Inconsistent, Incomplete, and Insecure: A Survey of Account Security Interfaces

Arkaprabha Bhattacharya and Alaa Daffalla, Cornell University; Kevin Lee, Independent Researcher; Rosanna Bellini, New York University; Nicola Dell, Cornell Tech; Thomas Ristenpart, University of Toronto & Cornell Tech

Despite improvements in account security, compromise remains widespread and damaging, especially when the attacker has close physical or social proximity to the victim (e.g., in interpersonal abuse settings). To help users identify unauthorized access, web services provide account security interfaces (ASIs): notifications and logs that give users information from which to infer adversarial compromise. We present the largest measurement study of ASIs to date, evaluating 100 popular services.

Our study highlights an unsatisfying status quo: 29 services provided users with no way to distinguish account accesses. After categorizing ASIs using a new typology, we show that services were inconsistent in the types they deployed. Further, ASIs were often incomplete and confusing, even for expert researchers. Finally, of 61 services that offered an ASI to convey device or location descriptions, 41 (67.2%) were vulnerable to spoofing attacks that successfully obfuscate the source of the access. Based on these findings, we present six principles for improving future ASI deployments.
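The spoofing finding above concerns the device and location descriptions that ASIs show. As an added example (not code from the paper or from any of the surveyed services), the Python below models the device half of that problem: a naive ASI entry that derives its description from the client-controlled User-Agent header, which an attacker who reuses the victim's User-Agent string renders identically, beside a hardened entry that also reports a server-side signal (whether the device cookie has been seen before). The regex patterns, the `LoginEvent` fields, the device-cookie design, and the sample events and IPs are all constructed assumptions for illustration.

```python
"""Added example (not from the paper): a toy ASI login log showing why
User-Agent-derived device descriptions are spoofable, and a hardened
rendering that adds a signal the client cannot forge by editing headers.
All events, IPs and cookie values below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user_agent: str     # client-controlled header
    ip: str             # source address as seen by the server
    device_cookie: str  # long-lived cookie set at first login (assumed design)


# Hypothetical OS/browser patterns, in the order a naive ASI would need
# to test them (iPhone UAs also contain "Mac OS X"; Chrome UAs also
# contain "Safari/"; Android UAs also contain "Linux").
_OS_PATTERNS = [
    (re.compile(r"iPhone"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Mac OS X"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]
_BROWSER_PATTERNS = [
    (re.compile(r"Firefox/"), "Firefox"),
    (re.compile(r"Chrome/"), "Chrome"),
    (re.compile(r"Safari/"), "Safari"),
]


def _first_match(patterns, ua: str, default: str = "Unknown") -> str:
    for pat, name in patterns:
        if pat.search(ua):
            return name
    return default


def naive_description(ev: LoginEvent) -> str:
    """Description a UA-only ASI would show: entirely attacker-controlled."""
    browser = _first_match(_BROWSER_PATTERNS, ev.user_agent)
    os_name = _first_match(_OS_PATTERNS, ev.user_agent)
    return f"{browser} on {os_name}"


def hardened_description(ev: LoginEvent, known_cookies: set[str]) -> str:
    """Same text plus two server-observed facts: whether this device cookie
    has logged in before, and the source IP. Copying a UA string does not
    change either."""
    status = "known device" if ev.device_cookie in known_cookies else "NEW device"
    return f"{naive_description(ev)} ({status}, from {ev.ip})"


# Constructed events. The attacker has learned the victim's UA string
# (e.g., from a shared machine) and sends it verbatim from another host.
_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
VICTIM = LoginEvent(_UA, "203.0.113.10", "cookie-victim-1")
ATTACKER = LoginEvent(_UA, "198.51.100.7", "cookie-attacker-9")


def spoofing_demo() -> dict:
    """Render both logins through both ASI styles."""
    known = {VICTIM.device_cookie}
    return {
        "naive_victim": naive_description(VICTIM),
        "naive_attacker": naive_description(ATTACKER),
        "hardened_victim": hardened_description(VICTIM, known),
        "hardened_attacker": hardened_description(ATTACKER, known),
    }


if __name__ == "__main__":
    for label, text in spoofing_demo().items():
        print(f"{label:18} {text}")
```

In the naive rendering the two logins are indistinguishable ("Chrome on Windows" twice), which is the obfuscation the survey measures; the hardened rendering flags the attacker's login as a new device from a different address. The caveat that matters for the threat model in the abstract: when the attacker has physical access to the victim's own device, the device cookie and often the IP are the victim's too, so this signal alone does not separate the accesses, and location text derived from IP geolocation is not modeled here at all.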
