Transcript of "Lecture 6 – Psychology: From Usability and Risk to Scams"

Slide 1: Lecture 6 – Psychology: From Usability and Risk to Scams
Security, Computer Science Tripos part 2
Ross Anderson
Slide 2: Usability and Psychology
- ‘Why Johnny Can’t Encrypt’ – study of encryption program PGP – showed that 90% of users couldn’t get it right given 90 minutes
- Private/public, encryption/signing keys, plus trust labels was too much – people would delete private keys, or publish them, or whatever
- Security is hard – unmotivated users, abstract security policies, lack of feedback …
- Much better to have safe defaults (e.g. encrypt and sign everything)
- But economics often push the other way …
Slide 3: Usability and Psychology (2)
- 1980s concerns with passwords: technical (crack /etc/passwd, LAN sniffer, retry counter)
- 1990s concerns: weak defaults, attacks at point of entry (vertical ATM keypads), can the user choose a good password and not write it down?
- Our 1998 password trial: control group, versus random passwords, versus passphrase
- The compliance problem; and can someone who chooses a bad password harm only himself?
Slide 4: Social Engineering
- Use a plausible story, or just bully the target
- ‘What’s your PIN so I can cancel your card?’
- NYHA case
- Patricia Dunn case
- Kevin Mitnick, ‘Art of Deception’
- Traditional responses:
  - mandatory access control
  - operational security
Slide 5: Social Engineering (2)
- Social psychology:
  - Solomon Asch, 1951: two-thirds of subjects would deny obvious facts to conform to the group
  - Stanley Milgram, 1964: a similar number will administer torture if instructed by an authority figure
  - Philip Zimbardo, 1971: you don’t need authority: the subjects’ situation / context is enough
- The Officer Scott case
- And what about users you can’t train (customers)?
Slide 6: Phishing
- Started in 2003 with six reported (there had been isolated earlier attacks on AOL passwords)
- By 2006, UK banks lost £35m (£33m by one bank) and US banks maybe $200m
- Early phish crude and greedy, but phishermen learned fast
- E.g. ‘Thank you for adding a new email address to your PayPal account’
- The banks make it easy for them – e.g. Halifax
Slide 7: Phishing (2)
- Banks pay firms to take down phishing sites
- A couple have moved to two-factor authentication (CAP) – we’ll discuss later
- At present, the phished banks are those with poor back-end controls and slow asset recovery
- One gang (Rockphish) is doing half to two-thirds of the business
- Mule recruitment seems to be a serious bottleneck
Slide 8: Types of phishing website
- Misleading domain name
  - http://www.banckname.com/
  - http://www.bankname.xtrasecuresite.com/
- Insecure end user
  - http://www.example.com/~user/www.bankname.com/
- Insecure machine
  - http://www.example.com/bankname/login/
  - http://49320.0401/bankname/login/
- Free web hosting
  - http://www.bank.com.freespacesitename.com/
Slide 9: Rock-phish is different!
- Compromised machines run a proxy
- Domains do not infringe trademarks
  - name servers usually done in similar style
- Distinctive URL style
  - http://session9999.bank.com.lof80.info/signon/
- Some usage of “fast-flux” from Feb ’07 onwards
  - viz: resolving to 5 (or 10…) IP addresses at once
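A defender-side check for the URL shapes listed on slides 8 and 9, added here as an example and not part of the lecture: it reduces a URL to its registrable domain and reports which of the listed patterns (look-alike domain, brand in a foreign hostname, brand in the path, numeric host, rock-phish `sessionNNNN.` prefix) it matches. The `classify`, `registrable_domain` and `one_edit_apart` names, the tiny suffix set and the `bankname.com` brand domain are assumptions; a real deployment would use the Public Suffix List.

```python
"""Flag the phishing-URL shapes listed on slides 8 and 9 (added example, not from the lecture)."""
import re
from urllib.parse import urlsplit

SUFFIXES = {"com", "net", "org", "info", "co.uk"}  # toy stand-in for the Public Suffix List


def registrable_domain(host: str) -> str:
    """'session9999.bank.com.lof80.info' -> 'lof80.info': the part the phisher actually registered."""
    labels = host.split(".")
    for n in (2, 1):  # try a two-label suffix (co.uk) before a one-label one (com)
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-n - 1:])
    return host


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution (a typo-squat)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            return a[i + 1:] == b[i + 1:] or a[i + 1:] == b[i:] or a[i:] == b[i + 1:]
    return True  # identical prefix, one extra trailing character


def classify(url: str, brand_domain: str, aliases=()) -> list:
    """Return the slide-8/9 categories the URL matches; [] means it sits on the bank's own domain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname or "", parts.path.lower()
    reg = registrable_domain(host)
    if reg == brand_domain:
        return []
    tokens = {brand_domain.split(".")[0], *aliases}  # brand words to look for elsewhere
    findings = []
    if all(label.isdigit() for label in host.split(".")):
        findings.append("numeric host (insecure machine, obfuscated address)")
    if one_edit_apart(reg, brand_domain):
        findings.append("misleading domain name (one-character look-alike)")
    if any(t in host for t in tokens):
        findings.append("brand inside a hostname someone else owns (misleading domain / free hosting)")
    if any(t in path for t in tokens):
        findings.append("brand in the URL path (insecure end user / insecure machine)")
    if re.match(r"session\d+\.", host):
        findings.append("rock-phish style sessionNNNN. prefix")
    return findings


if __name__ == "__main__":  # the slide-9 rock-phish URL and a genuine one, as constructed sample input
    for u in ("http://session9999.bank.com.lof80.info/signon/", "http://www.bankname.com/login"):
        print(u, "->", classify(u, "bankname.com", aliases=("bank",)))
```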
Slide 10: Phishing website lifetimes (hours)

                                     Median lifetime   Mean lifetime   # sites (8 weeks)
  Non-rock                                        20              62                1695
  Rock-phish domains                              55              95                 421
  Rock-phish IP addresses                         26             172                 125
  Fast-flux rock-phish domains                   111             196                  57
  Fast-flux rock-phish IP addresses               18             139                4287
Slide 11: Site lifetimes (hours), January 2008

                                         Median     Mean    Sites
  eBay sites on compromised hosts             0     49.2      193
    if eBay aware                             0      3.5      105
    if eBay not aware                        10    103.8       88
  eBay sites on free web-hosting              0     47.6      395
    if eBay aware                             0      4.3      240
    if eBay not aware                        29    114.7      155
  Fast-flux domains (all targets)          25.5     96.1      314
  Rock-phish domains (all targets)           33     70.3      821
Slide 15: Mule recruitment
- Proportion of spam devoted to recruitment shows that this is a significant bottleneck
- Aegis, Lux Capital, Sydney Car Centre, etc.
  - mixture of real firms and invented ones
  - some “fast-flux” hosting involved
- Only the vigilantes are taking these down
  - impersonated are clueless and/or unmotivated
- Long-lived sites usually indexed by Google
Slide 22: Fake banks
- These are not “phishing”
  - no-one takes them down, apart from the vigilantes
- Usual pattern of repeated phrases on each new site, so googling finds more examples
  - sometimes old links left in (hand-edited!)
- Sometimes part of a “419” scheme
  - inconvenient to show existence of dictator’s $millions in a real bank account!
- Or sometimes part of a lottery scam
Slide 28: Fraud and Phishing Patterns
- Fraudsters do pretty well everything that normal marketers do
- The IT industry has abandoned manuals – people learn by doing, and marketers train them in unsafe behaviour (click on links…)
- Banks’ approach is ‘blame and train’ – long known to not work in safety-critical systems
- Their instructions ‘look for the lock’, ‘click on images not URLs’, ‘parse the URL’ are easily turned round, and discriminate against non-geeks
Slide 30: Results
- Ability to detect phishing is correlated with SQ-EQ
- It is (independently) correlated with gender
- So the gender HCI issue applies to security too