Evaluation of Real-World Risk-Based Authentication at Online Services Revisited: Complexity Wins

Risk-based authentication (RBA) aims to protect end-users against attacks involving stolen or otherwise guessed passwords without requiring a second authentication method all the time. Online services typically set limits on what is still seen as normal and what is not, as well as the actions taken afterward. Consequently, RBA monitors different features, such as geolocation and device during login. If the features' values differ from the expected values, then a second authentication method might be requested. However, only a few online services publish information about how their systems work. This hinders not only RBA research but also its development and adoption in organizations. In order to understand how the RBA systems online services operate, black box testing is applied. To verify the results, we re-evaluate the three large providers: Google, Amazon, and Facebook. Based on our test setup and the test cases, we notice differences in RBA based on account creation at Google. Additionally, several test cases rarely trigger the RBA system. Our results provide new insights into RBA systems and raise several questions for future work

Honey Encryption for Language

Honey Encryption (HE), introduced by Juels and Ristenpart (Eurocrypt 2014), is an encryption paradigm designed to produce ciphertexts yielding plausible-looking but bogus plaintexts upon decryption with wrong keys. Thus brute-force attackers need to use additional information to determine whether they indeed found the correct key. At the end of their paper, Juels and Ristenpart leave as an open question the adaptation of honey encryption to natural language messages. A recent paper by Chatterjee et al. takes a mild attempt at the challenge and constructs a natural language honey encryption scheme relying on simple models for passwords. In this position paper we explain why this approach cannot be extended to reasonable-size human-written documents e.g. e-mails. We propose an alternative approach and evaluate its security

PIDE: physical intrusion detection for personal mobile devices

Tese de mestrado, Engenharia Informática (Arquitectura, Sistemas e Redes de Computadores), Universidade de Lisboa, Faculdade de Ciências, 2015Os dispositivos móveis pessoais, como smartphones e tablets, permitem guardar e aceder a dados pessoais a qualquer hora e em qualquer lugar. Estes dispositivos contêm cada vez mais informação sensível sobre os seus proprietários, incluindo códigos de acesso, mensagens de texto, registo de chamadas, contactos, fotos, vídeos e informações sobre a localização geográfica. Os utilizadores parecem conscientes do risco que estes dispositivos trazem à sua privacidade. As investigações dos problemas de segurança em dispositivos móveis são, em grande parte, sobre ameaças de software malicioso. No entanto, uma vez que os dispositivos móveis são frequentemente utilizados na presença de outros, a ameaça colocada por pessoas próximas, fisicamente ou socialmente, tem vindo a levantar vários problemas de privacidade. Um estudo aferiu que os dispositivos móveis de 14% dos utilizadores inquiridos já foi utilizado por outra pessoa sem a sua permissão. O mesmo estudo indicou que 9% dos utilizadores confessou ter utilizado o smartphone de outra pessoa com a finalidade de adquirir informações pessoais. Atualmente, o mecanismo de segurança mais comum contra intrusão física é a autenticação no ato de desbloqueio do dispositivo, seja por palavra-passe, PIN, padrão ou mesmo biométrica. Estes mecanismos de segurança são úteis quando um dispositivo é perdido ou roubado, mas ineficazes quando se trata de prevenir os amigos e a família de explorarem conteúdos num dispositivo. Os mecanismos de autenticação são vulneráveis a ataques de observação, que podem ser facilmente realizados por pessoas que pertencem ao mesmo círculo social. Por exemplo, um individuo próximo consegue facilmente descobrir um código de acesso, observando-o quando é introduzido, ou observando as marcas deixadas no ecrã tátil. Por outro lado, alguns utilizadores consideram que a autenticação é por vezes fastidiosa, já que as interações com estes dispositivos são curtas e frequentes. Por esse motivo, muitos utilizadores nunca chegam a configurar o mecanismo, ou apenas o utilizam temporariamente. Muitas vezes, por conveniência, necessidade ou até mesmo práticas sociais, os utilizadores de dispositivos móveis são encorajados a partilhá-los com outros. Normalmente, estes dispositivos são partilhados para tarefas muitos especificas, tais como fazer chamadas telefónicas, enviar mensagens de texto, navegar na internet e até mesmo jogar. Nestas situações, os utilizadores vêm-se muitas das vezes forçados a partilhar os seus códigos de desbloqueio. Por vezes, a recusa em fazê-lo conduz a situações sociais embaraçosas, A principal característica deste sistema é que executa as tarefas de deteção de intrusões e gravação de interações, de forma inconspícua, o que significa que o utilizador não se apercebe da sua execução. Assim, esta aplicação torna-se num mecanismo de segurança que não requer nenhuma interação explícita. Para concretizar o mecanismo de reconhecimento facial, utilizou-se a biblioteca Open- CV, que oferece algoritmos otimizados de deteção e reconhecimento facial, e a biblioteca JavaCV, que é uma interface em Java para OpenCV. Para registar as ações do utilizador, foram desenvolvidos dois mecanismos de gravação distintos: screencast e event-based recording. O mecanismo screencast captura screenshots; o proprietário visualiza posteriormente as ações dos utilizadores intrusos numa sequência de imagens. O mecanismo event-based recording é baseado em eventos de acessibilidade, que são mensagens lançadas pelo sistema operativo enquanto o utilizador interage com o dispositivo. Através destes eventos é possível adquirir dados suficientes para conhecer as interações que o utilizador executou no dispositivo e produzir uma lista de aplicações utilizadas e ações executadas em cada uma das aplicações. Para validar este sistema de deteção de intrusões, foram realizados dois estudos com utilizadores. Um estudo de laboratório que tinha como objetivo, não só examinar preocupações emergentes dos utilizadores em relação à privacidade e ao uso dos seus dispositivos por terceiros, mas também identificar mecanismos de defesa e, finalmente, demonstrar a aplicação desenvolvida e compreender de que forma os participantes planeariam utilizar esta ferramenta e se a consideram útil e adequada às suas necessidades. Posteriormente foi elaborado um estudo de campo, que permitiu aos participantes utilizarem a aplicação durante um período alargado de tempo, com o objetivo de compreender como é que os utilizadores adotaram a aplicação. Os resultados indicam que a abordagem dos Sistemas de Deteção de Intrusões se adequa à proteção de conteúdos em situações de partilha do dispositivo e em situações em que a autenticação é insuficiente. Por um lado, funciona como um mecanismo dissuasor, por outro funciona como uma ferramenta que informa o proprietário de quem utilizou o dispositivo e com que propósito. Esta abordagem também é adequada às necessidades dos utilizadores em termos de segurança usável, nomeadamente através da oferta de uma medida de segurança que não exige que os utilizadores despendam esforço em cada interação com o dispositivo.Authentication mechanisms are useful when a device is lost or stolen, but ineffective when it comes to preventing friends and family from snooping through contents. Most unlock authentication methods are vulnerable to observation attacks than can easily be performed by those in a close social circle. Moreover, unlock authentication does not address the common use case of device sharing. Intrusion Detection and Response Systems (IDRS) are based on the assumption that a system will eventually be attacked, and are widely used in network systems as an additional security measure that works around authentication flaws. The main contribution of this work was the design and development of an inconspicuous IDRS for Android smartphones, called Auric. A parallel contribution was the evaluation of the adequacy of that approach, intended to dissuade socially-close adversaries from snooping through device contents. This system runs on the background and attempts to determine, through face recognition, if the device is being operated by the owner. If it is not, it starts recording user actions, which can later be reviewed by the owner. We conducted a laboratory study to examine users concerns over other people looking through their data, and to present the system to participants. We also conducted a field study, where participants used the system for an extended period of time, in order to understand how they adopted it. Results indicate that the IDRS approach addresses previously unmet needs, namely by offering a security measure that does not require users to expend effort in every interaction with the device

Risks and potentials of graphical and gesture-based authentication for touchscreen mobile devices

While a few years ago, mobile phones were mainly used for making phone calls and texting short messages, the functionality of mobile devices has massively grown. We are surfing the web, sending emails and we are checking our bank accounts on the go. As a consequence, these internet-enabled devices store a lot of potentially sensitive data and require enhanced protection. We argue that authentication often represents the only countermeasure to protect mobile devices from unwanted access. Knowledge-based concepts (e.g., PIN) are the most used authentication schemes on mobile devices. They serve as the main protection barrier for many users and represent the fallback solution whenever alternative mechanisms fail (e.g., fingerprint recognition). This thesis focuses on the risks and potentials of gesture-based authentication concepts that particularly exploit the touch feature of mobile devices. The contribution of our work is threefold. Firstly, the problem space of mobile authentication is explored. Secondly, the design space is systematically evaluated utilizing interactive prototypes. Finally, we provide generalized insights into the impact of specific design factors and present recommendations for the design and the evaluation of graphical gesture-based authentication mechanisms. The problem space exploration is based on four research projects that reveal important real-world issues of gesture-based authentication on mobile devices. The first part focuses on authentication behavior in the wild and shows that the mobile context makes great demands on the usability of authentication concepts. The second part explores usability features of established concepts and indicates that gesture-based approaches have several benefits in the mobile context. The third part focuses on observability and presents a prediction model for the vulnerability of a given grid-based gesture. Finally, the fourth part investigates the predictability of user-selected gesture-based secrets. The design space exploration is based on a design-oriented research approach and presents several practical solutions to existing real-world problems. The novel authentication mechanisms are implemented into working prototypes and evaluated in the lab and the field. In the first part, we discuss smudge attacks and present alternative authentication concepts that are significantly more secure against such attacks. The second part focuses on observation attacks. We illustrate how relative touch gestures can support eyes-free authentication and how they can be utilized to make traditional PIN-entry secure against observation attacks. The third part addresses the problem of predictable gesture choice and presents two concepts which nudge users to select a more diverse set of gestures. Finally, the results of the basic research and the design-oriented applied research are combined to discuss the interconnection of design space and problem space. We contribute by outlining crucial requirements for mobile authentication mechanisms and present empirically proven objectives for future designs. In addition, we illustrate a systematic goal-oriented development process and provide recommendations for the evaluation of authentication on mobile devices.Während Mobiltelefone vor einigen Jahren noch fast ausschließlich zum Telefonieren und zum SMS schreiben genutzt wurden, sind die Anwendungsmöglichkeiten von Mobilgeräten in den letzten Jahren erheblich gewachsen. Wir surfen unterwegs im Netz, senden E-Mails und überprüfen Bankkonten. In der Folge speichern moderne internetfähigen Mobilgeräte eine Vielfalt potenziell sensibler Daten und erfordern einen erhöhten Schutz. In diesem Zusammenhang stellen Authentifizierungsmethoden häufig die einzige Möglichkeit dar, um Mobilgeräte vor ungewolltem Zugriff zu schützen. Wissensbasierte Konzepte (bspw. PIN) sind die meistgenutzten Authentifizierungssysteme auf Mobilgeräten. Sie stellen für viele Nutzer den einzigen Schutzmechanismus dar und dienen als Ersatzlösung, wenn alternative Systeme (bspw. Fingerabdruckerkennung) versagen. Diese Dissertation befasst sich mit den Risiken und Potenzialen gestenbasierter Konzepte, welche insbesondere die Touch-Funktion moderner Mobilgeräte ausschöpfen. Der wissenschaftliche Beitrag dieser Arbeit ist vielschichtig. Zum einen wird der Problemraum mobiler Authentifizierung erforscht. Zum anderen wird der Gestaltungsraum anhand interaktiver Prototypen systematisch evaluiert. Schließlich stellen wir generelle Einsichten bezüglich des Einflusses bestimmter Gestaltungsaspekte dar und geben Empfehlungen für die Gestaltung und Bewertung grafischer gestenbasierter Authentifizierungsmechanismen. Die Untersuchung des Problemraums basiert auf vier Forschungsprojekten, welche praktische Probleme gestenbasierter Authentifizierung offenbaren. Der erste Teil befasst sich mit dem Authentifizierungsverhalten im Alltag und zeigt, dass der mobile Kontext hohe Ansprüche an die Benutzerfreundlichkeit eines Authentifizierungssystems stellt. Der zweite Teil beschäftigt sich mit der Benutzerfreundlichkeit etablierter Methoden und deutet darauf hin, dass gestenbasierte Konzepte vor allem im mobilen Bereich besondere Vorzüge bieten. Im dritten Teil untersuchen wir die Beobachtbarkeit gestenbasierter Eingabe und präsentieren ein Vorhersagemodell, welches die Angreifbarkeit einer gegebenen rasterbasierten Geste abschätzt. Schließlich beschäftigen wir uns mit der Erratbarkeit nutzerselektierter Gesten. Die Untersuchung des Gestaltungsraums basiert auf einem gestaltungsorientierten Forschungsansatz, welcher zu mehreren praxisgerechte Lösungen führt. Die neuartigen Authentifizierungskonzepte werden als interaktive Prototypen umgesetzt und in Labor- und Feldversuchen evaluiert. Im ersten Teil diskutieren wir Fettfingerattacken ("smudge attacks") und präsentieren alternative Authentifizierungskonzepte, welche effektiv vor diesen Angriffen schützen. Der zweite Teil beschäftigt sich mit Angriffen durch Beobachtung und verdeutlicht wie relative Gesten dazu genutzt werden können, um blickfreie Authentifizierung zu gewährleisten oder um PIN-Eingaben vor Beobachtung zu schützen. Der dritte Teil beschäftigt sich mit dem Problem der vorhersehbaren Gestenwahl und präsentiert zwei Konzepte, welche Nutzer dazu bringen verschiedenartige Gesten zu wählen. Die Ergebnisse der Grundlagenforschung und der gestaltungsorientierten angewandten Forschung werden schließlich verknüpft, um die Verzahnung von Gestaltungsraum und Problemraum zu diskutieren. Wir präsentieren wichtige Anforderungen für mobile Authentifizierungsmechanismen und erläutern empirisch nachgewiesene Zielvorgaben für zukünftige Konzepte. Zusätzlich zeigen wir einen zielgerichteten Entwicklungsprozess auf, welcher bei der Entwicklung neuartiger Konzepte helfen wird und geben Empfehlungen für die Evaluation mobiler Authentifizierungsmethoden

A Comprehensive Security Framework for Securing Sensors in Smart Devices and Applications

This doctoral dissertation introduces novel security frameworks to detect sensor-based threats on smart devices and applications in smart settings such as smart home, smart office, etc. First, we present a formal taxonomy and in-depth impact analysis of existing sensor-based threats to smart devices and applications based on attack characteristics, targeted components, and capabilities. Then, we design a novel context-aware intrusion detection system, 6thSense, to detect sensor-based threats in standalone smart devices (e.g., smartphone, smart watch, etc.). 6thSense considers user activity-sensor co-dependence in standalone smart devices to learn the ongoing user activity contexts and builds a context-aware model to distinguish malicious sensor activities from benign user behavior. Further, we develop a platform-independent context-aware security framework, Aegis, to detect the behavior of malicious sensors and devices in a connected smart environment (e.g., smart home, offices, etc.). Aegis observes the changing patterns of the states of smart sensors and devices for user activities in a smart environment and builds a contextual model to detect malicious activities considering sensor-device-user interactions and multi-platform correlation. Then, to limit unauthorized and malicious sensor and device access, we present, kratos, a multi-user multi-device-aware access control system for smart environment and devices. kratos introduces a formal policy language to understand diverse user demands in smart environment and implements a novel policy negotiation algorithm to automatically detect and resolve conflicting user demands and limit unauthorized access. For each contribution, this dissertation presents novel security mechanisms and techniques that can be implemented independently or collectively to secure sensors in real-life smart devices, systems, and applications. Moreover, each contribution is supported by several user and usability studies we performed to understand the needs of the users in terms of sensor security and access control in smart devices and improve the user experience in these real-time systems

Risks and potentials of graphical and gesture-based authentication for touchscreen mobile devices

While a few years ago, mobile phones were mainly used for making phone calls and texting short messages, the functionality of mobile devices has massively grown. We are surfing the web, sending emails and we are checking our bank accounts on the go. As a consequence, these internet-enabled devices store a lot of potentially sensitive data and require enhanced protection. We argue that authentication often represents the only countermeasure to protect mobile devices from unwanted access. Knowledge-based concepts (e.g., PIN) are the most used authentication schemes on mobile devices. They serve as the main protection barrier for many users and represent the fallback solution whenever alternative mechanisms fail (e.g., fingerprint recognition). This thesis focuses on the risks and potentials of gesture-based authentication concepts that particularly exploit the touch feature of mobile devices. The contribution of our work is threefold. Firstly, the problem space of mobile authentication is explored. Secondly, the design space is systematically evaluated utilizing interactive prototypes. Finally, we provide generalized insights into the impact of specific design factors and present recommendations for the design and the evaluation of graphical gesture-based authentication mechanisms. The problem space exploration is based on four research projects that reveal important real-world issues of gesture-based authentication on mobile devices. The first part focuses on authentication behavior in the wild and shows that the mobile context makes great demands on the usability of authentication concepts. The second part explores usability features of established concepts and indicates that gesture-based approaches have several benefits in the mobile context. The third part focuses on observability and presents a prediction model for the vulnerability of a given grid-based gesture. Finally, the fourth part investigates the predictability of user-selected gesture-based secrets. The design space exploration is based on a design-oriented research approach and presents several practical solutions to existing real-world problems. The novel authentication mechanisms are implemented into working prototypes and evaluated in the lab and the field. In the first part, we discuss smudge attacks and present alternative authentication concepts that are significantly more secure against such attacks. The second part focuses on observation attacks. We illustrate how relative touch gestures can support eyes-free authentication and how they can be utilized to make traditional PIN-entry secure against observation attacks. The third part addresses the problem of predictable gesture choice and presents two concepts which nudge users to select a more diverse set of gestures. Finally, the results of the basic research and the design-oriented applied research are combined to discuss the interconnection of design space and problem space. We contribute by outlining crucial requirements for mobile authentication mechanisms and present empirically proven objectives for future designs. In addition, we illustrate a systematic goal-oriented development process and provide recommendations for the evaluation of authentication on mobile devices.Während Mobiltelefone vor einigen Jahren noch fast ausschließlich zum Telefonieren und zum SMS schreiben genutzt wurden, sind die Anwendungsmöglichkeiten von Mobilgeräten in den letzten Jahren erheblich gewachsen. Wir surfen unterwegs im Netz, senden E-Mails und überprüfen Bankkonten. In der Folge speichern moderne internetfähigen Mobilgeräte eine Vielfalt potenziell sensibler Daten und erfordern einen erhöhten Schutz. In diesem Zusammenhang stellen Authentifizierungsmethoden häufig die einzige Möglichkeit dar, um Mobilgeräte vor ungewolltem Zugriff zu schützen. Wissensbasierte Konzepte (bspw. PIN) sind die meistgenutzten Authentifizierungssysteme auf Mobilgeräten. Sie stellen für viele Nutzer den einzigen Schutzmechanismus dar und dienen als Ersatzlösung, wenn alternative Systeme (bspw. Fingerabdruckerkennung) versagen. Diese Dissertation befasst sich mit den Risiken und Potenzialen gestenbasierter Konzepte, welche insbesondere die Touch-Funktion moderner Mobilgeräte ausschöpfen. Der wissenschaftliche Beitrag dieser Arbeit ist vielschichtig. Zum einen wird der Problemraum mobiler Authentifizierung erforscht. Zum anderen wird der Gestaltungsraum anhand interaktiver Prototypen systematisch evaluiert. Schließlich stellen wir generelle Einsichten bezüglich des Einflusses bestimmter Gestaltungsaspekte dar und geben Empfehlungen für die Gestaltung und Bewertung grafischer gestenbasierter Authentifizierungsmechanismen. Die Untersuchung des Problemraums basiert auf vier Forschungsprojekten, welche praktische Probleme gestenbasierter Authentifizierung offenbaren. Der erste Teil befasst sich mit dem Authentifizierungsverhalten im Alltag und zeigt, dass der mobile Kontext hohe Ansprüche an die Benutzerfreundlichkeit eines Authentifizierungssystems stellt. Der zweite Teil beschäftigt sich mit der Benutzerfreundlichkeit etablierter Methoden und deutet darauf hin, dass gestenbasierte Konzepte vor allem im mobilen Bereich besondere Vorzüge bieten. Im dritten Teil untersuchen wir die Beobachtbarkeit gestenbasierter Eingabe und präsentieren ein Vorhersagemodell, welches die Angreifbarkeit einer gegebenen rasterbasierten Geste abschätzt. Schließlich beschäftigen wir uns mit der Erratbarkeit nutzerselektierter Gesten. Die Untersuchung des Gestaltungsraums basiert auf einem gestaltungsorientierten Forschungsansatz, welcher zu mehreren praxisgerechte Lösungen führt. Die neuartigen Authentifizierungskonzepte werden als interaktive Prototypen umgesetzt und in Labor- und Feldversuchen evaluiert. Im ersten Teil diskutieren wir Fettfingerattacken ("smudge attacks") und präsentieren alternative Authentifizierungskonzepte, welche effektiv vor diesen Angriffen schützen. Der zweite Teil beschäftigt sich mit Angriffen durch Beobachtung und verdeutlicht wie relative Gesten dazu genutzt werden können, um blickfreie Authentifizierung zu gewährleisten oder um PIN-Eingaben vor Beobachtung zu schützen. Der dritte Teil beschäftigt sich mit dem Problem der vorhersehbaren Gestenwahl und präsentiert zwei Konzepte, welche Nutzer dazu bringen verschiedenartige Gesten zu wählen. Die Ergebnisse der Grundlagenforschung und der gestaltungsorientierten angewandten Forschung werden schließlich verknüpft, um die Verzahnung von Gestaltungsraum und Problemraum zu diskutieren. Wir präsentieren wichtige Anforderungen für mobile Authentifizierungsmechanismen und erläutern empirisch nachgewiesene Zielvorgaben für zukünftige Konzepte. Zusätzlich zeigen wir einen zielgerichteten Entwicklungsprozess auf, welcher bei der Entwicklung neuartiger Konzepte helfen wird und geben Empfehlungen für die Evaluation mobiler Authentifizierungsmethoden