contributed articles
DOI: 10.1145/1897852.1897872

Understanding Scam Victims: Seven Principles for Systems Security

By Frank Stajano and Paul Wilson

Effective countermeasures depend on first understanding how users naturally fall victim to fraudsters.

From a holistic security engineering point of view, real-world systems are often vulnerable to attack despite being protected by elaborate technical safeguards. The weakest point in any security-hardened system is usually its human element; an attack is possible because the designers thought only about their own strategy for responding to threats, without anticipating how real users would react.

We need to understand how users behave and what traits of that behavior make them vulnerable, then design systems security around them. To gain this knowledge, we examine a variety of scams, distilling some general principles of human behavior that explain why the scams work; we then show how the same principles also apply to broader attacks on computer systems insofar as those attacks involve humans. Awareness of the aspects of human psychology exploited by con artists helps not only the public avoid these particular scams but also security engineers build more robust systems.

Over nine series of the BBC TV documentary The Real Hustle (http://www.bbc.co.uk/realhustle/), Paul Wilson and Alexis Conran researched the scams most commonly carried out in Britain and, with Jessica-Jane Clement, replicated hundreds of them on unsuspecting victims while filming the action with hidden cameras. The victims were later debriefed, given their money back, and asked for their consent to publish the footage so that others would learn not to fall for the same scams (see the sidebar “Representative Scams,” to which we refer throughout the main text).

The objective of the TV show was to help viewers avoid being ripped off by similar scams. Can security researchers do more? By carefully dissecting dozens of scams, we extracted seven recurring behavioral patterns and related principles exhibited by victims and exploited by hustlers. They are not merely small-scale opportunistic scams (known as “short cons”) but in-

Key insights

We observed and documented hundreds of frauds, but almost all of them can be reduced to a handful of general principles that explain what victims fall for.

These principles cause vulnerabilities in computer systems, but they were exploited by fraudsters for centuries before computers were invented and are rooted in human nature.

Users fall prey to these principles not because they are gullible but because they are human. Instead of blaming users, understand that these inherent vulnerabilities exist, then make your system robust despite them.