Remember the old days of dialler Trojan horses?
Back when most of us didn't have broadband at home, and connected to the internet via a modem, we saw a type of malware which could take advantage of the phone line plugged into the back of your PC and dial an expensive premium rate number.
In this way, criminal hackers could make money out of your infected computer - and you might know anything about it until you received an expensive telephone bill.
Dialler Trojan horses went the way of the dinosaur as consumers turned their back on modem connections and adopted broadband en masse.
But, as F-Secure's Mikko Hypponen explained today at the Virus Bulletin conference, the threat may have returned in a different form through the use of virtual premium rate numbers.
Earlier this year I described the Terdial Trojan horse, which was distributed posing as a Windows mobile game called "3D Anti-terrorist action", but appeared to make calls to Antarctica, Dominican Republic, Somalia and Sao Tome and Principe without the owner's permission.
So how did it make money for the hackers?
Well, it transpires that although the Trojan did make phone calls to numbers associated with various far-flung corners of the world, the calls never made it that far.
That's because the phone numbers were what are known as virtual numbers. It's perfectly possible to find telephone operators on the web who will rent you premium phone number associated with, say, Antarctica, and pay you every time that a call is made.
Unlike other legitimate premium rate numbers (such as 1-900 in USA), there is no regulation preventing abuse of the virtual numbers, and the 'owner' of the number gets paid instantly rather than having to wait 30 days.
And your call never actually gets as far as Antarctica or North Korea. It's stopped in your own country, but you're still billed as though you rang that far away place.
The days of Trojan horses making money out of dial-up modem connections may be long gone, but here's a model for money-making that mobile malware authors could certainly exploit.
One of the big problems during the financial crisis was a bank run in the shadow banking system when doubts emerged about the safety of deposits.
In my last column at the Fiscal Times, I talked about an approach to solving the problem that involves having deposits in the shadow system backed (insured) by high quality collateral.
But high quality collateral is not the only option. Another way to do this is through a type of insurance along the lines of what the FDIC does for the traditional banking system, along with restrictions on eligibility for the insurance. In reaction to my column, and in support of the insurance approach, Morgan Ricks of Harvard Law School emails:
I enjoyed your Fiscal Times piece and am glad you're focused on this issue.
I'm a big admirer of Gary and Andrew's work, but I would encourage you to give some more thought to whether collateral requirements for repo are likely to do the trick. Here are a few things to consider:
- Many of the short-term liabilities of the shadow banking system were and are uncollateralized (think about Lehman's reliance on unsecured commercial paper -- the default of which caused the Reserve Fund to "break the buck," igniting the run on money market funds; and Citigroup's SIVs, which financed themselves in the unsecured markets).
- Money market investors do not want to take possession of collateral and dispose of it. Even if the collateral is high quality, they don't want the interest rate risk. That's not their business. They don't want to deal with the consequences of a counterparty default. This is why, in the crisis, many money market investors stopped rolling even those repos that were fully secured by Treasuries and agencies:
- See Chris Cox's testimony on Bear Stearns (here http://www.sec.gov/news/testimony/2008/ts040308cc.htm): "For the first time, a major investment bank that was well-capitalized and apparently fully liquid experienced a crisis of confidence that denied it not only unsecured financing, but short-term secured financing, even when the collateral consisted of agency securities with a market value in excess of the funds to be borrowed"
- See also FRBNY's repo task force report (here http://www.newyorkfed.org/prc/report_100517.pdf): “Discussions in the Task Force emphasized repeatedly that many Cash Investors focus primarily if not almost exclusively on counterparty concerns and that they will withdraw secured funding on the same or very similar timeframes as they would withdraw unsecured funding.”
- Even if collateral requirements reduce the likelihood of runs, how do we calibrate them -- what is the objective function? Presumably we think maturity transformation (fractional reserve banking) is a good thing -- it increases the supply of loanable funds by pooling otherwise idle cash reserves and deploying them toward productive investments. Risk constraints (such as collateral requirements) necessarily reduce this surplus -- there is a real social cost. How do we appraise the corresponding benefit? That is, how do we estimate the systemic instability associated with any given level of collateral requirements? My argument is that we can't. And by "we" I mean not just the government, but anybody.
My paper argues that we avoid these problems with an insurance regime; that financial firms outside the insurance regime should be disallowed from conducting maturity transformation (i.e., they would have to rely on term funding, not money market funding); and that we should develop functional criteria of eligibility for the insurance regime. (By the way, this is not the same thing as "extending" insurance to shadow banks.)
Anyway, these are things worth thinking about. I think the insurance approach needs more serious consideration than it has received -- it's a little lonely over here ...
Best,
Morgan Ricks
See here for nice summary of this approach and link to the underlying academic paper.
Arrowheadlines: Chiefs <b>News</b> 10/4 - Arrowhead Pride
However, there aren't many real stories because of the bye. I'd expect the hype to start soon. We're just a few days from the undefeated Chiefs playing the "struggling" Colts. Here's your Kansas City Chiefs news.
Blizzard dates Cataclysm launch as December 7 | <b>News</b>
Blizzard Entertainment has finally lifted the lid on plans for the launch of World of Warcraft's latest expansion - Catac...
This Week's Health Industry <b>News</b> - NYTimes.com
Decisions on several major drug treatments are expected.
eric seiger eric seiger
Remember the old days of dialler Trojan horses?
Back when most of us didn't have broadband at home, and connected to the internet via a modem, we saw a type of malware which could take advantage of the phone line plugged into the back of your PC and dial an expensive premium rate number.
In this way, criminal hackers could make money out of your infected computer - and you might know anything about it until you received an expensive telephone bill.
Dialler Trojan horses went the way of the dinosaur as consumers turned their back on modem connections and adopted broadband en masse.
But, as F-Secure's Mikko Hypponen explained today at the Virus Bulletin conference, the threat may have returned in a different form through the use of virtual premium rate numbers.
Earlier this year I described the Terdial Trojan horse, which was distributed posing as a Windows mobile game called "3D Anti-terrorist action", but appeared to make calls to Antarctica, Dominican Republic, Somalia and Sao Tome and Principe without the owner's permission.
So how did it make money for the hackers?
Well, it transpires that although the Trojan did make phone calls to numbers associated with various far-flung corners of the world, the calls never made it that far.
That's because the phone numbers were what are known as virtual numbers. It's perfectly possible to find telephone operators on the web who will rent you premium phone number associated with, say, Antarctica, and pay you every time that a call is made.
Unlike other legitimate premium rate numbers (such as 1-900 in USA), there is no regulation preventing abuse of the virtual numbers, and the 'owner' of the number gets paid instantly rather than having to wait 30 days.
And your call never actually gets as far as Antarctica or North Korea. It's stopped in your own country, but you're still billed as though you rang that far away place.
The days of Trojan horses making money out of dial-up modem connections may be long gone, but here's a model for money-making that mobile malware authors could certainly exploit.
One of the big problems during the financial crisis was a bank run in the shadow banking system when doubts emerged about the safety of deposits.
In my last column at the Fiscal Times, I talked about an approach to solving the problem that involves having deposits in the shadow system backed (insured) by high quality collateral.
But high quality collateral is not the only option. Another way to do this is through a type of insurance along the lines of what the FDIC does for the traditional banking system, along with restrictions on eligibility for the insurance. In reaction to my column, and in support of the insurance approach, Morgan Ricks of Harvard Law School emails:
I enjoyed your Fiscal Times piece and am glad you're focused on this issue.
I'm a big admirer of Gary and Andrew's work, but I would encourage you to give some more thought to whether collateral requirements for repo are likely to do the trick. Here are a few things to consider:
- Many of the short-term liabilities of the shadow banking system were and are uncollateralized (think about Lehman's reliance on unsecured commercial paper -- the default of which caused the Reserve Fund to "break the buck," igniting the run on money market funds; and Citigroup's SIVs, which financed themselves in the unsecured markets).
- Money market investors do not want to take possession of collateral and dispose of it. Even if the collateral is high quality, they don't want the interest rate risk. That's not their business. They don't want to deal with the consequences of a counterparty default. This is why, in the crisis, many money market investors stopped rolling even those repos that were fully secured by Treasuries and agencies:
- See Chris Cox's testimony on Bear Stearns (here http://www.sec.gov/news/testimony/2008/ts040308cc.htm): "For the first time, a major investment bank that was well-capitalized and apparently fully liquid experienced a crisis of confidence that denied it not only unsecured financing, but short-term secured financing, even when the collateral consisted of agency securities with a market value in excess of the funds to be borrowed"
- See also FRBNY's repo task force report (here http://www.newyorkfed.org/prc/report_100517.pdf): “Discussions in the Task Force emphasized repeatedly that many Cash Investors focus primarily if not almost exclusively on counterparty concerns and that they will withdraw secured funding on the same or very similar timeframes as they would withdraw unsecured funding.”
- Even if collateral requirements reduce the likelihood of runs, how do we calibrate them -- what is the objective function? Presumably we think maturity transformation (fractional reserve banking) is a good thing -- it increases the supply of loanable funds by pooling otherwise idle cash reserves and deploying them toward productive investments. Risk constraints (such as collateral requirements) necessarily reduce this surplus -- there is a real social cost. How do we appraise the corresponding benefit? That is, how do we estimate the systemic instability associated with any given level of collateral requirements? My argument is that we can't. And by "we" I mean not just the government, but anybody.
My paper argues that we avoid these problems with an insurance regime; that financial firms outside the insurance regime should be disallowed from conducting maturity transformation (i.e., they would have to rely on term funding, not money market funding); and that we should develop functional criteria of eligibility for the insurance regime. (By the way, this is not the same thing as "extending" insurance to shadow banks.)
Anyway, these are things worth thinking about. I think the insurance approach needs more serious consideration than it has received -- it's a little lonely over here ...
Best,
Morgan Ricks
See here for nice summary of this approach and link to the underlying academic paper.
Arrowheadlines: Chiefs <b>News</b> 10/4 - Arrowhead Pride
However, there aren't many real stories because of the bye. I'd expect the hype to start soon. We're just a few days from the undefeated Chiefs playing the "struggling" Colts. Here's your Kansas City Chiefs news.
Blizzard dates Cataclysm launch as December 7 | <b>News</b>
Blizzard Entertainment has finally lifted the lid on plans for the launch of World of Warcraft's latest expansion - Catac...
This Week's Health Industry <b>News</b> - NYTimes.com
Decisions on several major drug treatments are expected.
eric seiger eric seiger
No comments:
Post a Comment