ABSTRACT
Identity leakage is the public disclosure of user accounts that were stolen from an online service provider, e.g., email addresses and passwords. Identity leakage is an emerging threat to the security of user accounts because the number of online identities grows notably faster than the number of distinct email addresses and passwords in use.
To protect users against potential identity theft after a cyber heist, a system that proactively warns the victims seems inevitable. The design of such a system must meet technical, legal and psychological goals: for example, the system has to comply with the General Data Protection Regulation, and users do not want to be flooded with warnings about potential identity thefts.
In this paper, we propose a warning management system for online service providers that want to cooperate while keeping their users' data private from each other. Most importantly, victims are informed only once if their user identity is found in an identity leak, and the cooperating service providers preserve the privacy of the victims by design. Our warning system therefore complies with the NIST recommendation.
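The two properties the abstract promises, cooperating providers that never see each other's plaintext user data and a victim who is warned only once per leak, can be sketched in a few lines. The following is an added illustration, not code from the paper, and it does not claim to reproduce the paper's mechanism: it assumes a keyed hash (HMAC-SHA256 under a key the providers share) as the pseudonymization step, a hypothetical `WarningCoordinator` that matches leaked pseudonyms against each provider's pseudonym set, and a delivery registry keyed on (pseudonym, leak id) that suppresses duplicate warnings. All user data and the leak are constructed sample values.

```python
import hashlib
import hmac

# Assumption for illustration: the cooperating providers agree on one secret key
# so that equal addresses map to equal pseudonyms. The paper does not specify
# its pseudonymization scheme; this is a placeholder, not the paper's design.
SHARED_KEY = b"placeholder-key-agreed-between-providers"


def pseudonymize(email: str, key: bytes = SHARED_KEY) -> str:
    """Keyed hash of a normalized address; plaintext never leaves the provider."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


class Provider:
    """A cooperating online service provider (hypothetical class)."""

    def __init__(self, name: str, emails):
        self.name = name
        # Plaintext stays local; only the pseudonym set is ever exposed.
        self._users = {pseudonymize(e): e for e in emails}
        self.warned = []  # (email, leak_id) pairs this provider warned about

    def pseudonyms(self):
        return set(self._users)

    def warn(self, pseudonym: str, leak_id: str) -> None:
        self._users[pseudonym]  # KeyError if the coordinator sent a stranger
        self.warned.append((self._users[pseudonym], leak_id))


class WarningCoordinator:
    """Hypothetical matcher: sees pseudonyms only, never provider plaintext."""

    def __init__(self):
        self._delivered = set()  # (pseudonym, leak_id) already warned

    def process_leak(self, leak_id: str, leaked_emails, providers) -> int:
        """Warn each affected victim exactly once for this leak; return count."""
        leaked = {pseudonymize(e) for e in leaked_emails}
        delivered_now = 0
        for pseudo in sorted(leaked):  # sorted only for reproducible order
            if (pseudo, leak_id) in self._delivered:
                continue  # same victim, same leak: already informed
            for provider in providers:
                if pseudo in provider.pseudonyms():
                    provider.warn(pseudo, leak_id)
                    self._delivered.add((pseudo, leak_id))
                    delivered_now += 1
                    break  # one warning even if the user has several accounts
        return delivered_now


# Constructed sample data (not from the paper).
PROVIDER_A_USERS = ["alice@example.org", "bob@example.org"]
PROVIDER_B_USERS = ["Alice@Example.org", "carol@example.org"]  # alice twice
LEAK_1 = ["alice@example.org", "carol@example.org", "dave@example.org"]


def demo():
    """Run the leak twice; the second pass must deliver no new warnings."""
    a = Provider("A", PROVIDER_A_USERS)
    b = Provider("B", PROVIDER_B_USERS)
    coord = WarningCoordinator()
    first = coord.process_leak("leak-1", LEAK_1, [a, b])
    second = coord.process_leak("leak-1", LEAK_1, [a, b])
    return first, second, a.warned, b.warned


if __name__ == "__main__":
    print(demo())
```

Alice holds accounts at both providers, but because the coordinator stops at the first matching provider she receives a single warning; Dave appears in the leak but is no customer, so nobody is told anything about him; and re-feeding the same leak yields zero deliveries. Neither provider ever learns the other's user list, only whether a given leaked pseudonym was handled.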