Evaluating Login Challenges as aDefense Against Account Takeover

Doerfler, Periwinkle; Thomas, Kurt; Marincenko, Maija; Ranieri, Juri; Jiang, Yu; Moscicki, Angelika; McCoy, Damon

doi:10.1145/3308558.3313481

Cited by 30 publications

(21 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…none of them thinks they're going to be targeted for cybersecurity attacks." -A participant Account lockout is a real risk with 2FA [28]. However, it seemed that the population overestimated the likelihood or frequency of this happening, and underestimated the importance of using stronger account security protections given the threats they face.…”

Section: Accounts and Authenticationmentioning

confidence: 99%

"Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns

Consolvo,

Kelley,

Matthews

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

People who are involved with political campaigns face increased digital security threats from well-funded, sophisticated attackers, especially nation-states. Improving political campaign security is a vital part of protecting democracy. To identify campaign security issues, we conducted qualitative research with 28 participants across the U.S. political spectrum to understand the digital security practices, challenges, and perceptions of people involved in campaigns. A main, overarching finding is that a unique combination of threats, constraints, and work culture lead people involved with political campaigns to use technologies from across platforms and domains in ways that leave them-and democracy-vulnerable to security attacks. Sensitive data was kept in a plethora of personal and work accounts, with ad hoc adoption of strong passwords, two-factor authentication, encryption, and access controls. No individual company, committee, organization, campaign, or academic institution can solve the identified problems on their own. To this end, we provide an initial understanding of this complex problem space and recommendations for how a diverse group of experts can begin working together to improve security for political campaigns.

show abstract

Section: Accounts and Authenticationmentioning

confidence: 99%

"Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns

Consolvo,

Kelley,

Matthews

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…We annotate each user with whether they have adopted some form of two-factor authentication (e.g., SMS, device prompts) for their Google account, or established an account recovery mechanism via a secondary email account or phone number. These features allow us to examine whether users who are aware of their elevated risk status adopt critical account hygiene protections that would help protect against phishing attacks and some malware [14].…”

Section: User Annotationsmentioning

confidence: 99%

“…Prior work has shown that phishing attacks often have a disparate impact on their targets, suggesting a need for personalizing defenses to protect the most at-risk users [9,46,51]. Such personalization becomes necessary since requiring additional defenses often means imposing additional usability costs on users [12,14,35]. Our study presents a first step towards designing a system that automatically identifies the subset of users requiring such heightened protections.…”

Section: Introductionmentioning

confidence: 99%

“…In response, tailored protections have started to emerge for "at-risk" individuals, including Google's Advanced Protection Program [22] and Microsoft's AccountGuard [40]. A key challenge in this space, however, is automatically identifying who is at-risk, as applying heightened protections to a broad user base incurs both a financial and usability cost [12,14,35].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Who is targeted by email-based phishing and malware?

Simoiu

Zand

Thomas

et al. 2020

Proceedings of the ACM Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

As technologies to defend against phishing and malware often impose an additional financial and usability cost on users (such as security keys), a question remains as to who should adopt these heightened protections. We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. We find that attack campaigns are typically short-lived and at first glance indiscriminately target users on a global scale. However, by modeling the distribution of targeted users, we find that a person's demographics, location, email usage patterns, and security posture all significantly influence the likelihood of attack. Our findings represent a first step towards empirically identifying the most at-risk users.

show abstract

“…Doerfler et al [7] evaluated the effectiveness of Google's re-authentication challenges by analyzing login attempt data. Their results showed that code-based re-authentication protected against more than 90% of all phishing attempts.…”

Section: Related Workmentioning

confidence: 99%

ICT Systems Security and Privacy Protection

Hölbl

Rannenberg

Welzer

2020

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests for an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects were not studied so far. We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a betweengroup study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing neither its security properties nor its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when perceived for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.

show abstract

Evaluating Login Challenges as aDefense Against Account Takeover

Cited by 30 publications

References 12 publications

"Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns

"Why wouldn't someone think of democracy as a target?": Security practices & challenges of people involved with U.S. political campaigns

Who is targeted by email-based phishing and malware?

ICT Systems Security and Privacy Protection

Contact Info

Product

Resources

About