It’s up to you to see the phish at the election ballot box

To be sure that your vote really counts, it’s up to you to look out for phish on the ballot.

But according to new research from the University of Michigan, that’s not what people actually do. Only 4 out of 10 bothered to review their printed ballots at all if they weren’t prompted to do so — and only one out of 15 noticed that something was wrong with their ballot.

Ballot marking devices (BMDs) that let voters pick their candidates on a touch screen, print out a paper ballot that can be reviewed, then scanned for counting would seem to be a good thing. They potentially enhance election security by enabling all the advantages of both electronic and paper voting. Sounds great, it’s just that the vast majority of voters completely skipped the review step between voting and scanning. This means they are vulnerable to electoral phish – and that a hackers’ attempts to change what is printed out would go largely undetected.

Can an election be hacked?

The potential of someone stepping into the process by hacking the ballot printing process — and the likelihood of people catching this nefarious activity – was the big question mark in these researchers’ heads.

Electronic voting machines have known security issues and hacking vulnerabilities. This autumn, a Pennsylvania election had problems in their BMD machines. Instead of winning the election by a thousand votes, only 15 votes were registered for the candidate. It’s not just a single device manufacturer either. The “Voting Village” at the DefCon IT security conference looked into a hundred voting machines and found hackable vulnerabilities in every one of them. While there are no publicly known cases of an election being swayed by bad technology or hackers – the real risk exists.

People usually  will not verify their choices

For their test, they bought three voting machines, made a sample ballot for a mock election, and then had 241 people vote on the devices at the local library. But when each of the voters printed out their ballots to be scanned, the researchers also added an error to it. Yet only 40% of the voters checked their ballots with only 6.6 percent noticing something was amiss and reported it to the election officials.

Warning signs are not enough

Putting a sign up warning people to check their ballots wasn’t effective. A verbal reminder was marginally effective, boosting detection up to 16%. Having a ballot cheat sheet, known professionally as a slate, was by far the most effective, boosting detection rates to 85.7% in some scenarios.

Phishing for an election

Tweaking the ballot after the voter has made their decision is electoral phishing – passing off something fraudulent that really looks and works like the real thing. Researchers proved this technique fooled the vast majority of their test group by hitting them in an unexpected location – right in the middle of the transaction. The best defense is that of a careful, skeptical online shopper – look out for unusual texts and device behavior, double check if amounts and purchases are correct, and take action if there is an issue.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.