Tag: www

Security and Privacy Failures in Popular 2FA Apps (USENIX Sec ’23)

Abstract: The Time-based One-Time Password (TOTP) algorithm is a 2FA method that is widely deployed because of its relatively low implementation costs and purported security benefits over SMS 2FA. However, users of TOTP 2FA apps face a critical usability challenge: maintain access to the secrets stored within the TOTP app, or risk getting locked out of […]

Deployment of Source Address Validation by Network Operators: A Randomized Control Trial (Oakland ’22)

Abstract: IP spoofing, sending IP packets with a false source IP address, continues to be a primary attack vector for large-scale Denial of Service attacks. To combat spoofing, various interventions have been tried to increase the adoption of source address validation (SAV) among network operators. How can SAV deployment be increased? In this work, we conduct […]

Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges (CHI ’21)

Abstract: Software development teams are responsible for making and implementing software design decisions that directly impact end-user privacy, a challenging task to do well. Privacy Champions—people who strongly care about advocating privacy—play a useful role in supporting privacy-respecting development cultures. To understand their motivations, challenges, and strategies for protecting end-user privacy, we conducted 12 interviews with […]

Deciding on Personalized Ads: Nudging Developers About User Privacy (SOUPS ’21)

Abstract: Mobile advertising networks present personalized advertisements to developers as a way to increase revenue. These types of ads use data about users to select potentially more relevant content. However, choice framing also impacts app developers’ decisions which in turn impacts their users’ privacy. Currently, ad networks provide choices in developer-facing dashboards that control the types […]

Empirical Measurement of Systemic 2FA Usability (USENIX Sec ’20)

Abstract: Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations’ mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs […]

“You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild (SOUPS ’20)

Abstract: Organizational security teams have begun to specialize, and as a result, the existence of red, blue, and purple teams have been used as signals for an organization’s security maturity. There is also now a rise in the use of third-party contractors who offer services such as incident response or penetration testing. Additionally, bug bounty programs […]

Nudge Me Right: Personalizing Online Security Nudges to People’s Decision-Making Styles (CHB ’20)

Abstract: Nudges are simple and effective interventions that alter the architecture in which people make choices in order to help them make decisions that could benefit themselves or society. For many years, researchers and practitioners have used online nudges to encourage users to choose stronger and safer passwords. However, the effects of such nudges have been […]

Conducting Privacy-Sensitive Surveys: A Case Study of Civil Society Organizations (CHI Workshops ’20)

Abstract: Compared to other organizations, civil society organizations (CSOs) often operate in elevated-risk contexts, and attacks against them carry much greater ramifications, including threats to freedom of expression, liberty, and life. We aim to capture the factors that affect the attitudes and intentions of CSO employees to engage in security and privacy behaviors by using a […]

A Promise Is A Promise: The Effect Of Commitment Devices On Computer Security Intentions (CHI ’19)

Abstract: Commitment devices are a technique from behavioral economics that have been shown to mitigate the effects of present bias—the tendency to discount future risks and gains in favor of immediate gratifications. In this paper, we explore the feasibility of using commitment devices to nudge users towards complying with varying online security mitigations. Using two online […]

The Accuracy of the Demographic Inferences Shown on Google’s Ad Settings (WPES ’18)

Abstract: Google’s Ad Settings shows the gender and age that Google has inferred about a web user. We compare the inferred values to the self-reported values of 501 survey participants. We find that Google often does not show an inference, but when it does, it is typically correct. We explore which usage characteristics, such as using privacy-enhancing technologies, are associated […]