On the difficulty of detecting on-line fraud

Jerrold Leichter leichter at smarts.com
Sun Oct 2 07:11:13 EDT 2005


Not cryptography, but ultimately what we talk about here often comes down to 
protection that actually works *for people*.

Also a good counter to arguments of the form "if only people were more
careful...."

 							-- Jerry


From:    hfimail at mail1.humanfactors.com
Subject: User Interface Design Newsletter - September, 2005
Date:    September 28, 2005 3:37:43 PM EDT


User Interface Design Update Newsletter - September, 2005

Each month HFI reviews the most useful developments in UI
research from major conferences and publications.

View in HTML - http://www.humanfactors.com/downloads/sep05.asp
__________________________________________________

In this issue:

Kath Straub, Ph.D., CUA, Chief Scientist, looks at recent research
on how people detect, and often miss, Web site fraud.

The Pragmatic Ergonomist, Dr. Eric Schaffer, gives practical advice.
__________________________________________________

PHISHING AND PHARMING AND PHRAUD, OH MY

The ability to recognize people who want to take advantage of you is core to
survival. Researchers studying the evolution of cognition suggest that we
begin to develop generic "cheating detection algorithms" through exposure to
the types of deception that occur day to day (Cosmides and Tooby, 1989; Cheng
and Holyoak, 1985; Vasek, 1986). In a general way, we learn to suspect
deception and become cautious when there is a notable inconsistency between
what is happening and what we expected to happen.

Yet, consumers' ability to spot fraud on the Internet is still not very
good. This is because our ability to hone our generic "cheater detectors"
depends on our specific or "mediating knowledge" of the deception
environment. When you think about it, it's not hard to imagine why. Even savvy
users find it hard to keep up with the newest scam. Can you define Phishing?
How about Pharming?

Here are the Wikipedia definitions for these Internet deception methods:

   - Phishing: (also carding and spoofing) is a form of social engineering,
      characterized by attempts to fraudulently acquire sensitive information,
      such as passwords and credit card details, by masquerading as a
      trustworthy person or business in an apparently official electronic
      communication, such as an email or an instant message. The term phishing
      arises from the use of increasingly sophisticated lures to "fish" for
      users' financial information and passwords.

   - Pharming: is the exploitation of a vulnerability in the DNS server software
      that allows a hacker to acquire the Domain Name for a site, and to
      redirect that Web site's traffic to another Web site.

And there's more:

   - Page-jacking and mouse-trapping: are techniques used by scammers to divert
      Internet users from their intended Web destination (page-jacking) to the
      scammer's site, from which the user is unable to leave using their browser's
      back, forward or even close buttons (mouse-trapping).

And, with all the excitement about phishing and pharming, people forget about
just plain fraud.

It's not surprising that people have a hard time identifying Internet
deception. The specific cues you use to detect fraud in the rest of your life
don't really apply in cyberspace. In bricks-and-mortar transactions you
can see who you are dealing with. In cyberspace, grifters are harder to
spot... if they are even there at all.

THE AVERAGE VICTIM OF INTERNET FRAUD LOSES OVER $700 NOT COUNTING LOST TIME

The good news is that as consumers learn more about how the Internet works
they will, by extension, learn more about how Internet deception works. It
will become much harder to dupe them. Like magic, deception is usually not so
tricky if you know where to look. The challenge, then, is to help consumers
learn where to look.

Organizations like Consumer WebWatch, the Internet arm of Consumer Union, have
published reports intended to guide consumers to correctly identify the
characteristics of a credible Internet site. One problem is that not enough
consumers read their reports. And of those that do read them, not enough
actually check the cues. Another problem is that those who practice Internet
fraud do seem to read the reports.

Researchers like Grazioli are taking a different route. Grazioli's work (and
his work with colleagues like Jarvenpaa) contrasts the differences between the
behavior of successful and unsuccessful deception detectors. Consumers good at
detecting deception on the Internet evaluate on assurance cues -- concrete
parameters of an organization or its business model that can be evaluated for
truthfulness (e.g., the phone number) or legal validity (e.g., a warranty). In
contrast, consumers who fail to notice deception tend to assign credibility
based on trust cues -- self-report marketing elements (e.g., customer
testimonials or product sales reports) which are difficult to verify, at best.

WHEN PEOPLE ARE LYING THEY TEND TO TOUCH THEIR FACES. WHAT DO WEB SITES DO?

Grazioli observed these differences in a controlled study of deception
detection. In this study, 80 "business and IT savvy" participants were asked
to visit a specific used laptop reseller site and help a friend to decide if
purchasing a $625 laptop from that particular site was a good idea --
essentially to give a second opinion about the credibility of a site. If the
participant felt comfortable with the site, he or she would then purchase the
laptop using the friend's credit card number.

Half of the participants in Grazioli's study visited an active and functioning
laptop reseller Web site. The others were "page-jacked" to a "deception"
site. The deception site was identical to the base site, except that six known
deception cues (Yamagishi and Yamagishi, 1994) had been added or altered. The
altered cues included:

   - A forged Better Business Bureau assurance Seal leading to a real looking
     report
   - A warranty that was too good to be true
   - False business location information
   - Forged newsclips from professional magazines
   - Impossibly exaggerated Company sales statistics
   - Universally positive, hyperbolic customer endorsements

After viewing the site and purchasing the laptop (or not), participants
completed a survey exploring whether they perceived the site to be deceptive
or not... or were unsuccessful at detecting deception.

Participants were considered successful if they were suspicious of the altered
site or recognized the real site as trustworthy.  Unsuccessful deception
detectors either failed to register suspicion of the altered site or perceived
significant deception even on the trustworthy site.

Overall, even these business and IT savvy users were not able to discriminate
between the trustworthy and the deceptive site. 55% of participants trusted
the deceptive site (30% correctly suspected; 15% were not sure). Only
38% correctly trusted the good site (32% were suspicious; 30% were not sure).

HAVE YOU EVER LOOKED AT THE REAR VIEW MIRROR BUT NOT INTO IT?

In this study the deception cues were abundant but they were subtle.
Participants could establish that the altered cues were deceptive by:

   - Cross checking the business entry from the BBB site. Although clicking on
      the assurance seal in the study led to a detailed report that contained
      links back to the BBB, the report was forged. The only way to definitively
      establish that a company has a relationship with the BBB is to check
      the BBB site.

   - Reading and evaluating the business claims and promises realistically.
      - If the warranty seems too good to be true -- in the study: No questions,
         full refund. Any time. Forever.
      - Evaluate the business claims. In this example, the disparity between
         exaggerated sales statistics claims (25,000 units sold) and the
         inventory (5 units) seems improbable.

   - Validating the phone number against the address in a reverse directory.
      In the study the company presented a Seattle business address but a
      California area code. Careful participants also noticed that the office
      in the photo did not have the same address as the business address listed
      in the Web site.

   - Validating 3rd party recommendations including news clips and professional
      recommendations. In the study, links back to the source were broken or
      dropped users on the homepage rather than the recommendation reference.
      Do link back to verify the source. Look for similar recommendations on
      the source pages.

   - Verifying customer endorsements and testimonials. If that's not possible,
      be suspicious.

LOUISIANA (ALABAMA, MISSISSIPPI AND TEXAS) ON MY MIND

In his study, Grazioli also noticed that successful deception detectors
focused on a different set of cues than those who failed. Deception detectors
focused on assurance cues (trust seals, warranties, physical location). In
contrast, those who missed the deception focused on trust cues (customer
testimonials). To validate trust cues you must trust the company. To validate
assurance cues, you must go to organizations outside the one you are seeking
to do business with.

Chasing validation at this level seems like a lot of work. Perhaps that's
because for most of us, strategies for identifying bad risks don't include
looking outside the business itself. For a bricks and mortar establishment we
go to the address. We talk to the employees.  We see the customer
service/returns desk. We hold the receipt and warranty in our hands. On the
Internet, those -- largely implicit -- cues are missing. Our general
strategies for detecting deception in the world may work, but our ability to
detect deception on the Internet still needs fine tuning.

References for this newsletter are posted at:
http://www.humanfactors.com/downloads/sep05.asp
__________________________________________________

The Pragmatic Ergonomist, Dr. Eric Schaffer

We need to find PRACTICAL ways to indicate that a site is the correct site and
a trustworthy vendor. Let's look for creative solutions.  Organizations like
EBay and PayPal provide immediate access to seller information and buyer
feedback. This allows users to instantly discriminate the trustworthy
sellers. But now we need effective strategies for detecting deception in all
the online environments.  We can forget subtle discrimination of counterfeit
logos and painstaking research. Let's all work to find quick, simple, common
sense, and powerful methods that can really work. Otherwise the information
spaces will be increasingly perilous, filled with invisible thugs and muggers.
__________________________________________________


---------------------------------------------------------------------
The Cryptography Mailing List