Schneier on Security: Tagged social engineering

Entries Tagged "social engineering"

Page 4 of 11

F2P Monetization Tricks

This is a really interesting article about something I never even thought about before: how games (“F2P” means “free to play”) trick players into paying for stuff.

For example:

This is my favorite coercive monetization technique, because it is just so powerful. The technique involves giving the player some really huge reward, that makes them really happy, and then threatening to take it away if they do not spend. Research has shown that humans like getting rewards, but they hate losing what they already have much more than they value the same item as a reward. To be effective with this technique, you have to tell the player they have earned something, and then later tell them that they did not. The longer you allow the player to have the reward before you take it away, the more powerful is the effect.

This technique is used masterfully in Puzzle and Dragons. In that game the play primarily centers around completing “dungeons.” To the consumer, a dungeon appears to be a skill challenge, and initially it is. Of course once the customer has had enough time to get comfortable with the idea that this is a skill game the difficulty goes way up and it becomes a money game. What is particularly effective here is that the player has to go through several waves of battles in a dungeon, with rewards given after each wave. The last wave is a “boss battle” where the difficulty becomes massive and if the player is in the recommended dungeon for them then they typically fail here. They are then told that all of the rewards from the previous waves are going to be lost, in addition to the stamina used to enter the dungeon (this can be 4 or more real hours of time worth of stamina).

At this point the user must choose to either spend about $1 or lose their rewards, lose their stamina (which they could get back for another $1), and lose their progress. To the brain this is not just a loss of time. If I spend an hour writing a paper and then something happens and my writing gets erased, this is much more painful to me than the loss of an hour. The same type of achievement loss is in effect here. Note that in this model the player could be defeated multiple times in the boss battle and in getting to the boss battle, thus spending several dollars per dungeon.

This technique alone is effective enough to make consumers of any developmental level spend. Just to be safe, PaD uses the same technique at the end of each dungeon again in the form of an inventory cap. The player is given a number of “eggs” as rewards, the contents of which have to be held in inventory. If your small inventory space is exceeded, again those eggs are taken from you unless you spend to increase your inventory space. Brilliant!

It really is a piece about security. These games use all sorts of mental tricks to coerce money from people who would not have spent it otherwise. Tricks include misdirection, sunk costs, withholding information, cognitive dissonance, and prospect theory.

I am reminded of the cognitive tricks scammers use. And, of course, much of the psychology of security.

Posted on July 12, 2013 at 6:37 AM • View Comments

19th-Century Traffic Analysis

There’s a nice example of traffic analysis in the book No Name, by Wilkie Collins (1862). The attacker, Captain Wragge, needs to know whether a letter has been placed in the mail. He knows who it will have been addressed to if it has been mailed, and with that information, is able to convince the postmaster to tell him that it has, in fact, been mailed:

If she had gone to the admiral’s, no choice would be left him but to follow the coach, to catch the train by which she traveled, and to outstrip her afterward on the drive from the station in Essex to St. Crux. If, on the contrary, she had been contented with writing to her master, it would only be necessary to devise measures for intercepting the letter. The captain decided on going to the post-office, in the first place. Assuming that the housekeeper had written, she would not have left the letter at the mercy of the servant—she would have seen it safely in the letter-box before leaving Aldborough.

“Good-morning,” said the captain, cheerfully addressing the postmaster. “I am Mr. Bygrave of North Shingles. I think you have a letter in the box, addressed to Mr.—?”

The postmaster was a short man, and consequently a man with a proper idea of his own importance. He solemnly checked Captain Wragge in full career.

“When a letter is once posted, sir,” he said, “nobody out of the office has any business with it until it reaches its address.”

The captain was not a man to be daunted, even by a postmaster. A bright idea struck him. He took out his pocketbook, in which Admiral Bartram’s address was written, and returned to the charge.

“Suppose a letter has been wrongly directed by mistake?” he began. “And suppose the writer wants to correct the error after the letter is put into the box?”

“When a letter is once posted, sir,” reiterated the impenetrable local authority, “nobody out of the office touches it on any pretense whatever.”

“Granted, with all my heart,” persisted the captain. “I don’t want to touch it—I only want to explain myself. A lady has posted a letter here, addressed to ‘Noel Vanstone, Esq., Admiral Bartram’s, St. Crux-in-the-Marsh, Essex.’ She wrote in a great hurry, and she is not quite certain whether she added the name of the post-town, ‘Ossory.’ It is of the last importance that the delivery of the letter should not be delayed. What is to hinder your facilitating the post-office work, and obliging a lady, by adding the name of the post-town (if it happens to be left out), with your own hand? I put it to you as a zealous officer, what possible objection can there be to granting my request?”

The postmaster was compelled to acknowledge that there could be no objection, provided nothing but a necessary line was added to the address, provided nobody touched the letter but himself, and provided the precious time of the post-office was not suffered to run to waste. As there happened to be nothing particular to do at that moment, he would readily oblige the lady at Mr. Bygrave’s request.

Captain Wragge watched the postmaster’s hands, as they sorted the letters in the box, with breathless eagerness. Was the letter there? Would the hands of the zealous public servant suddenly stop? Yes! They stopped, and picked out a letter from the rest.

“‘Noel Vanstone, Esquire,’ did you say?” asked the postmaster, keeping the letter in his own hand.

“‘Noel Vanstone, Esquire,'” replied the captain, “‘Admiral Bartram’s, St. Crux-in-the-Marsh.'”

“Ossory, Essex,” chimed in the postmaster, throwing the letter back into the box. “The lady has made no mistake, sir. The address is quite right.”

Nothing but a timely consideration of the heavy debt he owed to appearances prevented Captain Wragge from throwing his tall white hat up in the air as soon as he found the street once more. All further doubt was now at an end. Mrs. Lecount had written to her master—therefore Mrs. Lecount was on her way to Zurich!

Posted on February 19, 2013 at 12:52 PM • View Comments

Amazon Replacement-Order Scam

Clever:

Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.

The scam hinged on the fact that Gmail addresses are “dot-blind” (foo@gmail.com is the same as f.oo@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren’t immediately apparent to Chris.

Details here:

If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

[…]

It’s clear that there’s a scam going on and it’s probably going largely unnoticed. It doesn’t cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it’s also highlighting that Amazon is entirely too lax with their customer support team. I was told by my rep earlier today that all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They’re unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.

There’s a great deal of potential for fraud here. For one thing, it would be dirt simple for me to get and receive a second camera for free. That’s the sort of thing you’re really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked. (It was delivered Fedex Smartpost, which means handed off to the USPS, so perhaps the lack of tracking custody contributes to their willingness to push the replacement.) Why Amazon’s reps were willing to assign the replacement shipment to a different address is beyond me. I was told it’s policy to only issue them to the original address, but some clever social engineering (“I’m visiting family in Oregon, can you ship it there?”, for instance) will get around that.

EDITED TO ADD (1/14): Comments from the original author of the piece.

Posted on December 21, 2012 at 6:20 AM • View Comments

←Previous 1 2 3 4 5 6 … 11 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.