Abstract
Account access graphs have been proposed as a way to model the relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) and multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which were publicised in 2023.
References
Abraham, M., Crabb, M., Radomirović, S.: “I’m doing the best I can” - understanding technology literate older adults’ account management strategies. In: Parkin, S.E., Viganò, L. (eds.) Socio-Technical Aspects in Security - 11th International Workshop, STAST 2021, Virtual Event, 8 October 2021, Revised Selected Papers. LNCS, vol. 13176, pp. 86–107. Springer, Cham (2021). https://doi.org/10.1007/978-3-031-10183-0_5
Arnaboldi, L., Aspinall, D.: Towards interdependent safety security assessments using bowties. In: Trapp, M., Schoitsch, E., Guiochet, J., Bitsch, F. (eds.) Computer Safety, Reliability, and Security. SAFECOMP 2022 Workshops: DECSoS, DepDevOps, SASSUR, SENSEI, USDAI, and WAISE Munich, Germany, 6–9 September 2022, Proceedings, pp. 211–229. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-14862-0_16
Blanchet, B., Smyth, B., Cheval, V., Sylvestre, M.: ProVerif 2.00: automatic cryptographic protocol verifier, user manual and tutorial. Version from 16 May 2018 (2018)
Boyer, R.S., Moore, J.S.: A Computational Logic Handbook: Formerly Notes and Reports in Computer Science and Applied Mathematics. Elsevier, New York (2014). https://doi.org/10.1016/C2013-0-10412-6
Budde, C.E., Kolb, C., Stoelinga, M.: Attack trees vs. fault trees: two sides of the same coin from different currencies. In: Quantitative Evaluation of Systems: 18th International Conference, QEST 2021, Paris, France, 23–27 August 2021, Proceedings, pp. 457–467. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-85172-9_24
Cavaglieri, C.: Weak banking security is leaving customers vulnerable to fraud on stolen phones, Which? warns, May 2023
Gordon, M., Milner, R., Morris, L., Newey, M., Wadsworth, C.: A metalanguage for interactive proof in LCF. In: Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 119–130 (1978). https://doi.org/10.1145/512760.512773
Hammann, S., Crabb, M., Radomirović, S., Sasse, R., Basin, D.A.: “I’m surprised so much is connected”. In: Barbosa, S.D.J., et al. (eds.) CHI 2022: CHI Conference on Human Factors in Computing Systems, New Orleans, LA, USA, 29 April 2022–5 May 2022, pp. 620:1–620:13. ACM (2022). https://doi.org/10.1145/3491102.3502125
Hammann, S., Radomirović, S., Sasse, R., Basin, D.: User account access graphs. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 1405–1422, New York, NY, USA. ACM (2019). https://doi.org/10.1145/3319535.3354193
Honan, M.: How Apple and Amazon Security Flaws Led to My Epic Hacking. Wired, August 2012
Rapid7 LLC. Metasploit framework. https://github.com/rapid7/metasploit-framework. Accessed 27 May 2023
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48
Palmer, A.: Here’s how the recent Twitter attacks probably happened and why they’re becoming more common, September 2019
Pöhn, D., Gruschka, N., Ziegler, L.: Multi-account dashboard for authentication dependency analysis. In: ARES 2022: The 17th International Conference on Availability, Reliability and Security, Vienna, Austria, 23–26 August 2022, pp. 39:1–39:13. ACM (2022). https://doi.org/10.1145/3538969.3538987
Stern, J., Nguyen, N.: A basic iPhone feature helps criminals steal your digital life. Wall Street J. (2023). https://www.wsj.com/articles/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a. Accessed 27 May 2023
u/AncientBlueberry42. Reddit thread (and comments) - WSJ: a basic iPhone feature helps criminals steal your entire digital life, February 2023. https://www.reddit.com/r/apple/comments/11awqv5/comment/j9uo56h/. Accessed 4 June 2023
Zhao, J., Ding, B., Guo, Y., Tan, Z., Lu, S.: SecureSIM: rethinking authentication and access control for SIM/eSIM. In: ACM MobiCom 2021: The 27th Annual International Conference on Mobile Computing and Networking, New Orleans, Louisiana, USA, 25–29 October 2021, pp. 451–464. ACM (2021). https://doi.org/10.1145/3447993.3483254
Acknowledgements
This work was partially funded by the UK EPSRC under grant number EP/T027037/1. We’re grateful to Blair Walker and Sándor Bartha for discussions.
A Application Security on Android
As discussed in the paper, the main weakness in the iPhone example is that the device PIN alone gives access to several further accounts on the phone. Whilst iPhones offer no further protection against this [16], Android devices allow individual apps to be locked, so that even if the device PIN is compromised the attacker cannot open the locked apps. This is available in one way or another across manufacturers.
A.1 Xiaomi/POCO/MI
These brands provide the ability to lock individual apps by default. A custom PIN can be chosen, with the limitation that the same PIN must be used for all locked apps.
A.2 OnePlus
OnePlus phones can lock individual apps, each with its own PIN, password or pattern.
A.3 Samsung
Samsung provides a “Secure Folder” feature: a folder locked by a custom PIN, password or pattern into which private apps can be moved (similar to Xiaomi/POCO/MI in terms of protection, since a single secret covers all apps in the folder). We also note that Samsung provides useful guidance on the relative security of the three options.
A.4 Huawei/Honor/ASUS
These three brands allow individual apps to be locked, each with a custom PIN, password or pattern (as above). This is done with an app called AppLock, which comes preinstalled on these devices.
A.5 All Android devices
Just as for Huawei, Honor and ASUS, we note that AppLock can be installed from the Google Play Store, so any Android device can achieve a comparable level of protection, relying on a third-party app rather than a manufacturer feature. We note that the homonymous app on iPhones appears to have reduced functionality, i.e. it only allows locking of photos and files. This is largely due to the sandboxing present on iOS devices.
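The effect of an app lock can be read off an account access graph of the kind the abstract describes: the lock adds a second credential to the route into each locked app, so a stolen device PIN no longer reaches them. The following Python is an added example written for this page, not code from the paper or from the Hammann et al. model; it uses a simplified encoding (each node has a set of alternative routes, each route a set of nodes that must all be held) and a constructed toy scenario of a stolen phone, with node names such as device_pin, app_lock_pin and sms_otp that are assumptions for illustration.

```python
"""Reachability in a simplified account access graph (added example).

Encoding (assumed, simplified): a node is a credential, device or account.
Each node has zero or more access routes; a route is a frozenset of nodes
that must ALL be held (conjunction), and distinct routes are alternatives
(disjunction). The scenario below is constructed for illustration and is
not data from the paper.
"""
from typing import Dict, FrozenSet, Iterable, Set

Graph = Dict[str, Set[FrozenSet[str]]]


def reachable(graph: Graph, known: Iterable[str]) -> Set[str]:
    """Least fixed point: keep adding any node one of whose routes is satisfied."""
    have = set(known)
    changed = True
    while changed:
        changed = False
        for node, routes in graph.items():
            if node not in have and any(route <= have for route in routes):
                have.add(node)
                changed = True
    return have


def phone_without_app_lock() -> Graph:
    """Constructed scenario: the device PIN unlocks the phone; an unlocked phone
    exposes the banking app, the mail app and the SMS inbox; mail plus an SMS
    one-time code is enough to recover a shopping account."""
    return {
        "phone_unlocked": {frozenset({"phone", "device_pin"})},
        "banking_app": {frozenset({"phone_unlocked"})},
        "mail_account": {frozenset({"phone_unlocked"}),
                         frozenset({"mail_password"})},
        "sms_otp": {frozenset({"phone_unlocked"})},
        "shopping_account": {frozenset({"shopping_password"}),
                             frozenset({"mail_account", "sms_otp"})},
    }


def phone_with_app_lock(same_pin: bool) -> Graph:
    """Same scenario with banking and mail placed behind an app lock.

    same_pin=True models reusing the device PIN as the app-lock PIN (worst
    case); same_pin=False models a distinct app-lock PIN (hypothetical node
    app_lock_pin). The SMS inbox is deliberately left unlocked."""
    g = phone_without_app_lock()
    lock = "device_pin" if same_pin else "app_lock_pin"
    g["banking_app"] = {frozenset({"phone_unlocked", lock})}
    g["mail_account"] = {frozenset({"phone_unlocked", lock}),
                         frozenset({"mail_password"})}
    return g


def attacker_gains(graph: Graph, stolen: Set[str]) -> Set[str]:
    """Everything an adversary holding exactly `stolen` can additionally reach."""
    return reachable(graph, stolen) - set(stolen)


if __name__ == "__main__":
    stolen = {"phone", "device_pin"}  # phone snatched after shoulder-surfing the PIN
    print("no app lock:       ", sorted(attacker_gains(phone_without_app_lock(), stolen)))
    print("app lock, same PIN:", sorted(attacker_gains(phone_with_app_lock(True), stolen)))
    print("app lock, own PIN: ", sorted(attacker_gains(phone_with_app_lock(False), stolen)))
```

With a distinct app-lock PIN the adversary who holds only the phone and device PIN is left with the unlocked phone and the SMS inbox; the banking app, the mail account and, through it, the shopping account drop out of the reachable set. Reusing the device PIN as the lock PIN restores the original reachable set, which is the same computation that exposes the Xiaomi-style "one PIN for every locked app" limitation if that PIN ever leaks. The SMS inbox remaining reachable in the constructed model is a reminder that the lock only protects what is placed behind it.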
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Arnaboldi, L., Aspinall, D., Kolb, C., Radomirović, S. (2024). Tactics for Account Access Graphs. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_23
DOI: https://doi.org/10.1007/978-3-031-51479-1_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51478-4
Online ISBN: 978-3-031-51479-1