If he weren't so ethical, Markus Jakobsson could be a world-class online fraudster. In a way, he already is.
Jakobsson, a cybersecurity researcher and professor at Indiana University in Bloomington, spends much of his time perpetrating online attacks of unsuspecting Web surfers - without actually harming them, of course - to see what types of ruses people will fall for and to predict potential new techniques phishers might pursue.
The university that gave the world Alfred Kinsey, the famous sex researcher, is more than willing to tolerate experiments that might improve computer security, even if it annoys a few unwitting participants.
"They think everything that is not immoral or illegal is fine," Jakobsson joked Wednesday at the Usenix Security Symposium in Boston, while delivering a talk on the human factor in online fraud such as phishing, click fraud and crimeware. Victims of online attacks often give up personal information, such as bank account details, or have their computers controlled remotely by hackers.
Jakobsson's research subjects can't know they're being experimented upon, or the results would be meaningless. The typical procedure is to tell them about the research after they've unknowingly participated, which Jakobsson admits has led to some angry responses.
In one experiment, Jakobsson and his students sent e-mails to about 20 people directing them to a site authenticated only by a self-signed certificate, an identity certificate signed by its creator. Many people accepted the certificate even though anyone knowledgeable in computer security should not have.
"We were on four continents within a day with a starting point of 20 of these messages," Jakobsson said. "We could have put malware on computers."
In another study, Jakobsson found that while people often won't click on a suspicious link within an e-mail, they will go to the site if they are instructed to copy and paste the same URL into their browsers. The lesson Jakobsson took from the study - which involved an e-mail asking users to update their eBay accounts - is that public education efforts about the danger of online attacks are insufficient. People know they're not supposed to click on suspicious links, but they haven't been told not to copy and paste the same links into an address bar. A slight change in approach causes victims to let their guards down and pays dividends for bad guys.
Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.
"People think [the phrase] 'starting with' is just as good as 'ending with,' which of course is remarkable insight," he said.