Second SHB Workshop Liveblogging (3)

The second session was about fraud. (These session subjects are only general. We tried to stick related people together, but there was the occasional oddball -- and scheduling constraint -- to deal with.)

Julie Downs, Carnegie Mellon University (suggested reading: Behavioral Response to Phishing Risk; Parents' vaccination comprehension and decisions; The Psychology of Food Consumption), is a psychologist who studies how people make decisions, and talked about phishing. To determine how people respond to phishing attempts -- what e-mails they open and when they click on links -- she watched as people interacted with their e-mail. She found that most people's strategies to deal with phishing attacks might have been effective 5-10 years ago, but are no longer sufficient now that phishers have adapted. She also found that educating people about phishing didn't make them more effective at spotting phishing attempts, but made them more likely to be afraid of doing anything on line. She found this same overreaction among people who were recently the victims of phishing attacks, but again people were no better separating real e-mail from phishing attempts. What does make a difference is contextual understanding: how to parse a URL, how and why the scams happen, what SSL does and doesn't do.

Jean Camp, Indiana University (suggested reading: Experimental Evaluation of Expert and Non-expert Computer Users' Mental Models of Security Risks), studies people taking risks online. Four points: 1) "people create mental models from internal narratives about risk," 2) "risk mitigating action is taken only if the risk is perceived as relevant," 3) "contextualizing risk can show risks as relevant," and 4) "narrative can increase desire and capacity to use security tools." Stories matter: "people are willing to wash out their cat food cans and sweep up their sweet gum balls to be a good neighbor, but allow their computers to join zombie networks" because there's a good story in the former and none in the latter. She presented two experiments to demonstrate this. One was a video experiment watching business majors try to install PGP. No one was successful: there was no narrative, and the mixed metaphor of physical and cryptographic "key" confused people.

Matt Blaze, University of Pennsylvania (his blog), talked about electronic voting machines and fraud. He related this anecdote about actual electronic voting machine vote fraud in Kentucky. In the question session, he speculated about the difficulty of having a security model that would have captured the problem, and how to know whether that model was complete enough.

Jeffrey Friedberg, Microsoft (suggested reading: Internet Fraud Battlefield; End to End Trust and the Trust User Experience; Testimony on "spyware"), discussed research at Microsoft around the Trust User Experience (TUX). He talked about the difficulty of verifying SSL certificates. Then he talked about how Microsoft added a "green bar" to signify trusted sites, and how people who learned to trust the green bar were fooled by "picture in picture attacks": where a hostile site embedded a green-bar browser window in its page. Most people don't understand that the information inside the browser window is arbitrary, but that the stuff around it is not. The user interface, user experience, mental models all matter. Designing and evaluating TUX is hard. From the questions: training doesn't help much, because given a plausible story, people will do things counter to their training.

Stuart Schechter, Microsoft, presented this research on secret questions. Basically, secret questions don't work. They're easily guessable based on the most common answers; friends and relatives of people can easily predict unique answers; and people forget their answers. Even worse, the more memorable the question/answers are, the easier they are to guess. Having people write their own questions is no better: "What's my blood type?" "How tall am I?"

Tyler Moore, Harvard University (suggested reading: The Consequences of Non-Cooperation in the Fight against Phishing; Information Security Economics -- and Beyond), discussed his empirical studies on online crime and defense. Fraudsters are good at duping users, but they're also effective at exploiting failures among IT professionals to perpetuate the infrastructure necessary to carry out these exploits on a large scale (hosting fake web pages, sending spam, laundering the profits via money mules, and so on). There is widespread refusal among the defenders to cooperate with each other, and attackers exploit these limitations. We are better at removing phishing websites than we are at defending against the money mules. Defenders tend to fix immediate problems, but not underlying problems.

In the discussion phase, there was a lot of talk about the relationships between websites, like banks, and users -- and how that affects security for both good and bad. Jean Camp doesn't want a relationship with her bank, because that unduly invests her in the bank. (Someone from the audience pointed out that, as a U.S. taxpayer, she is already invested in her bank.) Angela Sasse said that the correct metaphor is "rules of engagement," rather than relationships.

Adam Shostack's liveblogging. Ross Anderson's liveblogging is in his blog post's comments.

Matt Blaze is taping the sessions -- except for the couple of presenters who would rather not be taped -- I'll post his links as soon as the files are online.

EDITED TO ADD (6/11): Audio of the session is here.

Posted on June 11, 2009 at 11:42 AM • 9 Comments

Comments

spiceJune 11, 2009 12:24 PM

thanks for blogging about this, i'm finding it really interesting and appreciate that you're taking the time!!

bobJune 11, 2009 2:38 PM

For years I have tried to teach my mom the difference between a browser and a website. Still trying.

ZianJune 11, 2009 3:02 PM

@Bob
Have you tried explaining that the browser is a window and that using a browser is like looking through a window?

mooJune 11, 2009 5:13 PM

"Someone from the audience pointed out that, as a U.S. taxpayer, she is already invested in her bank."

That is excellent. =)

bobJune 12, 2009 9:38 AM

In one of the cited studies, they talk about secret word account access. I believe the thought process of people when they set up the word in the first place is very important. For example, which does a given user consider higher priority: always being able to gain access to the account themselves OR preventing others from gaining access even if it means they themselves are blocked for some unknown period of time (for example until they can physically phone the provider and unlock the account verbally).

@Zian: Hehe. Yes I have. the computer sits right next to the window and I have tried to use the fact that what appears to me to be a 2-dimension image of a house (its flat, i know it is - I can touch it and none of it is any farther than any other part) is actually the light reflected off a 3-dimensional object in the distance, owned by someone else even though I perceive it as an image within the pane of a window which I (well, she) owns.

Too technical, I think she got lost at 2 v 3 dimensional, or why would I perceive the neighbor's house as merely an image when it is clearly an actual house next door.

Explaining the difference between files and folders (directories) didn't take either (and thats on Windows, imagine Linux!) I considered myself to have reached the plateau of success when I got my dad to stop shutting down the computer by simply switching off the power strip to the computer without exiting running programs first (granted it is much faster that way). Plus she keeps worrying about backing up her PC hard drive so she doesn't lose her webmail...

AppSecJune 12, 2009 10:14 AM

@Bob:
The browser is the book -- you see the final thoughts of the author...

Those with interaction, are your choose your own adventure books..

You don't need to back up your web mail because the server records the authors thoughts and just sends them back when needed.

JasonJune 12, 2009 11:12 AM

I was recently walking someone through creating a new key with PGP 9 and came across it's "personal question" section.

"Who was the second person I ever held hands with?"

"Enter my favorite HipHop song title from the 1980s?"

"Enter an old musical chorus that reminds you hvae when you first met your spouse?"

They are pretty obscure. So obscure that you probably wouldn't answer them the same way twice.

Does having border-line ridiculous security questions make them any more secure?

Nobody knows the brand name of the first pair of shoes I bought for myself. Does that make it more secure?

Andrew SJune 13, 2009 4:47 PM

For years I have tried to teach my mom the difference between a browser and a website.

Hack the browser window to be fluorescent pink with green polkadots. The chances that someone will design a phishing web site that mimics that look is quite low.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..