Social Authentication - CyCon 2014

Transcript

1. Social Authentication:
   Vulnerabilities, Mitigations, and
   Redesign
   Marco Lancini
   CyCon
   June 6, 2014
   

   View Slide

2. Marco Lancini
   Online Social Networks
   • Characteristics
   • Huge user base
   • Massive amount of personal information
   • Appealing targets for online crime
   • Identity theft
   • Spamming
   • Phishing
   • Selling compromised accounts
   • TWO-FACTOR AUTHENTICATION
   • Adopted by high-value services (online banking, Google services)
   • Prevent adversaries from compromising accounts using stolen credentials
   2
   

   View Slide

3. Marco Lancini
   Social Authentication (SA)
   • Two-factor authentication scheme
   • Tests the user’s personal social knowledge
   • 2nd factor:
   “something the user HAS” (hardware token)
   “something the user KNOWS” (FRIEND)
   • User’s credentials authentic only if he can correctly identify his friends
   • The user can recognize his friends whereas a stranger cannot
   Attackers halfway across the world might know a user’s password,
   but they don’t know who his friends are.
   • Triggering: When login considered suspicious
   3
   

   View Slide

4. Marco Lancini
   How It Works
   • 7 challenges
   • Each challenge (page)
   • 3 photos of a friend
   • 6 possible answers (“suggestions”)
   • User has to correctly answer 5 challenges (2 errors/skips)
   4
   

   View Slide

5. Marco Lancini
   VULNERABILITY
   ASSESSMENT OF SA
   5
   

   View Slide

6. Marco Lancini
   Attacker Models
   • CASUAL ATTACKER
   • Interested in compromising the greatest possible number of accounts
   • Collects publicly available data
   • May lack some information
   • DETERMINED ATTACKER
   • Focused on a particular target
   • Penetrates victim’s social circle
   • Collect as much private data as possible
   6
   

   View Slide

7. Marco Lancini
   Can a stranger bypass SA in an automated manner?
   1. Crawling Friend List
   2. Issuing Friend Requests (optional)
    Creation of Fake Profiles
    Infiltration in the Social Graph
   3. Photo Collection (public/private)
   7
   4. Modeling
    Face Extraction and Tag Matching
    Facial Modeling and Training
   5. Name Lookup
   

   View Slide

8. Marco Lancini
   Casual Attacker – Experiment
   • Automated SA triggering through ToR
   • Face recognition: cloud service (face.com)
   8
   Manual verification
   • 22% solved (28/127)
   • 56% need 1-2 guesses (71/127)
   78% in which
   • Tests defeated or
   • Obtained a significant
   advantage
   Solved SA pages out of the collected samples
   

   View Slide

9. Marco Lancini
   Determined Attacker – Experiment
   • Face recognition: custom implementation (OpenCV)
   • Simulated SA tests from public photos
   • Train system with K = 10, 20, …, 120 faces per friend
   9
   Successfully passed pages as a function of the size of the training set
   Always successful
   • even when a scarce number of
   faces is available
   • K > 100 ensures a more robust
   outcome
   

   View Slide

10. Marco Lancini
    Outcome
    • The attack against SA is effective
    • Even with off-the-shelf face recognition software
    • SA broken when supplied with the necessary training data
    • Facebook’s Response
    • Acknowledged our results
    • But
    • Deployed SA to raise the bar in large-scale phishing attacks
    • Not designed for small-scale or targeted attacks
    • Publications
     “All Your Face Are Belong to Us: Breaking Facebook's Social Authentication.”
    Annual Computer Security Applications Conference (ACSAC), 2012
     Covered by an article on ComputerWorld US
    10
    

    View Slide

11. Marco Lancini
    REDESIGN
    11
    

    View Slide

12. Marco Lancini
    reSA – “Social Authentication, Revisited”
    • Build SA tests from photos of poor quality
    • State-of-the-art face recognition software detects human faces
    • But cannot identify them (people wearing glasses, etc.)
    • reSA
    • Web application that simulates the SA mechanism
    • User study where we asked humans to solve SA tests with photos of mixed quality
    12
    Easy Medium Difficult
    

    View Slide

13. Marco Lancini
    System Overview 13
    

    View Slide

14. Marco Lancini
    User Data
    • 141 users
    • 14 different countries
    14
    • People are able to recognize their friends
    • just as good in both standard SA tests
    • and tests with photos of poor quality
    Summary of the collected Social Authentication tests
    

    View Slide

15. Marco Lancini
    CONCLUSIONS
    15
    

    View Slide

16. Marco Lancini
    Conclusions
    • Demonstrated the weaknesses of SA
    • Designed and implemented an automated SA breaking system
    • Publicly-available data sufficient for attackers
    • Cloud services can be utilized effectively
    • Facebook should reconsider its threat model
    • Need to revisit the SA approach
    • Conducted a user study to prove that people are able to recognize their friends
    also in photos of poor quality
    16
    

    View Slide

17. Marco Lancini
    Acknowledgments
    Joint work within the SysSec EU Network of Excellence
    • Politecnico di Milano
    • Columbia University
    • FORTH Research Center
    17
    

    View Slide

18. Marco Lancini
    THANK YOU
    18
    

    View Slide