Know their Customers: An Empirical Study of Online Account Enumeration Attacks

Détails

Ressource 1Télécharger: Maceiras2024TWeb.pdf (3986.14 [Ko])
Etat: Public
Version: Author's accepted manuscript
Licence: CC BY 4.0
ID Serval
serval:BIB_912816455634
Type
Article: article d'un périodique ou d'un magazine.
Collection
Publications
Institution
Titre
Know their Customers: An Empirical Study of Online Account Enumeration Attacks
Périodique
ACM Transactions on the Web
Auteur⸱e⸱s
Maceiras Maël, Salehzadeh Niksirat Kavous, Bernard Gaël, Garbinato Benoit, Cherubini Mauro, Humbert Mathias, Huguenin Kévin
ISSN
1559-1131 (print)
1559-114X (electronic)
Statut éditorial
Publié
Date de publication
06/2024
Peer-reviewed
Oui
Volume
18
Numéro
3
Pages
37:1-37:36
Langue
anglais
Résumé
Internet users possess accounts on dozens of online services where they are often identified by one of their e-mail addresses. They often use the same address on multiple services and for communicating with their contacts. In this paper, we investigate attacks that enable an adversary (e.g., company, friend) to determine (stealthily or not) whether an individual, identified by their e-mail address, has an account on certain services (i.e., an account enumeration attack). Such attacks on account privacy have serious implications as information about one’s accounts can be used to (1) profile them and (2) improve the effectiveness of phishing. We take a multifaceted approach and study these attacks through a combination of experiments (63 services), surveys (318 respondents), and focus groups (13 participants). We demonstrate the high vulnerability of popular services (93.7%) and the concerns of users about their account privacy, as well as their increased susceptibility to phishing e-mails that impersonate services on which they have an account. We also provide findings on the challenges in implementing countermeasures for service providers and on users’ ideas for enhancing their account privacy. Finally, our interaction with national data protection authorities led to the inclusion of recommendations in their developers’ guide.
Mots-clé
usable security and privacy, Web privacy, account enumeration attacks, online accounts
Données de la recherche
Open Access
Oui
Financement(s)
La Fondation Hasler / 22018
Création de la notice
29/04/2024 11:47
Dernière modification de la notice
18/06/2024 6:09
Données d'usage