Passkeys

Part 2: Social engineering, malware, and the future of cybersecurity in AI

A deep dive into the human side of cybersecurity, exploring the motivations of bad actors, the evolution of social engineering in the age of AI, and the defensive strategies being developed. The discussion covers the move beyond passwords with passkeys and risk-based authentication, and confronts the complex security and privacy challenges introduced by autonomous agents.

Detecting Compromise of Passkey Storage on the Cloud

Mazharul Islam from the University of Wisconsin—Madison introduces CASPER, a novel deception-based framework designed to detect the misuse of passkeys stolen from cloud storage providers. CASPER uses a system of decoy secrets and passkeys to enable relying parties (websites) to identify and flag unauthorized login attempts, effectively balancing security, usability, and deployability without disrupting the user experience.

A Framework for Abusability Analysis: The Case of Passkeys in Interpersonal Threat Models

This talk introduces an "abusability analysis framework" to evaluate technologies like passkeys under interpersonal threat models, such as intimate partner violence. An analysis of 19 services revealed critical implementation flaws, including irrevocable cloned passkeys and the failure of password resets to secure accounts, which can create persistent backdoors for abusers.