Modern mobile operating systems implement an ask-on-first-use policy to regulate applications’ access to private user data: the user is prompted to allow or deny access to a sensitive resource the first time an app attempts to use it. Prior research shows that this model may not adequately capture user privacy preferences because subsequent requests may occur under varying contexts. To address this shortcoming, LERSSE’s PhD student Primal Wijesekera led a collaboration project with Dr. Egelman‘s Berkeley Laboratory for Usable and Experimental Security (BLUES) to implement a novel privacy management system in Android, in which contextual signals are used to build a classifier that predicts user privacy preferences under various scenarios. Continue reading
Contextualizing Privacy Decisions for Better Prediction (and Protection)
Understanding the Risks and Prevention
I will be on a panel on “Understanding the Risks and Prevention” at Cyber Security Forum, organized by the Greater Vancouver Board of Trade on October 20.
WannaCry: A Case Study for the Multitude of Cybersecurity Dimensions
I was recently asked to speak to the media about WannaCry. While preparing for the interview (see the video below), I’ve realized that this particular case is a good illustration of the various dimensions of cybersecurity: Continue reading
Smartphone Users’ Family, Friends, and Other Enemies
The number of smartphone users worldwide was expected to surpass 2 billion in 2016. To protect personal and other sensitive information from unauthorized access, some smartphone users lock their phones. Yet, others don’t, risking the data and online services accessible through their devices. The risks emanate from both device thieves and those who belong to the users’ social circles, so called social insiders. In 2014, 2.1 million Americans (under 2%) had phones stolen. Continue reading
Predicting Smartphone Users’ Permission Decisions
Current smartphone operating systems regulate application permissions by prompting users on an ask-on-first-use basis. Prior research has shown that this method is ineffective because it fails to account for context: the circumstances under which an application first requests access to data may be vastly different than the circumstances under which it subsequently requests access. LERSSE’s Primal is leading the research collaboration with UC Berkeley, in which a longitudinal 131-person field study was performed to analyze the contextuality behind user privacy decisions to regulate access to sensitive resources. Continue reading
“I Don’t Use Apple Pay Because It’s Less Secure …”
This paper reports on why people use, not use, or have stopped using mobile tap-and-pay in stores. The results of our online survey with 349 Apple Pay and 511 Android Pay participants suggest that the top reason for using mobile tap-andpay is usability. Surprisingly, for nonusers of Apple Pay, security was their biggest concern. A common security misconception we found among the nonusers (who stated security as their biggest concern) was that they felt storing card information on their phones is less secure than physically carrying cards inside their wallets. Continue reading
Social Insider Attacks on Facebook
Facebook accounts are secured against unauthorized access through passwords and device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to a victim’s account by interacting directly with their device. To characterize these attacks, we ran two MTurk studies. In the first study Continue reading
“I’m too Busy to Reset my LinkedIn Password”
A common security practice used to deal with a password breach is locking user accounts and sending out an email to tell users that they need to reset their password to unlock their account. This paper evaluates the effectiveness of this security practice based on the password reset email that LinkedIn sent out around May 2016, and through an online survey conducted on 249 LinkedIn users who received that email. Our evaluation shows that only about 46% of the participants reset their passwords.
Going After Vulnerable Population to Defend It
The orthodox paradigm to defend against automated social-engineering attacks in large-scale socio-technical systems is reactive and victim-agnostic. Defenses generally focus on identifying the attacks/attackers (e.g., phishing emails, social-bot infiltrations, malware offered for download). To change the status quo, we propose in our paper presented at NSPW ’16 to identify, even if imperfectly, the vulnerable user population, that is, the users that are likely to fall victim to such attacks. Once identified, information about the vulnerable population can be used in two ways. Continue reading
Collaborative Study of Snooping on Mobile Phones Gets SOUPS Award
SOUPS ’16 paper on the prevalence of snooping on mobile phones has received Distinguished Paper award. The paper reports a series of quantitative studies that allowed a more accurate measurement of this phenomena. The study was led by our collaborators at the University of Lisbon. It was inspired by our previous study presented at Mobile CHI ’13. Continue reading
