Cracks in armor are how phishers win

Cory Doctorow over at Locus Online tells the story of how he got phished the other day.  Doctorow is no computer neophyte; he knows what he is doing when it comes to security.  Here is his background, plus the key part of the story:

I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.

I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.

Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.

The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers; I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this:

I opened the link with my phone and found that I’d been redirected to the Twitter login page, which was prompting me for my password. Seeing the page’s URL (truncated in the little phone-browser’s location bar as “http://twitter….”) and having grown accustomed to re-entering all my passwords since I’d reinstalled my phone’s OS the day before, I carefully tapped in my password, clicked the login button, and then felt my stomach do a slow flip-flop as I saw the URL that my browser was contacting with the login info: (it wasn’t really scamsite, it was some other domain that had been hijacked by the phishers).

And that’s when I realized that I’d been phished. And it was bad.

Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.  But all the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher.

While Doctorow does have a point that phishing relies on finding short-lived cracks in the wall (in this case, the crack was that the message was sent to his account by an abusive user before Twitter could shut that user down), it is more complex than that.  All spam is about finding cracks in walls of armor.  Most of us already know that the deals offered in spam are too good to be true, and that our banks don’t need us to log in and update our information.  At least, we think we know.
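Doctorow’s account above hinges on two things a phone browser hides: the location bar truncated the host to “http://twitter…”, and the login form posted to a domain other than the one displayed.  The following Python snippet is an example added here, not code from the post or from Twitter.  It shows the checks a browser extension or a mail-security gateway could run on a login page: compare the registrable domain of the page with that of the form’s action, flag hosts that merely begin with a brand’s domain, and mimic the truncation to show why the visible prefix proves nothing.  All hostnames in it (login-verify.example, hijacked-blog.example) are constructed placeholders, and the two-label registrable-domain rule is a simplification of the Public Suffix List.

```python
from typing import List
from urllib.parse import urlparse

# Constructed sample URLs for this example; none of these hosts is real.
# The first pair models the phish Doctorow describes: a host that starts with
# "twitter.com" and a form that posts to an unrelated, hijacked domain.
PHISH_PAGE_URL = "http://twitter.com.login-verify.example/session/new"
PHISH_ACTION_URL = "http://hijacked-blog.example/t/login.php"
# The second pair models a genuine login page for comparison.
GENUINE_PAGE_URL = "https://twitter.com/login"
GENUINE_ACTION_URL = "https://twitter.com/sessions"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'twitter.com'.

    Assumption: two labels is enough for .com/.example style names. A real
    checker should consult the Public Suffix List (co.uk and friends).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def truncated_location_bar(url: str, width: int = 14) -> str:
    """Mimic a narrow phone location bar showing only the first `width` characters."""
    return url if len(url) <= width else url[:width] + "..."


def looks_like_brand_spoof(host: str, brand_domain: str) -> bool:
    """True when the brand's domain is only a leading label of the host, not its real domain."""
    host = host.lower()
    return host.startswith(brand_domain + ".") and registrable_domain(host) != brand_domain


def check_login_form(page_url: str, action_url: str, brand_domain: str) -> List[str]:
    """Return warnings for a login page; an empty list means nothing suspicious was found."""
    page_host = urlparse(page_url).hostname or ""
    action = urlparse(action_url)
    action_host = action.hostname or ""
    warnings = []
    # Credentials should go back to the same site the user believes they are on.
    if registrable_domain(page_host) != registrable_domain(action_host):
        warnings.append(f"form posts to {action_host}, not to {page_host}")
    # "twitter.com.something.example" is not twitter.com, however it is truncated.
    if looks_like_brand_spoof(page_host, brand_domain):
        warnings.append(f"page host {page_host} only begins with {brand_domain}")
    # A login form submitting over plain HTTP exposes the password in transit.
    if action.scheme != "https":
        warnings.append("credentials would be sent over plain HTTP")
    return warnings


if __name__ == "__main__":
    for label, page, action in (("phish", PHISH_PAGE_URL, PHISH_ACTION_URL),
                                ("genuine", GENUINE_PAGE_URL, GENUINE_ACTION_URL)):
        print(f"{label}: location bar shows {truncated_location_bar(page)!r}")
        for warning in check_login_form(page, action, "twitter.com") or ["no warnings"]:
            print(f"  - {warning}")
```

Run as a script it prints the truncated location bar for both pages (the phish shows exactly “http://twitter...”) followed by three warnings for the phish and none for the genuine page.  The point of the comparison is that every check here operates on the full URL and the form’s action, which is information the phone browser had but never showed the user.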

The article that I am writing for the Virus Bulletin conference in October has to do with how the brain processes information, and specifically with cognitive processes.  What is it about scams that makes us fall for them?  Are there some types of scams that work better than others?

I would argue that social networking scams have a higher hit rate than banking scams, at least in terms of how many people fall for them in sheer numbers.  The reason is that in the financial world there is lots of competition: Citibank, Wells Fargo, JP Morgan, Chase, Washington Mutual (ha!), and the list goes on and on.  In order for a phishing scam to work, it has to get past a spam filter and hit a customer of that particular bank.  Because there are so many different banks, the odds of the spammer hitting someone are not stacked in his favor.

Social networking is different because there are far fewer popular sites.  Facebook, Twitter, and… uh… what else is there (just kidding)?  The point is that these sites have a much larger user base attached to them, and therefore the odds of getting past a spam filter and hitting a user of that particular service are higher.

What about brain processes?  This is a sneak preview of what I am writing about, but in psychology the term “affect” is the level of “goodness” or “badness” that we feel in a given situation.  If our team in hockey is winning (perhaps winning the gold medal in hockey at the 2010 Olympics), we feel positive affect.  If our team is losing (or, perhaps, the opposing team ties it up with less than 30 seconds to go in the game), we feel negative affect.  Studies have been done to examine the effect of affect on our decision-making process.

Earlier research concluded that positive affect makes us less risk-averse.  In other words, because we feel that the environment is benign, our guard is not up, and therefore the decisions we make do not take risk factors into account.  We are less likely to perceive a threat when we feel good about something because, when we fall back on past experiences and biases, those outcomes were positive.  Our brains therefore use heuristics that skip over threat checks, because there was no threat in the past.  In this instance, Doctorow saw that he was hearing from an old friend through his social networking site.  This made him feel good, and therefore his guard was lowered.

On the other hand, recent studies suggest the opposite: introducing positive affect actually helps us make better decisions.  People in whom positive affect has been induced are able to reason more accurately and come to better decisions than those in neutral or negative moods, and people with positive affect or in good moods tend to be more risk-averse.  This suggests that Doctorow should have been more on guard when getting a Twitter message.

The conclusion is that positive affect can do either: it can lead us to rely on heuristics in order to maintain the level of goodness, or it can make us more risk-averse and lead to better decisions.  In this case, it appears to have been the former.

This particular area of antispam effectiveness research is, I believe, an underexplored topic.  It’s something I plan to evaluate this October in Vancouver at Virus Bulletin.  I actually do have more of an explanation for this (based on the research I have done into cognitive processes) but I’m going to keep it to myself for the time being.

Comments (2)
  1. annakhulet12 says:

    This story is very good when peoples strict a person it will come back to you more than what you did to them

  2. Rob Mueller says:

    I mentioned this in another recent post about Twitter spam… but just want to point out that Twitter recently signed up to using truedomain, so if you have a Fastmail account, emails appear with the Twitter logo next to them in the web interface. Makes spotting phishing emails a lot easier. Long term it would be nice if email clients supported this.

    I wrote a summary of what truedomain are trying to do in the anti-phishing space here:
