Tactics for Account Access Graphs

Luca Arnaboldi; David Aspinall; Christina Kolb; Saša Radomirović

doi:10.1007/978-3-031-51479-1_23

Tactics for Account Access Graphs

Luca Arnaboldi^*, David Aspinall, Christina Kolb, Saša Radomirović

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.

Original language	English
Title of host publication	Computer Security – ESORICS 2023
Editors	Gene Tsudik, Mauro Conti, Kaitai Liang, Georgios Smaragdakis
Publisher	Springer
Pages	452-470
Number of pages	19
ISBN (Electronic)	9783031514791
ISBN (Print)	9783031514784
DOIs	https://doi.org/10.1007/978-3-031-51479-1_23
Publication status	Published - 12 Jan 2024
Event	28th European Symposium on Research in Computer Security 2023 - The Hague, Netherlands Duration: 25 Sept 2023 → 29 Sept 2023

Publication series

Name	Lecture Notes in Computer Science
Volume	14346
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	28th European Symposium on Research in Computer Security 2023
Abbreviated title	ESORICS 2023
Country/Territory	Netherlands
City	The Hague
Period	25/09/23 → 29/09/23

Keywords

account access graphs
Android
iOS
security
tactics

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-51479-1_23

Cite this

@inproceedings{690515b5eab7437db500cac67036d273,

title = "Tactics for Account Access Graphs",

abstract = "Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.",

keywords = "account access graphs, Android, iOS, security, tactics",

author = "Luca Arnaboldi and David Aspinall and Christina Kolb and Sa{\v s}a Radomirovi{\'c}",

note = "Publisher Copyright: {\textcopyright} 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 28th European Symposium on Research in Computer Security 2023, ESORICS 2023 ; Conference date: 25-09-2023 Through 29-09-2023",

year = "2024",

month = jan,

day = "12",

doi = "10.1007/978-3-031-51479-1\_23",

language = "English",

isbn = "9783031514784",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "452--470",

editor = "Gene Tsudik and Mauro Conti and Kaitai Liang and Georgios Smaragdakis",

booktitle = "Computer Security – ESORICS 2023",

}

Arnaboldi, L, Aspinall, D, Kolb, C & Radomirović, S 2024, Tactics for Account Access Graphs. in G Tsudik, M Conti, K Liang & G Smaragdakis (eds), Computer Security – ESORICS 2023. Lecture Notes in Computer Science, vol. 14346, Springer, pp. 452-470, 28th European Symposium on Research in Computer Security 2023, The Hague, Netherlands, 25/09/23. https://doi.org/10.1007/978-3-031-51479-1_23

TY - GEN

T1 - Tactics for Account Access Graphs

AU - Arnaboldi, Luca

AU - Aspinall, David

AU - Kolb, Christina

AU - Radomirović, Saša

PY - 2024/1/12

Y1 - 2024/1/12

N2 - Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.

AB - Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.

KW - account access graphs

KW - Android

KW - iOS

KW - security

KW - tactics

UR - https://www.scopus.com/pages/publications/85184089041

U2 - 10.1007/978-3-031-51479-1_23

DO - 10.1007/978-3-031-51479-1_23

M3 - Conference contribution

AN - SCOPUS:85184089041

SN - 9783031514784

T3 - Lecture Notes in Computer Science

SP - 452

EP - 470

BT - Computer Security – ESORICS 2023

A2 - Tsudik, Gene

A2 - Conti, Mauro

A2 - Liang, Kaitai

A2 - Smaragdakis, Georgios

PB - Springer

T2 - 28th European Symposium on Research in Computer Security 2023

Y2 - 25 September 2023 through 29 September 2023

ER -