Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 6 – Psychology: From Usability and Risk to Scams Security Computer Science Tripos part 2 Ross Anderson.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 6 – Psychology: From Usability and Risk to Scams Security Computer Science Tripos part 2 Ross Anderson."— Presentation transcript:

1 Lecture 6 – Psychology: From Usability and Risk to Scams Security Computer Science Tripos part 2 Ross Anderson

2 Usability and Psychology ‘Why Johnny Can’t Encrypt’ – study of encryption program PGP – showed that 90% of users couldn’t get it right give 90 minutes Private / public, encryption / signing keys, plus trust labels was too much – people would delete private keys, or publish them, or whatever Security is hard – unmotivated users, abstract security policies, lack of feedback … Much better to have safe defaults (e.g. encrypt and sign everything) But economics often push the other way …

3 Usability and Psychology (2) 1980s concerns with passwords: technical (crack /etc/passwd, LAN sniffer, retry counter) 1990s concerns: weak defaults, attacks at point of entry (vertical ATM keypads), can the user choose a good password and not write it down? Our 1998 password trial: control group, versus random passwords, versus passphrase The compliance problem; and can someone who chooses a bad password harm only himself?

4 Social Engineering Use a plausible story, or just bully the target ‘What’s your PIN so I can cancel your card?’ NYHA case Patricia Dunn case Kevin Mitnick ‘Art of Deception’ Traditional responses: –mandatory access control –operational security

5 Social Engineering (2) Social psychology: –Solomon Asch, 1951: two-thirds of subjects would deny obvious facts to conform to group –Stanley Milgram, 1964: a similar number will administer torture if instructed by an authority figure –Philip Zimbardo, 1971: you don’t need authority: the subjects’ situation / context is enough The Officer Scott case And what about users you can’t train (customers)?

6 Phishing Started in 2003 with six reported (there had been isolated earlier attacks on AOL passwords) By 2006, UK banks lost £35m (£33m by one bank) and US banks maybe $200m Early phish crude and greedy but phishermen learned fast E.g. ‘Thank you for adding a new email address to your PayPal account’ The banks make it easy for them – e.g. Halifax

7 Phishing (2) Banks pay firms to take down phishing sites A couple have moved to two-factor authentication (CAP) – we’ll discuss later At present, the phished banks are those with poor back-end controls and slow asset recovery One gang (Rockphish) is doing half to two-thirds of the business Mule recruitment seems to be a serious bottleneck

8 Types of phishing website Misleading domain name http://www.banckname.com/ http://www.bankname.xtrasecuresite.com/ Insecure end user http://www.example.com/~user/www.bankname.com/ Insecure machine http://www.example.com/bankname/login/ http://49320.0401/bankname/login/ Free web hosting http://www.bank.com.freespacesitename.com/

9 Compromised machines run a proxy Domains do not infringe trademarks –name servers usually done in similar style Distinctive URL style http://session9999.bank.com.lof80.info/signon/ Some usage of “fast-flux” from Feb’07 onwards –viz: resolving to 5 (or 10…) IP addresses at once Rock-phish is different!

10 Phishing website lifetimes (hours) # sites (8 weeks) Mean lifetime Median lifetime Non-rock1695 62 20 Rock-phish domains 421 95 55 Fast-flux rock-phish domains 57196111 Rock-phish IP addresses 125172 26 Fast-flux rock-phish IP addresses 4287139 18

11 Site lifetimes (hours) January 2008 sitesmeanmedian eBay sites on free web-hosting 395 47.6 0 if eBay aware 240 4.3 0 if eBay not aware 155114.7 29 eBay sites on compromised hosts 193 49.2 0 if eBay aware 105 3.5 0 if eBay not aware 88103.8 10 Rock-phish domains (all targets) 821 70.3 33 Fast-flux domains (all targets) 314 96.1 25.5

12

13

14

15 Mule recruitment Proportion of spam devoted to recruitment shows that this is a significant bottleneck Aegis, Lux Capital, Sydney Car Centre, etc –mixture of real firms and invented ones –some “fast-flux” hosting involved Only the vigilantes are taking these down –impersonated are clueless and/or unmotivated Long-lived sites usually indexed by Google

16

17

18

19

20

21

22 Fake banks These are not “phishing” –no-one takes them down, apart from the vigilantes Usual pattern of repeated phrases on each new site, so googling finds more examples –sometimes old links left in (hand-edited!) Sometimes part of a “419” scheme –inconvenient to show existence of dictator’s $millions in a real bank account! Or sometimes part of a lottery scam

23

24

25

26

27

28 Fraud and Phishing Patterns Fraudsters do pretty well everything that normal marketers do The IT industry has abandoned manuals – people learn by doing, and marketers train them in unsafe behaviour (click on links…) Banks’ approach is ‘blame and train’ – long known to not work in safety critical systems Their instructions ‘look for the lock’, ‘click on images not URLs’, ‘parse the URL’ are easily turned round, and discriminate against nongeeks

29

30 Results Ability to detect phishing is correlated with SQ-EQ It is (independently) correlated with gender So the gender HCI issue applies to security too

Download ppt "Lecture 6 – Psychology: From Usability and Risk to Scams Security Computer Science Tripos part 2 Ross Anderson."

Similar presentations

What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via

What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.

How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.
Searching for Evil Ross Anderson Joint work with Richard Clayton, Tyler Moore, Steven Murdoch & Shishir Nagaraja Nottingham 25 th April 2008.

Searching for Evil Ross Anderson Joint work with Richard Clayton, Tyler Moore, Steven Murdoch & Shishir Nagaraja Nottingham 25 th April 2008.
Lecture 5 – Getting Physical Security Computer Science Tripos part 2 Ross Anderson.

Lecture 5 – Getting Physical Security Computer Science Tripos part 2 Ross Anderson.
The Future of Phishing Ross Anderson Security Group USEC 2007 15 Feb 2007.

The Future of Phishing Ross Anderson Security Group USEC Feb 2007.
ECrime Research Richard Clayton Luxembourg 11 th May 2010.

ECrime Research Richard Clayton Luxembourg 11 th May 2010.
1 What is Phishing? …listening to music by the band called Phish or perhaps …a hobby, sport or recreation involving the ocean, rivers or streams…nope.

1 What is Phishing? …listening to music by the band called Phish or perhaps …a hobby, sport or recreation involving the ocean, rivers or streams…nope.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (7) AUTHENTICATION.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
October is National Cyber Security Month OIT and IT providers are launching an awareness campaign to provide tips and resources to help you stay safe online.

October is National Cyber Security Month OIT and IT providers are launching an awareness campaign to provide tips and resources to help you stay safe online.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
Network & Computer Security Training.  Prevents unauthorized access to our network and your computer  Helps keep unwanted viruses and malware from entering.

Network & Computer Security Training.  Prevents unauthorized access to our network and your computer  Helps keep unwanted viruses and malware from entering.
Searching for Evil Professor Ross Anderson Dr Richard Clayton Joint work with Tyler Moore, Steven Murdoch & Shishir Nagaraja Google, London 14 th August.

Searching for Evil Professor Ross Anderson Dr Richard Clayton Joint work with Tyler Moore, Steven Murdoch & Shishir Nagaraja Google, London 14 th August.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
Evolution, Deception and Terror Ross Anderson Cambridge.

Evolution, Deception and Terror Ross Anderson Cambridge.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.

Similar presentations

Ads by Google