All posts by Tyler Moore

How effective is the wisdom of crowds as a security mechanism?

Over the past year, Richard Clayton and I have been tracking phishing websites. For this work, we are indebted to PhishTank, a website where dedicated volunteers submit URLs from suspected phishing websites and vote on whether the submissions are valid. The idea behind PhishTank is to bring together the expertise and enthusiasm of people across the Internet to fight phishing attacks. The more people participate, the larger the crowd, the more robust it should be against errors and perhaps even manipulation by attackers.

Not so fast. We studied the submission and voting records of PhishTank’s users, and our results are published in a paper appearing at Financial Crypto next month. It turns out that participation is very skewed. While PhishTank has several thousand registered users, a small core of around 25 moderators perform the bulk of the work, casting 74% of the votes we observed. Both the distributions of votes and submissions follow a power law.

This leaves PhishTank more vulnerable to manipulation than would be the case if every member of the crowd participated to the same extent. Why? If a few of the most active users stopped voting, a backlog of unverified phishing sites might collect. It also means an attacker could join the system and vote maliciously on a massive scale. Since 97% of submissions to PhishTank are verified as phishing URLs, it would be easy for an attacker to build up reputation by voting randomly many times, and then sprinkle in malicious votes protecting the attacker’s own phishing sites, for example. Since over half of the phishing sites in PhishTank are duplicate rock-phish domains, a savvy attacker could build reputation by voting for these sites without contributing to PhishTank otherwise.

So crowd-sourcing your security decisions can leave you exposed to manipulation. But how does PhishTank compare to the feeds maintained by specialist website take-down companies hired by the banks? Well, we compared PhishTank’s feed to a feed from one such company, and found the company’s feed to be slightly more complete and significantly faster in confirming phishing websites. This is because companies can afford employees to verify their submissions.

We also found that users who vote less often are more likely to vote incorrectly, and that users who commit many errors tend to have voted on
the same URLs.

Despite these problems, we do not advocate against leveraging user participation in the design of all security mechanisms, nor do we believe that PhishTank should throw in the towel. Some improvements can be made by automating obvious categorization so that the hard decisions are taken by PhishTank’s users. In any case, we implore caution before turning over a security decision to a crowd.

Infosecurity Magazine has written a news article describing this work.

Phishing take-down paper wins 'Best Paper Award' at APWG eCrime Researcher's Summit

Richard Clayton and I have been tracking phishing sites for some time. Back in May, we reported on how quickly phishing websites are removed. Subsequently, we have also compared the performance of banks in removing websites and found evidence that ISPs and registrars are initially slow to remove malicious websites.

We have published our updated results at eCrime 2007, sponsored by the Anti-Phishing Working Group. The paper, ‘Examining the Impact of Website Take-down on Phishing’ (slides here), was selected for the ‘Best Paper Award’.

A high-level abridged description of this work also appeared in the September issue of Infosecurity Magazine.

WEIS 2006

The Fifth Annual Workshop on the Economics of Information Security (WEIS) is coming to Cambridge on June 26-28. WEIS topics include the interaction of networks with crime and conflict; the economics of bugs; the dependability of open source and free software; liability and insurance; reputation; privacy; risk perception; the economics of DRM and trusted computing; the economics of trust; the return on security investment; and economic perspectives on spam. A preliminary program and accepted papers are available online.

Immediately following the conclusion of WEIS is the co-located Sixth Workshop on Privacy Enhancing Technologies, June 28-30. The last week of June is sure to be an exciting one in Cambridge.

Participation is open to all interested researchers, practitioners and policy-makers. Register by the end of the week for an early registration discount.