Silver Tail Blog

Fighting against business logic abuse.

The Psychology of Being Scammed

I’ve always been fascinated by how criminals – both online and offline – are able to manipulate victims into being conned.  A couple of weeks ago, Bruce Schneier referenced an article that talks about exactly this topic: “Understanding scam victims: seven principles for systems security.”

While the article describes many of the psychological implications that most of us who fight online crime know intimately, it was intriguing to see them all written down in one place.  And the fact that one of the authors of the article is the producer and star of “The Real Hustle” – a British show that cons people on camera – makes it even more compelling.  Who knew academia and TV stars would be able to produce such interesting work?

The six principles that con artists use are:

1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.

2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.

3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.

4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.

5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

Something that came to mind for me is where phishing fits into the above 6 categories.  It’s well known that phishers often use scare tactics.  For example, the phishing email might say “You must update your password and social security number within the next two hours or we will close your account and take all of your money.”  Is that part of the “Distraction principle”?  To me it seems more like “urgency” – giving people very little time to think so that they don’t process the red flags that might exist.

Does there need to be another principle added for urgency?  Maybe some of you have some other principles that need to be added.

December 18, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Gartner emphasizes the need for monitoring the behavior on all web traffic

This article talks about a report recently released by Gartner.  The summary of the report is:

Fraudsters have been raiding user accounts by beating strong two-factor authentication methods. A layered fraud prevention approach can mitigate these attacks.

Although I haven’t seen the report myself, the article talks about how it goes into detail on what the layered approach should be.  “Gartner recommends that organisations firstly monitor user access behaviour, by analysing all of a user’s web traffic and spotting any automated programs.”

In case anyone was wondering, this is exactly what Silver Tail’s Forensics product does: we monitor all website traffic for anomalous behavior, including behavior that comes from automated programs.

It’s exciting to see analysts describing what we do as the next thing websites need in order to protect themselves from fraud!
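To make the Gartner recommendation concrete, here is an added example of per-session behavior profiling over web access logs. It is illustrative code written for this page, not Silver Tail’s product logic and not anything taken from the Gartner report. The access-log lines are constructed, sessions are keyed on client IP plus User-Agent as a stand-in for a real session cookie, and the thresholds are assumptions rather than tuned values. It shows three signals a browser-driven human session has and a scripted client usually lacks: static asset fetches, a Referer on navigation, and irregular timing between requests.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access-log lines (illustrative, not real traffic).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [15/Dec/2009:10:00:00 -0800] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
192.0.2.10 - - [15/Dec/2009:10:00:00 -0800] "GET /static/site.css HTTP/1.1" 200 2048 "https://example.com/login" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
192.0.2.10 - - [15/Dec/2009:10:00:01 -0800] "GET /static/app.js HTTP/1.1" 200 4096 "https://example.com/login" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
192.0.2.10 - - [15/Dec/2009:10:00:19 -0800] "POST /login HTTP/1.1" 302 0 "https://example.com/login" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
192.0.2.10 - - [15/Dec/2009:10:00:27 -0800] "GET /account HTTP/1.1" 200 3000 "https://example.com/login" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
203.0.113.7 - - [15/Dec/2009:10:05:00 -0800] "POST /login HTTP/1.1" 401 0 "-" "Python-urllib/2.6"
203.0.113.7 - - [15/Dec/2009:10:05:02 -0800] "POST /login HTTP/1.1" 401 0 "-" "Python-urllib/2.6"
203.0.113.7 - - [15/Dec/2009:10:05:04 -0800] "POST /login HTTP/1.1" 401 0 "-" "Python-urllib/2.6"
203.0.113.7 - - [15/Dec/2009:10:05:06 -0800] "POST /login HTTP/1.1" 401 0 "-" "Python-urllib/2.6"
203.0.113.7 - - [15/Dec/2009:10:05:08 -0800] "POST /login HTTP/1.1" 302 0 "-" "Python-urllib/2.6"
203.0.113.7 - - [15/Dec/2009:10:05:10 -0800] "GET /account/balance HTTP/1.1" 200 512 "-" "Python-urllib/2.6"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def profile_sessions(text):
    """Group requests into sessions and compute behavioral features per session.
    The session key (client IP, User-Agent) is an assumption standing in for a
    real session cookie, which a site's own logs would provide."""
    sessions = defaultdict(list)
    for rec in parse_log(text):
        sessions[(rec["ip"], rec["ua"])].append(rec)
    profiles = {}
    for key, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        # Browsers fetch the page's CSS/JS/images; scripts driving the business
        # logic usually fetch only the endpoints they care about.
        asset_ratio = sum(r["path"].startswith("/static/") for r in recs) / n
        # Browsers send a Referer on navigation; hand-rolled clients often omit it.
        no_referer_ratio = sum(r["referer"] == "-" for r in recs) / n
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        # Coefficient of variation of inter-request gaps: people are irregular,
        # loops are metronomic. Left undefined for fewer than two gaps.
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            gap_cv = None
        profiles[key] = {
            "requests": n,
            "asset_ratio": asset_ratio,
            "no_referer_ratio": no_referer_ratio,
            "gap_cv": gap_cv,
        }
    return profiles

def automated_sessions(text, min_requests=4, max_gap_cv=0.2):
    """Flag sessions that look scripted: enough requests to judge, no static
    assets fetched, and either metronomic timing or no Referer at all.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = []
    for key, p in profile_sessions(text).items():
        if p["requests"] < min_requests or p["asset_ratio"] > 0:
            continue
        metronomic = p["gap_cv"] is not None and p["gap_cv"] <= max_gap_cv
        if metronomic or p["no_referer_ratio"] == 1.0:
            flagged.append(key)
    return sorted(flagged)
```

On the constructed sample, the Firefox session fetches CSS and JS and has wildly varying gaps, so it passes; the urllib session posts to /login every two seconds with no assets and no Referer, so it is flagged. Each feature alone is weak (a browser with a cached stylesheet fetches no assets either), which is why the flag requires several of them together.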

December 15, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

See the Recording of Silver Tail’s Webinar on Proactively Identifying New Fraud Threats

The webinar this week was another resounding success.  For those of you who missed it, you can get to a recording of it here.

In the webinar we talk through 5 case studies of how criminals are able to make money in “unexpected ways” through websites.  Then we talk about how critical it is to detect these threats as soon as possible.  Finally, we show a demo of our system and how it can be used to proactively detect these threats and investigate them quickly so that the cost of having the threats live for weeks is significantly reduced.

This was a great webinar and if you are facing fraud threats, I recommend you take the time to watch the recording.

December 11, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Silver Tail Best of Show Video

At long last, the video of our Best of Show presentation at Finovate has been posted online.  The Finovate format was 7 minutes of demo – no PowerPoint slides allowed.  In this presentation we gave a first look at our Mitigation product.  I’m happy to say the product has gotten a lot better since this presentation (September), but if you are interested in an early version of Silver Tail’s Mitigation product, it might be worth checking out this video.

Enjoy!

December 7, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Webinar: Proactively Detecting New Online Threats

Silver Tail’s next webinar will be on the proactive detection of new online threats.

When asked, “What keeps you up at night?” Risk Managers invariably respond: “The threat I don’t know about.”  In today’s world, this is the right answer.  Javelin Strategy and Research showed that 50% of identity theft is detected by consumers.  It is apparent that the unseen threat will cause tomorrow’s pain.  If you worry about the undetected attack vector, how long it will take your organization to discover the threat, and the cost and duration of the investigation, this webinar is for you!

Silver Tail founders fought online fraud at eBay and PayPal for years, which inspired the creation of Silver Tail’s Forensics product to identify and stop fraud attacks as they emerge.  Unlike products requiring signatures to detect attacks, Silver Tail notifies website analysts about attacks in real time – whether or not a signature was known ahead of time.   Silver Tail also provides an immediate view of the full session of the attack and the context of that attack within the rest of the website’s traffic, enabling the analyst to quickly understand the impact of the attack and determine next steps for addressing it.

In previous webinars we explained Man in the Browser attacks, dissected Zeus and shared our battle with Zeus. Now we turn our attention to the methods to stop these attacks in real time.

This is guaranteed to be a fascinating overview of one of the best tools for quickly identifying new threats on your website. 

The webinar is December 8 at 10am Pacific time.  You can register for the webinar here.  We’ll look forward to talking to you next week!

December 3, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Bad guys on Social Network sites

I’ve posted about this a few times before, but I’m always encouraged when I see others picking up on the risks posed on social networking sites.  Although it’s not surprising, it seems the criminals have increased their deviousness (there I go – making up words!) again. 

Larry Magid wrote an article on how the criminals are using the latest social networking features to victimize innocent social network users.  Some of the threats are as “benign” as signing you up for additional cell phone services, but others attempt to perpetrate various forms of identity theft by asking for personal information or gaining access to information that is on your profile.

There is some general advice offered in the article:

…beware of applications that don’t seem to have any purpose other than to spread themselves. Some of these applications automatically send notices to all your friends, telling them that you’re using the applications and encouraging others to install them as well. In addition to spamming your friends, these applications could be gaining access to your profile information and displaying unwanted advertising to all who sign up.

Seems like a good idea.

This is probably my last post before the holiday.  Happy Thanksgiving, everyone!

November 23, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Rick Astley and the Hail Mary: The convergence of password guessing and pop culture

There has been a flurry of posts and articles lately about the Rick Astley worm that is infecting iPhones in Australia.  (For example, this one.)  It sounds like the worm is similar to the Melissa virus: there was no malicious intent initially.  Unfortunately, it’s difficult to say what the bad guys will do with it.

The part about this that fascinates me is how this has morphed into a discussion about online criminals doing password guessing.  (The worm gets in over SSH on jailbroken iPhones whose owners never changed the default root password, so it is itself a password-guessing story, just one where a single well-known default is a very good first guess.)  This blog post gives several references to a cloud of computers that is doing brute-force password guessing against SSH accounts.  Paul Raven points out that password guessing is still useful.  Of course, most of your guesses will be wrong, but if you make a lot of them, even a small success rate yields a fair number of compromised accounts.  (Hence the reference to the Hail Mary – any one attempt is unlikely to succeed, but when it does, the payoff can be big.)

Who knew that Rick Astley would gain his second wave of popularity from a mobile phone virus?

November 19, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

“60 Minutes” Video: Sabotaging the System

Several people have mentioned the 60 Minutes episode that aired last Sunday night.  I watched it and was fascinated by a lot of it.

First, it’s very rare that the government will talk about possible threats against its infrastructure.  To hear people talking about how you could manipulate the programming of a power generator to get it to self-destruct was much more information than I’m used to seeing on TV – especially in prime time.

Second, the discussion about how other governments have very likely already infiltrated our government’s systems was amazing.

I agree that all of this has very likely already happened, but I was surprised to see it discussed so openly.  I’m torn – is it a good thing to raise awareness about these types of issues?  Maybe.  I suppose it might help increase the funding around protection mechanisms, etc.  Is it better to not talk about it?  Maybe.  That means the attackers don’t know what we know and it also makes it more difficult for new attackers to identify these vulnerabilities.

My opinion is that these vulnerabilities and potential exploits need to be kept somewhat secret.  There are a select set of people who could help defuse the problem if they are “in the know”, but making it public is very risky.  I look at what happened around the Kaminsky vulnerability and, more recently, the SSL MitM hole.  For a while, these issues were kept very secret while a select set of organizations and individuals labored to resolve them. Obviously, they didn’t stay totally secret.  But I think something along those lines is the better way to handle these threats than to expose them on tv.

In case you want to see what the government is talking about on TV, you can watch the 60 Minutes video here.

November 15, 2009 Posted by Laura Mather | Detection, Fraud, Investigation, information security | , , | No Comments Yet

Comment on ICANN’s Malicious Domain Mitigation Policy

In case you didn’t know, ICANN is working on allowing people to create new Top Level Domains (TLDs).  Some possible new domains include .bank, or .ny, or .health.

For those of you in the security and fraud spaces, I’m sure you can recognize the risk inherent in this.  Not only will there be TLDs that could allow for fraud and security risks, but having many more TLD operators can add a huge amount of complexity to those of us fighting the good fight.

To that end, my friend and colleague – Dave Piscitello – has written a blog post about the requirements being proposed in the new TLD guidebook.  You can see Dave’s post here.  He does a great job explaining the nine requirements in the current draft of the guidebook and why they are important.

Dave’s call to action, and mine as well, is that if you are concerned about these new TLDs (as you should be) and want to contribute to the effort to maintain the safety and security of the internet after this new TLD process is launched, then you should submit a comment to ICANN about why they should keep these nine mitigation policies in the TLD guidebook.  You might feel more strongly about some than others, or have suggestions about omissions that should also be included.  If so, feel free to comment about that as well.

You can see others’ comments and submit your own here.  Comments from individuals and organizations are both appreciated.  The key is submitting lots of comments so that the ICANN community is sure to enforce the appropriate policies with these new TLDs.  Thanks for your help!

November 5, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

“Gaming” the games on social network sites

For those of you who haven’t seen it, there is a fascinating post on TechCrunch by Michael Arrington about how various types of ads on social network sites make millions of dollars by scamming users.

While most of the post talks about how innocent gamers are lured into scams where they are charged money just because they participated in an online survey or game, there is a part of the post that talks about how the super-savvy group has figured out how to game the system.

From the post:

The games that scam the most, win.

And some users aren’t dumb, either. For every user who gets tricked into some fake mobile subscription, there’s another who can beat the system. That’s where the legitimate advertisers, like Netflix and Blockbuster, get hit. Users sign up for a free trial with a credit card, get their game currency, then cancel the membership and start over. Netflix has a policy of only paying for a user once. But game developers use a complex set of partner chains to launder these leads and try to get them through for payment. Netflix sees an overall lowering of quality and pays less for leads. Game developers, desperate to monetize, then search for ever more questionable offers to make up the difference. In the end, the decent advertisers are out, and only the worst of the worst remain.

Left alone, the system really will slide into a full blown disaster.

Of course, gaming these systems is merely a form of business logic abuse: the use of legitimate web pages to perpetrate bad behavior.  But can that be detected?

The problem comes from the fact that there are too many layers in the system.  I don’t know exactly how the ads work – when someone clicks on the ad, who sees that click?  The advertiser?  The publisher?  How many networks sit between those two?

If there were some way to see all of the behavior on the legitimate ads, it might be possible to determine who was gaming the system.  It would sure be fun to try!
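As an added example of the cross-chain view the post wishes for (this is illustrative code written for this page, not anything from the TechCrunch post, Netflix or any ad network): if whoever pays for the lead can see a stable identity token per sign-up, such as a tokenized card number, then the sign-up/cancel/re-sign-up cycle becomes visible even when each pass arrives through a different affiliate chain under a different e-mail address. The lead records and the card_token field are constructed assumptions; the “pay for a user once” rule is the one the quoted post attributes to Netflix.

```python
from collections import defaultdict

# Constructed lead records, not data from the TechCrunch post or any advertiser.
# Fields: (timestamp, affiliate chain as publisher>network>advertiser, e-mail, card_token, event).
# card_token is an ASSUMED stable identifier derived from the payment instrument
# (e.g. a tokenized card number); it is what lets the payer see one person behind
# three "new" sign-ups. The e-mail changes on every pass, the token does not.
LEADS = [
    ("2009-10-01T10:00:00", "gameA>netX>adv", "p1@example.com",     "tok_111", "trial_start"),
    ("2009-10-02T12:00:00", "gameC>netX>adv", "bob@example.org",    "tok_222", "trial_start"),
    ("2009-10-03T09:00:00", "gameA>netX>adv", "p1@example.com",     "tok_111", "cancel"),
    ("2009-10-03T09:30:00", "gameB>netY>adv", "p1+alt@example.com", "tok_111", "trial_start"),
    ("2009-10-05T11:00:00", "gameB>netY>adv", "p1+alt@example.com", "tok_111", "cancel"),
    ("2009-10-05T11:20:00", "gameA>netZ>adv", "other@example.net",  "tok_111", "trial_start"),
    ("2009-10-20T12:00:00", "gameC>netX>adv", "carol@example.org",  "tok_333", "trial_start"),
    ("2009-10-21T08:00:00", "gameC>netX>adv", "carol@example.org",  "tok_333", "cancel"),
]

def trial_starts_by_identity(leads):
    """Group trial_start events by the stable identity token, in time order."""
    starts = defaultdict(list)
    for ts, chain, email, token, event in sorted(leads):
        if event == "trial_start":
            starts[token].append((ts, chain, email))
    return starts

def repeat_trial_abusers(leads, max_trials=1):
    """Identities that started more trials than the advertiser pays for, with
    the distinct chains and e-mails used to make each sign-up look new."""
    flagged = {}
    for token, items in trial_starts_by_identity(leads).items():
        if len(items) > max_trials:
            flagged[token] = {
                "trials": len(items),
                "chains": sorted({chain for _, chain, _ in items}),
                "emails": sorted({email for _, _, email in items}),
            }
    return flagged

def payable_leads(leads):
    """The 'pay for a user once' policy from the quoted post: only the first
    trial_start per identity is payable, whichever chain delivered it."""
    seen = set()
    payable = []
    for ts, chain, email, token, event in sorted(leads):
        if event == "trial_start" and token not in seen:
            seen.add(token)
            payable.append((token, chain))
    return payable

def chain_repeat_rate(leads):
    """Per affiliate chain, the fraction of its trial starts that recycled an
    identity already seen anywhere. High values point at the chains laundering
    repeat leads, which is the 'lowering of quality' the post describes."""
    seen = set()
    starts = defaultdict(int)
    repeats = defaultdict(int)
    for ts, chain, email, token, event in sorted(leads):
        if event != "trial_start":
            continue
        starts[chain] += 1
        if token in seen:
            repeats[chain] += 1
        seen.add(token)
    return {chain: repeats[chain] / starts[chain] for chain in starts}
```

On the constructed data, tok_111 starts three trials through three different chains under three e-mail addresses; only the first is payable, and the two chains that carried the later passes show a 100% repeat rate while the honest chains show 0%. The detection only works from a vantage point that sees the whole chain, which is exactly the visibility the layering takes away.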

November 2, 2009 Posted by Laura Mather | Detection, Gaming, Social Networks, behavior analysis, business logic abuse | | No Comments Yet