
Showing papers by "Ross Anderson published in 2019"


Proceedings ArticleDOI
09 Jul 2019
TL;DR: It would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response; society is particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit.
Abstract: In 2012 we presented the first systematic study of the costs of cybercrime. In this paper, we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows, and with many services moving to the cloud. The use of social networks has become extremely widespread. The executive summary is that about half of all property crime, by volume and by value, is now online. We hypothesised in 2012 that this might be so; it is now established by multiple victimisation studies. Many cybercrime patterns appear to be fairly stable, but there are some interesting changes. Payment fraud, for example, has more than doubled in value but has fallen slightly as a proportion of payment value; the payment system has simply become bigger, and slightly more efficient. Several new cybercrimes are significant enough to mention, including business email compromise and crimes involving cryptocurrencies. The move to the cloud means that system misconfiguration may now be responsible for as many breaches as phishing. Some companies have suffered large losses as a side-effect of denial-of-service worms released by state actors, such as NotPetya; we have to take a view on whether they count as cybercrime. The infrastructure supporting cybercrime, such as botnets, continues to evolve, and specific crimes such as premium-rate phone scams have evolved some interesting variants. The overall picture is the same as in 2012: traditional offences that are now technically `computer crimes' such as tax and welfare fraud cost the typical citizen in the low hundreds of Euros/dollars a year; payment frauds and similar offences, where the modus operandi has been completely changed by computers, cost in the tens; while the new computer crimes cost in the tens of cents. Defending against the platforms used to support the latter two types of crime cost citizens in the tens of dollars. Our conclusions remain broadly the same as in 2012: it would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response. We are particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit. Given the growing realisation among policymakers that crime hasn't been falling over the past decade, merely moving online, we might reasonably hope for better funded and coordinated law-enforcement action.

65 citations


Posted Content
TL;DR: The first acoustic side-channel attack that recovers what users type on the virtual keyboard of their touch-screen smartphone or tablet is presented, suggesting that it is not always sufficient to rely on isolation mechanisms such as TrustZone to protect user input.
Abstract: We present the first acoustic side-channel attack that recovers what users type on the virtual keyboard of their touch-screen smartphone or tablet. When a user taps the screen with a finger, the tap generates a sound wave that propagates on the screen surface and in the air. We found the device's microphone(s) can recover this wave and "hear" the finger's touch, and the wave's distortions are characteristic of the tap's location on the screen. Hence, by recording audio through the built-in microphone(s), a malicious app can infer text as the user enters it on their device. We evaluate the effectiveness of the attack with 45 participants in a real-world environment on an Android tablet and an Android smartphone. For the tablet, we recover 61% of 200 4-digit PIN-codes within 20 attempts, even if the model is not trained with the victim's data. For the smartphone, we recover 9 words of size 7--13 letters with 50 attempts in a common side-channel attack benchmark. Our results suggest that it is not always sufficient to rely on isolation mechanisms such as TrustZone to protect user input. We propose and discuss hardware, operating-system and application-level mechanisms to block this attack more effectively. Mobile devices may need a richer capability model, a more user-friendly notification system for sensor usage and a more thorough evaluation of the information leaked by the underlying hardware.

22 citations


Posted Content
TL;DR: Sitatapatra is introduced, a system designed to block the transfer of adversarial samples, which diversifies neural networks using a key, as in cryptography, and provides a mechanism for detecting attacks.
Abstract: Convolutional Neural Networks (CNNs) are widely used to solve classification tasks in computer vision. However, they can be tricked into misclassifying specially crafted `adversarial' samples -- and samples built to trick one model often work alarmingly well against other models trained on the same task. In this paper we introduce Sitatapatra, a system designed to block the transfer of adversarial samples. It diversifies neural networks using a key, as in cryptography, and provides a mechanism for detecting attacks. What's more, when adversarial samples are detected they can typically be traced back to the individual device that was used to develop them. The run-time overheads are minimal, permitting the use of Sitatapatra on constrained systems.

17 citations


Journal ArticleDOI
12 Apr 2019-PLOS ONE
TL;DR: It appears that full body motion can be an objective nonverbal indicator of deceit, showing that lying does not cause people to freeze.
Abstract: We present a new signal for detecting deception: full body motion. Previous work on detecting deception from body movement has relied either on human judges or on specific gestures (such as fidgeting or gaze aversion) that are coded by humans. While this research has helped to build the foundation of the field, results are often characterized by inconsistent and contradictory findings, with small-stakes lies under lab conditions detected at rates little better than guessing. We examine whether a full body motion capture suit, which records the position, velocity, and orientation of 23 points in the subject’s body, could yield a better signal of deception. Interviewees of South Asian (n = 60) or White British culture (n = 30) were required to either tell the truth or lie about two experienced tasks while being interviewed by somebody from their own (n = 60) or different culture (n = 30). We discovered that full body motion–the sum of joint displacements–was indicative of lying 74.4% of the time. Further analyses indicated that including individual limb data in our full body motion measurements can increase its discriminatory power to 82.2%. Furthermore, movement was guilt- and penitential-related, and occurred independently of anxiety, cognitive load, and cultural background. It appears that full body motion can be an objective nonverbal indicator of deceit, showing that lying does not cause people to freeze.

10 citations



Book ChapterDOI
10 Apr 2019
TL;DR: In this article, a game-theoretic model was proposed to capture the power dynamics involved in whistleblowing and identified specific areas where technology may be used to mitigate the whistleblower's risk.
Abstract: One of the most critical security protocol problems for humans is when you are betraying a trust, perhaps for some higher purpose, and the world can turn against you if you’re caught. In this short paper, we report on efforts to enable whistleblowers to leak sensitive documents to journalists more safely. Following a survey of cases where whistleblowers were discovered due to operational or technological issues, we propose a game-theoretic model capturing the power dynamics involved in whistleblowing. We find that the whistleblower is often at the mercy of the motivations and abilities of others. We identify specific areas where technology may be used to mitigate the whistleblower’s risk. However, we warn against technical solutionism: the main constraints are often institutional.

1 citation


Posted Content
TL;DR: In this paper, the authors describe efforts to visualize relevant data on a blockchain and come up with a graphical model to represent the stolen coins and then implement this using a variety of visualization techniques.
Abstract: The first six months of 2018 saw cryptocurrency thefts of $761 million, and the technology is also the latest and greatest tool for money laundering. This increase in crime has caused both researchers and law enforcement to look for ways to trace criminal proceeds. Although tracing algorithms have improved recently, they still yield an enormous amount of data of which very few datapoints are relevant or interesting to investigators, let alone ordinary bitcoin owners interested in provenance. In this work we describe efforts to visualize relevant data on a blockchain. To accomplish this we come up with a graphical model to represent the stolen coins and then implement this using a variety of visualization techniques.

Book ChapterDOI
10 Apr 2019
TL;DR: The authors note that the title was written long before the previous day's events; they do not consider Julian Assange a snitch and sincerely hope he doesn't get stitches, and they say the grace period can likewise be ignored.
Abstract: I should first comment on the title. We wrote this a long time before the events of yesterday. We do not consider Julian Assange a snitch, and we sincerely hope he doesn’t get stitches. So let’s ignore the first part. Another thing we can ignore is the grace period. Please feel free to interrupt me, starting now.

Posted Content
TL;DR: This analysis indicates that Cialdini's marketing-based social persuasion strategies, such as liking, appeal to authority, and the need for commitment and consistency, are extensively implemented by rental scammers.
Abstract: Rental scams are a type of advance fee fraud, in which the scammer tries to get a victim to pay a deposit to rent an apartment of which the scammer pretends to be the landlord. We specifically focused on fraudulent long-term rentals advertised in the UK on Craigslist. After a victim responds to the scammer's advertisement, the scammer attempts to persuade them to transfer money without having seen the property. We were interested in which persuasion techniques scammers use, and in assessing their skill at the art of persuasion. During a period of three weeks, we scraped 2112 letting advertisements, identified the fraudulent advertisements and had 44 conversations of around 4 or 5 emails each with the scammers. Our analysis indicates that Cialdini's marketing-based social persuasion strategies, such as liking, appeal to authority, and the need for commitment and consistency, are extensively implemented by rental scammers. Of Stajano and Wilson's scam-based persuasion strategies, an appeal to sympathy (i.e., kindness) and need for greed were commonly used. We identified two further social persuasion strategies: establishing credibility and removing objections. At a superficial level, rental scammers seem skilled at their job, because they mimic genuine landlords and use a range of effective persuasion techniques. However, when examining their emails more closely, we see they often use pre-scripted emails, their mimicry is often incompetent, and they have a lack of language skills and cultural knowledge that may tip people off. They appear to be the criminal equivalent of a boilerhouse sales operation, a modus operandi that has not previously been studied by cybercrime researchers.