Digital spies are often thought of as government spooks, or shadowy online groups pilfering data from afar in headline-grabbing attacks. But for many of us, the greatest threat can come from those we know and love.
A new study on so-called "social insider attacks" — where the attacker personally knows the victim — estimates that 24 per cent of survey participants had accessed the Facebook account of someone close to them without that person's knowledge.
Twenty-one per cent of those surveyed were estimated to be "knowing victims" of such an attack themselves.
"There are all these techniques that the security community has developed to deal with the external threat," said Ivan Beschastnikh, an assistant professor of computer science at the University of British Columbia, referring to efforts that companies such as Facebook put into preventing strangers from accessing your account from afar — via phishing, for example.
"But when it comes to internal threats, where the person might have physical access to the device, basically most research says 'it's out of scope.'"
Such threats have become an increasing concern to lawmakers and privacy advocates in recent years, with software used to stalk the smartphones of victims of domestic abuse drawing particular ire.
Beschastnikh, with UBC colleagues Wali Ahmed Usmani and Konstantin Beznosov, and researchers from the University of Lisbon, co-authored the study and will present their paper at the Human Factors in Computing Systems conference in Denver this May.
Funding was provided by the Office of the Privacy Commissioner of Canada.
The researchers conducted two surveys — one to determine the prevalence of attackers and victims, and another to better understand the rationale behind and consequences of such attacks.
The first survey — in which an estimated 24 per cent of survey participants accessed someone's Facebook account without them knowing — involved 1,308 people based in the U.S., and was conducted using an online service called Mechanical Turk.
In the second part of the study, the researchers analyzed 45 anonymous personal stories detailing incidents where the participant had either gained access to someone's Facebook account or been the victim of such an attack.
The researchers intended to understand how often insider attacks take place, the attacker's motive, the profiles of attackers and victims, and most importantly, the effect of such an intrusion.
'Victims were often livid'
Among the anonymous submissions, some admitted to looking at their victim's phone while he or she was in the shower. Another considered installing keylogging software on a partner's computer in order to get the password to Facebook and email accounts.
In one instance, a respondent went so far as to take a victim's sleeping hand and press a finger to the fingerprint sensor in order to unlock the phone.
The result: "Victims were often livid," the report recounts. "Many attacks led to permanent changes in the relationship between the victim and the perpetrator including ending of marriage, commitment, and friendship."
One victim told a boss about an incident, and the attacker was fired.
From curiosity to jealousy
The motivations of outside attackers — who often hack for profit — is not the same as insider attackers, the researchers point out.
"Our findings suggest that attacks are common, opportunistic, and have a range of motives, including fun, curiosity, jealousy, animosity and utility," the researchers write — with jealousy motivating 17 of the 45 stories received.
And unlike more traditional phishing attacks — which attempt to target a large swath of users at once — "the proximity between the victim and a social insider makes it easier for the insider to obtain unauthorized access to the victim's device and Facebook account," they continue.
Worse, because of the range of motives and methods, the researchers say it's hard to suggest a single strategy to mitigate such attacks.
"The large-scale intrusions that we see, they tend to target many many people," Beschastnikh said — and thus, tend to be similar in execution.
"To target a specific person, it takes quite a bit of effort, a lot of social engineering. And clearly the person who's the best person to do that is a person that you would know."