Human Factors in Security Phishing Scam Leaked Credentials

Human Factors in Security Phishing, Scam, Leaked Credentials • Phishing and spoofing – Why email spoofing is still possible? – How could spoofing/phishing emails penetrate the current defense? – How to build robust and usable phishing detection and alert systems Measurement + User study • Poor defense: SPF/DKIM/DMARC, 4%~48% adoption rate • Spoofing indicators are largely missing • Mobile phishing is even more serious Gmail

Human Factors in Security (Cont. ) Phishing, Scam, Leaked Credentials • Understanding the persistent threat from leaked credentials – How often do users reuse or modify passwords across services? – How quickly do users change the reused (leaked) passwords? – Are modified passwords predicable? • Empirical approach instead of user studies – Data-driven: 28 M users, 62 M passwords, 107 services – 52% of users reused or modified passwords across services o Email and shopping passwords mostly reused – Guessing algorithm: 16 Million passwords cracked in < 10 guesses

Adversarial Machine Learning in the physical domain Stop Sign • Fool a machine learning system is relatively easy – Most work focuses on the “digital domain” – Machine learning cannot (does not) reason like human + • New challenges in the physical domain – Various sources of errors make the attack more difficult View angle, distance, quantization, resolution – Attacks require training data from the physical world, expensive – Can we model the differences between digital and physical world? – How to defend against adversarial attacks? = o Yield Sign

Other Projects • GPS spoofing to attack mobile navigation systems (self-driving car) – In preparation • Crowdsourcing social media data to detect security events – CIKM 2017 • Mobile deep links to hijack web-to-mobile communications – USENIX Security 2017 • Detecting collusion between mobile apps – Asia CCS 2017, Mo. ST 2017 • The social aspects of mobile payments – ICWMS 2017, GROUP 2018 4