Analyzing Email Account Creation: Expectations v/s Reality
Vishal Kumar
Department of CSE, BTKIT
Dwarahat, Almora, Uttarakhand, India
Kunwar Singh Vaisla, SMIEEE
Department of CSE, BTKIT
Dwarahat, Almora, Uttarakhand, India
Jaydeep Kishore
Department of CSE, SIT
Pithoragarh, India
Abstract—Email is the most used mode of communication in
the present era. An email account is now a necessity, as it is
part of all application forms on the Internet. We have identified
some deficiencies of the present email account creation system
of available email service providers and discuss a previously
unconsidered avenue by which a user can create any number
of fake accounts without restriction. We present the results of
our study on the most popular email service providers. Our
approach is simple, and our analysis shows that it is an easy
task to harm a known person by creating such fake accounts
instead of compromising others' accounts, which is more
tedious. We also outline our defense mechanisms to mitigate
the creation of fake email accounts and enhance security.
Keywords-Privacy; Identity; Online social networks; Email;
OTP
I. INTRODUCTION
There are around 2.2 billion email users in the world [1],
and over the past few years the number of internet users has
risen due to the immense popularity of online social networks.
People who sign up for these services trust the system with
their personal information. A lot of work has been done to
identify fake data, images or identities on online social
media [2, 3]. With the increase in the usage of social
networks, we need to be concerned about privacy and security.
Public awareness of privacy concerns and vulnerability has
grown, but many users still remain incognizant of the
potential for their personal information to be used or
compromised by malicious attackers and, in some cases, by the
service providers themselves. Our investigation found that
malicious adversaries try to gain information about other
people’s accounts using fake accounts. The privacy policy
intends to secure user data, but do we really need to secure
fake data? The survey says Facebook [17] has 8.7% bogus
accounts, roughly 83 million accounts [4]. The main cause
behind fake accounts is fake email accounts. This means that
to overcome this problem we need to track back. These
malicious accounts also play a vital role in phishing.
Therefore the consequences of fake email accounts may result
in damage, chaos and monetary losses in the real world. We
present the related work in Section II. In Section III, we
present our experimental work to create fake accounts on
various popular email service providers. Section IV indicates
the results from these experiments. Section V shows defense
mechanisms to mitigate this problem. Section VI concludes our
paper with some future work to be done.
II. RELATED WORK
A lot of work has been done by researchers and academicians
on social networks, in areas like spam detection, networking,
privacy and security. The authors in [5] review different
security and privacy risks which threaten the well-being of
OSN users and illustrate different classic threats with
real-life scenarios. M. Egele et al. [6] developed a tool
called COMPA to detect compromised user accounts in social
networks on Twitter and Facebook. The approach uses a
composition of statistical modeling and anomaly detection to
identify accounts that experience a sudden change in behavior.
A. Gupta et al. [7] analyzed malicious content posted online
during the Boston crisis event on Twitter and show that a
large number of users with high social reputation and verified
accounts were responsible for spreading the fake content.
L. Bilge et al. [8] investigate automated crawling and
identity theft attacks against a number of popular social
networking sites. In this paper we investigate the actual
cause behind the scene, i.e., the fake email accounts on the
internet.
III. THE EXPERIMENT
We identified the following questions regarding deficiencies
in the present email system. How efficient is our email service
system? Is it efficient enough to trace out fake email
accounts? The experiments on popular email service
providers expose the deficiencies of the present system. We
created fake email accounts on popular email service
providers like Yahoo [13], Rediff [14], Gmail [15] and Hotmail
[16]. In this paper, we focus on measuring the disparity
between the desired and the actual scenarios of creating a
new email account.
We started our experimental work with Hotmail. In the
process of account creation we input all the data, like
name, date of birth, mobile number, and even alternate
email account details, as bogus. We were offered a choice of
username. Hotmail mainly focuses on creating a strong
password to ensure the safety of user accounts. To be
strong, a password should have capital letters, numerals and
symbols. You must take care that your password does not
contain your first or last name. So that users can reset their
password, two choices are given: enter either your mobile
number or an alternate email account. At last, input your
2014 Fourth International Conference on Communication Systems and Network Technologies
978-1-4799-3070-8/14 $31.00 © 2014 IEEE
DOI 10.1109/CSNT.2014.126
597
location to complete sign up along with your postal code. It
was surprising that neither the mobile number nor an alternate
email account was verified. A new email account with a
welcome message is ready to use.
TABLE I. USER ATTRIBUTES FOR NEW EMAIL ACCOUNT
Attributes                     Description
Name (F_Name M_Name L_Name)    Name of the user who owns the account
Username                       combination of alphabets and numerals excluding special symbols
Password                       combination of alphabets and numerals including special symbols
Date of Birth                  User must be 13+
Gender                         Comes with 3 options M/F/other
Mobile Phone                   It offers 2 advantages; security and resetting the password
Alternate Email                Email account on any other email service provider in case of resetting the password
Location                       Nationality
We repeated the same experiment on Rediff. The
procedure requires similar inputs as discussed above. On
comparing, we found the difference: a user does not require a
mobile number or an alternate email account to create a new
email account on Rediff. In lieu, the user can opt for a
security question. A new email account with a welcome message
is ready to use. A user account on Rediff can easily be
compromised, as it allows opting your own name as your
password.
In other words, password creation on Rediff suffers from bad
practice. We continued the process on Yahoo. The process of
data filling is the same as earlier. Yahoo emphasizes creating
a strong password, similar to Hotmail. If you do not have an
alternate email then you need to have some security
questions. Yahoo has the same deficiency and leaves the
mobile number unverified.
Finally, we ended with new email account creation on Gmail.
Undoubtedly, email creation is better and more effective on
Gmail. The two-step verification on Gmail verifies your
account by sending an OTP to your mobile number. You may
opt to receive the codes either through text messages (SMS)
or via voice call. Once you verify the code received on the
phone, it means you are an authorized user.
IV. RESULTS
Nearly half of the users who have access to the Internet
are members of some online social networks [10]. Users are
dependent on email services to create a profile on an online
social network, as shown in Fig. 1. It means that the email
account is the root cause of fake accounts on social networks.
After analyzing the attributes listed in Table 1, we found that
the attributes are sufficient to develop a defense mechanism to
restrict fake account creation. During account creation a user
can willingly feed a wrong entry, like name or date of birth,
to create a bogus account. The drawback is that no email
service provider verifies the data inputted by the user.
Suppose A wants an email account with a fake name B. It is
easy and possible in the current system. Even if A is a
genuine user, there is still no way to verify her data. Rediff,
Hotmail and Yahoo ask for the user's mobile number, but none
of them verify the correctness of the number, such as whether
the number is working or not, valid or not, simply by sending a
verification code to it. It shows that the collection of data
is merely a formality.
Figure 1. (a) Sign Up Process of Facebook
Figure 1. (b) Sign Up Process of Twitter
Figure 1. (c) Sign Up Process of Pinterest
Figure 1. (d) Sign Up Process of LinkedIn
Figure 1. Sign Up Process of popular online Social Networks
We found that only Google offers two-step verification
when a user creates a new account. Google sends a
verification code to the mobile number, which must be fed in
to access your account. Google offers to deliver the one-time
account verification by either of two methods. With SMS
verification, the user gets a unique PIN at the mobile phone
number. Upon entering that PIN, the account will be verified
and the user is authorized to access the account. Google does
not charge for SMS verification.
The other method to receive the verification code is through
a voice call. Even Google can be fooled using Pinger [12].
Pinger offers virtual mobile numbers to send and receive text
messages or voice calls. A CAPTCHA is ubiquitously
deployed by all email service providers and online social
networks for guarding account registration, comment
posting, and so on [9].
V. THE PROPOSED SOLUTION
In our experiment, we found that the data requested by
any email service provider is sufficient. It means that we
need to search for the solution within these attributes. We
assume the user's mobile number to be a mandatory field to be
inputted by the user. Assuming that all users provide their
mobile number during email creation, our proposed solution
has two approaches:
A. Using Truecaller
Truecaller [11] is a global phone directory application for
smart and feature phones, also accessible through its web
site, developed by True Software Scandinavia AB. It finds
contact details globally given a name or telephone number, and
has an integrated caller ID service using crowdsourcing to
achieve call-blocking functionality and social media
integration to keep the phonebook up-to-date with pictures
and birthdays. The name has been given to the application as
it returns the true name of the caller. An interface can be
created between the email service providers and Truecaller to
verify the mobile number entered by the user. The
application returns the name of the user along with the
location where the SIM is registered.
Figure 2. True Caller Screen
This approach has its own limitations. A user can fool it to
get information about the mobile number's owner simply by
trials, and the same can be used to create an account.
B. Using Identity Resolution
This scheme of identity resolution follows two
processes: identity search and identity matching.
• The identity search process sends a request to the mobile
operator’s database to look up and verify the desired
information obtained from the user.
• The identity matching process is the outcome of the identity
search process in the form of valid or invalid data: valid
in the case that the data matches and invalid otherwise.
The identity matching process calculates the similarity between
the data available in the mobile operator’s database
and the data inputted by the user.
The methodology is shown in Figure 3. The user
communicates with the email service provider, which in
turn communicates with the mobile operator for the valid
data.
Figure 3. Methodology
a. Identity Search
For a user U, we are given her identity and her mobile
number as a verification parameter S, which serves as the
search parameter. The email service provider sends a request
to the mobile operator for verification.
Any search method takes a source and a set of search
parameters as input and retrieves a set of candidate items
which hold similar values for the search parameters. For an
identity search algorithm, the source can be the given identity
and the search parameter a mobile number on her identity
dimensions.
b. Identity Matching
If the data supplied by the email service provider matches
the user data that the mobile operator holds for the mobile
number, the user is genuine. We need to create a matching
function that returns the value 1 if the query sent
matches the mobile operator data and 0 otherwise.
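The two processes described above can be sketched as follows. This is an added example, not code from the paper: the operator directory, the function names, the default country code and the 0.85 similarity threshold are all assumptions, and the sample records are constructed.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for the mobile operator's subscriber database.
OPERATOR_DB = {
    "+919800000001": {"name": "Asha Devi Rawat", "dob": "1990-04-12"},
    "+919800000002": {"name": "Rohit Kumar", "dob": "1988-11-30"},
}

def normalize_msisdn(raw, default_cc="+91"):
    """Reduce a typed number to +<country code><digits> for exact lookup."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    return default_cc + digits.lstrip("0")   # assumed default: India

def normalize_name(name):
    """Case-fold, drop accents and punctuation, ignore token order."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z]+", text.lower())))

def identity_search(mobile):
    """Identity search: operator record for search parameter S, or None."""
    return OPERATOR_DB.get(normalize_msisdn(mobile))

def name_similarity(a, b):
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()

def identity_match(claimed, record, threshold=0.85):
    """Identity matching: 1 if the claimed data agree with the record, else 0."""
    if record is None:                    # number unknown to the operator
        return 0
    if claimed["dob"] != record["dob"]:   # date of birth must match exactly
        return 0
    score = name_similarity(claimed["name"], record["name"])
    return 1 if score >= threshold else 0

def verify_signup(form):
    """Check a sign-up form (name, dob, mobile) before creating the account."""
    return identity_match(form, identity_search(form["mobile"]))

# Constructed sign-up attempts: the genuine subscriber, then "A posing as B".
genuine = {"name": "rawat, asha devi", "dob": "1990-04-12", "mobile": "098000 00001"}
fake = {"name": "Rohit Kumar", "dob": "1990-04-12", "mobile": "+91 98000 00001"}
if __name__ == "__main__":
    print(verify_signup(genuine), verify_signup(fake))
```

A result of 1 shows only that the claimed data agree with the subscriber record; it does not show that the person signing up holds the SIM, which is what a verification code sent to the number checks.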
VI. CONCLUSION
This paper primarily focuses on deficiencies in the
present email account creation system. We addressed defense
mechanisms to mitigate the problem, but there are some
challenges associated with them, like network congestion,
reliability, and policy issues between mobile operators
and internet giants. The present email account creation
system of popular free email service providers is effective
but not efficient. Therefore the consequences may result in
damage, chaos and monetary losses in the real world. We
hope that, at least, the study in this paper will contribute
to new research directions.
We are developing a mathematical model to calculate the
complexity due to network traffic. We would like to conduct
a larger study for the identification of existing fake email
accounts. As a next step, we would like to mitigate existing
fake accounts and analyze the network congestion due to the
additional verification tier.
REFERENCES
[1]. http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/
[2]. A. Gupta, H. Lamba, P. Kumaraguru, and A. Joshi, “Faking Sandy:
Characterizing and Identifying Fake images on Twitter during
Hurricane Sandy,” 2nd International Workshop on Privacy and
Security in Online Social Media (PSOSM), in conjunction with
the 22nd International World Wide Web Conference (WWW),
2013.
[3]. P. Jain, P. Kumaraguru, and A. Joshi, “@I seek 'fb.me':
Identifying Users across Multiple Online Social Networks,” 2nd
International Workshop on Web of Linked Entities (WoLE), in
conjunction with the 22nd International World Wide Web
Conference (WWW), 2013.
[4]. “83 million Facebook accounts are fakes and dupes,”
http://bit.ly/Np3seb.
[5]. M. Fire, R. Goldschmidt, and Y. Elovici, “Online Social Networks:
Threats and Solutions Survey,” CoRR abs/1303.3764, 2013.
[6]. M. Egele, G. Stringhini, C. Kruegel, and G. Vigna, “COMPA:
Detecting Compromised Accounts on Social Networks,” 20th
Annual Network and Distributed System Security
Symposium, NDSS 2013, San Diego, California, USA, February
24-27, 2013.
[7]. A. Gupta, H. Lamba, and P. Kumaraguru, “$1.00 per RT
#BostonMarathon #PrayForBoston: Analyzing Fake Content on
Twitter,” IEEE APWG eCrime Research Summit (eCRS), 2013,
San Francisco, USA, 16-18 September 2013.
[8]. L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, “All your
contacts are belong to us: automated identity theft attacks on
social networks,” 18th international conference on World wide
web (WWW-2009).
[9]. M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M.
Voelker, and S. Savage, “Re: Captchas: Understanding
CAPTCHA-solving services in an economic context,” 19th
USENIX conference on Security (SEC’10), 2010.
[10]. Global Publics Embrace Social Networking. PewResearchCenter,
2010. http://pewglobal.org/2010/12/15/global-publics-embrace-social-networking/
[11]. www.truecaller.com
[12]. www.pinger.com
[13]. www.yahoo.com
[14]. www.rediff.com
[15]. www.gmail.com
[16]. www.hotmail.com
[17]. www.facebook.com