Using Guilt Instead of Cryptography

Theory on Using Guilt Instead of Cryptography to Prevent “Friendly Fraud”

Web site passwords are frustrating to many, especially on mobile devices, where entering them is time-consuming and error-prone. One might therefore think that a quick one-click checkout process that does not ask for passwords would be very popular, especially on cell phones. But that is not so. How can this be?

Consumers worry. They worry that they may forget their phone in a café, and that a stranger will grab it and start purchasing things. But even more than that, they worry about their friends and family: people they should be able to trust, but who may in a moment of temptation borrow their phone and rack up a bill. If that takes you by complete surprise, then you probably do not have a teenager in your home.

Cryptography is pretty much useless against this problem, which is referred to as “friendly fraud.” It’s not because the typical family member can crack PINs and passwords. It’s because many people tend to occasionally share or reuse passwords, or leave their devices unlocked at home.

Here is something odd about stealing: People feel worse about stealing cash than they feel about stealing abstract representations of cash. Put more plainly, you probably would not take a dollar bill from a café counter, but you might not think twice about pocketing a stray pen. It is all about how much guilt it causes you.

Clicking on a checkout button to confirm a purchase is a very abstract representation of transferring money. Therefore … there’s not much guilt.

Now imagine that instead of a button, the phone or computer has a small image of the face of the owner. There’s a small hand associated with the face… and the hand holds a bill. To finalize the purchase – assuming this is a touch screen – you put your finger on the bill and drag it out of the hand of the device owner, and down to an icon that represents the merchant.

Drag a picture of a bill? Just as easy as clicking on a checkout button, one might argue.

But not to the unseasoned thief – the friendly fraudster, that is. Nope. To him or her, this is dripping with guilt.

Similarly, imagine that the phone has a forward facing camera – like the new iPhones do – and that there is a photo taken each time a transaction is made. We do not really need to worry about what happens to the photo … whether it is sent to the carrier, emailed to the device owner, checked to be a real face before the transaction goes through… No matter what happens, we have another phenomenon in play: the risk of being found out. This is not so comfortable to the casual thief.

So far, this all sounds like a fraud-fighter’s pipe dream. But here’s the really nice part: There is preliminary evidence that this could actually work.

We ran a survey with over six hundred subjects, grouped into four groups. In one group, we measured the willingness to commit fraud where a “normal” checkout was used. In a second group, we added the guilt (face + hand + bill) component. In a third, we added the detection (photo) feature to the normal checkout. Finally, in a fourth group, we added both the guilt and the detection aspects. Then we compared the measured fraud rates. The initial results look promising. We determined that there is a statistically significant difference between the groups we tested.
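To make the four-group comparison concrete, here is an added example (not from the article or the authors' study) that runs a pooled two-proportion z-test of each deterrent condition against the plain checkout; the group sizes and fraud counts are constructed for illustration, not the survey's actual figures.

```python
import math

# Constructed survey counts for the four conditions described in the article
# (illustrative numbers only, not the published results):
# condition -> (respondents willing to commit the fraud, group size)
SURVEY = {
    "normal checkout":        (45, 150),
    "guilt (face+hand+bill)": (30, 150),
    "detection (photo)":      (27, 150),
    "guilt + detection":      (15, 150),
}


def two_proportion_ztest(x1, n1, x2, n2):
    """Pooled two-proportion z-test.

    Returns (difference in rates, z statistic, two-sided p-value) for
    H0: the fraud rate is the same in both groups.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    # Two-sided tail probability of a standard normal, via the
    # complementary error function (no scipy needed).
    p_value = math.erfc(abs(z) / math.sqrt(2))
    return p1 - p2, z, p_value


def compare_to_control(survey, control="normal checkout", alpha=0.05):
    """Test each deterrent condition against the plain checkout.

    Returns {condition: (rate_drop, z, p_value, significant_at_alpha)}.
    """
    x0, n0 = survey[control]
    results = {}
    for name, (x, n) in survey.items():
        if name == control:
            continue
        drop, z, p = two_proportion_ztest(x0, n0, x, n)
        results[name] = (drop, z, p, p < alpha)
    return results


if __name__ == "__main__":
    for name, (drop, z, p, sig) in compare_to_control(SURVEY).items():
        print(f"{name:24s} drop={drop:.2f} z={z:.2f} p={p:.4f} significant={sig}")
```

With several conditions tested against one control, a practitioner would also apply a multiple-comparison correction (for example, a smaller alpha) before claiming significance.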

So what does this tell us? That passwords are dumb and meaningless? Not quite. Remember, the deterrents we talked about are only designed to work against friendly fraud. Seasoned criminals are, we can assume, quite comfortable with their immorality, and will quickly figure out ways to make sure that the photo won’t be much help in tracking them down. And these tactics will not stop all friendly fraud.

What the results do tell us is that we need to think beyond computer security as we know it. Security is not exclusively about cryptography and secure operating systems. Sometimes, it is all about user interface design.

Nathan Good contributed to this article

If you enjoyed this article, you may enjoy – “Unspoofable Device Identity Using NAND Flash Memory” by Markus Jakobsson
