DOI: 10.1145/2556288.2557330 (ACM Conference Proceedings, CHI)
research-article, Open Access

"My religious aunt asked why I was trying to sell her viagra": experiences with account hijacking

Published: 26 April 2014

ABSTRACT

With so much of our lives digital, online, and not entirely under our control, we risk losing access to our communications, reputation, and data. Recent years have brought a rash of high-profile account compromises, but account hijacking is not limited to high-profile accounts. In this paper, we report results of a survey about people's experiences with and attitudes toward account hijacking. The problem is widespread; 30% of our 294 participants had an email or social networking account accessed by an unauthorized party. Five themes emerged from our results: (1) compromised accounts are often valuable to victims, (2) attackers are mostly unknown, but sometimes known, to victims, (3) users acknowledge some responsibility for keeping their accounts secure, (4) users' understanding of important security measures is incomplete, and (5) harm from account hijacking is concrete and emotional. We discuss implications for designing security mechanisms to improve chances for user adoption.


Published in

CHI '14: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2014
4206 pages
ISBN: 9781450324731
DOI: 10.1145/2556288

Copyright © 2014 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 26 April 2014

Qualifiers

• research-article

Acceptance Rates

CHI '14 Paper Acceptance Rate: 465 of 2,043 submissions, 23%
Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%
