Monday, November 30, 2009

How Scams Work

There's a really cool report (PDF) titled "Understanding scam victims: seven principles for systems security" that explains how and why many scams work.

Here's the abstract:

The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV program The Real Hustle and we extract from them some general principles about the recurring behavioral patterns of victims that hustlers have learned to exploit.

We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.


It's a fun read--unless, of course, you're the one being scammed. Since it's set in England it's a bit topical, but I think you'll get the gist of it.

Here's one example:

Alex visits a pub posing as a police officer. His story is that there are many people in the area who are passing off counterfeit money, so the local police want to protect the local shops by supplying them with a special detector pen. He demonstrates to the barman (his mark) how the detector pen writes in green on the special paper of a genuine note but in grey on a fake note or on standard paper. He gives the mark a pen, advising him to use it before accepting any notes into the till.

After this setup phase, Jess goes in and, with her usual feminine charm, exchanges three (counterfeit) £20 notes for six £10 notes. The barman carefully checks her three twenties with the pen and finds them ok, but doesn’t realize that Alex actually gave him an ordinary green marker that writes in green ink on any piece of paper, whether genuine or counterfeit.

No comments: