Using Guilt Instead of Cryptography

Theory on Using Guilt Instead of Cryptography to Prevent "Friendly Fraud"

Web site passwords are frustrating to many, especially on mobile devices, where entering them is time-consuming and error-prone. One might therefore think that a quick one-click checkout process that does not ask for passwords would be very popular, especially on cell phones. But that is not so. How can this be?

Consumers worry. They worry that they may forget their phone in a café, and that a stranger will grab it and start purchasing things. But even more than that, they worry about their friends and family: people they should be able to trust, but who may in a moment of temptation borrow their phone and rack up a bill. If that takes you by complete surprise, then you probably do not have a teenager in your home.

Cryptography is pretty much useless against this problem, which is referred to as “friendly fraud.” It’s not because the typical family member can crack PINs and passwords. It’s because many people tend to occasionally share or reuse passwords, or leave their devices unlocked at home.

Here is something odd about stealing: People feel worse about stealing cash than they feel about stealing abstract representations of cash. Put more plainly, you probably would not take a dollar bill from a café counter, but you might not think twice about pocketing a stray pen. It is all about how much guilt it causes you.

Clicking on a checkout button to confirm a purchase is a very abstract representation of transferring money. Therefore … there’s not much guilt.

Now imagine that instead of a button, the phone or computer has a small image of the face of the owner. There’s a small hand associated with the face… and the hand holds a bill. To finalize the purchase – assuming this is a touch screen – you put your finger on the bill and drag it out of the hand of the device owner, and down to an icon that represents the merchant.

Drag a picture of a bill? Just as easy as clicking on a checkout button, one might argue.

But not to the unseasoned thief – the friendly fraudster, that is. Nope. To him or her, this is dripping with guilt.

Similarly, imagine that the phone has a forward-facing camera – like the new iPhones do – and that a photo is taken each time a transaction is made. We do not really need to worry about what happens to the photo … whether it is sent to the carrier, emailed to the device owner, or checked to be a real face before the transaction goes through... No matter what happens, we have another phenomenon in play: the risk of being found out. This is not so comfortable to the casual thief.

So far, this all sounds like a fraud-fighter’s pipe dream. But here’s the really nice part: There is preliminary evidence that this could actually work.

We ran a survey with over six hundred subjects, divided into four groups. In one group, we measured the willingness to commit fraud where a “normal” checkout was used. In a second group, we added the guilt (face + hand + bill) component. In a third, we added the detection (photo) feature to the normal checkout. Finally, in a fourth group, we added both the guilt and the detection aspects. Then we compared the measured fraud rates. The initial results look promising. We determined that there is a statistically significant difference between the groups we tested.
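The four-group design above is a 2x2 factorial experiment (guilt on/off crossed with detection on/off). The article reports only that the difference between groups was statistically significant, not the counts or the test used. The following is an added example, not the authors' analysis code or data: it takes constructed per-group counts (labelled as such, chosen only to make the arithmetic visible) and runs a Pearson chi-square test of independence, first across all four groups and then for each deterrent's main effect after pooling the other factor. The choice of chi-square and the 5% critical values from the standard table are assumptions of this example.

```python
"""Chi-square analysis of a four-group fraud-deterrent survey (added example)."""
from typing import Dict, Sequence, Tuple

# Constructed counts, labelled as such: these are NOT the article's survey data.
# group -> (subjects who said they would commit fraud, subjects who would not)
CONSTRUCTED_RESULTS: Dict[str, Tuple[int, int]] = {
    "normal":          (60, 100),   # plain checkout button
    "guilt":           (40, 120),   # face + hand + bill drag
    "detection":       (35, 125),   # photo taken at checkout
    "guilt+detection": (20, 140),   # both deterrents
}

# Upper 5% critical values of the chi-square distribution (standard table),
# keyed by degrees of freedom.
CHI2_CRIT_05: Dict[int, float] = {1: 3.841, 2: 5.991, 3: 7.815}


def fraud_rate(group: str, results: Dict[str, Tuple[int, int]] = CONSTRUCTED_RESULTS) -> float:
    """Fraction of subjects in a group who indicated they would commit fraud."""
    fraud, honest = results[group]
    return fraud / (fraud + honest)


def chi_square(table: Sequence[Tuple[int, int]]) -> Tuple[float, int]:
    """Pearson chi-square statistic and degrees of freedom for an r x 2 table of
    (fraud, honest) counts, testing whether the fraud rate is independent of the
    row, i.e. of the checkout design the subject saw."""
    row_totals = [f + h for f, h in table]
    col_totals = [sum(f for f, _ in table), sum(h for _, h in table)]
    n = sum(row_totals)
    stat = 0.0
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_totals[i] * col_totals[j] / n
            stat += (observed - expected) ** 2 / expected
    return stat, len(table) - 1          # (rows - 1) * (columns - 1), columns = 2


def overall_test(results: Dict[str, Tuple[int, int]] = CONSTRUCTED_RESULTS) -> Tuple[float, int, bool]:
    """Do the four groups differ at all? Returns (statistic, df, significant at 5%)."""
    stat, df = chi_square(list(results.values()))
    return stat, df, stat > CHI2_CRIT_05[df]


def main_effect(factor: str, results: Dict[str, Tuple[int, int]] = CONSTRUCTED_RESULTS) -> Tuple[float, int, bool]:
    """Pool the 2x2 factorial design by one factor ('guilt' or 'detection') and
    test whether that deterrent alone changes the fraud rate (df = 1)."""
    on = [0, 0]
    off = [0, 0]
    for name, (fraud, honest) in results.items():
        target = on if factor in name.split("+") else off
        target[0] += fraud
        target[1] += honest
    stat, df = chi_square([tuple(off), tuple(on)])
    return stat, df, stat > CHI2_CRIT_05[df]


if __name__ == "__main__":
    for g in CONSTRUCTED_RESULTS:
        print(f"{g:16s} fraud rate = {fraud_rate(g):.3f}")
    print("overall:", overall_test())
    for f in ("guilt", "detection"):
        print(f"{f} main effect:", main_effect(f))
```

The overall test only says that at least one group differs; the pooled main-effect tests are what separate "the guilt cue works" from "the photo works". With a real survey one would also test the interaction (whether the two deterrents together do more or less than the sum of their parts), which needs a logistic model rather than a single chi-square table.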

So what does this tell us? That passwords are dumb and meaningless? Not quite. Remember, the deterrents we talked about are only designed to work against friendly fraud. Seasoned criminals are, we can assume, quite comfortable with their immorality, and will quickly figure out ways to make sure that the photo won’t be much help in tracking them down. And these tactics will not stop all friendly fraud.

What the results do tell us is that we need to think beyond computer security as we know it. Security is not exclusively about cryptography and secure operating systems. Sometimes, it is all about user interface design.

Nathan Good contributed to this article

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.