1. 6

  2. 18

    It doesn’t sound as clickbaity if rephrased that fraud prevention gets unreasonably expensive and/or burdensome when it has to prevent 100% of the fraud.

    1. 2

      Agreed. Or perhaps also re-phrased: “The optimal point on the security-convenience trade-off axis (or axes) is not at any boundary.” But the optimal amount of headline deception is also probably not at perfect fairness / honesty / etc. ;-)

    2. 6

      I completely agree with the argument but not with the claim that the argument sufficiently supports the conclusion. The argument can be summarised as ‘fraud prevention techniques introduce friction and, as friction increases, at some point the cost in lost sales will outweigh the cost of fraud’. That doesn’t mean that the optimal amount of fraud is non-zero, it means that usability is an essential component in designing anti-fraud devices. It does not exclude the possibility of an anti-fraud mechanism that does not reduce sales, it just suggests that one is unlikely.

      This is fairly well known as a principle in computer security and security economics. The goal of a security system is not to prevent attacks, it’s to ensure that:

      • The cost of a breach is less than the cost of the techniques that you deploy to prevent a breach.
      • The cost of mounting an attack is greater than the value of a successful attack.

      The first is easy to observe in the extreme case: we can prevent almost all computer-security incidents by unplugging the computers and burying them in concrete. That would cost most businesses a lot more than any compromise. The cost of a breach depends a lot on the situation. If you’re looking at nuclear launch codes, then you’re willing to put up with a huge amount of inconvenience to prevent attackers from getting them because the cost of a breach is, to a rough approximation, the value of your country. If you’re securing someone’s cat photos, then security that costs a few seconds of extra effort may be too expensive.

      1. 2

        This hits very close to home (have witnessed the impact of fraud at a payments company). This is a tough pill to swallow, but this is exactly what you observe in practice: you could theoretically prevent all fraud, you just would have a very painful process for all involved.

        All financial companies have an allowable buffer for fraud / people just straight up not paying their bill. It is crazy when you think about it.
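The two comments above argue that the total cost of a fraud control is the sum of the residual fraud it fails to stop, the sales it drives away, and the cost of running it, and that the minimum of that sum is usually interior (some non-zero "allowable buffer" of fraud). The following added example, which is not from any commenter on this thread, makes that concrete with a toy model: the cost curves (`fraud_loss`, `lost_sales`, `control_cost`), their shapes, and the scenario numbers are all constructed assumptions chosen only so the result can be checked by hand. It also encodes the two security-economics criteria from the bulleted list as plain predicates.

```python
"""Toy security-economics model: where is the cheapest amount of fraud?

Added illustration, not code from the thread. All functional forms and
numbers below are assumptions made for the example:
  residual fraud falls as friction rises:       fraud_loss(f)   = F0 * (1 - f)^2
  sales lost to abandonment rise with friction: lost_sales(f)   = S0 * f^2
  direct cost of operating the control:         control_cost(f) = C0 * f
where f in [0, 1] is a dimensionless "friction level" (0 = no control,
1 = the most painful checkout imaginable).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    fraud_at_zero_friction: float        # F0: annual fraud loss if nothing is checked
    sales_lost_at_max_friction: float    # S0: annual sales lost at maximum friction
    control_cost_at_max_friction: float  # C0: annual cost of running the control at f=1


def fraud_loss(s: Scenario, f: float) -> float:
    """Fraud that still gets through at friction level f (assumed shape)."""
    return s.fraud_at_zero_friction * (1.0 - f) ** 2


def lost_sales(s: Scenario, f: float) -> float:
    """Revenue lost because legitimate customers abandon (assumed shape)."""
    return s.sales_lost_at_max_friction * f ** 2


def control_cost(s: Scenario, f: float) -> float:
    """Direct cost of deploying and operating the control (assumed linear)."""
    return s.control_cost_at_max_friction * f


def total_cost(s: Scenario, f: float) -> float:
    """Everything the business pays at friction level f."""
    return fraud_loss(s, f) + lost_sales(s, f) + control_cost(s, f)


def optimal_friction(s: Scenario, steps: int = 1000) -> float:
    """Grid search for the friction level that minimises total cost."""
    grid = [i / steps for i in range(steps + 1)]
    return min(grid, key=lambda f: total_cost(s, f))


def optimal_friction_closed_form(s: Scenario) -> float:
    """Same minimum from calculus, as a cross-check on the grid search.

    d/df [F0 (1-f)^2 + S0 f^2 + C0 f] = -2 F0 (1-f) + 2 S0 f + C0 = 0
      =>  f* = (2 F0 - C0) / (2 (F0 + S0)),  clamped to [0, 1].
    """
    f0, s0, c0 = (s.fraud_at_zero_friction,
                  s.sales_lost_at_max_friction,
                  s.control_cost_at_max_friction)
    f_star = (2.0 * f0 - c0) / (2.0 * (f0 + s0))
    return min(1.0, max(0.0, f_star))


def residual_fraud_at_optimum(s: Scenario) -> float:
    """The 'allowable buffer': fraud still accepted at the cost-minimising point."""
    return fraud_loss(s, optimal_friction_closed_form(s))


# The two criteria from the bulleted list, as predicates.
def expected_breach_loss(probability: float, impact: float) -> float:
    """Expected loss = likelihood of a breach times its cost (launch codes vs cat photos)."""
    return probability * impact


def control_is_worth_deploying(expected_loss: float, cost_of_control: float) -> bool:
    """Bullet 1: deploy a control only if it costs less than the loss it averts."""
    return cost_of_control < expected_loss


def attack_is_uneconomical(attack_cost: float, attack_payoff: float) -> bool:
    """Bullet 2: the attacker is deterred when mounting the attack costs more than it yields."""
    return attack_cost > attack_payoff


# Constructed scenario: a merchant losing 100k/yr to fraud with no controls,
# who would lose 300k/yr of sales at maximum friction and pay 20k/yr to run it.
MERCHANT = Scenario(fraud_at_zero_friction=100_000.0,
                    sales_lost_at_max_friction=300_000.0,
                    control_cost_at_max_friction=20_000.0)

if __name__ == "__main__":
    f_star = optimal_friction(MERCHANT)
    print(f"optimal friction      : {f_star:.3f}")
    print(f"total cost at optimum : {total_cost(MERCHANT, f_star):,.0f}")
    print(f"total cost, no control: {total_cost(MERCHANT, 0.0):,.0f}")
    print(f"total cost, max effort: {total_cost(MERCHANT, 1.0):,.0f}")
    print(f"fraud still accepted  : {residual_fraud_at_optimum(MERCHANT):,.0f}")
```

With these constructed numbers the minimum sits at friction 0.225, where roughly 60k of fraud is still tolerated because pushing friction further loses more in sales than it saves in fraud; both boundaries (no control at 100k, maximum effort at 320k) cost more than the interior optimum. Changing the assumed curve shapes moves the optimum, but as long as abandonment cost grows with friction, it stays away from "zero fraud".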