Know their Customers: An Empirical Study of Online Account Enumeration Attacks

IF 2.6 4区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS ACM Transactions on the Web Pub Date : 2024-05-07 DOI:10.1145/3664201

Maël Maceiras, Kavous Salehzadeh Niksirat, Gaël Bernard, Benoit Garbinato, Mauro Cherubini, Mathias Humbert, Kévin Huguenin

{"title":"Know their Customers: An Empirical Study of Online Account Enumeration Attacks","authors":"Maël Maceiras, Kavous Salehzadeh Niksirat, Gaël Bernard, Benoit Garbinato, Mauro Cherubini, Mathias Humbert, Kévin Huguenin","doi":"10.1145/3664201","DOIUrl":null,"url":null,"abstract":"Internet users possess accounts on dozens of online services where they are often identified by one of their e-mail addresses. They often use the same address on multiple services and for communicating with their contacts. In this paper, we investigate attacks that enable an adversary (e.g., company, friend) to determine (stealthily or not) whether an individual, identified by their e-mail address, has an account on certain services (i.e., an account enumeration attack). Such attacks on account privacy have serious implications as information about one’s accounts can be used to (1) profile them and (2) improve the effectiveness of phishing. We take a multifaceted approach and study these attacks through a combination of experiments (63 services), surveys (318 respondents), and focus groups (13 participants). We demonstrate the high vulnerability of popular services (93.7%) and the concerns of users about their account privacy, as well as their increased susceptibility to phishing e-mails that impersonate services on which they have an account. We also provide findings on the challenges in implementing countermeasures for service providers and on users’ ideas for enhancing their account privacy. Finally, our interaction with national data protection authorities led to the inclusion of recommendations in their developers’ guide.","PeriodicalId":50940,"journal":{"name":"ACM Transactions on the Web","volume":"80 1","pages":""},"PeriodicalIF":2.6000,"publicationDate":"2024-05-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on the Web","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3664201","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Internet users possess accounts on dozens of online services where they are often identified by one of their e-mail addresses. They often use the same address on multiple services and for communicating with their contacts. In this paper, we investigate attacks that enable an adversary (e.g., company, friend) to determine (stealthily or not) whether an individual, identified by their e-mail address, has an account on certain services (i.e., an account enumeration attack). Such attacks on account privacy have serious implications as information about one’s accounts can be used to (1) profile them and (2) improve the effectiveness of phishing. We take a multifaceted approach and study these attacks through a combination of experiments (63 services), surveys (318 respondents), and focus groups (13 participants). We demonstrate the high vulnerability of popular services (93.7%) and the concerns of users about their account privacy, as well as their increased susceptibility to phishing e-mails that impersonate services on which they have an account. We also provide findings on the challenges in implementing countermeasures for service providers and on users’ ideas for enhancing their account privacy. Finally, our interaction with national data protection authorities led to the inclusion of recommendations in their developers’ guide.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

了解他们的客户：在线账户枚举攻击实证研究

互联网用户拥有几十种在线服务的账户，他们通常通过其中一个电子邮件地址来识别。他们经常在多个服务上使用同一个地址，并与其联系人通信。在本文中，我们研究的攻击可使对手（如公司、朋友）确定（无论是否隐蔽）通过电子邮件地址识别的个人是否在某些服务上拥有账户（即账户枚举攻击）。这种对账户隐私的攻击具有严重的影响，因为有关个人账户的信息可用于：(1) 剖析个人档案；(2) 提高网络钓鱼的有效性。我们采取了一种多方面的方法，通过实验（63 项服务）、调查（318 名受访者）和焦点小组（13 名参与者）的组合来研究这些攻击。我们证明了流行服务的高度脆弱性（93.7%）和用户对其账户隐私的担忧，以及他们对冒充其拥有账户的服务的网络钓鱼电子邮件的易感性。我们还提供了有关服务提供商在实施应对措施方面所面临的挑战以及用户在提高账户隐私方面的想法的调查结果。最后，通过与各国数据保护机构的互动，我们在其开发人员指南中纳入了相关建议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

ACM Transactions on the Web 工程技术-计算机：软件工程

CiteScore

4.90

自引率

0.00%

发文量

审稿时长

7.5 months

期刊介绍： Transactions on the Web (TWEB) is a journal publishing refereed articles reporting the results of research on Web content, applications, use, and related enabling technologies. Topics in the scope of TWEB include but are not limited to the following: Browsers and Web Interfaces; Electronic Commerce; Electronic Publishing; Hypertext and Hypermedia; Semantic Web; Web Engineering; Web Services; and Service-Oriented Computing XML. In addition, papers addressing the intersection of the following broader technologies with the Web are also in scope: Accessibility; Business Services Education; Knowledge Management and Representation; Mobility and pervasive computing; Performance and scalability; Recommender systems; Searching, Indexing, Classification, Retrieval and Querying, Data Mining and Analysis; Security and Privacy; and User Interfaces. Papers discussing specific Web technologies, applications, content generation and management and use are within scope. Also, papers describing novel applications of the web as well as papers on the underlying technologies are welcome.