Entries Tagged "hoaxes"


Click Fraud and the Problem of Authenticating People

Google’s $6 billion-a-year advertising business is at risk because it can’t be sure that anyone is looking at its ads. The problem is called click fraud, and it comes in two basic flavors.

With network click fraud, you host Google AdSense advertisements on your own website. Google pays you every time someone clicks on its ad on your site. It’s fraud if you sit at the computer and repeatedly click on the ad or—better yet—write a computer program that repeatedly clicks on the ad. That kind of fraud is easy for Google to spot, so the clever network click fraudsters simulate different IP addresses, or install Trojan horses on other people’s computers to generate the fake clicks.

The other kind of click fraud is competitive. You notice your business competitor has bought an ad on Google, paying Google for each click. So you use the above techniques to repeatedly click on his ads, forcing him to spend money—sometimes a lot of money—on nothing. (Here’s a company that will commit click fraud for you.)

Click fraud has become a classic security arms race. Google improves its fraud-detection tools, so the fraudsters get increasingly clever … and the cycle continues. Meanwhile, Google is facing multiple lawsuits from those who claim the company isn’t doing enough. My guess is that everyone is right: It’s in Google’s interest both to solve and to downplay the importance of the problem.

But the overarching problem is both hard to solve and important: How do you tell if there’s an actual person sitting in front of a computer screen? How do you tell that the person is paying attention, hasn’t automated his responses, and isn’t being assisted by friends? Authentication systems are big business, whether based on something you know (passwords), something you have (tokens) or something you are (biometrics). But none of those systems can secure you against someone who walks away and lets another person sit down at the keyboard, or a computer that’s infected with a Trojan.

This problem manifests itself in other areas as well.

For years, online computer game companies have been battling players who use computer programs to assist their play: programs that allow them to shoot perfectly or see information they normally couldn’t see.

Playing is less fun if everyone else is computer-assisted, but unless there’s a cash prize on the line, the stakes are small. Not so with online poker sites, where computer-assisted players—or even computers playing without a real person at all—have the potential to drive all the human players away from the game.

Look around the internet, and you see this problem pop up again and again. The whole point of CAPTCHAs is to ensure that it’s a real person visiting a website, not just a bot on a computer. Standard testing doesn’t work online, because the tester can’t be sure that the test taker doesn’t have his book open, or a friend standing over his shoulder helping him. The solution in both cases is a proctor, of course, but that’s not always practical and obviates the benefits of internet testing.

This problem has even come up in court cases. In one instance, the prosecution demonstrated that the defendant’s computer committed some hacking offense, but the defense argued that it wasn’t the defendant who did it—that someone else was controlling his computer. And in another case, a defendant charged with a child porn offense argued that, while it was true that illegal material was on his computer, his computer was in a common room of his house and he hosted a lot of parties—and it wasn’t him who’d downloaded the porn.

Years ago, talking about security, I complained about the link between computer and chair. The easy part is securing digital information: on the desktop computer, in transit from computer to computer or on massive servers. The hard part is securing information from the computer to the person. Likewise, authenticating a computer is much easier than authenticating a person sitting in front of the computer. And verifying the integrity of data is much easier than verifying the integrity of the person looking at it—in both senses of that word.

And it’s a problem that will get worse as computers get better at imitating people.

Google is testing a new advertising model to deal with click fraud: cost-per-action ads. Advertisers don’t pay unless the customer performs a certain action: buys a product, fills out a survey, whatever. It’s a hard model to make work—Google would become more of a partner in the final sale instead of an indifferent displayer of advertising—but it’s the right security response to click fraud: Change the rules of the game so that click fraud doesn’t matter.

That’s how to solve a security problem.

This essay appeared on Wired.com.

EDITED TO ADD (7/13): Click Monkeys is a hoax site.

EDITED TO ADD (7/25): An evaluation of Google’s anti-click-fraud efforts, as part of the Lane Gifts case. I’m not sure if this expert report was done for Google, for Lane Gifts, or for the judge.

Posted on July 13, 2006 at 5:22 AM

Movie Clip Mistaken for Al Qaeda Video

Oops:

Reuters quoted a Pentagon official, Dan Devlin, as saying, “What we have seen is that any video game that comes out… (al Qaeda will) modify it and change the game for their needs.”

The influential committee, chaired by Rep. Peter Hoekstra (R-MI), watched footage of animated combat in which characters depicted as Islamic insurgents killed U.S. troops in battle. The video began with the voice of a male narrator saying, “I was just a boy when the infidels came to my village in Blackhawk helicopters…”

Several GP readers immediately noticed that the voice-over was actually lifted from Team America: World Police, an outrageous 2004 satirical film produced by the creators of the popular South Park comedy series. At about the same time, gamers involved in the online Battlefield 2 community were pointing out the video footage shown to Congress was not a mod of BF2 at all, but standard game footage from EA’s Special Forces BF2 add-on module, a retail product widely available in the United States and elsewhere.

Posted on May 24, 2006 at 2:14 PM

People Trusting Uniforms

An improv group in New York dressed similarly to Best Buy employees and went into a store, secretly video taping the results.

My favorite part:

Security guards and managers started talking to each other frantically on their walkie-talkies and headsets. “Thomas Crown Affair! Thomas Crown Affair!,” one employee shouted. They were worried that we were using our fake uniforms to stage some type of elaborate heist. “I want every available employee out on the floor RIGHT NOW!”

Since the people did not actually try to impersonate Best Buy employees, could they be charged with any crime?

Posted on May 4, 2006 at 1:39 PM

Graffiti on Air Force One?

Here’s a video of a bunch of graffiti artists breaching security at Andrews Air Force Base, and tagging an Air Force One plane.

I know there are multiple planes—four, I think—and that they are in different states of active service at any one time. And, presumably, the different planes have different security levels depending on their status. Still, part of me thinks this is a hoax.

One, this is the sort of stunt that can get you shot at. And two, posting a video of this can get you arrested.

Anyone know anything about this?

EDITED TO ADD (4/21): It’s a hoax.

Posted on April 18, 2006 at 1:10 PM

Basketball Prank

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win.

Enter “Victoria.”

Victoria was a hoax UCLA co-ed, created by Cal’s Rally Committee. For the previous week, “she” had been chatting with Gabe Pruitt, USC’s starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.

On Saturday, at the game, when Pruitt was introduced in the starting lineup, the chants began: “Victoria, Victoria.” One of the fans held up a sign with her phone number.

The look on Pruitt’s face when he turned to the bench after the first Victoria chant was priceless. The expression was unlike anything ever seen in collegiate or pro sports. Never did a chant by the opposing crowd have such an impact on a visiting player. Pruitt was in total shock. (This is the only picture I could find.)

The chant “Victoria” lasted all night. To add to his embarrassment, transcripts of their IM conversations were handed out to the bench before the game: “You look like you have a very fit body.” “Now I want to c u so bad.”

Pruitt ended up a miserable 3-for-13 from the field.

(See also here and here.)

Security morals? First, this is the cleverest social engineering attack I’ve read about in a long time. Second, authentication is hard in little text windows—but it’s no less important. (Although even if this were a real co-ed recruited for the ruse, authentication wouldn’t have helped.) And third, you can hoodwink college basketball players if you get them thinking with their hormones.

Posted on March 14, 2006 at 12:11 PM

Caller ID Spoofing

What’s worse than a bad authentication system? A bad authentication system that people have learned to trust. According to the Associated Press:

In the last few years, Caller ID spoofing has become much easier. Millions of people have Internet telephone equipment that can be set to make any number appear on a Caller ID system. And several Web sites have sprung up to provide Caller ID spoofing services, eliminating the need for any special hardware.

For instance, Spoofcard.com sells a virtual “calling card” for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display.

Near as anyone can tell, this is perfectly legal. (Although the FCC is investigating.)

The applications for Caller ID spoofing are not limited to fooling people. There’s real fraud that can be committed:

Lance James, chief scientist at security company Secure Science Corp., said Caller ID spoofing Web sites are used by people who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder’s home, and use the credit card number to order cash transfers that they then pick up.

Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards.

And, of course, harmful pranks:

In one case, SWAT teams surrounded a building in New Brunswick, N.J., last year after police received a call from a woman who said she was being held hostage in an apartment. Caller ID was spoofed to appear to come from the apartment.

It’s also easy to break into a cell phone voice mailbox using spoofing, because many systems are set to automatically grant entry to calls from the owner of the account. Stopping that requires setting a PIN code or password for the mailbox.

I have never been a fan of Caller ID. My phone number is configured to block Caller ID on outgoing calls. The number of phone numbers that refuse to accept my calls is growing, however.

Posted on March 3, 2006 at 7:10 AM

Story About “Little Red Book” and Federal Agents a Hoax

This is important news:

The UMass Dartmouth student who claimed to have been visited by Homeland Security agents over his request for “The Little Red Book” by Mao Zedong has admitted to making up the entire story.

The 22-year-old student tearfully admitted he made the story up to his history professor, Dr. Brian Glyn Williams, and his parents, after being confronted with the inconsistencies in his account.

Had the student stuck to his original story, it might never have been proved false.

But on Thursday, when the student told his tale in the office of UMass Dartmouth professor Dr. Robert Pontbriand to Dr. Williams, Dr. Pontbriand, university spokesman John Hoey and The Standard-Times, the student added new details.

The agents had returned, the student said, just last night. The two agents, the student, his parents and the student’s uncle all signed confidentiality agreements, he claimed, to put an end to the matter.

But when Dr. Williams went to the student’s home yesterday and relayed that part of the story to his parents, it was the first time they had heard it. The story began to unravel, and the student, faced with the truth, broke down and cried.

I don’t know what the moral is, here. 1) He’s an idiot. 2) Don’t believe everything you read. 3) We live in such an invasive political climate that such stories are easily believable. 4) He’s definitely an idiot.

Posted on December 24, 2005 at 8:53 AM

Armed Killer Dolphins

Whatever are we to make of this:

It may be the oddest tale to emerge from the aftermath of Hurricane Katrina. Armed dolphins, trained by the US military to shoot terrorists and pinpoint spies underwater, may be missing in the Gulf of Mexico.

To answer your first question: toxic dart guns.

EDITED TO ADD (12/5): Snopes, a reliable source in these matters, claims this to be a hoax.

Posted on December 5, 2005 at 7:33 AM

Exploding Baby Carriages in Subways

This is a great example of a movie-plot threat.

A terrorist plot to attack the subways with bomb-laden baby carriages and briefcases—the most specific threat ever made against the city—triggered a massive security crackdown yesterday.

This is not to say that there isn’t a real plot that was uncovered, but the specificity of the threat seems a bit ridiculous.

And if we ban baby carriages from the subways, and the terrorists put their bombs in duffel bags instead, have we really won anything?

EDITED TO ADD: The threat was a hoax.

Posted on October 11, 2005 at 8:12 AM
