{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,6]],"date-time":"2025-12-06T17:18:52Z","timestamp":1765041532392,"version":"3.41.0"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,6,17]],"date-time":"2024-06-17T00:00:00Z","timestamp":1718582400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003475","name":"Hasler Foundation","doi-asserted-by":"crossref","award":["22018"],"award-info":[{"award-number":["22018"]}],"id":[{"id":"10.13039\/501100003475","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2024,8,31]]},"abstract":"<jats:p>\n            Internet users possess accounts on dozens of online services where they are often identified by one of their e-mail addresses. They often use the same address on multiple services and for communicating with their contacts. In this paper, we investigate attacks that enable an adversary (e.g., company, friend) to determine (stealthily or not) whether an individual, identified by their e-mail address, has an account on certain services (i.e., an\n            <jats:italic>account enumeration attack<\/jats:italic>\n            ). Such attacks on\n            <jats:italic>account privacy<\/jats:italic>\n            have serious implications as information about one\u2019s accounts can be used to (1)\u00a0profile them and (2)\u00a0improve the effectiveness of phishing. We take a multifaceted approach and study these attacks through a combination of experiments (63 services), surveys (318 respondents), and focus groups (13 participants). We demonstrate the high vulnerability of popular services (93.7%) and the concerns of users about their account privacy, as well as their increased susceptibility to phishing e-mails that impersonate services on which they have an account. We also provide findings on the challenges in implementing countermeasures for service providers and on users\u2019 ideas for enhancing their account privacy. Finally, our interaction with national data protection authorities led to the inclusion of recommendations in their developers\u2019 guide.\n          <\/jats:p>","DOI":"10.1145\/3664201","type":"journal-article","created":{"date-parts":[[2024,5,7]],"date-time":"2024-05-07T12:00:48Z","timestamp":1715083248000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Know their Customers: An Empirical Study of Online Account Enumeration Attacks"],"prefix":"10.1145","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-9106-9303","authenticated-orcid":false,"given":"Ma\u00ebl","family":"Maceiras","sequence":"first","affiliation":[{"name":"Department of Information Systems (DESI), University of Lausanne, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4438-3544","authenticated-orcid":false,"given":"Kavous","family":"Salehzadeh Niksirat","sequence":"additional","affiliation":[{"name":"Department of Information Systems (DESI), University of Lausanne, Lausanne, Switzerland"},{"name":"School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7299-1286","authenticated-orcid":false,"given":"Ga\u00ebl","family":"Bernard","sequence":"additional","affiliation":[{"name":"Vice Presidency for Academic Affairs, EPFL, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3952-9273","authenticated-orcid":false,"given":"Benoit","family":"Garbinato","sequence":"additional","affiliation":[{"name":"Department of Information Systems (DESI), University of Lausanne, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1860-6110","authenticated-orcid":false,"given":"Mauro","family":"Cherubini","sequence":"additional","affiliation":[{"name":"Department of Information Systems (DESI), University of Lausanne, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5046-1727","authenticated-orcid":false,"given":"Mathias","family":"Humbert","sequence":"additional","affiliation":[{"name":"Department of Information Systems (DESI), University of Lausanne, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7147-1828","authenticated-orcid":false,"given":"K\u00e9vin","family":"Huguenin","sequence":"additional","affiliation":[{"name":"Department of Information Systems, UNIL, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,6,17]]},"reference":[{"key":"e_1_3_4_2_2","doi-asserted-by":"publisher","DOI":"10.2197\/ipsjjip.28.1030"},{"key":"e_1_3_4_3_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70936-7_8"},{"key":"e_1_3_4_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15512-3_22"},{"key":"e_1_3_4_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/2517881.2517886"},{"key":"e_1_3_4_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242656"},{"key":"e_1_3_4_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00061"},{"key":"e_1_3_4_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3334480.3383074"},{"key":"e_1_3_4_9_2","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2023-0119"},{"key":"e_1_3_4_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3544548.3581170"},{"key":"e_1_3_4_11_2","volume-title":"The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research","author":"Dittrich D.","year":"2012","unstructured":"D. Dittrich and E. Kenneally. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Technical Report. U.S. Department of Homeland Security."},{"key":"e_1_3_4_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW51379.2020.00093"},{"key":"e_1_3_4_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2470654.2481328"},{"key":"e_1_3_4_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/2858036.2858265"},{"key":"e_1_3_4_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359304"},{"key":"e_1_3_4_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833753"},{"key":"e_1_3_4_17_2","unstructured":"Hacksplaining. 2022. Avoiding User Enumeration. (2022). https:\/\/web.archive.org\/web\/20230610165805\/https:\/\/www.hacksplaining.com\/prevention\/user-enumeration last visited: Feb. 2024."},{"key":"e_1_3_4_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359832"},{"key":"e_1_3_4_19_2","first-page":"105","volume-title":"Proc. of the USENIX Security Symposium (USENIX Security)","author":"Havron Sam","year":"2019","unstructured":"Sam Havron, Diana Freed, Rahul Chatterjee, Damon McCoy, Nicola Dell, and Thomas Ristenpart. 2019. Clinical computer security for victims of intimate partner violence. In Proc. of the USENIX Security Symposium (USENIX Security). USENIX Association, Santa Clara, CA, 105\u2013122. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/havron"},{"key":"e_1_3_4_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00033"},{"key":"e_1_3_4_21_2","first-page":"39","volume-title":"Proc. of the Symp. On Usable Privacy and Security (SOUPS)","author":"Kang Ruogu","year":"2015","unstructured":"Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. \u201cMy data just goes everywhere:\u201d User mental models of the internet and implications for privacy and security. In Proc. of the Symp. On Usable Privacy and Security (SOUPS). 39\u201352. https:\/\/www.usenix.org\/conference\/soups2015\/proceedings\/presentation\/kang"},{"key":"e_1_3_4_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-72359-4_41"},{"key":"e_1_3_4_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00060"},{"key":"e_1_3_4_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3613904.3642889"},{"key":"e_1_3_4_25_2","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyaa006"},{"key":"e_1_3_4_26_2","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1040.0032"},{"key":"e_1_3_4_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3544548.3580985"},{"key":"e_1_3_4_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3613904.3642823"},{"key":"e_1_3_4_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3481357.3481515"},{"key":"e_1_3_4_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025875"},{"key":"e_1_3_4_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445085"},{"key":"e_1_3_4_32_2","doi-asserted-by":"publisher","DOI":"10.1057\/s41303-017-0058-x"},{"key":"e_1_3_4_33_2","doi-asserted-by":"publisher","unstructured":"Srivathsan G. Morkonda Sonia Chiasson and Paul C. van Oorschot. 2023. Influences of Displaying Permission-related Information on Web Single Sign-On Login Decisions. (Aug.2023). DOI:10.48550\/arXiv.2308.13074arXiv:2308.13074 [cs].","DOI":"10.48550\/arXiv.2308.13074"},{"key":"e_1_3_4_34_2","doi-asserted-by":"publisher","unstructured":"Srivathsan G. Morkonda Sonia Chiasson and Paul C. van Oorschot. 2023. \u201dSign in with ... Privacy\u201d: Timely Disclosure of Privacy Differences among Web SSO Login Options. (Aug.2023). DOI:10.48550\/arXiv.2209.04490arXiv:2209.04490 [cs].","DOI":"10.48550\/arXiv.2209.04490"},{"key":"e_1_3_4_35_2","unstructured":"pagvac. 2007. Username Enumeration Vulnerabilities. (April2007). https:\/\/www.gnucitizen.org\/blog\/username-enumeration-vulnerabilities\/ last visited: Feb. 2024."},{"key":"e_1_3_4_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243740"},{"key":"e_1_3_4_37_2","first-page":"48","volume-title":"User Perceptions of Trust and Privacy on the Internet","author":"Roggemann Kristen","year":"2020","unstructured":"Kristen Roggemann, Galia Nurko, and Alexandra Tyers-Chowdhury. 2020. User Perceptions of Trust and Privacy on the Internet. Technical Report. DAI\u2019s Center for Digital Acceleration. 48 pages."},{"key":"e_1_3_4_38_2","volume-title":"The Coding Manual for Qualitative Researchers (4th ed.)","author":"Salda\u00f1a Johnny","year":"2021","unstructured":"Johnny Salda\u00f1a. 2021. The Coding Manual for Qualitative Researchers (4th ed.). SAGE Publishing, Thousand Oaks."},{"key":"e_1_3_4_39_2","unstructured":"Dafydd Stuttard. 2007. Preventing username enumeration. (April2007). https:\/\/portswigger.net\/blog\/preventing-username-enumeration last visited: Feb. 2024."},{"key":"e_1_3_4_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/2532639"},{"key":"e_1_3_4_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/3544548.3580650"},{"key":"e_1_3_4_42_2","first-page":"18","volume-title":"Proc. of the USENIX Security Symposium (USENIX Security)","author":"Tseng Emily","year":"2020","unstructured":"Emily Tseng, Rosanna Bellini, Nora McDonald, Matan Danos, Rachel Greenstadt, Damon McCoy, Nicola Dell, and Thomas Ristenpart. 2020. The tools and tactics used in intimate partner surveillance: An analysis of online Infidelity forums. In Proc. of the USENIX Security Symposium (USENIX Security). 18."},{"key":"e_1_3_4_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_4_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025911"}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3664201","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3664201","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:06:14Z","timestamp":1750291574000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3664201"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,17]]},"references-count":43,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,8,31]]}},"alternative-id":["10.1145\/3664201"],"URL":"https:\/\/doi.org\/10.1145\/3664201","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"type":"print","value":"1559-1131"},{"type":"electronic","value":"1559-114X"}],"subject":[],"published":{"date-parts":[[2024,6,17]]},"assertion":[{"value":"2023-09-26","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-04-28","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-17","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}