Lecture 6 – Psychology: From Usability and Risk to Scams Security Computer Science Tripos part 2 Ross Anderson

Post on 21-Dec-2015

Page 1:

Lecture 6 – Psychology: From Usability and Risk to Scams

Security

Computer Science Tripos part 2

Ross Anderson

Page 2:

Usability and Psychology

• ‘Why Johnny Can’t Encrypt’ – a study of the encryption program PGP – showed that 90% of users couldn’t get it right given 90 minutes

• Private / public, encryption / signing keys, plus trust labels was too much – people would delete private keys, or publish them, or whatever

• Security is hard – unmotivated users, abstract security policies, lack of feedback …

• Much better to have safe defaults (e.g. encrypt and sign everything)

• But economics often push the other way …

Page 3:

Usability and Psychology (2)

• 1980s concerns with passwords: technical (crack /etc/passwd, LAN sniffer, retry counter)

• 1990s concerns: weak defaults, attacks at point of entry (vertical ATM keypads), can the user choose a good password and not write it down?

• Our 1998 password trial: control group, versus random passwords, versus passphrase

• The compliance problem; and can someone who chooses a bad password harm only himself?

Page 4:

Social Engineering

• Use a plausible story, or just bully the target

• ‘What’s your PIN so I can cancel your card?’

• NYHA case

• Patricia Dunn case

• Kevin Mitnick, ‘The Art of Deception’

• Traditional responses:

– mandatory access control

– operational security

Page 5:

Social Engineering (2)

• Social psychology:

– Solomon Asch, 1951: two-thirds of subjects would deny obvious facts to conform to the group

– Stanley Milgram, 1964: a similar number will administer torture if instructed by an authority figure

– Philip Zimbardo, 1971: you don’t need authority: the subjects’ situation / context is enough

• The Officer Scott case

• And what about users you can’t train (customers)?

Page 6:

Phishing

• Started in 2003 with six reported cases (there had been isolated earlier attacks on AOL passwords)

• By 2006, UK banks lost £35m (£33m by one bank) and US banks maybe $200m

• Early phish were crude and greedy, but the phishermen learned fast

• E.g. ‘Thank you for adding a new email address to your PayPal account’

• The banks make it easy for them – e.g. Halifax

Page 7:

Phishing (2)

• Banks pay firms to take down phishing sites

• A couple have moved to two-factor authentication (CAP) – we’ll discuss later

• At present, the phished banks are those with poor back-end controls and slow asset recovery

• One gang (Rockphish) is doing half to two-thirds of the business

• Mule recruitment seems to be a serious bottleneck

Page 8:

Types of phishing website

• Misleading domain name
  http://www.banckname.com/
  http://www.bankname.xtrasecuresite.com/

• Insecure end user
  http://www.example.com/~user/www.bankname.com/

• Insecure machine
  http://www.example.com/bankname/login/
  http://49320.0401/bankname/login/

• Free web hosting
  http://www.bank.com.freespacesitename.com/
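The slide's four categories are structural properties of the URL, so a triage tool can label a reported URL by the pattern it resembles. The following is an added example written for this page, not code from the lecture; the bank hostnames, brand strings and free-hosting list are constructed, the registrable-domain split is deliberately naive, and it goes one step further by also tagging the 'sessionNNNN' subdomain style of the Rock-phish URL on the next slide (an assumption modelled on that one example).

```python
import re
from urllib.parse import urlsplit

# Constructed inputs for this example (hypothetical names, not from the slides):
LEGIT_HOSTS = {"www.bankname.com", "bankname.com", "www.bank.com", "bank.com"}
BRANDS = {"bankname", "bank"}             # brand strings a phisher wants the victim to see
FREE_HOSTING = {"freespacesitename.com"}  # registrable domains of free web hosts

def registered_domain(host: str) -> str:
    """Naive registrable domain: last two labels (ignores multi-part TLDs like co.uk)."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as banckname.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

LEGIT_REGISTERED = {registered_domain(h) for h in LEGIT_HOSTS}

def classify(url: str) -> str:
    """Label a URL with the slide's phishing-site category it resembles (a heuristic, not proof)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if host in LEGIT_HOSTS:
        return "legitimate host"
    if re.fullmatch(r"[0-9.]+", host):           # e.g. http://49320.0401/ - an oddly encoded
        return "insecure machine (numeric host)"   # IP address rather than a named site
    reg = registered_domain(host)
    sub = host[: -len(reg)].rstrip(".")           # labels to the left of the registrable domain
    if reg in FREE_HOSTING:
        return "free web hosting (brand in subdomain)"
    if any(b in sub for b in BRANDS):
        # Assumption: a leading 'sessionNNNN' label models the Rock-phish URL style on the next slide
        if re.match(r"session\d+\.", sub):
            return "rock-phish style (session label + brand subdomain)"
        return "misleading domain name (brand in subdomain)"
    if any(edit_distance(reg, legit) <= 2 for legit in LEGIT_REGISTERED):
        return "misleading domain name (look-alike)"
    if path.startswith("/~"):
        return "insecure end user (personal web space)"
    if any(b in path for b in BRANDS):
        return "insecure machine (brand in path)"
    return "no phishing pattern matched"
```

Substring brand matching will mislabel innocent names that happen to contain the brand string, so the labels are triage hints for a takedown queue, not a verdict.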

Page 9:

Rock-phish is different!

• Compromised machines run a proxy

• Domains do not infringe trademarks – name servers usually done in similar style

• Distinctive URL style: http://session9999.bank.com.lof80.info/signon/

• Some usage of “fast-flux” from Feb ’07 onwards – viz. resolving to 5 (or 10…) IP addresses at once
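The fast-flux behaviour on this slide (many A records per answer, and a different set each time you ask) can be measured from repeated resolutions. The following is an added example, not code from the lecture: the resolution log is constructed from TEST-NET addresses, the name lof80.info is taken from the slide's URL, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed DNS resolution log for this example: (minute, queried name, A-record answer set).
# Addresses are from the TEST-NET ranges; lof80.info is the registrable part of the slide's URL.
SNAPSHOTS = [
    (0,  "lof80.info", {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "198.51.100.5"}),
    (10, "lof80.info", {"198.51.100.3", "198.51.100.6", "198.51.100.7", "198.51.100.8", "198.51.100.9"}),
    (20, "lof80.info", {"198.51.100.5", "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"}),
    (0,  "www.bankname.com", {"203.0.113.10", "203.0.113.11"}),
    (10, "www.bankname.com", {"203.0.113.10", "203.0.113.11"}),
    (20, "www.bankname.com", {"203.0.113.10", "203.0.113.11"}),
]

def flux_stats(snapshots):
    """Per name: answers seen, mean A records per answer, distinct IPs, and churn
    (share of addresses in later answers that had not been returned before)."""
    per_name = defaultdict(list)
    for _, name, ips in sorted(snapshots, key=lambda s: (s[1], s[0])):
        per_name[name].append(set(ips))
    stats = {}
    for name, answers in per_name.items():
        seen, fresh, later = set(answers[0]), 0, 0
        for ips in answers[1:]:
            fresh += len(ips - seen)   # addresses never seen for this name before
            later += len(ips)
            seen |= ips
        stats[name] = {
            "answers": len(answers),
            "mean_ips_per_answer": sum(map(len, answers)) / len(answers),
            "distinct_ips": len(seen),
            "churn": fresh / later if later else 0.0,
        }
    return stats

def is_fast_flux(s, min_ips=5, min_churn=0.5):
    """Flag names that answer with many addresses at once AND keep rotating them (assumed thresholds).
    Caveat: large CDNs also return many addresses, so treat a hit as a lead, not a verdict."""
    return s["mean_ips_per_answer"] >= min_ips and s["churn"] >= min_churn

def suspects(snapshots):
    """Names in the log that look fast-flux, sorted for stable output."""
    return sorted(n for n, s in flux_stats(snapshots).items() if is_fast_flux(s))
```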

Page 10:

Phishing website lifetimes (hours)

                                    # sites (8 weeks)   Mean lifetime   Median lifetime
Non-rock                                    1695              62               20
Rock-phish domains                           421              95               55
Fast-flux rock-phish domains                  57             196              111
Rock-phish IP addresses                      125             172               26
Fast-flux rock-phish IP addresses           4287             139               18

Page 11:

Site lifetimes (hours), January 2008

                                           sites     mean   median
eBay sites on free web-hosting               395     47.6      0
  if eBay aware                              240      4.3      0
  if eBay not aware                          155    114.7     29
eBay sites on compromised hosts              193     49.2      0
  if eBay aware                              105      3.5      0
  if eBay not aware                           88    103.8     10
Rock-phish domains (all targets)             821     70.3     33
Fast-flux domains (all targets)              314     96.1     25.5

Page 15:

Mule recruitment

• Proportion of spam devoted to recruitment shows that this is a significant bottleneck

• Aegis, Lux Capital, Sydney Car Centre, etc. – a mixture of real firms and invented ones – some “fast-flux” hosting involved

• Only the vigilantes are taking these down – the impersonated firms are clueless and/or unmotivated

• Long-lived sites usually indexed by Google

Page 22:

Fake banks

• These are not “phishing” – no-one takes them down, apart from the vigilantes

• Usual pattern of repeated phrases on each new site, so googling finds more examples – sometimes old links are left in (hand-edited!)

• Sometimes part of a “419” scheme – inconvenient to show the existence of the dictator’s $millions in a real bank account!

• Or sometimes part of a lottery scam

Page 28:

Fraud and Phishing Patterns

• Fraudsters do pretty well everything that normal marketers do

• The IT industry has abandoned manuals – people learn by doing, and marketers train them in unsafe behaviour (click on links…)

• Banks’ approach is ‘blame and train’ – long known not to work in safety-critical systems

• Their instructions ‘look for the lock’, ‘click on images not URLs’, ‘parse the URL’ are easily turned round, and discriminate against non-geeks

Page 30:

Results

• Ability to detect phishing is correlated with SQ-EQ

• It is (independently) correlated with gender

• So the gender HCI issue applies to security too