CAREER: Account Security Against Interpersonal Attacks
University Of Wisconsin-Madison, Madison WI
Abstract
Account security logs are designed by online services to help users detect whether there was an unauthorized login to their accounts. However, current account security logs offer unreliable and coarse-grained information for users to differentiate their own logins from attackers' logins. The limited data they show, such as device model and an approximate city or province derived from the IP address, can easily be matched or spoofed by attackers, especially in cases of interpersonal attacks. Interpersonal attackers know the victims personally; they may be an intimate partner, family member, friend, or colleague. An interpersonal attacker may live in the same house or town and own devices of the same model as the victim, making it hard for victims to conclusively detect unauthorized logins by their attackers. The key problem here is twofold: (a) there is no unique, non-spoofable device identifier that preserves user privacy, and (b) humans and online services identify physical devices differently. In this project, we aim to tackle these issues by developing a framework of device identifiers that uniquely identify a device while preserving users' privacy, and that users are able to recognize and associate with the corresponding physical device, bridging the disconnect between how humans and software identify devices. This project is designing, implementing, and evaluating novel ways to improve account security logs to enhance unauthorized login detection. The objectives of the project are to (a) design and implement a protocol for deriving unique yet privacy-preserving identifiers of devices; (b) explore methods to familiarize users with such device identifiers without disrupting their user experience; and (c) redesign account security logs to incorporate such identifiers and measure their efficacy in detecting unauthorized logins.
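As an illustration added here (this is not the project's protocol, which the award is still designing), the sketch below shows one simple way objectives (a) and (b) could fit together: a per-device secret never leaves the device, a service-scoped HMAC yields an identifier that is stable on one service but unlinkable across services, and a short word label is derived from it so a user can tie the identifier to a physical device. The service names, word list and fixed secrets are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Tiny word list for human-recognisable labels (constructed for this example).
WORDS = ["amber", "birch", "cedar", "delta", "ember", "flint", "grove", "harbor"]


def new_device_secret() -> bytes:
    """Secret generated once on the device and never sent to any service."""
    return secrets.token_bytes(32)


def device_id(device_secret: bytes, service: str) -> str:
    """Service-scoped identifier: stable for one device on one service, but
    unlinkable across services because the secret stays on the device and the
    HMAC tag cannot be inverted. A second device of the same model on the same
    network cannot reproduce it without the secret."""
    return hmac.new(device_secret, service.encode(), hashlib.sha256).hexdigest()


def nickname(dev_id: str) -> str:
    """Short human-readable label derived from the identifier, shown to the
    user at enrolment so they can associate it with the physical device."""
    h = bytes.fromhex(dev_id)
    return f"{WORDS[h[0] % len(WORDS)]}-{WORDS[h[1] % len(WORDS)]}-{h[2] % 100:02d}"


def coarse_log_line(model: str, city: str) -> str:
    """What today's security logs show: device model and approximate location."""
    return f"login from {model} near {city}"


def enriched_log_line(model: str, city: str, dev_id: str) -> str:
    """The same entry extended with the recognisable device label."""
    return f"{coarse_log_line(model, city)} on device {nickname(dev_id)}"


def main() -> None:
    victim = bytes.fromhex("01" * 32)      # constructed fixed secrets, for reproducibility
    attacker = bytes.fromhex("02" * 32)
    v_id = device_id(victim, "example-mail")
    a_id = device_id(attacker, "example-mail")
    print(coarse_log_line("Pixel 7", "Madison"))   # identical for both people
    print(enriched_log_line("Pixel 7", "Madison", v_id))
    print(enriched_log_line("Pixel 7", "Madison", a_id))
    print(device_id(victim, "example-bank") != v_id)   # True: unlinkable across services


if __name__ == "__main__":
    main()
```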
The broader impacts of the project include: (1) producing guidelines and engaging with developers of online services to enhance account security mechanisms, (2) deploying unauthorized login detection with the Madison Tech Clinic (MTC) and the Clinic to End Tech Abuse (CETA) in New York City to support survivors of interpersonal attacks (IA), and (3) teaching students about nuanced threat models, like those of IA. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.