well defined
Well, I needed some noun. Any recommendations?
The optimal number of terms to "formally well define" is pretty damn close to zero in an HN comment. Ignore that guy.
Unfortunately this is mostly an American issue. CC fraud in Europe is minimal because cards have an embedded PIN required for each transaction. In addition, when purchasing online, an instant pop-up on your mobile phone asks you to approve or decline the transaction within 2 minutes. Contactless transactions under $25 do not require PIN or pop-up verification. These options are considered inconvenient for American consumers so we eat the fraud and sign receipts like is 1989 :-)
This sort of thinking has been prevalent in the payments industry for a long time, and I find it infuriating.

The article is specifically limiting its discussion to situations where a payment credential is stolen. Those cases cost $10-20B per year.

This is HN, so most people here can figure out how to secure payment credentials, especially given the assumption that each credit card contains a tamper resistant computer with durable storage (as they currently do).

Instead of ending credential theft (at least in cases that don't involve violence/coercion), the payment networks pass the cost on to vendors, then advertise fraud protection as a feature to card holders.

This only works because the payment processors' monopoly prevents the merchants from fixing the underlying security issue.

So, the payment networks charge the merchants a large percentage of sales (imagine what your local government could implement if it increased sales taxes by 3-5%!) to supposedly pay for fraud protection.

This is exactly like a classic protection racket, except that the thugs that smash up the business don't actually work for the credit card companies.

(I do agree with the premise that driving crime to zero is usually not worth the cost, but that's just "Innocent until proven guilty", and not the subject of the article.)

Merchants are even more lax about card fraud than banks. The National Retail Federation complained about the cost of upgrading to chip readers. They asked the government to force banks to eliminate PCI DSS which would make it even easier to commit credit card fraud. PCI DSS is compliance not security but without it retailers would literally do nothing. Some retailers tried to get customers to switch to QR code payments linked directly to your bank account. One of these payment apps CurrentC was immediately breached.
Smart cards were also breached before the US switched to them.

I'd object to paying for PCI DSS if I were them, to be honest. The idea that every merchant (or credit card reader) even has access to credentials is ludicrous.

The currentc was of email lists, not the payment flow. It's embarrassing, but still a better track record than the existing payment processors (which probably suffered 10,000s of payment flow breaches as I typed this.)

Especially if the burden of proof of fraud falls mostly on the consumer. This is how it works, we don't know the actual ratio of fraudulent vs ok cases so we compare accross institutions. If one institution is an outlier than arbitrarily changes the acceptance threshold pushing the cost to the grieving consumer.

If on the other hand the cost of misidentifying a case fell on the institution then they would simply accept only personally identified payments e.g. sms or other 2fa at virtually no cost for them and effectively zeroing fraud

In some places with more modern banking, this is pretty common