Characterizing Social Insider Attacks on Facebook

Abstract

Facebook accounts are secured against unauthorized access through passwords and device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to a victim’s account by interacting directly with their device. To characterize these attacks, we ran two MTurk studies. In the first (n = 1,308), using the list experiment method, we estimated that 24% of participants had perpetrated social insider attacks and that 21% had been victims (and knew about it). In the second study (n = 45), participants wrote stories detailing personal experiences with such attacks. Using thematic analysis, we typified attacks around five motivations (fun, curiosity, jealousy, animosity, and utility), and explored dimensions associated with each type. Our combined findings indicate that social insider attacks are common, often have serious emotional consequences, and have no simple mitigation.

Study Material and Design

A complete list of survey material can be downloaded here.

Raw results for the study have been redacted to ensure privacy of the participants.

Study 2: Dimensions of Social Insider Attacks

Study Motivation

We established that social insider attacks are common but what exactly constitutes a social insider attack? In the next study we sought to establish what it means to conduct a social insider attack, what the attacks looked like, why they took place, how they happened, and what the consequences of such attacks were. To find out, we used a qualitative approach to cast as wide a net as possible for the various dimensions that influence, affect, and pertain to social insider attacks.

Methodology

We collected qualitative data through an online survey in which we asked participants to report on social insider attacks in which they were either the perpetrator or the victim. This survey was deployed on Amazon Mechanical Turk. It included a consent form and qualification and demographic questions to ensure that participants were eligible for participation. The main eligibility criterion was having perpetrated, or been the victim of, a social insider attack on Facebook. Other requirements included being at least 15 years old and having used Facebook in the past twelve months. As before, we chose to focus on U.S. participants only; thus being geographically located within the U.S. was required in order to accept the task. Following the consent form and opening questions was an open-ended question asking participants to write a story about a past experience with a social insider attack on Facebook.

To minimize priming participants, we avoided using charged terms in the survey advertisement and questions. Instead of labeling the phenomenon as a social insider attack, we referred to it as an instance where either you accessed the Facebook account of someone you know without their permission, or someone accessed your Facebook account without your permission. We also avoided language that portrayed the incident as overly negative so that participants would not be dissuaded from writing about their experience truthfully. To protect participant anonymity and avoid self-implication, we asked for no personally identifying information in any section of the survey. We asked respondents to use gender-neutral names: Casey for the person who perpetrated the social insider attack, and Alex for the target of the attack.

Data and Analysis

We collected and performed thematic analysis on a total of 45 stories reporting social insider attacks. Stories had a min/mean/max word count of 92/263/527. From these, three researchers inductively created and refined a codebook until saturation was reached at 35 stories. The final codebook had a total of 71 codes across six main themes (perpetrators and victims, premeditation, attack vector, attack variants, attack aftermath, and motivation). A batch of ten more stories was then collected, from which inter-rater reliability for two independent coders was calculated (Cohen's kappa, κ = 0.95).

The codebook developed for the collected stories:

We also developed a co-occurrence table for one of the coders:
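As an added illustration of the two measurements described above (inter-rater reliability on the ten-story reliability batch, and the per-coder co-occurrence table), the following Python computes Cohen's kappa for two coders and builds a code co-occurrence count. This is example code written for this page, not the study's own analysis scripts; the labels and stories below are constructed for illustration and are not the study's data, and the code names used are hypothetical.

```python
from collections import Counter
from itertools import combinations

# Constructed example: two independent coders each assign one "motivation" code
# to the same ten stories. These labels are invented and are not the study's data.
CODER_A = ["fun", "curiosity", "jealousy", "jealousy", "animosity",
           "utility", "curiosity", "fun", "jealousy", "utility"]
CODER_B = ["fun", "curiosity", "jealousy", "animosity", "animosity",
           "utility", "curiosity", "fun", "jealousy", "utility"]

# Constructed example: stories coded by one coder, each carrying several codes
# from different themes (motivation, attack vector, attack variant, aftermath).
# The code names are hypothetical and only stand in for the study's 71 codes.
STORIES = [
    {"curiosity", "unlocked_device", "read_messages"},
    {"jealousy", "unlocked_device", "read_messages", "confrontation"},
    {"fun", "unlocked_device", "posted_status"},
    {"utility", "known_password", "read_messages"},
]


def cohens_kappa(labels_a, labels_b):
    """Cohen's kappa for two raters assigning one nominal label per item.

    kappa = (p_o - p_e) / (1 - p_e), where p_o is the observed fraction of
    items on which the raters agree and p_e is the agreement expected by
    chance given each rater's marginal label frequencies.
    """
    if not labels_a or len(labels_a) != len(labels_b):
        raise ValueError("label sequences must be non-empty and of equal length")
    n = len(labels_a)
    p_o = sum(x == y for x, y in zip(labels_a, labels_b)) / n
    freq_a, freq_b = Counter(labels_a), Counter(labels_b)
    p_e = sum((freq_a[lab] / n) * (freq_b[lab] / n)
              for lab in set(labels_a) | set(labels_b))
    if p_e == 1.0:
        # Both raters used a single label throughout: agreement is total and
        # the usual formula would divide by zero.
        return 1.0
    return (p_o - p_e) / (1 - p_e)


def code_cooccurrence(stories):
    """Count, for every unordered pair of distinct codes, how many stories carry both.

    The result is a Counter keyed by (code1, code2) with code1 < code2, so a pair
    that never co-occurs simply reads as 0.
    """
    pairs = Counter()
    for codes in stories:
        for c1, c2 in combinations(sorted(set(codes)), 2):
            pairs[(c1, c2)] += 1
    return pairs


if __name__ == "__main__":
    print(f"Cohen's kappa: {cohens_kappa(CODER_A, CODER_B):.3f}")
    table = code_cooccurrence(STORIES)
    for (c1, c2), count in sorted(table.items()):
        print(f"{c1:>16} x {c2:<16} {count}")
```

With the constructed labels the coders disagree on one story out of ten, giving an observed agreement of 0.9 against a chance agreement of 0.2 and so κ = 0.875; a value close to the study's 0.95 would need agreement on essentially every item. The co-occurrence counts show, for instance, that the hypothetical `read_messages` and `unlocked_device` codes appear together in two of the four constructed stories.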

Publicity

We have received considerable news coverage of our work:

We also did two radio interviews:

Credits

Research team:

Wali Ahmed Usmani and Ivan Beschastnikh are affiliated with the Network Security and Systems Lab (NSS) @ The University of British Columbia.

Konstantin Beznosov is affiliated with the Laboratory for Education and Research in Secure Systems Engineering (LERSSE) @ The University of British Columbia.

Diogo Marques, Tiago Guerreiro and Luís Carriço are affiliated with the Large-Scale Informatics Systems Laboratory (LaSIGE) @ Universidade de Lisboa.