The Game Theory of Phishing
posted by: Jeremy Clark // 11:59 PM // May 01, 2007 // ID TRAIL MIX
By all measures, the amount of internet fraud is rising. Morgan Keegan reports that the number of new phishing sites grew by an order of magnitude, from 4,367 in October 2005 to 37,444 in October 2006. Nor is phishing the only source of online fraud: the number of victims of identity theft is growing as well.
In response to the escalation of phishing attacks, a plethora of anti-phishing tools have been unleashed: Firefox extensions, IE toolbars, and psychedelic colour-shifting borders for your browser, as well as, perhaps more sensibly, blacklists of known phishing sites, including a list maintained by web titan Google. Of course, these tools only work in so far as users take the time to install them and learn how to use them. On the latter point, news from the usability-of-security front is equally discouraging. A user study conducted by Rachna Dhamija (Harvard), J. D. Tygar (Berkeley), and Marti Hearst (Berkeley), presented last year at the Conference on Human Factors in Computing Systems, had participants evaluate 20 websites, 7 legitimate and 13 fraudulent, and differentiate between them. The best phishing site fooled over 90% of the participants, with many users reasoning that the page's nice layout and animated graphics were a sure sign of its legitimacy. Numerous other usability studies have examined the effectiveness of various anti-phishing technologies, and it is typical to hear them described as unintuitive at best and unusable at worst (not to mention an eyesore).
All of this brings us to the magnificent architecture of some of Ottawa's oldest banks. With their tall pillars, imposing lobbies, marble floors, and brass railings, bank architecture showcases impressive work by great architects like John M. Lyle. (Okay, pardon the non sequitur. I assure you I am going somewhere with this.) What is perhaps most intriguing about bank architecture is the reason the buildings were so notable. Why exactly were banks so impressive, and what changed? There is an easy answer: the magnificent designs were a consequence of competition (an answer easy enough to be articulated in The Canadian Encyclopedia). The problem with this answer is that it does not adequately explain why bank buildings have become less and less impressive over the past century while there is still substantial competition, nor does it explain why there was not a similar architectural arms race in hardware stores, feed mills, or other competitive industries.
A better answer comes from the work of economist Michael Spence on asymmetric information and signaling theory (for which he shared the 2001 Nobel prize). Before the days of governmental oversight and a banking oligopoly, there existed the threat that the new bank that opened up down the street might be a fraud, with crooks planning to run off with your money. By building impressive buildings, legitimate banks sent a signal of quality to customers that fraudulent banks could not afford to send. An expensive building assured potential customers that the bank was planning on long-term establishment and was committed to high standards of service.
These types of scenarios are called signaling games in game theory. A basic signaling game has two participants, a sender and a receiver. The sender knows something about herself (called her type) that is not observable to the receiver. The sender's objective is to convey her type through a signal that differentiates her from senders of other types, and to provoke an appropriate response from the receiver. For a signal to work, it must be cheap enough for the "good" type to send and too costly for the "bad" type to imitate. Examples of signals include the education level of a job applicant, a full-page advertisement in the New York Times, or the striking blue-green plumage of a peacock.
The problem of phishing and fraudulent websites is also a signaling game, where legitimate websites need to find the online equivalent of an impressive building to signal their type to users. The problem is that the most obvious parallel to the offline world, an impressive website, is completely inadequate. Whether or not the bank customers of lore worked out the game theory of their situation, the signal worked because customers naturally gravitated towards banks with nice buildings. Once the signal became common, most customers did not need an education campaign in how to differentiate between legitimate and fraudulent banks to make the correct choice. In other words, their own preferences led them to the right decision. As the user study mentioned above indicates, this natural instinct is still present in modern internet users. When presented with an impressive website with fancy graphics and a cutting-edge layout, a significant proportion of users conclude that this is a signal of its legitimacy. While designing the kind of full-featured website banks commonly use does cost a small fortune, the problem lies in the fact that all this hard work can be copied effortlessly: a phisher can mirror the finished site's markup, images, and stylesheets for nothing, so the cost that made the building a credible signal is absent. Phishing is thus a twofold problem: (1) we do not have a good signal, and (2) the signal that users naturally look for is not good.
It may be possible to address the second through user education if only we could solve the first. One potential signal might be website seals offered by watchdog organizations like TRUSTe and BBBOnLine. Benjamin Edelman of Harvard empirically studied websites bearing these seals. He found that while a BBBOnLine seal slightly increased the probability of the site being trustworthy (but not enough to be an adequate signal), a TRUSTe seal actually decreased the probability that it was trustworthy. That is to say, a site with no seal at all is more likely to be trustworthy than one with a TRUSTe seal. Thus the seal not only fails as an adequate signal, it actually results in adverse selection: the sites most inclined to buy the seal are the ones that most need to borrow credibility. In the same paper, presented last year at the Workshop on the Economics of Information Security, Edelman also found that search engine advertisements are more than twice as likely to be untrustworthy as the accompanying search results, another display of adverse selection.
Perhaps a more promising area of third-party accreditation is website certificate authorities. The largest certificate issuers are, in order, Verisign, GeoTrust, Comodo, GoDaddy, and Entrust. Until recently, a certificate from any of these authorities evoked the same response in browsers, a padlock being displayed, despite the fact that the verification process varies radically from authority to authority (at one extreme, little more than proof of control over the domain name; at the other, vetting of the organization behind it). The padlock therefore tells the user only that the connection is encrypted, not who is on the other end. Recently, however, Microsoft has agreed to implement a new, tiered approach to displaying certificate indicators. In new versions of Internet Explorer, the address bar will display red if the site is a suspected phishing site, yellow if the site has a traditional certificate, and green if it has an extended validation (EV) certificate (and, as always, white for no certificate). Receiving an EV certificate requires an extensive investigation process that is intended to catch fraudulent attempts at certification.
EV certificates have the potential to be an adequate signal. However, this is only half of the problem, as the other half is getting users to recognize the signal and act accordingly. Time will tell whether the EV process is extensive enough to demarcate legitimate companies from fraudulent ones, and whether users will adapt to recognizing and understanding the implications of the signal. In the meantime, economic game theory still dictates that one way a company can signal its legitimacy is by spending more money than a fraudulent one could afford. In my opinion, nothing would say quality like an SSL certificate that costs a million dollars, turns the IE address bar sparkling gold, and puts a dollar sign over the lock. Anyone want to help me start MilliSign?