1) Cyber-crime is a growing problem as online banking fraud has increased significantly from 2010 to 2012. The human element of security is often the weakest link, as shown through social engineering experiments. 2) A case study on the DigiNotar hack revealed that poor security practices like weak passwords and lack of antivirus software allowed hackers to issue false digital certificates. 3) Situational crime prevention focuses on reducing criminal opportunities and can provide techniques to address phishing through education and awareness training, as well as ensuring computers have up-to-date security systems. However, training may have limited effectiveness without broader changes to influence actual criminal behavior.

1. On the future of Cyber-crime
Pieter Hartel
University of Twente
1

2. Queensland hacker jailed for revenge sewage attacks
2

3. Russian hacker jailed for porn on video billboard
3

4. DigiNotar Hackers suspected of spying on Iranian gmail
http://www.youtube.com/user/foxitsoc?feature=watch
4

5. Online banking fraud
 2010: € 9,8 M
 2011: € 35 M
 2012: € 125M?

6. Engineers ignored the human element
6

7. Once a happy family dedicated to universal packet
carriage
7

8. Keeping honest people honest with the netiquette
8

9. Explosive growth of the Internet from 1995 .. 2005
Millions of Users
Year
9

10. Everyone invited to the party and crime was here to stay
10

11. Uptake of security technology slow
11

12. The offender simply skirts around your defenses..
12

13. The human element: People are the weakest link
Two examples...
13

14. Example 1 : Simulated laptop theft experiment
14

15. 62 simulated offences of which 31 succeeded
Steps Succeeded Failed
Enter building 61 1
(locked door)
Enter office 47 14
(1×cleaner)
Unlock 31 16
Kensington (5×bolt cutter)
Leave 62 0
building (1×emergency exit)
15

16. Results
 Social engineering works
 30 out of 47 attempts with social engineering succeeded
 1 out of 15 attempts without social engineering succeeded
 Managers more likely to prevent attack than the target
 Offender masquerading as ICT staff twice as likely to be successful
[Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice.
PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317
16

17. Example 2 : The failure of DigiNotar
17

18. Certificate
The binding
of a public key
and an identity
signed by a
certification
authority
18

19. What went wrong?
 No anti virus and weak passwords
 Offenders hacked the system and issued rogue certificates
 DigiNotar has been hacked before (2009)
 No backup certificates
 False certificates still accepted by browsers that have not been
patched...
 DigiNotar now bankrupt.
19

20. How to deal with the human element?
 Focus on the offender
 Focus on the offence
[Fel10a] M. Felson. What every mathematician should know about modelling crime.
European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010.
http://dx.doi.org/10.1017/S0956792510000070 20

21. [Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged
children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a
21

22. Situational crime prevention focuses on the offence
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice including studies of displacement.
22

23. 1. Routine Activity Approach
Motivated Capable
Offender Guardian
crime
Suitable
Target
23

24. 2. Methodology: Action Research
1. collection of data about the nature of problem
2. analysis of the situational conditions
3. systematic study of means of blocking opportunities
4. implementation of the most promising means
5. monitoring of results and dissemination of experience.
First car theft
4
index published
5
2,3
# of 1
Vehicles
Stolen Years 24

25. 3. A set of opportunity-reducing techniques.
 http://www.popcenter.org/25techniques/
25

26. 26

27. 4. A body of evaluated practice
Example: Phishing case study
27

28. How can we use the 25 techniques to fight Phishing?
 Increase the effort
1. Target Hardening : Train users to be vigilant
2. Control access to facilities : Control inbox & account
3. Control weapons and tools : Keep your PC up to date
 Reduce Rewards
1. Conceal targets : Conceal the email address
2. Disrupt markets : Control Mule recruitment
 Remove Excuses
1. Post Instructions : “No phishing”
28

29. 1. Target Hardening
 Training: Anti-phishing Phil
 http://cups.cs.cmu.edu/antiphishing_phil/new/
29

30. The message of the training
1. Ignore email asking to update personal info
2. Ignore threatening email
3. Ignore email from bank that is not yours
4. Ignore email/url with spelling errors
5. Ignore a url with an ip address
6. Check a url using Google
7. Type a url yourself, don’t click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and
susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS),
pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM.
http://dx.doi.org/10.1145/1143120.1143131
30

31. How well does training work?
 515 volunteers out of 21,351 CMU staff+stududents.
 172 in the control group, no training
 172 single training, day 0 training
 171 double training, day 0 and day 14 training
 3 legitimate + 7 spearphish emails in 28 days
 No real harvest of ID
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T.
Pham. School of phish: a real-word evaluation of anti-phishing training. In 5th Symp. on
Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009.
ACM. http://dx.doi.org/10.1145/1572532.1572536 31

32. Good but could be better
 On day 0 about 50% of participants fell
 Constant across demographic
 Control group remains constant
 Single training reduces clicks
 Multiple training reduces clicks more
 Unfortunately:
 Participants were self selected...
 No indication that this reduces crime...
32

33. 5. Control weapons and tools
Is it a good idea to: Is it a good idea to:
 Let people surf the Internet  Let people drive on the road
without a license ? without a license ?
 Allow manufacturers to sell the  Allow manufacturers to sell the
anti-virus of a PC as an optional brakes of a car as an optional
extra ? extra ?
 Expect people to maintain their  Expect people to maintain their
own anti-virus, fire wall, OS ? own car ?

34. An idea that we would like to test
1. User pays the ISP an “Insurance” premium
2. Security vendor serves the user with updates
3. Security vendor notifies an ISP when user does not update
4. ISP ensures that non-compliant user does not endanger others
5. ISP remunerates vendor
6. Government controls ISPs and vendors

35. √ √
√ √ √
√
√ √
√ √ ? 35

36. Conclusions
 Crime Science approach:
 Gives a human perspective on all things technical
 Might have come up with new ideas
 Avoids experimental flaws
 An ounce of prevention is worth a pound of cure
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science
+ information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct
2010. http://eprints.eemcs.utwente.nl/18500/
36