HOWTO use con-games to improve information security

"Understanding scam victims: seven principles for systems security" by Cambridge University's Frank Stajano and Paul Wilson is an excellent look at the principles involved in "short cons" (confidence games that only take a few minutes to "play") and how they can be applied to information security. The authors examine the mechanics of scams demonstrated in the BBC show "The Real Hustle" and then extract the principles that drive them and show how they are also used in online ripoffs:

This illustrates something important. Many people feel that they are wise to certain scams or take steps to protect their property; but, often, these steps don't go far enough. A con artist can easily answer people's concerns or provide all sorts of proof to put minds at ease. In order to protect oneself, it's essential to remove all possibility of compromise. There's no point parking your own car if you then give the valet your keys. Despite this, the mark felt more secure when, in actual fact, he had made the hustler's job easier....

...Much of systems security boils down to "allowing certain principals to perform certain actions on the system while disallowing anyone else from doing them"; as such, it relies implicitly on some form of authentication--recognizing which principals should be authorized and which ones shouldn't. The lesson for the security engineer is that the security of the whole system often relies on the users also performing some authentication, and that they may be deceived too, in ways that are qualitatively different from those in which computer systems can be deceived. In online banking, for example, the role of verifier is not just for the web site (which clearly must authenticate its customers): to some extent, the customers themselves should also authenticate the web site before entering their credentials, otherwise they might be phished. However, it is not enough just to make it "technically possible": it must also be humanly doable by non-techies. How many banking customers check (or even understand the meaning of) the https padlock?

Understanding scam victims: seven principles for systems security (via Schneier)
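The quoted passage separates two halves of "authenticating the web site": the check the browser does for you (the padlock) and the check only the customer can do (is this the site I meant?). The example below is added here and is not code from the post or from the Stajano/Wilson paper; it reproduces a simplified version of the padlock's hostname-matching rule (a subset of RFC 6125 dNSName matching) and then layers the human step on top. The certificates, the domain names (`bank.example`, `login-secure.test`) and the function names are all constructed for the illustration.

```python
"""
Added example (not from the post or the paper): what the https padlock
actually verifies, and what it leaves to the human.

A green padlock means "the certificate the server presented is valid for
the hostname in the address bar". It does not mean "this is my bank":
anyone can obtain a perfectly valid certificate for a domain they own,
so a lookalike domain gets its own padlock. The check that the hostname
is the one you intended is the part the quoted passage says must be
"humanly doable". All certificate data here is constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 leaf certificate (constructed)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName pattern covers hostname.

    Simplified RFC 6125 rules: case-insensitive, a wildcard is allowed
    only as the entire leftmost label, it matches exactly one label, and
    it must be followed by at least two labels ("*.com" is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern[1:]:            # wildcard anywhere but the first char
        return False
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False                  # "*.com" / "*" never acceptable
    if len(p_labels) != len(h_labels):
        return False                  # wildcard never spans labels
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def certificate_covers_host(cert: Certificate, hostname: str) -> bool:
    """The machine-side check behind the padlock: some SAN dNSName matches.
    Falls back to the subject CN only when the SAN list is empty (legacy)."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(dns_name_matches(n, hostname) for n in names)


def user_side_check(cert: Certificate, url_host: str, expected_host: str) -> dict:
    """Both halves of the authentication the passage describes:
    padlock  = certificate matches the address bar (the browser's job)
    intended = the address bar shows the site I meant (the customer's job)
    Credentials are only safe to enter when both hold."""
    padlock = certificate_covers_host(cert, url_host)
    intended = url_host.lower().rstrip(".") == expected_host.lower().rstrip(".")
    return {
        "padlock": padlock,
        "intended_site": intended,
        "safe_to_enter_credentials": padlock and intended,
    }


# Constructed sample data: the bank's real certificate and a lookalike
# domain that legitimately holds its own (equally valid) certificate.
BANK_CERT = Certificate(subject_cn="www.bank.example",
                        san_dns=["www.bank.example", "*.bank.example"])
LOOKALIKE_CERT = Certificate(subject_cn="bank.example.login-secure.test",
                             san_dns=["bank.example.login-secure.test"])

if __name__ == "__main__":
    for cert, host in [(BANK_CERT, "online.bank.example"),
                       (LOOKALIKE_CERT, "bank.example.login-secure.test")]:
        print(host, user_side_check(cert, host, "online.bank.example"))
```

Run as a script, it shows both hosts earning a padlock while only the first passes the "intended site" check, which is the valet-and-car-keys point in code: the technical verification succeeded, but it verified something other than what the mark assumed.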
