Frank Stajano and Paul Wilson have written an intriguing paper on learning from scams. The abstract reads:
The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit.
We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.
They give a detailed description of each scam scenario they studied. They’re all fascinating and repellent in equal measure. For example:
Jess identifies a young and wealthy mark in a café and descends on him with her charms. Once the mark
believes he’s making an impression on the pretty girl, Alex turns up, posing as a Bulgarian builder who
knows Jess. He has a lottery ticket which has won a prize of £2,800 but he can’t cash it because the
winner must show some ID and he, as an illegal alien, fears he will be deported if he shows his. So he
asks Jess to cash it in for him: in fact, he’ll let her keep all the winnings if she just gives him £1,000
cash. Alex leaves temporarily and, while he is away, Jess phones the National Lottery helpline to check
whether (or rather to prove to the mark that) it’s actually a winning ticket. It turns out that not only it is
but, thanks to the “bonus number”, it has actually won not just a couple of thousand but over a hundred
thousand pounds! And Alex doesn’t know! Poor Jess doesn’t have the thousand pounds cash that Alex
wants in exchange for the winning ticket, but perhaps her new friend the mark is interested in a piece of
the action? They’d pay Alex the thousand pounds he asked for and pocket the huge difference! Yes, the
mark is quite willing to side with Jess in defrauding Alex. Jess and the mark each pay Alex one half of
what he asked for and he gives them the winning ticket. Jess is happy for the mark to cash the ticket and
give her her share of the money later because it’s actually a worthless fake that Paul made earlier on his
inkjet printer after the winning numbers had been announced on TV.
Bruce Schneier (who provided the link to the paper) summarises the scenarios in his monthly newsletter (which is itself required reading IMHO).
1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.
2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.
3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.
4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.
5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.
6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.
Inexplicably, Bruce misses out the seventh ‘principle’:
7. The Time principle
When you are under time pressure to make an important choice, you use a different decision strategy.
Hustlers steer you towards a strategy involving less reasoning.
As it happens, I know (and admire) Frank Stajano. He’s smart and charming and — if I remember rightly — an expert in martial arts. But he keeps such odd company!