Tadek Pietraszek
Authored Publications
Protecting accounts from credential stuffing with password breach alerting
Jennifer Pullman
Kevin Yeo
Ananth Raghunathan
Patrick Gage Kelley
Borbala Benko
Sarvar Patel
Dan Boneh
Proceedings of the USENIX Security Symposium, Usenix (2019)
Protecting accounts from credential stuffing attacks remains burdensome due to an asymmetry of knowledge: attackers have wide-scale access to billions of stolen usernames and passwords, while users and identity providers remain in the dark as to which accounts require remediation. In this paper, we propose a privacy-preserving protocol whereby a client can query a centralized breach repository to determine whether a specific username and password combination is publicly exposed, but without revealing the information queried. Here, a client can be an end user, a password manager, or an identity provider. To demonstrate the feasibility of our protocol, we implement a cloud service that mediates access to over 4 billion credentials found in breaches and a Chrome extension serving as an initial client. Based on anonymous telemetry from nearly 670,000 users and 21 million logins, we find that 1.5% of logins on the web involve breached credentials. By alerting users to this breach status, 26% of our warnings result in users migrating to a new password, at least as strong as the original. Our study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking.
Picasso: Lightweight Device Class Fingerprinting for Web Clients
Artem Malyshev
Workshop on Security and Privacy in Smartphones and Mobile Devices (2016)
In this work we present Picasso: a lightweight device class fingerprinting protocol that allows a server to verify the software and hardware stack of a mobile or desktop client. As an example, Picasso can distinguish between traffic sent by an authentic iPhone running Safari on iOS and traffic from an emulator or desktop client spoofing the same configuration. Our fingerprinting scheme builds on unpredictable yet stable noise introduced by a client's browser, operating system, and graphical stack when rendering HTML5 canvases. Our algorithm is resistant to replay and includes a hardware-bound proof of work that forces a client to expend a configurable amount of CPU and memory to solve challenges. We demonstrate that Picasso can distinguish 52 million Android, iOS, Windows, and OSX clients running a diversity of browsers with 100% accuracy. We discuss applications of Picasso in abuse fighting, including protecting the Play Store or other mobile app marketplaces from inorganic interactions, or identifying login attempts to user accounts from previously unseen device classes.
Dialing Back Abuse on Phone Verified Accounts
Dmytro Iatskiv
Chris Grier
Damon McCoy
Proceedings of the 21st ACM Conference on Computer and Communications Security (2014)
In the past decade the increase of for-profit cybercrime has given rise to an entire underground ecosystem supporting large-scale abuse, a facet of which encompasses the bulk registration of fraudulent accounts. In this paper, we present a 10-month longitudinal study of the underlying technical and financial capabilities of criminals who register phone verified accounts (PVA). To carry out our study, we purchase 4,695 Google PVA and acquire a random sample of 300,000 Google PVA through a collaboration with Google. We find that miscreants rampantly abuse free VOIP services to circumvent the intended cost of acquiring phone numbers, in effect undermining phone verification. Combined with short-lived phone numbers from India and Indonesia that we suspect are tied to human verification farms, this confluence of factors correlates with a market-wide price drop of 30-40% for Google PVA until Google penalized verifications from frequently abused carriers. We distill our findings into a set of recommendations for any services performing phone verification and highlight open challenges related to PVA abuse moving forward.
Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild
Borbala Benko
Daniel Margolis
Andy Archer
Allan Aquino
Andreas Pitsillidis
Stefan Savage
IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference, ACM, pp. 347-358
Online accounts are inherently valuable resources---both for the data they contain and the reputation they accrue over time. Unsurprisingly, this value drives criminals to steal, or hijack, such accounts. In this paper we focus on manual account hijacking---account hijacking performed manually by humans instead of botnets. We describe the details of the hijacking workflow: the attack vectors, the exploitation phase, and post-hijacking remediation. Finally we share, as a large online company, which defense strategies we found effective to curb manual hijacking.