“Investigating web service account remediation advice” to appear at SOUPS 21

WSPR PhD Student Lorenzo Neil will present his first first-author paper, titled “Investigating web service account remediation advice” at the 2021 Symposium on Usable Security and Privacy. Lorenzo was assisted by Elijah Bouma-Sims, a WSPR undergraduate now in the PhD program at CMU, NC State undergrad Evan Lafontaine, Dr. Yasemin Acar, and myself.

Abstract:

Online web services are susceptible to account compromises where adversaries gain access to a user’s account. Once compromised, an account must be restored to its pre-compromise state in a process we term “account remediation.” Account remediation is a technically complex process that in most cases is left to the user, though some web services provide guidance to users through help documentation. The quality of this account remediation advice is of paramount importance in assisting victims of account compromise, yet it is unclear if this advice is complete or suitable. In this paper, we analyze account remediation advice from 57 popular U.S.- based web services. We identify five key phases of account remediation, use this five-phase model to develop a codebook of account remediation advice, then analyze topic coverage. We find that only 39% of the web services studied provided advice for all phases of account remediation. We also find that highly-ranked websites and sites with a previously disclosed data breach have more complete coverage than other sites. Our findings show that account remediation should be more carefully and systematically considered by service providers, security researchers, and consumer advocates, and our detailed analysis will aid in creating better guidelines for users and services.

You can find more about the paper here.