Leveraging Cross-Website Coordination to Mitigate Credential Stuffing
Part of the IBM Back to School Series. This is a continuing series held at IBM where university professors share their knowledge and experience with the IBM technical community. Duke CS and Duke ECE is invited to attend as colleagues of the speaker.
Credential stuffing---wherein an attacker attempts logins using stolen account names and passwords at websites other than the sites from which these credentials were stolen---reportedly remains the predominant method of account compromise on the web today, by a very wide margin. In this talk, we will explore the possibility of coordinating across websites to mitigate credential stuffing. We will first describe our research on leveraging coordination across websites to interfere with password reuse by a user, since today's culture of password reuse is what allows credential stuffing to be effective in the first place. Second, since interfering with password reuse would impose a usability burden on users who wish to reuse passwords, we introduce an alternative framework by which websites can cooperate to detect credential stuffing on a user's accounts, without interfering with that user's reuse of passwords at those accounts. Though the design of such frameworks is fraught with risks to users’ security and privacy, we show that these risks can be effectively mitigated through careful scoping of the goals for such frameworks and through principled design, drawing on techniques from cryptography, model checking, anonymous communication, and others. We further demonstrate through working implementations that our frameworks, even with minimal infrastructural support, can scale well enough to be effective for major sectors of the web ecosystem.
Michael Reiter, presently the Lawrence M. Slifkin Distinguished Professor in the Department of Computer Science at the University of North Carolina at Chapel Hill, plans to transition to Duke University in January 2021. His previous positions include Director of Secure Systems Research at Bell Labs, Lucent Technologies (1998-2001), and Professor and founding Technical Director of CyLab at Carnegie Mellon University (2001-2007). Dr. Reiter's research interests include all areas of computer and communications security and distributed computing. He has served as program chair for the flagship computer security conferences of the IEEE, the ACM, and the Internet Society, and as Editor-in-Chief of ACM Transactions on Information and System Security. Dr. Reiter was named an ACM Fellow in 2008 and an IEEE Fellow in 2014. In 2016, he was awarded the Outstanding Contributions Award from the ACM Special Interest Group on Security, Audit and Control (SIGSAC), for "pioneering research contributions and leadership in computer and information security".