A Case of Sesame Seeds: Growing and Nurturing Credentials in the Face of Mimicry

Abstract

The purpose of this paper is to put the study of mimicry on the information security research map. Mimicry in humans has received little scholarly attention. Sociologist Diego Gambetta has constructed a framework that enables reasoning about episodes of mimicry based on trust in signs. By looking at the problem of phishing the applicability of this framework to problems of mimicry in information security system was tested. It was found that while the framework offers valuable insights, it needs to be updated since the assumptions that it makes do not hold in practice. A new framework is proposed, built on the core ideas of Gambetta’s framework, and extended with results from a literature study of phishing and other sources. This framework has been used for finding possible solutions to problems in web browser interface design. Because the nature of authentication was found to be the observation of discriminatory signals the paper also discusses the ethical issues surrounding the use of credentials. We hope that this paper will help system designers in finding and choosing appropriate credentials for authentication. By using the proposed framework a system can be analysed for the presence of credentials that enable the discrimination between genuine users and impostors. The framework can also serve as a method for identifying the dynamics behind user verification of credentials. The two problems that the framework can help address are the impersonation of providers and the impersonation of users. Like much other security research the results of this paper can be misused by attackers. It is expected that the framework will be more useful for defenders than attackers, as it is of an analytical nature, and cannot be used directly in any attacks. Since this study is of an exploratory nature the findings of the study need to be verified through research with greater validity. The paper contains directions for further research.