Tactics for Account Access Graphs

Luca Arnaboldi; David Aspinall; Christina Kolb; Saša Radomirović

doi:10.1007/978-3-031-51479-1_23

Tactics for Account Access Graphs

Luca Arnaboldi^*
, David Aspinall
, Christina Kolb
, Saša Radomirović

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.

Original language	English
Title of host publication	Computer Security – ESORICS 2023
Subtitle of host publication	28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III
Editors	Gene Tsudik, Mauro Conti, Kaitai Liang, Georgios Smaragdakis
Publisher	Springer
Pages	452-470
Number of pages	19
Volume	3
Edition	1
ISBN (Electronic)	9783031514791
ISBN (Print)	9783031514784
DOIs	https://doi.org/10.1007/978-3-031-51479-1_23
Publication status	Published - 12 Jan 2024
Event	28th European Symposium on Research in Computer Security, ESORICS 2023 - The Hague, Netherlands Duration: 25 Sept 2023 → 29 Sept 2023

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14346 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	28th European Symposium on Research in Computer Security, ESORICS 2023
Country/Territory	Netherlands
City	The Hague
Period	25/09/23 → 29/09/23

Bibliographical note

Publisher Copyright:
© 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.

Keywords

account access graphs
Android
iOS
security
tactics

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-51479-1_23Licence: None: All rights reserved

Cite this

Arnaboldi, L., Aspinall, D., Kolb, C., & Radomirović, S. (2024). Tactics for Account Access Graphs. In G. Tsudik, M. Conti, K. Liang, & G. Smaragdakis (Eds.), Computer Security – ESORICS 2023: 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III (1 ed., Vol. 3, pp. 452-470). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14346 LNCS). Springer. https://doi.org/10.1007/978-3-031-51479-1_23

Arnaboldi, Luca ; Aspinall, David ; Kolb, Christina et al. / Tactics for Account Access Graphs. Computer Security – ESORICS 2023: 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III. editor / Gene Tsudik ; Mauro Conti ; Kaitai Liang ; Georgios Smaragdakis. Vol. 3 1. ed. Springer, 2024. pp. 452-470 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{002ba85bcd8f4e7fb63810578cd1c6ea,

title = "Tactics for Account Access Graphs",

abstract = "Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.",

keywords = "account access graphs, Android, iOS, security, tactics",

author = "Luca Arnaboldi and David Aspinall and Christina Kolb and Sa{\v s}a Radomirovi{\'c}",

note = "Publisher Copyright: {\textcopyright} 2024, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 28th European Symposium on Research in Computer Security, ESORICS 2023 ; Conference date: 25-09-2023 Through 29-09-2023",

year = "2024",

month = jan,

day = "12",

doi = "10.1007/978-3-031-51479-1\_23",

language = "English",

isbn = "9783031514784",

volume = "3",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "452--470",

editor = "Gene Tsudik and Mauro Conti and Kaitai Liang and Georgios Smaragdakis",

booktitle = "Computer Security – ESORICS 2023",

edition = "1",

}

Arnaboldi, L, Aspinall, D, Kolb, C & Radomirović, S 2024, Tactics for Account Access Graphs. in G Tsudik, M Conti, K Liang & G Smaragdakis (eds), Computer Security – ESORICS 2023: 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III. 1 edn, vol. 3, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14346 LNCS, Springer, pp. 452-470, 28th European Symposium on Research in Computer Security, ESORICS 2023, The Hague, Netherlands, 25/09/23. https://doi.org/10.1007/978-3-031-51479-1_23

Tactics for Account Access Graphs. / Arnaboldi, Luca; Aspinall, David; Kolb, Christina et al.
Computer Security – ESORICS 2023: 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III. ed. / Gene Tsudik; Mauro Conti; Kaitai Liang; Georgios Smaragdakis. Vol. 3 1. ed. Springer, 2024. p. 452-470 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14346 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Tactics for Account Access Graphs

AU - Arnaboldi, Luca

AU - Aspinall, David

AU - Kolb, Christina

AU - Radomirović, Saša

PY - 2024/1/12

Y1 - 2024/1/12

N2 - Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.

AB - Account access graphs have been proposed as a way to model relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) as well as multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies, by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications which have been publicised in 2023.

KW - account access graphs

KW - Android

KW - iOS

KW - security

KW - tactics

UR - https://www.scopus.com/pages/publications/85184089041

U2 - 10.1007/978-3-031-51479-1_23

DO - 10.1007/978-3-031-51479-1_23

M3 - Conference contribution

AN - SCOPUS:85184089041

SN - 9783031514784

VL - 3

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 452

EP - 470

BT - Computer Security – ESORICS 2023

A2 - Tsudik, Gene

A2 - Conti, Mauro

A2 - Liang, Kaitai

A2 - Smaragdakis, Georgios

PB - Springer

T2 - 28th European Symposium on Research in Computer Security, ESORICS 2023

Y2 - 25 September 2023 through 29 September 2023

ER -

Arnaboldi L, Aspinall D, Kolb C, Radomirović S. Tactics for Account Access Graphs. In Tsudik G, Conti M, Liang K, Smaragdakis G, editors, Computer Security – ESORICS 2023: 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III. 1 ed. Vol. 3. Springer. 2024. p. 452-470. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). Epub 2024 Jan 11. doi: 10.1007/978-3-031-51479-1_23