Sensors, Smartphones, Swindles, and Security

E-mail Melanie Martella

The brain is a thing of wonder, allowing us to do and create incredible things, but we also have a number of built-in glitches that can be used by the unscrupulous to get us to hand over goods or information that we shouldn't. And, as we incorporate technology more deeply into our lives, sometimes those technologies come with their own unintentional tells.

In a blog post in November of 2011, Bruce Schneier wrote, "I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives—smart phone banking, electronic wallets—they're simply going to become the most valuable device for criminals to go after." He's not the only one to think this. Researchers have been looking into how data captured by smartphones can be a far richer source of user information than previously imagined. As discussed in this BBC News article, in January of this year, researchers Adam J. Aviv, Benjamin Sapp, Matt Blaze, and Jonathan M. Smith from the University of Pennsylvania published a paper (PDF) in which they explored whether accelerometer data could be used to accurately infer passwords and PINs entered into a smartphone. The short answer is yes. (I'd suggest reading the paper not only because it's an interesting topic, but also because it references other research into the how the various sensors in smartphones can be used to deduce user inputs.)

The technology angle is just a part of the larger security picture; in 2009, Frank Stajano from the University of Cambridge Computer Laboratory and Paul Wilson from BBC's The Real Hustle, authored a paper titled "Understanding scam victims: seven principles for systems security" where they argued that, to design and implement good systems security, the designers should take into account what they call "human factors" vulnerabilities, the same kinds of user behavior patterns that con artists and hustlers take advantage of. (A hat tip to Making Light for the link). If people are part of your system, then you need to understand their characteristic failure modes as well as those of the system and design accordingly.

It turns out that pickpockets, magicians, and con-men are really good at understanding how to manipulate human perception and attention; it's a key attribute of how they work. Apollo Robbins is an incredibly good pickpocket (if you haven't already seen video of him working his magic, you really, really should. Here's one video from The New Yorker to give you some idea of his virtuosity). In Adam Green's long and fascinating New Yorker profile, "A Pickpocket's Tale" Green recounts Robbins' history and explains (among other things) how Robbins ended up helping neuroscientists Stephen Macknik and Susana Martinez-Conde explore the cognitive basis for some of his skills. As a deft manipulator of perception, Robbins relies on the quirks in how we perceive and react to distract, manipulate, and astound the people he incorporates into his act. Those mental quirks of ours aren't going away; technology needs to take them into account.