HOWTO use con-games to improve information security

"Understanding scam victims: seven principles for systems security" by Cambridge University's Frank Stajano and Paul Wilson is an excellent look at the principles involved in "short cons" (confidence games that only take a few minutes to "play") and how they can be applied to information security. The authors examine the mechanics of scams demonstrated in the BBC show "The Real Hustle" and then extract the principles that drive them and show how they are also used in online ripoffs:

This illustrates something important. Many people feel that they are wise to certain scams or take steps to protect their property; but, often, these steps don't go far enough. A con artist can easily answer people's concerns or provide all sorts of proof to put minds at ease. In order to protect oneself, it's essential to remove all possibility of compromise. There's no point parking your own car if you then give the valet your keys. Despite this, the mark felt more secure when, in actual fact, he had made the hustler's job easier….

…Much of systems security boils down to "allowing certain principals to perform certain actions on the system while disallowing anyone else from doing them"; as such, it relies implicitly on some form of authentication–recognizing which principals should be authorized and which ones shouldn't. The lesson for the security engineer is that the security of the whole system often relies on the users also performing some authentication, and that they may be deceived too, in ways that are qualitatively different from those in which computer systems can be deceived. In online banking, for example, the role of verifier is not just for the web site (which clearly must authenticate its customers): to some extent, the customers themselves should also authenticate the web site before entering their credentials, otherwise they might be phished. However, it is not enough just to make it "technically possible": it must also be humanly doable by non-techies. How many banking customers check (or even understand the meaning of) the https padlock?

Understanding scam victims: seven principles for systems security

(via Schneier)