It’s been well documented that people will give up their computer passwords for a piece of chocolate. But what would they be willing to give up for a dollar—or even a penny?
Plenty as it turns out.
Incentivized by a minimal amount of cash, computer users who took part in a study conducted by experts from Carnegie Mellon University, NIST and Penn State University were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment.
The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users.
The study was released recently in a paper called: “It’s All About The Benjamins: An empirical study on incentivizing users to ignore security advice.” While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.
“To most participants, the value extracted from the software (access to free music or screen savers) trumped the potentially dangerous security compromises and privacy invasions they had facilitated,” the researchers, Nicolas Christin, Serge Egelman, Timothy Vidas, and Jens Grossklags, wrote in their paper. The results also demonstrate that an attacker could invest a relatively small amount of money to access a victim’s computer—with their consent.
The experiment was carried out over Amazon’s Mechanical Turk, a platform uniting businesses seeking workers, often for mundane tasks. People can search for tasks that interest them, complete them from home, and be compensated. The researchers in this experiment also point out that the platform has been used for studies on human subjects and behaviors.
For this experiment, called the CMU Distributed Computing Project, anyone choosing to participate was told they would be part of a research project and had to click through to a consent form. Participants worked with a third-party domain, and no mention of the project was found on any Carnegie Mellon domain, meaning that, as far as participants could tell, a hacker could just as well have posted a task that included malware.
The task—to view, download and run an executable—was reposted weekly for five weeks. Each time it was reposted, the incentive went up, from 1 cent, to 5 cents, 10 cents, 50 cents and finally $1. Participants were allowed to take part only once, and only Windows XP, Vista or 7 users were allowed to participate, in order to measure the effectiveness of the User Account Control (UAC) prompts built into Windows after Vista.
The researchers’ executable was benign, other than collecting and reporting Windows version data, process list data and whether the app was opened in a virtual machine. To the user, the app appeared to run only a timer; once it completed, the user was shown a payment code.
The task was viewed on Mechanical Turk 2,854 times, downloaded 1,714 times and executed 965 times. The proportion of executions, the paper said, increased as the incentive was increased, even though 22 percent of those who executed the program did so for a penny.
“This raises questions about the effectiveness of well-known security advice when competing against the smallest of incentives,” the researchers wrote.
The presence of the UAC warning, the researchers said, also made no significant difference to the results. Regardless of the warning, participants were still willing to download and execute an unknown program and grant it administrative privileges, the researchers said.
Ironically, the results also yielded some insight into users’ behavior that seems to be somewhat security conscious. Those running antivirus and fully patched machines, for example, were more willing to download the executable thinking the security software would protect their computers.
As the payments climbed, the researchers said, 72 percent of those paid 50 cents and 68 percent of those paid $1 had a current version of Windows running, compared to 54 percent of those paid less money. Also, those who were paid more performed the task diligently, allowing it to run for the task’s full 60 minutes, the researchers said.
“Even though around 70 percent of all our survey participants understood that it was dangerous to run unknown programs downloaded from the Internet, all of them chose to do so once we paid them,” the researchers said.