-
A Representative Study on Human Detection of Artificially Generated Media Across Countries
Authors:
Joel Frank,
Franziska Herbert,
Jonas Ricker,
Lea Schönherr,
Thorsten Eisenhofer,
Asja Fischer,
Markus Dürmuth,
Thorsten Holz
Abstract:
AI-generated media has become a threat to our digital society as we know it. These forgeries can be created automatically and on a large scale based on publicly available technology. Recognizing this challenge, academics and practitioners have proposed a multitude of automatic detection strategies to detect such artificial media. However, in contrast to these technical advances, the human percepti…
▽ More
AI-generated media has become a threat to our digital society as we know it. These forgeries can be created automatically and on a large scale based on publicly available technology. Recognizing this challenge, academics and practitioners have proposed a multitude of automatic detection strategies to detect such artificial media. However, in contrast to these technical advances, the human perception of generated media has not been thoroughly studied yet.
In this paper, we aim at closing this research gap. We perform the first comprehensive survey into people's ability to detect generated media, spanning three countries (USA, Germany, and China) with 3,002 participants across audio, image, and text media. Our results indicate that state-of-the-art forgeries are almost indistinguishable from "real" media, with the majority of participants simply guessing when asked to rate them as human- or machine-generated. In addition, AI-generated media receive is voted more human like across all media types and all countries. To further understand which factors influence people's ability to detect generated media, we include personal variables, chosen based on a literature review in the domains of deepfake and fake news research. In a regression analysis, we found that generalized trust, cognitive reflection, and self-reported familiarity with deepfakes significantly influence participant's decision across all media categories.
△ Less
Submitted 10 December, 2023;
originally announced December 2023.
-
52 Weeks Later: Attitudes Towards COVID-19 Apps for Different Purposes Over Time
Authors:
Marvin Kowalewski,
Christine Utz,
Martin Degeling,
Theodor Schnitzler,
Franziska Herbert,
Leonie Schaewitz,
Florian M. Farke,
Steffen Becker,
Markus Dürmuth
Abstract:
The COVID-19 pandemic has prompted countries around the world to introduce smartphone apps to support disease control efforts. Their purposes range from digital contact tracing to quarantine enforcement to vaccination passports, and their effectiveness often depends on widespread adoption. While previous work has identified factors that promote or hinder adoption, it has typically examined data co…
▽ More
The COVID-19 pandemic has prompted countries around the world to introduce smartphone apps to support disease control efforts. Their purposes range from digital contact tracing to quarantine enforcement to vaccination passports, and their effectiveness often depends on widespread adoption. While previous work has identified factors that promote or hinder adoption, it has typically examined data collected at a single point in time or focused exclusively on digital contact tracing apps. In this work, we conduct the first representative study that examines changes in people's attitudes towards COVID-19-related smartphone apps for five different purposes over the first 1.5 years of the pandemic. In three survey rounds conducted between Summer 2020 and Summer 2021 in the United States and Germany, with approximately 1,000 participants per round and country, we investigate people's willingness to use such apps, their perceived utility, and people's attitudes towards them in different stages of the pandemic. Our results indicate that privacy is a consistent concern for participants, even in a public health crisis, and the collection of identity-related data significantly decreases acceptance of COVID-19 apps. Trust in authorities is essential to increase confidence in government-backed apps and foster citizens' willingness to contribute to crisis management. There is a need for continuous communication with app users to emphasize the benefits of health crisis apps both for individuals and society, thus counteracting decreasing willingness to use them and perceived usefulness as the pandemic evolves.
△ Less
Submitted 12 July, 2023;
originally announced July 2023.
-
Digital Security -- A Question of Perspective. A Large-Scale Telephone Survey with Four At-Risk User Groups
Authors:
Franziska Herbert,
Steffen Becker,
Annalina Buckmann,
Marvin Kowalewski,
Jonas Hielscher,
Yasemin Acar,
Markus Dürmuth,
Yixin Zou,
M. Angela Sasse
Abstract:
This paper investigates the digital security experiences of four at-risk user groups in Germany, including older adults (70+), teenagers (14-17), people with migration backgrounds, and people with low formal education. Using computer-assisted telephone interviews, we sampled 250 participants per group, representative of region, gender, and partly age distributions. We examine their device usage, c…
▽ More
This paper investigates the digital security experiences of four at-risk user groups in Germany, including older adults (70+), teenagers (14-17), people with migration backgrounds, and people with low formal education. Using computer-assisted telephone interviews, we sampled 250 participants per group, representative of region, gender, and partly age distributions. We examine their device usage, concerns, prior negative incidents, perceptions of potential attackers, and information sources. Our study provides the first quantitative and nationally representative insights into the digital security experiences of these four at-risk groups in Germany. Our findings show that participants with migration backgrounds used the most devices, sought more security information, and reported more experiences with cybercrime incidents than other groups. Older adults used the fewest devices and were least affected by cybercrimes. All groups relied on friends and family and online news as their primary sources of security information, with little concern about their social circles being potential attackers. We highlight the nuanced differences between the four at-risk groups and compare them to the broader German population when possible. We conclude by presenting recommendations for education, policy, and future research aimed at addressing the digital security needs of these at-risk user groups.
△ Less
Submitted 12 September, 2023; v1 submitted 25 December, 2022;
originally announced December 2022.
-
A World Full of Privacy and Security (Mis)conceptions? Findings of a Representative Survey in 12 Countries
Authors:
Franziska Herbert,
Steffen Becker,
Leonie Schaewitz,
Jonas Hielscher,
Marvin Kowalewski,
M. Angela Sasse,
Yasemin Acar,
Markus Dürmuth
Abstract:
Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12, 351 participants in 12 count…
▽ More
Misconceptions about digital security and privacy topics in the general public frequently lead to insecure behavior. However, little is known about the prevalence and extent of such misconceptions in a global context. In this work, we present the results of the first large-scale survey of a global population on misconceptions: We conducted an online survey with n = 12, 351 participants in 12 countries on four continents. By investigating influencing factors of misconceptions around eight common security and privacy topics (including E2EE, Wi-Fi, VPN, and malware), we find the country of residence to be the strongest estimate for holding misconceptions. We also identify differences between non-Western and Western countries, demonstrating the need for region-specific research on user security knowledge, perceptions, and behavior. While we did not observe many outright misconceptions, we did identify a lack of understanding and uncertainty about several fundamental privacy and security topics.
△ Less
Submitted 22 December, 2022; v1 submitted 20 December, 2022;
originally announced December 2022.
-
Understanding Users' Interaction with Login Notifications
Authors:
Philipp Markert,
Leona Lassak,
Maximilian Golla,
Markus Dürmuth
Abstract:
Login notifications intend to inform users about sign-ins and help them protect their accounts from unauthorized access. Notifications are usually sent if a login deviates from previous ones, potentially indicating malicious activity. They contain information like the location, date, time, and device used to sign in. Users are challenged to verify whether they recognize the login (because it was t…
▽ More
Login notifications intend to inform users about sign-ins and help them protect their accounts from unauthorized access. Notifications are usually sent if a login deviates from previous ones, potentially indicating malicious activity. They contain information like the location, date, time, and device used to sign in. Users are challenged to verify whether they recognize the login (because it was them or someone they know) or to protect their account from unwanted access. In a user study, we explore users' comprehension, reactions, and expectations of login notifications. We utilize two treatments to measure users' behavior in response to notifications sent for a login they initiated or based on a malicious actor relying on statistical sign-in information. We find that users identify legitimate logins but need more support to halt malicious sign-ins. We discuss the identified problems and give recommendations for service providers to ensure usable and secure logins for everyone.
△ Less
Submitted 31 March, 2024; v1 submitted 14 December, 2022;
originally announced December 2022.
-
Proof-of-Vax: Studying User Preferences and Perception of Covid Vaccination Certificates
Authors:
Marvin Kowalewski,
Franziska Herbert,
Theodor Schnitzler,
Markus Dürmuth
Abstract:
Digital tools play an important role in fighting the current global COVID-19 pandemic. We conducted a representative online study in Germany on a sample of 599 participants to evaluate the user perception of vaccination certificates. We investigated five different variants of vaccination certificates, based on deployed and planned designs in a between-group design, including paper-based and app-ba…
▽ More
Digital tools play an important role in fighting the current global COVID-19 pandemic. We conducted a representative online study in Germany on a sample of 599 participants to evaluate the user perception of vaccination certificates. We investigated five different variants of vaccination certificates, based on deployed and planned designs in a between-group design, including paper-based and app-based variants. Our main results show that the willingness to use and adopt vaccination certificates is generally high. Overall, paper-based vaccination certificates were favored over app-based solutions. The willingness to use digital apps decreased significantly by a higher disposition to privacy, and increased by higher worries about the pandemic and acceptance of the coronavirus vaccination. Vaccination certificates resemble an interesting use case for studying privacy perceptions for health related data. We hope that our work will be able to educate the currently ongoing design of vaccination certificates, will give us deeper insights into privacy of health-related data and apps, and prepare us for future potential applications of vaccination certificates and health apps in general.
△ Less
Submitted 22 June, 2021;
originally announced June 2021.
-
Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google's My Activity (Extended Version)
Authors:
Florian M. Farke,
David G. Balash,
Maximilian Golla,
Markus Dürmuth,
Adam J. Aviv
Abstract:
Privacy dashboards and transparency tools help users review and manage the data collected about them online. Since 2016, Google has offered such a tool, My Activity, which allows users to review and delete their activity data from Google services. We conducted an online survey with $n = 153$ participants to understand if Google's My Activity, as an example of a privacy transparency tool, increases…
▽ More
Privacy dashboards and transparency tools help users review and manage the data collected about them online. Since 2016, Google has offered such a tool, My Activity, which allows users to review and delete their activity data from Google services. We conducted an online survey with $n = 153$ participants to understand if Google's My Activity, as an example of a privacy transparency tool, increases or decreases end-users' concerns and benefits regarding data collection. While most participants were aware of Google's data collection, the volume and detail was surprising, but after exposure to My Activity, participants were significantly more likely to be both less concerned about data collection and to view data collection more beneficially. Only $25\,\%$ indicated that they would change any settings in the My Activity service or change any behaviors. This suggests that privacy transparency tools are quite beneficial for online services as they garner trust with their users and improve their perceptions without necessarily changing users' behaviors. At the same time, though, it remains unclear if such transparency tools actually improve end user privacy by sufficiently assisting or motivating users to change or review data collection settings.
△ Less
Submitted 28 May, 2021;
originally announced May 2021.
-
What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics
Authors:
Stephan Wiefling,
Markus Dürmuth,
Luigi Lo Iacono
Abstract:
Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it…
▽ More
Risk-based authentication (RBA) aims to strengthen password-based authentication rather than replacing it. RBA does this by monitoring and recording additional features during the login process. If feature values at login time differ significantly from those observed before, RBA requests an additional proof of identification. Although RBA is recommended in the NIST digital identity guidelines, it has so far been used almost exclusively by major online services. This is partly due to a lack of open knowledge and implementations that would allow any service provider to roll out RBA protection to its users.
To close this gap, we provide a first in-depth analysis of RBA characteristics in a practical deployment. We observed N=780 users with 247 unique features on a real-world online service for over 1.8 years. Based on our collected data set, we provide (i) a behavior analysis of two RBA implementations that were apparently used by major online services in the wild, (ii) a benchmark of the features to extract a subset that is most suitable for RBA use, (iii) a new feature that has not been used in RBA before, and (iv) factors which have a significant effect on RBA performance. Our results show that RBA needs to be carefully tailored to each online service, as even small configuration adjustments can greatly impact RBA's security and usability properties. We provide insights on the selection of features, their weightings, and the risk classification in order to benefit from RBA after a minimum number of login attempts.
△ Less
Submitted 26 January, 2021;
originally announced January 2021.
-
Apps Against the Spread: Privacy Implications and User Acceptance of COVID-19-Related Smartphone Apps on Three Continents
Authors:
Christine Utz,
Steffen Becker,
Theodor Schnitzler,
Florian M. Farke,
Franziska Herbert,
Leonie Schaewitz,
Martin Degeling,
Markus Dürmuth
Abstract:
The COVID-19 pandemic has fueled the development of smartphone applications to assist disease management. Many "corona apps" require widespread adoption to be effective, which has sparked public debates about the privacy, security, and societal implications of government-backed health applications. We conducted a representative online study in Germany (n = 1,003), the US (n = 1,003), and China (n…
▽ More
The COVID-19 pandemic has fueled the development of smartphone applications to assist disease management. Many "corona apps" require widespread adoption to be effective, which has sparked public debates about the privacy, security, and societal implications of government-backed health applications. We conducted a representative online study in Germany (n = 1,003), the US (n = 1,003), and China (n = 1,019) to investigate user acceptance of corona apps, using a vignette design based on the contextual integrity framework. We explored apps for contact tracing, symptom checks, quarantine enforcement, health certificates, and mere information. Our results provide insights into data processing practices that foster adoption and reveal significant differences between countries, with user acceptance being highest in China and lowest in the US. Chinese participants prefer the collection of personalized data, while German and US participants favor anonymity. Across countries, contact tracing is viewed more positively than quarantine enforcement, and technical malfunctions negatively impact user acceptance.
△ Less
Submitted 1 February, 2021; v1 submitted 27 October, 2020;
originally announced October 2020.
-
More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
Authors:
Stephan Wiefling,
Markus Dürmuth,
Luigi Lo Iacono
Abstract:
Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability a…
▽ More
Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.
We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users' perception of RBA and helps to improve RBA implementations for a broader user acceptance.
△ Less
Submitted 1 October, 2020;
originally announced October 2020.
-
Evaluation of Risk-based Re-Authentication Methods
Authors:
Stephan Wiefling,
Tanvi Patil,
Markus Dürmuth,
Luigi Lo Iacono
Abstract:
Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests for an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art…
▽ More
Risk-based Authentication (RBA) is an adaptive security measure that improves the security of password-based authentication by protecting against credential stuffing, password guessing, or phishing attacks. RBA monitors extra features during login and requests for an additional authentication step if the observed feature values deviate from the usual ones in the login history. In state-of-the-art RBA re-authentication deployments, users receive an email with a numerical code in its body, which must be entered on the online service. Although this procedure has a major impact on RBA's time exposure and usability, these aspects were not studied so far.
We introduce two RBA re-authentication variants supplementing the de facto standard with a link-based and another code-based approach. Then, we present the results of a between-group study (N=592) to evaluate these three approaches. Our observations show with significant results that there is potential to speed up the RBA re-authentication process without reducing neither its security properties nor its security perception. The link-based re-authentication via "magic links", however, makes users significantly more anxious than the code-based approaches when perceived for the first time. Our evaluations underline the fact that RBA re-authentication is not a uniform procedure. We summarize our findings and provide recommendations.
△ Less
Submitted 18 August, 2020;
originally announced August 2020.
-
Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
Authors:
Stephan Wiefling,
Luigi Lo Iacono,
Markus Dürmuth
Abstract:
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services…
▽ More
Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA.
In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.
△ Less
Submitted 17 March, 2020;
originally announced March 2020.
-
This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
Authors:
Philipp Markert,
Daniel V. Bailey,
Maximilian Golla,
Markus Dürmuth,
Adam J. Aviv
Abstract:
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surpris…
▽ More
In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n=1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blocklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blocklists are in use today by iOS, for 4-digits (274 PINs) as well as 6-digits (2910 PINs). We extracted both blocklists compared them with four other blocklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blocklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blocklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blocklist at about 10% of the PIN space may provide the best balance between usability and security.
△ Less
Submitted 16 June, 2021; v1 submitted 10 March, 2020;
originally announced March 2020.
-
A Survey of Collection Methods and Cross-Data Set Comparison of Android Unlock Patterns
Authors:
Adam J. Aviv,
Markus Duermuth
Abstract:
Android's graphical password unlock remains one of the most widely used schemes for phone unlock authentication, and it is has been studied extensively in the last decade since its launch. We have learned that users' choice of patterns mimics the poor password choices in other systems, such as PIN or text-based passwords. A wide variety of analysis and data collections methods was used to reach th…
▽ More
Android's graphical password unlock remains one of the most widely used schemes for phone unlock authentication, and it is has been studied extensively in the last decade since its launch. We have learned that users' choice of patterns mimics the poor password choices in other systems, such as PIN or text-based passwords. A wide variety of analysis and data collections methods was used to reach these conclusions, but what is missing from the literature is a systemized comparison of the related work in this space that compares both the methodology and the results. In this paper, we take a detailed accounting of the different methods applied to data collection and analysis for Android unlock patterns. We do so in two dimensions. First we systemize prior work into a detailed taxonomy of collection methods, and in the second dimension, we perform a detailed analysis of 9 different data sets collected using different methods. While this study focuses singularly on the collection methods and comparisons of the Android pattern unlock scheme, we believe that many of the findings generalize to other graphical password schemes, unlock authentication technology, and other knowledge-based authentication schemes.
△ Less
Submitted 26 November, 2018;
originally announced November 2018.
-
When Privacy meets Security: Leveraging personal information for password cracking
Authors:
Claude Castelluccia,
Abdelberi Chaabane,
Markus Dürmuth,
Daniele Perito
Abstract:
Passwords are widely used for user authentication and, despite their weaknesses, will likely remain in use in the foreseeable future. Human-generated passwords typically have a rich structure, which makes them susceptible to guessing attacks. In this paper, we study the effectiveness of guessing attacks based on Markov models. Our contributions are two-fold. First, we propose a novel password crac…
▽ More
Passwords are widely used for user authentication and, despite their weaknesses, will likely remain in use in the foreseeable future. Human-generated passwords typically have a rich structure, which makes them susceptible to guessing attacks. In this paper, we study the effectiveness of guessing attacks based on Markov models. Our contributions are two-fold. First, we propose a novel password cracker based on Markov models, which builds upon and extends ideas used by Narayanan and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than all probabilistic password crackers we compared again t. Second, we systematically analyze the idea that additional personal information about a user helps in speeding up password guessing. We find that, on average and by carefully choosing parameters, we can guess up to 5% more passwords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually based on personal attributes. These passwords are clearly weaker and should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to systematically study the relationship between chosen passwords and users' personal information. We test and validate our results over a wide collection of leaked password databases.
△ Less
Submitted 24 April, 2013;
originally announced April 2013.
-
X-pire! - A digital expiration date for images in social networks
Authors:
Julian Backes,
Michael Backes,
Markus Dürmuth,
Sebastian Gerling,
Stefan Lorenz
Abstract:
The Internet and its current information culture of preserving all kinds of data cause severe problems with privacy. Most of today's Internet users, especially teenagers, publish various kinds of sensitive information, yet without recognizing that revealing this information might be detrimental to their future life and career. Unflattering images that can be openly accessed now and in the future,…
▽ More
The Internet and its current information culture of preserving all kinds of data cause severe problems with privacy. Most of today's Internet users, especially teenagers, publish various kinds of sensitive information, yet without recognizing that revealing this information might be detrimental to their future life and career. Unflattering images that can be openly accessed now and in the future, e.g., by potential employers, constitute a particularly important such privacy concern. We have developed a novel, fast, and scalable system called X-pire! that allows users to set an expiration date for images in social networks (e.g., Facebook and Flickr) and on static websites, without requiring any form of additional interaction with these web pages. Once the expiration date is reached, the images become unavailable. Moreover, the publishing user can dynamically prolong or shorten the expiration dates of his images later, and even enforce instantaneous expiration. Rendering the approach possible for social networks crucially required us to develop a novel technique for embedding encrypted information within JPEG files in a way that survives JPEG compression, even for highly optimized implementations of JPEG post-processing with their various idiosyncrasies as commonly used in such networks. We have implemented our system and conducted performance measurements to demonstrate its robustness and efficiency.
△ Less
Submitted 12 December, 2011;
originally announced December 2011.
