
Markus Jakobsson - Security, Privacy and User Interaction

Publisher: Springer International Publishing. Genre: Computer.


Editor
Markus Jakobsson
Security, Privacy and User Interaction
1st ed. 2020
Editor
Markus Jakobsson
ZapFraud Inc., Portola Valley, CA, USA
ISBN 978-3-030-43753-4 e-ISBN 978-3-030-43754-1
https://doi.org/10.1007/978-3-030-43754-1
The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2020
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG

The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

For A and Art.

Thank you for putting up with me.

Foreword

Online, most people know me by my nom de guerre, Sinon Reborn, and the fact that I hoodwinked, over a few busy months, an array of people in positions of power or fame, including celebrities and key people at financial institutions at Wall Street, Bank of England, and the White House. However, what made my deception unusual was that my goal was never to damage or steal, but always to prank my marks.

The approach I used did not involve malicious code or hacking, but it was about cleverly selected account names, cunning pitches, and an understanding of what motivated my marks. At the same time, I never asked for the combination to the safe or any form of sensitive data; far from it. My modus operandi was more often than not to invite them to a party, an unusual party; perhaps with a strange theme, but a party nonetheless. If I were a criminal, I would have been able to use the same techniques to become a successful cybercriminal.

There is no doubt: Given the right angle and the right pitch, you can make almost anybody do almost anything. This is what social engineering is about. Social engineering, in a way, is like martial arts: It is about using your opponent's force against them. In the context of social engineering, that means understanding the psychology and context of the target and to play on their vulnerabilities and insecurities. And this is what criminals increasingly do to plunder everybody from little old ladies to major corporations. It is a crime that is not based on criminal technology (unlike, for example, traditional viruses and associated attacks). It is also a crime for which the development of technological countermeasures has lagged severely behind.

This begs the question: If everybody were to leave their doors unlocked, would it be reasonable to resent a rise in burglaries? Burglary would still be wrong, but the blame would not just be with the criminals, but with the people leaving their doors open, too. In the same way, today's Internet services are very much like a city of unlocked doors, and it is because we, as a society, have not bothered understanding the problem. The unlocked doors for us are embodied by a failure to understand protocols, user interfaces, and how these can be used and abused.

This book shines a light on this vast problem and explains both shortcomings and fixes, but not only in the context of social engineering, but about other failures of proper communication, too. It asks and answers the question of how people think and how we can measure this. It also asks and answers how systems should be designed with this in mind, whether we consider how to ask permissions from users to use their data or how we can make sure that existing technologies (such as second-factor techniques) are not abused by criminals.

Returning to the analogy of martial arts, this book considers how to avoid having criminals use the force of little old ladies and of corporations to commit crimes. But doing so requires that we understand the limitations of these potential victims (as well as their strengths) and that we consider what limits the criminals. The book is based on a series of case studies that, together, build the case that it is time for us, as technologists and decision-makers, to change how we approach this problem.

James Linton a.k.a. Sinon Reborn
Manchester, UK
February 2020
Preface

In 1997, I graduated from University of California, San Diego, with a PhD in Cryptography. Entering my first real job as a Member of Technical Staff at Bell Labs, I was convinced that the answer to most problems (or at least, to most problems worth solving) was cryptography. That, admittedly, was rather naïve.

I spent a few blissful years believing cryptography was the answer, doing research on privacy, randomness generation, and electronic payments, until it gradually started to dawn on me that the problems I was solving were strangely disconnected from the real security problems society seemed to suffer. The problem, as it turned out, was that I (like almost all my peers at the time) did not take the end user into consideration. I made the mistake of believing either that the end user will follow the instructions to the dot or sometimes will never do anything right. In either case, I decided to ignore the user, since I had no control over what he or she might do. That, as it turns out, is often a massive mistake and one that can severely cripple otherwise very well designed solutions.

I wrote this book in the hope that by explaining why the end user matters, others could avoid making the mistake so many others have made. It is my strong belief that considering security and privacy only, while ignoring the end user and the user interfaces, is not a winning strategy.

Let me say it again: The user does matter. While we can neither count on him or her always doing the right thing nor always doing the wrong thing, we still need to understand what motivates the typical user and how the typical user interprets information. Most users, whether of a new phone, a new IoT system, or a new piece of software, want to plug it in, flip the switch, and then go on with their lives. They do not want to carefully understand the implications of various possible configurations; they do not want to have to understand what can go wrong; most of them will not even want to read the instructions. This is unfortunate because the end user
