
Weekly CS Paper Archive


Keeping the hackers out: 14 different methods to prevent account hijacking

By Simon. January 21, 2022; last updated July 1, 2022.

Hello dear,

if you have ever signed in while traveling in another country, you have probably run into them before: the anti-account-hijacking systems implemented by the various online providers. They range from entering your "secret" recovery email address, to verifying with a code sent to your cellphone number, to, if you are super-duper secure, a two-factor token from a time-based OTP app.

This week's paper evaluates the different login challenges Google uses to keep hijackers out of your account: how effectively each one stops a real takeover attempt, and how much friction it adds for legitimate users. (Google figured out that a super secure system which valid users can no longer get through is not a good idea either :D)

It is more of a field guide than a deeply technical paper. On top of that, it gave me a few ideas on how to design such a system myself.


Abstract:

In this paper, we study the efficacy of login challenges at preventing account takeover, as well as evaluate the amount of friction these challenges create for normal users. These secondary authentication factors—presently deployed at Google, Microsoft, and other major identity providers as part of risk-aware authentication—trigger in response to a suspicious login or account recovery attempt. Using Google as a case study, we evaluate the effectiveness of fourteen device-based, delegation-based, knowledge-based, and resource-based challenges at preventing over 350,000 real-world hijacking attempts stemming from automated bots, phishers, and targeted attackers. We show that knowledge-based challenges prevent as few as 10% of hijacking attempts rooted in phishing and 73% of automated hijacking attempts. Device-based challenges provide the best protection, blocking over 94% of hijacking attempts rooted in phishing and 100% of automated hijacking attempts. We evaluate the usability limitations of each challenge based on a sample of 1.2M legitimate users. Our results illustrate that login challenges act as an important barrier to hijacking, but that friction in the process leads to 52% of legitimate users failing to sign-in—though 97% of users eventually access their account in a short period.
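To make the mechanics concrete, here is an added Python example of my own (not code from the paper, from Google, or from this blog): an RFC 6238 TOTP verifier of the kind behind the "time-based OTP app" challenge, with clock-drift tolerance, constant-time comparison and a replay guard, followed by a small risk-aware policy that decides which challenge a correct-password sign-in gets. The policy, the `SignIn` fields, and the mapping of factor names onto the paper's device-based / knowledge-based classes are my assumptions for illustration; the only real input is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 6238 appendix test secret, used here only as sample input (constructed example data).
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter value, RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """The code a time-based OTP app shows at Unix time for_time (RFC 6238)."""
    return hotp(secret, for_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code: tolerates clock drift, refuses replays."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window      # accept codes from +/- this many time steps
        self.digits = digits
        self.last_counter = -1    # highest counter already redeemed; a code is good once

    def verify(self, submitted: str, now: int) -> bool:
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        base = now // self.step
        for counter in range(max(0, base - self.window), base + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                if counter <= self.last_counter:
                    return False  # replay: this code (or an older one) already signed in
                self.last_counter = counter
                return True
        return False


# Assumed mapping of enrolled factors onto the paper's challenge classes; the paper does
# not define this mapping, so treat it as a hypothetical policy, not Google's.
DEVICE_BASED = ("security_key", "totp", "sms_code")      # possession of a device
KNOWLEDGE_BASED = ("recovery_email", "recovery_phone")   # recall of account details


@dataclass(frozen=True)
class SignIn:
    known_device: bool     # browser holds a token from an earlier successful sign-in
    usual_location: bool   # geo/IP consistent with the account's sign-in history
    enrolled: frozenset    # factor names the account has set up


def choose_challenge(s: SignIn) -> str:
    """Pick the login challenge after a correct password (hypothetical policy).
    Returns a factor name, 'none' when no challenge is needed, or 'recovery' when the
    attempt is too risky to trust and must go through account recovery instead."""
    if s.known_device and s.usual_location:
        return "none"                      # low risk: password alone is enough
    for factor in DEVICE_BASED:            # strongest class first
        if factor in s.enrolled:
            return factor
    if s.usual_location:                   # medium risk: a knowledge check is acceptable
        for factor in KNOWLEDGE_BASED:
            if factor in s.enrolled:
                return factor
    return "recovery"                      # unfamiliar location and no device factor


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))                             # RFC 6238 vector: 287082
    v = TotpVerifier(SAMPLE_SECRET)
    print(v.verify("287082", 89), v.verify("287082", 89))      # True (drift ok), False (replay)
    print(choose_challenge(SignIn(False, True, frozenset({"recovery_email", "sms_code"}))))
```

The policy always prefers a device-based factor when one is enrolled, and only falls back to a knowledge-based one at medium risk, which is the practical reading of the abstract's numbers: an attacker who phished the password has very likely phished the recovery email address too.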

Download Link:

https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ab2bedf04f6d4ff60c59b502809c2f151373de54.pdf

Posted in Weekly CS Paper. Tagged: account hijacking, security


