What I Love About My Research

As part of Innovate (in October) 2015, I gave a 7-minute “edutainment” talk, explaining in a very accessible form my current research, using an example of a recent study of iPhone’s TouchID:


Findings on Touch ID in plain (British) English

My research group had a paper presented at SOUPS on the interplay between TouchID and iPhone security, which I’ve described in a recent post. Here’s a video made by a wonderful team at Kindea Labs that explains the key findings in language accessible virtually to anyone:

Towards strong and memorable passwords

surpassSystem-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated user-replaceable password scheme called “Surpass” that lets users replace few characters in a random password to make it more memorable. Continue reading

Android Rooting:
 Methods, Detection, and Evasion

rooting_methodsUser root their Android (or jailbreak their iPhone) smartphones. They do so in order to run useful apps that require root privileges, to remove restrictions by carriers and hardware manufacturers, and to alter or remove system apps. Rooted devices are prevalent. According to a recent Android security report, Google Verify Apps detected rooting apps installed on approximately 2.5M devices.

Continue reading

How Much Can Chunking Help to Remember Banking PINs?

chunkingTo ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact on memorability of such PINs has not been studied.

In a collaboration among Honeywell ACS Labs, Sungkyunkwan University, Oregon State University, University of Illinois at Urbana-Champaign, and UBC, we conducted a large-scale online user study with 9,114 participants to investigate the impact of increased PIN length on the memorability of PINs, and whether number chunking techniques (breaking a single number into multiple smaller numbers) can be applied to improve memorability for larger PIN lengths. Our findings have been reported at SOUPS ’15. Continue reading

Touch ID: How Does It Affect iPhone Security?

Touch IDRecently, Apple has introduced Touch ID, which allows a fingerprint-based authentication to be used for iPhone unlocking. It’s positioned to allow users to use stronger passcodes for locking their iOS devices, without substantially sacrificing usability. It is unclear, however, if users take advantage of Touch ID technology and if they, indeed, employ stronger passcodes. In order to answer this question, at LERSSE, we conducted three user studies through which we found that users do not take an advantage of Touch ID and use weak unlocking secrets. Continue reading

Improving Detection of OSN Fakes by Predicting Victims


LERSSE student Yazan Boshmaf (co-supervised with Matei Ripeanu) has presented at NDSS last part of his Ph.D. research, Integro. It helps OSNs detect automated fake accounts using a robust user ranking scheme. The key idea is based on an insight that victims, benign users who control real accounts and have befriended fakes, form a distinct classification category that is useful for designing robust detection mechanisms. As attackers have no control over victim accounts and cannot alter their activities, a victim account classifier which relies on user-level activities is relatively hard to circumvent. Moreover, as fakes are directly connected to victims, a fake account detection mechanism that integrates victim prediction into graph-level structures can be more robust against manipulations of the graph. Continue reading

Improving Access Review with AuthzMap

AuthzMapResearch led by LERSSE Ph.D. student Pooya Jaferian will be featured at SOUPS this July. By interviewing IT professionals, he has explored access review activity in organizations, and then modeled access review in the activity theory framework. The model suggests that access review requires an understanding of the activity context including information about the users, their job, their access rights, and the history of access policy. Guidelines of the activity theory were used to design a new user interface, AuthzMap, which was compared to two state of the practice. The experiments demonstrated that AuthzMap improved the efficiency of access review most scenarios. Read the full paper for details.

Serving on Computers & Security Editorial Board

COSEAs of January 2014, I’m serving on the editorial board of Elsevier’s Computers & Security journal. Apparently, it is the official journal of Technical Committee 11 (computer security) of the International Federation for Information Processing (IFIP). The journal is in its 29th year, which makes it one of the oldest archival publications in the field of computer security. One of the main goals of the editorial board nowadays is to arrange quality reviews with quick turn-around.


Final Report on Internet Voting

final reportAfter about 18 months of work, the Internet Voting Panel I served on has released its final report on February 12 and
submitted it to the Legislative Assembly of British Columbia. The report contains the panel’s conclusions and recommendations, and summarizes the benefits and challenges of implementing Internet voting for provincial or local government elections in B.C. On October 23, 2013 the panel published a Preliminary Report for a six-week public comment period, ending on December 4, 2013.  The panel reviewed the commentary, including additional submissions from experts, academics and vendors in the Internet voting community. The report can be found on the panel’s web site.