The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We [Stajano and Wilson] examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit. We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.
I wasn’t blown away by the theoretical arguments in the article, but the scams are fascinating.
Many of them are so silly that they remind me of when I read, several years ago, about a classic con based on the so-called put-and-take top. I won’t go into the details except to say that it was a so-called “long con,” in which the mark is given a rigged spinning top that could be used to make money, and then at the end the conman fleeces the mark by switching in a different top. The con is fascinating, but my reaction upon reading it was: Who in the hell would go around betting money on a spinning top? And with a stranger in a bar, no less? It’s just not the world I live in. I had a similar feeling about the stories of crooked dice and the like.
Many of the scams described by Stajano and Wilson seem more plausible, but some of them seem a bit daggy, as John might say. The “ring reward rip-off” reminded me of something that happened to me in a fairly deserted part of the park a couple of months ago. A skinny young guy came up to me holding a ring and asked me if I’d dropped it. I said no and then went about my business. He kept trying to talk to me, though. It was really irritating. It took me about 5 seconds to realize that (a) he was trying to scam me in some way and (b) he was really bad at it. This guy was annoying and somewhat menacing. I was too lazy to try to find the cops, so I just looked in the other direction for a while and eventually he walked away. I guess that’s part of the way that these criminals stay successful, that the non-marks just don’t want to put in the effort to stop them. All I could think of was, Couldn’t this guy just play a musical instrument and ask for money that way? But I guess not everybody has musical talent.
P.S. Unlike many presentations of this sort, they include some examples in which the mark does not need to be greedy for the scam to work. For example, the delightfully simple “Valet steal”:
Alex sneaks into a car park, dressed up in a fluorescent jacket and posing as a car park attendant, as soon as the real attendant leaves for a temporary break. A mark arrives with a luxury car; Alex collects the keys and parks it. As soon as the mark is out of sight, Alex drives away with the car. That would already be pretty good value for just a few minutes’ “work”, but that’s not all: the car has a sat-nav in the glove box, and the sat-nav has a “home address” pre-programmed into it. There’s even a copy of the home keys. All Alex has to do is drive to the mark’s home (in the mark’s car, knowing he’s not in) and empty it.
I wonder about this sort of thing, though: if you do it often enough, somebody’s gonna catch you, right? Or is the low risk of going to jail just part of the cost-benefit calculation?