Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Understanding Scam Victims

Understanding Scam Victims

Ratings: (0)|Views: 243|Likes:
Published by Ken Connor

More info:

Published by: Ken Connor on Jul 03, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Technical Report 
Number 754
Computer Laboratory
UCAM-CL-TR-754ISSN 1476-2986
Understanding scam victims:seven principles for systems security
Frank Stajano, Paul Wilson
August 2009
15 JJ Thomson AvenueCambridge CB3 0FDUnited Kingdomphone +44 1223 763500
2009 Frank Stajano, Paul WilsonTechnical reports published by the University of CambridgeComputer Laboratory are freely available via the Internet:
ISSN 1476-2986
Understanding scam victims:seven principles for systems security
Frank Stajano
and Paul Wilson
University of Cambridge Computer Laboratory
The Real Hustle
The success of many attacks on computer systems can be traced back to the security engineersnot understanding the psychology of the system users they meant to protect. We examine a vari-ety of scams and “short cons” that were investigated, documented and recreated for the BBC TVprogramme
The Real Hustle
and we extract from them some general principles about the recurringbehavioural patterns of victims that hustlers have learnt to exploit.We argue that an understanding of these inherent “human factors” vulnerabilities, and the neces-sity to take them into account during design rather than naïvely shifting the blame onto the “gullibleusers”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead tostronger and more resilient systems security.
1 Introduction and motivation
Experienceshowsthatreal-worldsystemsremainvulnerabletoattackeventhoughtheyareprotectedbyavariety of technical security safeguards. Stronger security can only be achieved through an understandingof the failure modes [3]. In many instances, though, the weakest point in the system’s defences is thehuman element and the attack is made possible by the fact that the security engineers only thought about
way of protecting the system, not about how real users would react to maliciously crafted stimuli.We need to understand how users behave and what traits of their behaviour make them vulnerable,and then design systems security around that. How can we gain this knowledge? The message of thispaper is that hustlers and con artists know a lot more about the psychology of their victims than securityengineers typically do; and therefore that the latter might learn useful lessons from the former.The bulk of the paper consists of two sections. In section2we examine a variety of scams, asresearched and recreated for the TV documentary series
The Real Hustle
. In section3we distill somegeneral principles of human behaviour that explain why those scams worked and we show how they alsoapply to broader settings, focusing in particular on attacks on
(of which humans are an element)rather than just on short cons on individuals.Our thesis is that an awareness of the aspects of human psychology exploited by con artists will notonly help members of the public avoid those particular scams but will also help security engineers buildmore robust systems.
2 Scam scenarios
The following scams, inspired by real-world frauds carried out by con artists, were all demonstrated byAlexConran, PaulWilson(coauthorofthispaper)andJessClementintheBritishTVdocumentaryseries
, originallybroadcastonBBC Three. Conranand Wilson, whodescribethemselvesin the
Revision 38 of 2009-08-28 19:47:27 +0100 (Fri, 28 Aug 2009).Earlier drafts presented orally at SHB 2009, Boston, MA, USA (2009-06-11) and at WEIS 2009, London, UK (2009-06-25).

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->