Abstract
Account access graphs have been proposed as a way to model the relationships between user credentials, accounts, and methods of access; they capture both multiple simultaneous access routes (e.g., for multi-factor authentication) and multiple alternative access routes (e.g., for account recovery). In this paper we extend the formalism with state transitions and tactics. State transitions capture how access may change over time as users or adversaries use access routes and add or remove credentials and accounts. Tactics allow us to model and document attacker techniques or resilience strategies by writing small programs. We illustrate these ideas using some attacks against mobile authentication and banking applications that were publicised in 2023.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Computer Security – ESORICS 2023 |
| Subtitle of host publication | 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part III |
| Editors | Gene Tsudik, Mauro Conti, Kaitai Liang, Georgios Smaragdakis |
| Pages | 452-470 |
| Number of pages | 19 |
| ISBN (Electronic) | 978-3-031-51479-1 |
| Publication status | Published - 2024 |
| Externally published | Yes |
| Event | 28th European Symposium on Research in Computer Security, ESORICS 2023 - The Hague, Netherlands |
| Duration | 25 Sept 2023 → 29 Sept 2023 |
| Conference number | 28 |
Conference

| Field | Value |
|---|---|
| Conference | 28th European Symposium on Research in Computer Security, ESORICS 2023 |
| Abbreviated title | ESORICS 2023 |
| Country/Territory | Netherlands |
| City | The Hague |
| Period | 25/09/23 → 29/09/23 |