Category Archives: usable security

“I Don’t Use Apple Pay Because It’s Less Secure …”

This paper reports on why people use, not use, or have stopped using mobile tap-and-pay in stores. The results of our online survey with 349 Apple Pay and 511 Android Pay participants suggest that the top reason for using mobile tap-andpay is usability. Surprisingly, for nonusers of Apple Pay, security was their biggest concern. A common security misconception we found among the nonusers (who stated security as their biggest concern) was that they felt storing card information on their phones is less secure than physically carrying cards inside their wallets. Continue reading

Social Insider Attacks on Facebook

Facebook accounts are secured against unauthorized access through passwords and device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to a victim’s account by interacting directly with their device. To characterize these attacks, we ran two MTurk studies. In the first study Continue reading

“I’m too Busy to Reset my LinkedIn Password”

A common security practice used to deal with a password breach is locking user accounts and sending out an email to tell users that they need to reset their password to unlock their account. This paper evaluates the effectiveness of this security practice based on the password reset email that LinkedIn sent out around May 2016, and through an online survey conducted on 249 LinkedIn users who received that email. Our evaluation shows that only about 46% of the participants reset their passwords.

Continue reading

Investigation of Phishing Avoidance

phishing_studyThis paper reports on a design and development of a mobile game prototype as an educational tool helping computer users to protect themselves against phishing attacks. The elements of a game design framework for avoiding phishing attacks were used to address the game design issues. Our mobile game design aimed to enhance the users’ avoidance behaviour through motivation to protect themselves against phishing threats. Continue reading

Two Ph.D. Student Vacancies

DSC_4934There are two Ph.D. student positions available at my research group LERSSE. Ph.D. students are accepted with full support in the form of research assistantships and positions are available starting September 2017.

Continue reading

What I Love About My Research

As part of Innovate (in October) 2015, I gave a 7-minute “edutainment” talk, explaining in a very accessible form my current research, using an example of a recent study of iPhone’s TouchID:

 

Towards strong and memorable passwords

surpassSystem-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated user-replaceable password scheme called “Surpass” that lets users replace few characters in a random password to make it more memorable. Continue reading

How Much Can Chunking Help to Remember Banking PINs?

chunkingTo ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact on memorability of such PINs has not been studied.

In a collaboration among Honeywell ACS Labs, Sungkyunkwan University, Oregon State University, University of Illinois at Urbana-Champaign, and UBC, we conducted a large-scale online user study with 9,114 participants to investigate the impact of increased PIN length on the memorability of PINs, and whether number chunking techniques (breaking a single number into multiple smaller numbers) can be applied to improve memorability for larger PIN lengths. Our findings have been reported at SOUPS ’15. Continue reading

Touch ID: How Does It Affect iPhone Security?

Touch IDRecently, Apple has introduced Touch ID, which allows a fingerprint-based authentication to be used for iPhone unlocking. It’s positioned to allow users to use stronger passcodes for locking their iOS devices, without substantially sacrificing usability. It is unclear, however, if users take advantage of Touch ID technology and if they, indeed, employ stronger passcodes. In order to answer this question, at LERSSE, we conducted three user studies through which we found that users do not take an advantage of Touch ID and use weak unlocking secrets. Continue reading

Improving Access Review with AuthzMap

AuthzMapResearch led by LERSSE Ph.D. student Pooya Jaferian will be featured at SOUPS this July. By interviewing IT professionals, he has explored access review activity in organizations, and then modeled access review in the activity theory framework. The model suggests that access review requires an understanding of the activity context including information about the users, their job, their access rights, and the history of access policy. Guidelines of the activity theory were used to design a new user interface, AuthzMap, which was compared to two state of the practice. The experiments demonstrated that AuthzMap improved the efficiency of access review most scenarios. Read the full paper for details.