SECURITY AND USER EXPERIENCE: A HOLISTIC MODEL FOR CAPTCHA USABILITY ISSUES

CAPTCHA is a widely adopted security measure in the Web, and is designed to effectively distinguish humans and bots by exploiting human’s ability to recognize patterns that an automated bot is incapable of. To counter this, bots are being designed to recognize patterns in CAPTCHAs. As a result, CAPTCHAs are now being designed to maximize the difficulty for bots to pass human interaction proof tests, while making it quite an arduous task even for humans as well. The approachability of CAPTCHA is increasingly being questioned because of the inconvenience it causes to legitimate users. Irrespective of the popularity, CAPTCHA is indispensable if one wants to avoid potential security threats. We investigated the usability issues associated with CAPTCHA. We built a holistic model by identifying the important concepts associated with CAPTCHAs and its usability. This model can be used as a guide for the design and evaluation of CAPTCHAs

Does the online card payment system unwittingly facilitate fraud?

PhD ThesisThe research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are the transactions which include payments performed with a card over the Internet on the websites, and over the phone. Our detailed analysis on hundreds of websites and on multiple CNP payment protocols justifies that the current security architecture of CNP payment system is not adequate enough to protect itself from fraud. Unintentionally, the payment system itself will allow an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the latest designed payment protocols like 3D Secure 2.0. We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The analysis methodology comprises of UML diagrams and reference tables which describe the CNP payment protocol sequences, software tools which implements the protocol and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of the vulnerability in the payment specifications. We use practical demonstrations to show that these vulnerabilities can be exploited in the real-world with ease. This presents a stronger impact message when presenting our research results to a nontechnical audience. This has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T

How WEIRD is Usable Privacy and Security Research? (Extended Version)

In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide the suggestions including facilitate replication studies, address geographic and linguistic issues of study/recruitment methods, and facilitate research on the topics for non-WEIRD populations.Comment: This paper is the extended version of the paper presented at USENIX SECURITY 202

From Understanding Telephone Scams to Implementing Authenticated Caller ID Transmission

abstract: The telephone network is used by almost every person in the modern world. With the rise of Internet access to the PSTN, the telephone network today is rife with telephone spam and scams. Spam calls are significant annoyances for telephone users, unlike email spam, spam calls demand immediate attention. They are not only significant annoyances but also result in significant financial losses in the economy. According to complaint data from the FTC, complaints on illegal calls have made record numbers in recent years. Americans lose billions to fraud due to malicious telephone communication, despite various efforts to subdue telephone spam, scam, and robocalls. In this dissertation, a study of what causes the users to fall victim to telephone scams is presented, and it demonstrates that impersonation is at the heart of the problem. Most solutions today primarily rely on gathering offending caller IDs, however, they do not work effectively when the caller ID has been spoofed. Due to a lack of authentication in the PSTN caller ID transmission scheme, fraudsters can manipulate the caller ID to impersonate a trusted entity and further a variety of scams. To provide a solution to this fundamental problem, a novel architecture and method to authenticate the transmission of the caller ID is proposed. The solution enables the possibility of a security indicator which can provide an early warning to help users stay vigilant against telephone impersonation scams, as well as provide a foundation for existing and future defenses to stop unwanted telephone communication based on the caller ID information.Dissertation/ThesisDoctoral Dissertation Computer Science 201

AN ENHANCEMENT ON TARGETED PHISHING ATTACKS IN THE STATE OF QATAR

The latest report by Kaspersky on Spam and Phishing, listed Qatar as one of the top 10 countries by percentage of email phishing and targeted phishing attacks. Since the Qatari economy has grown exponentially and become increasingly global in nature, email phishing and targeted phishing attacks have the capacity to be devastating to the Qatari economy, yet there are no adequate measures put in place such as awareness training programmes to minimise these threats to the state of Qatar. Therefore, this research aims to explore targeted attacks in specific organisations in the state of Qatar by presenting a new technique to prevent targeted attacks. This novel enterprise-wide email phishing detection system has been used by organisations and individuals not only in the state of Qatar but also in organisations in the UK. This detection system is based on domain names by which attackers carefully register domain names which victims trust. The results show that this detection system has proven its ability to reduce email phishing attacks. Moreover, it aims to develop email phishing awareness training techniques specifically designed for the state of Qatar to complement the presented technique in order to increase email phishing awareness, focused on targeted attacks and the content, and reduce the impact of phishing email attacks. This research was carried out by developing an interactive email phishing awareness training website that has been tested by organisations in the state of Qatar. The results of this training programme proved to get effective results by training users on how to spot email phishing and targeted attacks

Authentication and Data Protection under Strong Adversarial Model

We are interested in addressing a series of existing and plausible threats to cybersecurity where the adversary possesses unconventional attack capabilities. Such unconventionality includes, in our exploration but not limited to, crowd-sourcing, physical/juridical coercion, substantial (but bounded) computational resources, malicious insiders, etc. Our studies show that unconventional adversaries can be counteracted with a special anchor of trust and/or a paradigm shift on a case-specific basis. Complementing cryptography, hardware security primitives are the last defense in the face of co-located (physical) and privileged (software) adversaries, hence serving as the special trust anchor. Examples of hardware primitives are architecture-shipped features (e.g., with CPU or chipsets), security chips or tokens, and certain features on peripheral/storage devices. We also propose changes of paradigm in conjunction with hardware primitives, such as containing attacks instead of counteracting, pretended compliance, and immunization instead of detection/prevention. In this thesis, we demonstrate how our philosophy is applied to cope with several exemplary scenarios of unconventional threats, and elaborate on the prototype systems we have implemented. Specifically, Gracewipe is designed for stealthy and verifiable secure deletion of on-disk user secrets under coercion; Hypnoguard protects in-RAM data when a computer is in sleep (ACPI S3) in case of various memory/guessing attacks; Uvauth mitigates large-scale human-assisted guessing attacks by receiving all login attempts in an indistinguishable manner, i.e., correct credentials in a legitimate session and incorrect ones in a plausible fake session; Inuksuk is proposed to protect user files against ransomware or other authorized tampering. It augments the hardware access control on self-encrypting drives with trusted execution to achieve data immunization. We have also extended the Gracewipe scenario to a network-based enterprise environment, aiming to address slightly different threats, e.g., malicious insiders. We believe the high-level methodology of these research topics can contribute to advancing the security research under strong adversarial assumptions, and the promotion of software-hardware orchestration in protecting execution integrity therein

Utilitarian Analysis of Mass Surveillance : Panopticons and Privacy

Utilitarian thinking comes under the wider framework of normative ethical theories which judges the morality of any act based on the outcomes achieved. Normative Ethics is the discipline of social sciences that comes under the head of philosophy which is based on moral principles. Based on such moral principles, any act is being considered as either right or wrong. Like any other domain, cyberspace also has some ethical values. To understand the ethics on Cyberspace, first we need to understand that how internet works and how many layers it has and what kind of activities are possible over every layer, respectively. This thesis aims to explain the privacy issues caused by Panopticons related to illegal, unethical, and un-consensual mass surveillance across the internet via using various insidious methodologies. It also explains that who panopticons are and how this terminology came into existence and how it replicates current era’s mass surveillance? Moreover, it addresses the parameters under which any surveilling authority could be declared as a Panopticon. It explains that how and why Panopticons are doing unauthorized, unethical and non-consensual mass surveillance and how that surveillance actually takes place and up to which extent Panopticons have gone to achieve their desired mode of surveillance and it highlights different actors that are involved in mass surveillance at different scales via different techniques. The involvement of Governments with or without the collaboration of Private Internet companies has also been a shady topic exactly till Snowden made his revelations which later on caused a drastic awareness among masses and opened new doors of discussion as well as urged authorities to take some practical measures in order to curb the mass surveillance. That is why, Snowden’s revelations have been taken as a case study to present the depth and techniques of mass surveillance that are in practice both by private and government organizations. The analysis part holds the primary importance in this thesis, that’s why the thesis concludes with analyzing ethical aspects of Mass Surveillance via Utilitarian point of view which analyzes the Snowden’s act of reveling classified information and the corresponding top three accusations posed on him by USA’s house of representatives, followed by legal and cultural implications

2020 Huskies Showcase Abstracts

The 2020 Huskies Showcase abstracts are arranged in the following order: Applied Experience Displays; Artistic Performances; Demonstrations; Gallery Exhibits; Oral Presentations; Poster Presentations