There are two Ph.D. student positions available at my research group LERSSE. Ph.D. students are accepted with full support in the form of research assistantships and positions are available starting September 2017.
The orthodox paradigm to defend against automated social-engineering attacks in large-scale socio-technical systems is reactive and victim-agnostic. Defenses generally focus on identifying the attacks/attackers (e.g., phishing emails, social-bot infiltrations, malware offered for download). To change the status quo, we propose in our paper presented at NSPW ’16 to identify, even if imperfectly, the vulnerable user population, that is, the users that are likely to fall victim to such attacks. Once identified, information about the vulnerable population can be used in two ways. Continue reading
SOUPS ’16 paper on the prevalence of snooping on mobile phones has received Distinguished Paper award. The paper reports a series of quantitative studies that allowed a more accurate measurement of this phenomena. The study was led by our collaborators at the University of Lisbon. It was inspired by our previous study presented at Mobile CHI ’13. Continue reading
This paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Our mobile game design aimed to enhance the users’ avoidance behaviour through motivation to protect themselves against phishing threats. Continue reading
System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated user-replaceable password scheme called “Surpass” that lets users replace few characters in a random password to make it more memorable. Continue reading
User root their Android (or jailbreak their iPhone) smartphones. They do so in order to run useful apps that require root privileges, to remove restrictions by carriers and hardware manufacturers, and to alter or remove system apps. Rooted devices are prevalent. According to a recent Android security report, Google Verify Apps detected rooting apps installed on approximately 2.5M devices.
To ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact on memorability of such PINs has not been studied.
In a collaboration among Honeywell ACS Labs, Sungkyunkwan University, Oregon State University, University of Illinois at Urbana-Champaign, and UBC, we conducted a large-scale online user study with 9,114 participants to investigate the impact of increased PIN length on the memorability of PINs, and whether number chunking techniques (breaking a single number into multiple smaller numbers) can be applied to improve memorability for larger PIN lengths. Our findings have been reported at SOUPS ’15. Continue reading