DIVINA: Discovering Vulnerabilities of Internet Accounts

Questions

To see how safe, secure, and protected you are, please answer the questions that concern you.
In all of the following, we will identify your online accounts by simple names such as “gmail”, “facebook”, or “hotmail”. You can use arbitrary names, as long as you use them consistently across questions.

In the same way, we will identify your devices by names such as “macbook”, “workpc”, or “secondPhone”. Again, you can use arbitrary names as long as you’re consistent across questions. Your standard phone has to be called “phone”.

You do not have to enter any passwords.

Gmail
Do you have a Gmail account?
Yes No
gmail-access => gmail-data
gmail-access => gmail-destruction
gmail-password => gmail-passwordAccess
Do you have a recovery address for your account?
If yes, type the account name here (e.g. “yahoo”, or “hotmail”), otherwise leave the field blank.
X-access => gmail-passwordAccess
Do you have a recovery phone for your account?
The recovery phone is where your password can be sent. If you have one, please enter the name of the phone (e.g. “wifesPhone”, or “workPhone”). If it’s your standard phone, use “phone”. If you don’t have a recovery phone number, leave the field blank.
X-sms => gmail-passwordAccess
Do you forward emails from different accounts to your Gmail account?
If yes, list the set of accounts that forward emails to Gmail here, separated by commas (e.g., “yahoo, work, hotmail”); otherwise leave the field blank.
gmail-access => X-data
Do you have two-factor authentication enabled?
Yes No
gmail-passwordAccess => gmail-access

gmail-passwordAccess & gmail-secondFactor => gmail-access
phone-access => gmail-secondFactor
gmail-recoverycodes => gmail-secondFactor
If you have two-factor authentication:

Do you have trusted devices?
These are laptops, computers, or phones where you can log in without two-factor authentication. If yes, list your devices here, separated by comma (e.g., “mac, workpc, laptop”).
gmail-trusteddevice => gmail-secondFactor
X-access => gmail-trusteddevice
Do you have a backup phone for your account?
This is the phone where second factor codes are sent. If you have one, please enter the name of the phone (e.g. “wifesPhone”, or “workPhone”). If it's your standard phone, use “phone”.
X-sms => gmail-secondFactor
Are your recovery codes encrypted?
Yes No
gmail-recoverycodeDecryption & gmail-recoverycodePossession => gmail-recoverycodes
Amazon
Do you have an Amazon account?
Yes No
amazon-password => amazon-access
amazon-access => amazon-data
amazon-access => amazon-destruction
Which email address do you use to access your Amazon account?
Enter the account name (e.g. “gmail”, or “yahoo”).
X-access => amazon-access
Facebook
Do you have a Facebook account?
Yes No
facebook-access => facebook-data
facebook-access => facebook-destruction
facebook-password => facebook-passwordAccess
facebook-recoveryquestions => facebook-passwordAccess
Is Facebook installed on your phone?
Yes No
phone-access => facebook-data
phone-access => facebook-secondFactor
Which email address do you use for your account?
Enter the account name (e.g., “yahoo” or “hotmail”).
X-access => facebook-passwordAccess
Do you have login approvals enabled?
Note that if they are disabled, a one-time password request can be sent from your phone.
Yes No
facebook-passwordAccess => facebook-access
phone-sms => facebook-passwordAccess

facebook-passwordAccess & facebook-secondFactor => facebook-access
phone-sms => facebook-secondFactor
facebook-recoverycodes => facebook-secondFactor
If you have login-approvals:

Do you have trusted devices?
These are laptops, computers, or phones where you can log in without login approval. If yes, list your devices here, separated by comma (e.g., “mac, workpc, laptop”), otherwise leave the field blank.
facebook-trusteddevice => facebook-secondFactor
X-access => facebook-trusteddevice
Are your recovery codes encrypted?
Yes No
facebook-recoverycodeDecryption & facebook-recoverycodePossession => facebook-recoverycodes
Dropbox
Which computers are connected to Dropbox?
List the name of the computers here, separated by comma (e.g., “mac, workpc”)
X-access => dropbox-access
dropbox-access => dropbox-data
dropbox-access => dropbox-destruction
Which email address do you use to access your Dropbox account?
Enter the account name (e.g., “yahoo” or “gmail”)
X-access => dropbox-passwordAccess
Do you have two-factor authentication enabled?
Yes No
dropbox-passwordAccess => dropbox-access

dropbox-passwordAccess & dropbox-secondFactor => dropbox-access
phone-access => dropbox-secondFactor
dropbox-recoverycodes => dropbox-secondFactor
If you have two-factor authentication:

Are your recovery codes encrypted?
Yes No
dropbox-recoverycodeDecryption & dropbox-recoverycodePossession => dropbox-recoverycodes
Phone
Do you have a password, a numerical code, or a lock pattern on your phone?
Yes No
phone-password & phone-possession => phone-access
phone-possession => phone-access
Do you have a (non-trivial) PIN on your SIM?
Yes No
phone-simpin & phone-possession => phone-sms
phone-access => phone-sms

phone-possession => phone-sms
Are the pictures on your phone backed up to any cloud service?
Note that iPhones back up all your pictures by default to iCloud.
Yes. The cloud services are:
X-access => phone-data
AND-access & phone-possession => phone-destruction
phone-access => phone-data
No
phone-possession => phone-destruction
phone-access => phone-data
I have no pictures on my phone
Devices
We want to know whether stealing your device gives the attacker access to the data stored on that device. This is the case if the hard drive is not encrypted.
List the computers where the hard drive is encrypted.
Enter, e.g., “mac, workpc”. Do not list your phone here.
X-possession & X-password => X-access
X-possession & X-recoveryKey => X-access
X-access => X-data
List the computers where the hard drive is not encrypted.
Enter, e.g., “mac, workpc”. Do not list your phone here.
X-access => X-data
Backups
We want to know how difficult it is for an attacker to destroy your data.
List the computers that are (1) backed up completely to Dropbox AND (2) backed up to a physical device that is not connected to a cloud service.
dropbox-access => X-data
Xbackup-access => X-data
X-possession & Xbackup-possession & dropbox-access => X-destruction
X-access & Xbackup-possession => X-destruction
List the computers that are (1) not backed up completely to Dropbox, but (2) backed up to a physical device that is not connected to a cloud service.
Xbackup-access => X-data
X-possession & Xbackup-possession => X-destruction
List the computers that are (1) backed up completely to Dropbox, but (2) not backed up to a physical device that is not connected to a cloud service.
dropbox-access => X-data
dropbox-access => X-destruction
List the computers that are neither (1) backed up completely to Dropbox, nor (2) backed up to a physical device that is not connected to a cloud service.
X-possession => X-destruction
List the computers whose backups are encrypted:
Xbackup-password & Xbackup-possession => Xbackup-access
Other dependencies
Do any of your accounts or devices share the same password?
Pick one of the passwords that are shared. List all services that share this password (e.g., “gmail, hotmail, mac”).

X-password => group1-password
group1-password => X-password
Pick another password that is shared between services. List all services that share this password:

X-password => group2-password
group2-password => X-password
Pick another password that is shared between services. List all services that share this password:

X-password => group3-password
group3-password => X-password
If there are any other dependencies or accounts, you can state them here. For example, if your Mac is in a safe in your house, write
safe-access => mac-possession
safe-key & house-key => safe-access

Dependencies

Dependencies that we computed:

Safety, Security, and Protection

(The computation may take a while. If you get a message saying that the script is unresponsive, either tell the browser to continue/wait, or reload the page and answer fewer questions.)

Safety
the number of keys that you have to lose in order to lose access to your account. We recommend that this number be at least 3.
Security
the number of keys that the attacker needs in order to gain access to your account. We recommend that this number be at least 2.
Protection
the number of keys that the attacker needs in order to destroy your data. We recommend that this number be at least 3.
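Safety, Security and Protection are minimum-cardinality questions over the rules shown next to each answer: the rules form an AND/OR graph whose leaves are the "keys" (passwords, possessions, recovery codes). The Python solver below is an added illustration, not DIVINA's own code; its rule set is constructed from the Gmail and Phone questions under assumed answers (two-factor authentication on, the standard phone used as both recovery phone and backup phone, a phone lock set, a SIM PIN set).

```python
from itertools import combinations, product

# Rules in the page's own "a & b => c" notation, constructed from the Gmail and Phone
# questions assuming: 2FA on, "phone" is both recovery and backup phone, phone locked, SIM PIN set.
RULES = """
gmail-password => gmail-passwordAccess
phone-sms => gmail-passwordAccess
gmail-passwordAccess & gmail-secondFactor => gmail-access
phone-access => gmail-secondFactor
gmail-recoverycodes => gmail-secondFactor
gmail-access => gmail-destruction
phone-password & phone-possession => phone-access
phone-simpin & phone-possession => phone-sms
phone-access => phone-sms
"""

def parse(text):
    """Turn the rule text into (premises, conclusion) pairs."""
    rules = []
    for line in text.strip().splitlines():
        lhs, rhs = line.split("=>")
        rules.append(([p.strip() for p in lhs.split("&")], rhs.strip()))
    return rules

def key_sets(rules, atom, seen=frozenset()):
    """All minimal sets of keys (atoms no rule derives) from which `atom` follows."""
    producing = [premises for premises, head in rules if head == atom]
    if not producing:
        return [frozenset([atom])]          # a key: a password, a possession, ...
    if atom in seen:
        return []                           # rule cycle: nothing new this way
    found = set()
    for premises in producing:              # rules with the same head are OR-ed
        options = [key_sets(rules, p, seen | {atom}) for p in premises]
        for combo in product(*options):     # premises of one rule are AND-ed
            found.add(frozenset().union(*combo))
    return [s for s in found if not any(t < s for t in found)]   # drop supersets

def security(rules, target):
    """Page's Security (or Protection): fewest keys an attacker needs to derive target."""
    return min((len(s) for s in key_sets(rules, target)), default=None)

def safety(rules, target):
    """Page's Safety: fewest keys whose loss cuts every derivation (minimum hitting set)."""
    sets = key_sets(rules, target)
    keys = sorted(frozenset().union(*sets))
    return next(n for n in range(len(keys) + 1)
                if any(all(set(hit) & s for s in sets) for hit in combinations(keys, n)))
```

With these assumed answers `security(parse(RULES), "gmail-access")` is 2, reached by the key set {phone-password, phone-possession}: the locked phone alone yields both the SMS-recovered password and the second factor, which is the kind of hidden dependency the questionnaire exists to surface.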

Required Security Guarantees

If you make sure that your keys are secure with the given probability, then the probability that any of your accounts is hacked is below 5%. For reference: