Security

Introducing advanced security technology for "protecting" and "creating" a smart world.

The Current State of Usable Security
Security threats arising from the interaction between humans and computer systems

Cyberspace is not only the setting for business; it is also an important part of people's lives. With this increased exposure to threats comes an increased expectation of safe and secure ICT. There are many different types of security measures against these threats, but this article examines usable security: the practice of protecting against threats that arise from the interaction between humans and computer systems, and in particular threats to one's privacy.

What is "Usable Security?"

In recent years, the word "cyber-attack" has become commonplace in the media. Whether the attackers' motive is amusement, attention-seeking, social or political claims, espionage, or monetary gain, these attacks put state institutions, private companies and individual users at risk every day.

Figure 1: Usable Security

Usable security refers to the practice of preventing threats to user security and privacy that arise from the interaction of humans (users) with computer systems. Unlike traditional system and network security, it focuses on users, analyzing their behavior, mental models and decision-making processes. It then feeds these findings back into the design, implementation and operation of computer systems, thereby improving user security and privacy.
Our main focus is threats that originate in online services. Rather than addressing software vulnerabilities or account hijacking, our usable security research looks at security and privacy from the individual user's perspective. As introduced in the first article, according to "10 Major Security Threats 2020," compiled by the IPA (Information-Technology Promotion Agency, Japan), "Personal Information Theft from Services on the Internet" ranked as the 12th biggest threat for individuals and the 8th biggest for organizations, so it is clearly a significant security threat.

Privacy threats on online services from a usable security perspective

Figure 2: Example of error messages displayed when an incorrect user ID or password is input

Let's look at the threat in detail. As an example, consider logging in to an online service with a user ID and password pair.
This service displays the message "This User ID does not exist" if the user ID is wrong, and "Incorrect password" if the user ID is right but the password is wrong. At first glance there seems to be no issue with this, and most people will have seen messages just like these.
But there is a privacy threat hidden here.

What if someone close to you has malicious intent?
Many online services use email addresses as user IDs. So that person might simply try entering the email addresses of people they know, such as their partner, family members, friends or colleagues, with any password at all. If the message "This User ID does not exist" is displayed, the target is not using the service; if "Incorrect password" is displayed, the target has an account.
The fundamental problem is that this attack requires no password, no vulnerability and no special tools: it can be performed by anyone who knows the target's email address, using nothing but the ordinary login form.

Examples of privacy breaches that could be caused by error messages

Figure 3: Privacy breaches that could be caused by error messages

Let's dig a little deeper into what kind of privacy breach this attack could cause.
Take an online job-change service as an example. Knowing that the target holds an account there, the attacker might infer that the target is planning to change jobs in the near future.
In the case of a consumer loan service, the attacker might infer that the target is currently in financial difficulty.
In other words, someone close to you who knows your email address can breach your privacy simply by exploiting these condition-specific error messages.

In our online survey of over 600 people, more than 82% of participants answered that there are sensitive services they would not want others to know they have an account with, such as services for people of specific sexual orientations, adult content services, and consumer loan services. For that 82%, the attack is a breach of their privacy.
On the other hand, 25% of participants answered "Yes" to the question "Have you ever wanted to know whether someone whose email address you know has an account on a particular online service?" That is, one in four people is a potential perpetrator.
In addition, our measurement study of around 100 online services found that almost all of them displayed revealing error messages, so an attacker can determine whether a target has an account on almost any of them.
Taken together, these findings show that this is a practical threat from the people around us.

Examples of Secure Error Messages

So, what countermeasures are effective against this attack? The principle is that the service's response must be identical whether or not the entered user ID is registered, so that the attacker learns nothing from it. Figure 4 shows examples of insecure and secure messages for each login-related function. Note that a message is only one channel: a different HTTP status code, redirect target or response time between the "registered" and "unregistered" branches leaks the same information, so those must be uniform as well.

Figure 4: Examples of Secure Error Messages

Function: Login
  Input: a registered user ID and an incorrect password
    Insecure message: "Incorrect password"
    Secure message:   "Incorrect user ID or password"
  Input: an unregistered user ID and an arbitrary password
    Insecure message: "This user ID does not exist"
    Secure message:   "Incorrect user ID or password"

Function: Password recovery
  Input: a registered user ID
    Insecure message: "We have sent you a link to reset your password."
    Secure message:   "If the email address you input exists in our database, we will send you a link to reset your password."
  Input: an unregistered user ID
    Insecure message: "This is not a registered email address."
    Secure message:   "If the email address you input exists in our database, we will send you a link to reset your password."

Function: Account creation
  Input: a registered user ID
    Insecure message: "This user ID has already been registered."
    Secure message:   "We have sent an account creation link to the input email address."
  Input: an unregistered user ID
    Insecure message: "Account created successfully."
    Secure message:   "We have sent an account creation link to the input email address."
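The following is an added example, not code from the article or from NTT, that puts the attack described above and the Figure 4 countermeasures side by side. It implements the login, password recovery and account creation functions in an insecure form, whose message depends on whether the user ID is registered, and a secure form using the Figure 4 messages; an attacker's oracle then compares the response for a target address with the response for an address that is certainly unregistered. The user database, the address alice@example.com and its password are constructed test data; the fixed salt and the assumption about what the out-of-band e-mail says are simplifications labelled in the comments. The secure login also performs a hash comparison when the user ID is unknown, because a uniform message does not by itself remove the timing difference between the two branches.

```python
"""Account-existence oracle through login-related messages, and its fix.

Added example (not code from the original article or from NTT). The user
database, the e-mail address and the password below are constructed test
data; the message strings follow Figure 4 in the text.
"""
import hashlib
import hmac
import secrets

# One fixed salt keeps the example short; a real service uses a salt per user.
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user database: a single registered account.
USERS = {"alice@example.com": _hash_password("correct horse battery staple")}

# Verified when the user ID is unknown, so that the secure login spends the
# same time whether or not the account exists.
_DUMMY_HASH = _hash_password(secrets.token_hex(16))


# --- Insecure versions: the message reveals whether the ID is registered ---

def login_insecure(user_id: str, password: str) -> str:
    stored = USERS.get(user_id)
    if stored is None:
        return "This user ID does not exist"
    if hmac.compare_digest(stored, _hash_password(password)):
        return "Login successful"
    return "Incorrect password"


def recovery_insecure(user_id: str) -> str:
    if user_id in USERS:
        return "We have sent you a link to reset your password."
    return "This is not a registered email address."


def create_insecure(user_id: str) -> str:
    if user_id in USERS:
        return "This user ID has already been registered."
    return "Account created successfully."


# --- Secure versions: the same message for registered and unregistered IDs ---

def login_secure(user_id: str, password: str) -> str:
    stored = USERS.get(user_id)
    # Always perform exactly one hash comparison, against the dummy hash when
    # the ID is unknown, so both branches take the same time.
    ok = hmac.compare_digest(stored if stored is not None else _DUMMY_HASH,
                             _hash_password(password))
    if stored is not None and ok:
        return "Login successful"
    return "Incorrect user ID or password"


def recovery_secure(user_id: str) -> str:
    # Whether a reset link is actually sent is decided out of band (by e-mail);
    # the web response is identical in both cases.
    return ("If the email address you input exists in our database, "
            "we will send you a link to reset your password.")


def create_secure(user_id: str) -> str:
    # The e-mail, not the web page, tells the recipient what happened
    # (assumption: an existing holder is told the address is already in use).
    return "We have sent an account creation link to the input email address."


# --- Attacker's side ---

def account_exists_oracle(handler, target: str, *args):
    """Compare the response for the target with the response for an address
    that is certainly unregistered. A difference shows that the target has an
    account; identical responses yield no information (None)."""
    control = f"{secrets.token_hex(8)}@example.invalid"
    if handler(target, *args) != handler(control, *args):
        return True
    return None


if __name__ == "__main__":
    target = "alice@example.com"
    for name, insecure, secure, args in [
        ("login", login_insecure, login_secure, ("wrong-guess",)),
        ("password recovery", recovery_insecure, recovery_secure, ()),
        ("account creation", create_insecure, create_secure, ()),
    ]:
        print(f"{name:18} insecure -> {account_exists_oracle(insecure, target, *args)}"
              f"  secure -> {account_exists_oracle(secure, target, *args)}")
```

Run as a script, the three insecure functions each let the oracle conclude that alice@example.com is registered, while the three secure functions give it nothing to work with. The oracle is deliberately one-sided: identical responses mean either "no account" or "the service does not leak," and the attacker cannot tell which, which is exactly the state the secure messages aim for.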

NTT's Usable Security Initiatives

NTT has been conducting research on usable security in order to design systems that encourage secure behavior by users, as part of its effort to understand users' security and privacy awareness and behavior on systems and services, a core part of the field of cyber-security.
NTT Secure Platform Laboratories, which carried out the research introduced here, has raised public awareness of this threat and informed the relevant stakeholders of countermeasures.
Specifically, we worked with the IPA (Information-technology Promotion Agency, Japan) and JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) to notify potentially affected service providers of the threat and its countermeasures, and worked with OWASP (the Open Web Application Security Project), an international open-source community for web security, on revising its web-security guidelines.

Looking Ahead

In recent years, as ICT and other societal systems have become more advanced, the security-related decisions and actions required of users have become increasingly complex. While everyone should be able to benefit equally from ICT, there is a concern that this situation will leave some users behind. For example, when a browser displays a security warning, it is now harder than ever to understand the risk and take appropriate action.
At NTT, we aim to create an ICT society in the truest sense of the word, open to all kinds of people. To achieve this, our goal is security technology that everyone can understand, choose and use appropriately, and usable security will be a major theme in reaching it. One of NTT's strengths is that we provide full-stack services (covering a wide range of fields, from infrastructure construction to applications) across the full life-cycle (from consulting through to maintenance and operations).

Humans are the central element in the relationship between people, computer systems and ICT, and that is unlikely to change. However, as ICT develops and becomes more complex, human awareness may be unable to keep up, and attackers will keep exploiting this gap to launch cyber-attacks.

However ICT evolves in future, NTT will continue to work with users to improve their awareness of ICT, while also improving system designs so that users can make better decisions and use ICT safely and with confidence.

Reference

  1. "Usable Security" (Business Communication 2020 Vol. 57 No. 4)
  2. Ayako Akiyama Hasegawa, Takuya Watanabe, Eitaro Shioji, and Mitsuaki Akiyama, "I know what you did last login: inconsistent messages tell existence of a target's account," ACSAC 2019.
     https://dl.acm.org/doi/10.1145/3359789.3359832

*The names of the laboratories mentioned in the article may have changed since the time of writing/interview.
