TY - GEN
T1 - Click This, Not That
T2 - 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021
AU - Barron, Timothy
AU - So, Johnny
AU - Nikiforakis, Nick
N1 - Publisher Copyright: © 2021 ACM.
PY - 2021/5/24
Y1 - 2021/5/24
N2 - With phishing attacks, password breaches, and brute-force login attacks presenting constant threats, it is clear that passwords alone are inadequate for protecting the web applications entrusted with our personal data. Instead, web applications should practice defense in depth and give users multiple ways to secure their accounts. In this paper we propose login rituals, which define actions that a user must take to authenticate, and web tripwires, which define actions that a user must not take to remain authenticated. These actions outline expected behavior of users familiar with their individual setups on applications they use often. We show how we can detect and prevent intrusions from web attackers lacking this familiarity with their victim's behavior. We design a modular and application-agnostic system that incorporates these two mechanisms, allowing us to add an additional layer of deception-based security to existing web applications without modifying the applications themselves. Next to testing our system and evaluating its performance when applied to five popular open-source web applications, we demonstrate the promising nature of these mechanisms through a user study. Specifically, we evaluate the detection rate of tripwires against simulated attackers, 88% of whom clicked on at least one tripwire. We also observe web users' creation of personalized login rituals and evaluate the practicality and memorability of these rituals over time. Out of 39 user-created rituals, all of them are unique and 79% of users were able to reproduce their rituals even a week after creation.
AB - With phishing attacks, password breaches, and brute-force login attacks presenting constant threats, it is clear that passwords alone are inadequate for protecting the web applications entrusted with our personal data. Instead, web applications should practice defense in depth and give users multiple ways to secure their accounts. In this paper we propose login rituals, which define actions that a user must take to authenticate, and web tripwires, which define actions that a user must not take to remain authenticated. These actions outline expected behavior of users familiar with their individual setups on applications they use often. We show how we can detect and prevent intrusions from web attackers lacking this familiarity with their victim's behavior. We design a modular and application-agnostic system that incorporates these two mechanisms, allowing us to add an additional layer of deception-based security to existing web applications without modifying the applications themselves. Next to testing our system and evaluating its performance when applied to five popular open-source web applications, we demonstrate the promising nature of these mechanisms through a user study. Specifically, we evaluate the detection rate of tripwires against simulated attackers, 88% of whom clicked on at least one tripwire. We also observe web users' creation of personalized login rituals and evaluate the practicality and memorability of these rituals over time. Out of 39 user-created rituals, all of them are unique and 79% of users were able to reproduce their rituals even a week after creation.
KW - deception
KW - intrusion detection
KW - multi-factor authentication
UR - https://www.scopus.com/pages/publications/85108076310
U2 - 10.1145/3433210.3453088
DO - 10.1145/3433210.3453088
M3 - Conference contribution
T3 - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
SP - 462
EP - 474
BT - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 7 June 2021 through 11 June 2021
ER -