2,167 research outputs found

    Exploiting Human Factors in User Authentication

    Our overarching issue in security is the human factor, and dealing with it is perhaps one of the biggest challenges we face today. The human factor is often described as the weakest part of a security system, and users are often described as the weakest link in the security chain. In this thesis, we focus on two problems which are caused by human factors in user authentication and propose respective solutions. a) Secrecy information inference attack: publicly available information can be used to infer some secrecy information about the user. b) Coercion attack: an attacker forces a user to hand over his/her secret information such as account details and password. In the secrecy information inference attack, an attacker can use publicly available data to infer secrecy information about a victim. We should be prudent in choosing any information as secrecy information in user authentication. In this work, we exploit public data extracted from Facebook to infer users' interests. Such interests can also be found on their profile pages, but such pages are often private. Our experiments, conducted on more than 34,000 public pages collected from Facebook, show that our inference technique can infer interests which are often hidden by users with moderate accuracy. Using the inferred interests, we also demonstrate a secrecy information inference attack to break a preference-based backup authentication system, BlueMoon™. To mitigate the effect of the secrecy information inference attack, we propose a new authentication mechanism based on the user's cellphone usage data, which is often private. The system generates memorable and dynamic fingerprints which can be used to create authentication challenges. In particular, in this work, we explore whether the generated behavioral fingerprints are memorable enough to be remembered by end users and used as authentication credentials.
We demonstrate the application of memorable fingerprints by designing an authentication application on top of them. We conducted an extensive user study that involved collecting about one month of continuous usage data from 58 Symbian and Android smartphone users. Results show that the fingerprints generated are remembered by the user to some extent and that they were moderately secure against attacks even by family members and close friends. The second problem on which we focus in this thesis is human vulnerability to coercion attacks. In such attacks, the user is forcefully asked by an attacker to reveal the secret/key to gain access to the system. Most authentication mechanisms today are vulnerable to coercion attacks. We present a novel approach to generating cryptographic keys to fight against coercion attacks. Our technique incorporates a measure of the user's emotional status using skin conductance (which changes when the user is under coercion) into the key generation process. A preliminary user study with 39 subjects was conducted, which shows that our approach has moderate false acceptance and false rejection rates. Furthermore, to meet the demand for scalability and usability, many real-world authentication systems have adopted the idea of responsibility shifting, where a user's responsibility for authentication is shifted to another entity, usually in case of failure of the primary authentication method. In a responsibility shifting authentication scenario, a human helper who is involved in regaining access is vulnerable to coercion attacks. In this work, we report our user study on 29 participants, which investigates the helper's emotional status when being coerced to assist in an attack. Results show that the coercion causes involuntary skin conductance fluctuation in the helper, which indicates that he/she is nervous and stressed.
The results from the two studies show that skin conductance is a viable approach to fight against coercion attacks in user authentication.

    Unique Identity Project in India: A Divine Dream or a Miscalculated Heroism?

    The Unique Identity Project in India is a flagship project, as highlighted by the Government of India, and is being portrayed as a panacea for all ills that exist in the country. Although only time can tell about the efficiency and efficacy of the project, the very launch of this exercise has made it the largest biometric-based identity-disbursing e-government project in the world. This paper tries to put the current UID project of India into perspective, to evaluate the set of issues and concerns pointed out by various stakeholders, and to understand the degree of criticality of those arguments. In this light, the areas of concern around the UID project in India are also pointed out. Given that this is the largest IT project in any government globally, the topic is of immense significance besides being timely, and the discussion can provide impetus to a series of research activities in the areas of public policy and Information Systems planning and execution, as well as to appreciating the risks associated with such large initiatives.

    Between surveillance and recognition: rethinking digital identity in aid

    Identification technologies like biometrics have long been associated with securitisation, coercion and surveillance but have also, in recent years, become constitutive of a politics of empowerment, particularly in contexts of international aid. Aid organisations tend to see digital identification technologies as tools of recognition and inclusion rather than oppressive forms of monitoring, tracking and top-down control. In addition, practices that many critical scholars describe as aiding surveillance are often experienced differently by humanitarian subjects. This commentary examines the fraught questions this raises for scholars of international aid, surveillance studies and critical data studies. We put forward a research agenda that tackles head-on how critical theories of data and society can better account for the ambivalent dynamics of ‘power over’ and ‘power to’ that digital aid interventions instantiate.

    Inheritance Forgery

    Many venerable norms in inheritance law were designed to prevent forgery. Most prominently, since 1837, the Wills Act has required testators to express their last wishes in a signed and witnessed writing. Likewise, the court-supervised probate process helped ensure that a donative instrument was genuine and that assets passed to their rightful owners. But in the mid-twentieth century, concern about forgery waned. Based in part on the perception that counterfeit estate plans are rare, several states relaxed the Wills Act and authorized new formalities for notarized and even digital wills. In addition, lawmakers encouraged owners to bypass probate altogether by transmitting wealth through devices such as life insurance and transfer-on-death deeds. This Article offers a fresh look at inheritance-related forgery. Cutting against the conventional wisdom, it discovers that counterfeit donative instruments are a serious problem. Using reported cases, empirical research, grand jury investigations, and media stories, it reveals that courts routinely adjudicate credible claims that wills, deeds, and life insurance beneficiary designations are illegitimate. The Article then argues that the persistence of inheritance-related forgeries casts doubt on the wisdom of some recent innovations, including statutes that permit notarized and electronic wills. The Article also challenges well-established inheritance law norms, including the litigation presumptions in will-forgery contests, the widespread practice of rubber-stamping deeds, and the delegation of responsibility for authenticating a nonprobate transfer to private companies. Finally, the Article outlines reforms to modernize succession while remaining sensitive to the risks of forgery.

    Organizations, state and power struggles in the age of digitalization and datafication

    Digitalization and its related datafication processes have become an important line of inquiry in organizational research. This is owed to the fact that digital technologies are becoming ubiquitous in the social sphere and have a profound impact on shaping organizations, fields, and society alike. Recent literature is also problematizing the dark side of digitalization, which contributes to the growing power of corporations while subjecting citizens to disempowering positions. In acknowledging its growing influence across society, this thesis seeks to uncover the role of societal actors in both organizing and resisting the power of digitalization by exploring the following: how are relations of power and resistance organized between business, state, and citizens in relation to digitalization? After briefly making the case for such investigation in the introductory chapter, the second chapter undertakes a qualitative content analysis to uncover how resistance is organized against the datafication practices of corporations, as well as the efficacy of such challenges. The third chapter explores the role of the state in protecting citizens’ online privacy through regulatory measures. The fourth chapter adopts a historical case study analysis to present a different side of the state, one which acts in tandem with economic actors and tech elites to promote digitalization in society. Taken together, this thesis reveals insights regarding how organized resistance and state action can both challenge and sustain the power of private corporations’ datafication practices. Furthermore, the socially constructed nature of organizing digitalization is highlighted as an active site of persuasion and contestation between the involved actors.

    Women, Responsibility, and the Military
