Can we use guilt instead of crypto in secure protocol design?

The short answer is yes. And sometimes, cryptographic techniques may be absolutely inappropriate. Consider the case of friendly fraud.

Friendly fraud is when an unauthorized payment is performed by a friend or family member of the account holder. Surprisingly to many, this is one of the most common types of fraud. It causes great losses to merchants in the form of chargebacks, administrative costs to financial service providers, and losses (when not discovered) and frustration to consumers.

Traditional security mechanisms, such as PINs and passwords, do not address the problem well. This is because these mechanisms are often not used at all, because account sharing is common, and because fraudsters close to a victim can easily access accounts through password reset techniques. (These are often based on knowing facts that friends and family members commonly know about each other.)

Instead of thinking of security in terms of cryptography, it is more effective in this case to consider the psychology that underlies the problem. Leveraging on two very common emotions — guilt, and the fear of being found out — we can make headway to address friendly fraud. The image below gives a glimpse of the approach — to read more, see my recent SecurityWeek blog.

User interface to reduce friendly fraud.

In contrast, the “traditional” security approach might have been: Tell people not to share passwords; Make people change their passwords more often; Clarify that account sharing is against the terms of service (on page 156 of the EULA that nobody reads). It is doubtful that any of those approaches would help.