Know their Customers: An Empirical Study of Online Account Enumeration Attacks
Details
Serval ID
serval:BIB_912816455634
Type
Article: article from journal or magazin.
Collection
Publications
Institution
Title
Know their Customers: An Empirical Study of Online Account Enumeration Attacks
Journal
ACM Transactions on the Web
ISSN
1559-1131 (print)
1559-114X (electronic)
1559-114X (electronic)
Publication state
Published
Issued date
06/2024
Peer-reviewed
Oui
Volume
18
Number
3
Pages
37:1-37:36
Language
english
Abstract
Internet users possess accounts on dozens of online services where they are often identified by one of their e-mail addresses. They often use the same address on multiple services and for communicating with their contacts. In this paper, we investigate attacks that enable an adversary (e.g., company, friend) to determine (stealthily or not) whether an individual, identified by their e-mail address, has an account on certain services (i.e., an account enumeration attack). Such attacks on account privacy have serious implications as information about one’s accounts can be used to (1) profile them and (2) improve the effectiveness of phishing. We take a multifaceted approach and study these attacks through a combination of experiments (63 services), surveys (318 respondents), and focus groups (13 participants). We demonstrate the high vulnerability of popular services (93.7%) and the concerns of users about their account privacy, as well as their increased susceptibility to phishing e-mails that impersonate services on which they have an account. We also provide findings on the challenges in implementing countermeasures for service providers and on users’ ideas for enhancing their account privacy. Finally, our interaction with national data protection authorities led to the inclusion of recommendations in their developers’ guide.
Keywords
usable security and privacy, Web privacy, account enumeration attacks, online accounts
Research datasets
Open Access
Yes
Funding(s)
Hasler Foundation / 22018
Create date
29/04/2024 11:47
Last modification date
18/06/2024 6:09