Social Authentication - CyCon 2014

Social Authentication - CyCon 2014

I delivered a talk based on this presentation at CyCon 2014 (http://cycon.org) in Tallinn (June 6th, 2014).

Thesis: Social Authentication: Vulnerabilities, Mitigations, and Redesign

Description: We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment.
We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

A87dd450496fa9c95cc16f7d77c340a3?s=128

Marco Lancini

June 06, 2014
Tweet

Transcript

  1. Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini CyCon June

    6, 2014
  2. Marco Lancini Online Social Networks • Characteristics • Huge user

    base • Massive amount of personal information • Appealing targets for online crime • Identity theft • Spamming • Phishing • Selling compromised accounts • TWO-FACTOR AUTHENTICATION • Adopted by high-value services (online banking, Google services) • Prevent adversaries from compromising accounts using stolen credentials 2
  3. Marco Lancini Social Authentication (SA) • Two-factor authentication scheme •

    Tests the user’s personal social knowledge • 2nd factor: “something the user HAS” (hardware token) “something the user KNOWS” (FRIEND) • User’s credentials authentic only if he can correctly identify his friends • The user can recognize his friends whereas a stranger cannot Attackers halfway across the world might know a user’s password, but they don’t know who his friends are. • Triggering: When login considered suspicious 3
  4. Marco Lancini How It Works • 7 challenges • Each

    challenge (page) • 3 photos of a friend • 6 possible answers (“suggestions”) • User has to correctly answer 5 challenges (2 errors/skips) 4
  5. Marco Lancini VULNERABILITY ASSESSMENT OF SA 5

  6. Marco Lancini Attacker Models • CASUAL ATTACKER • Interested in

    compromising the greatest possible number of accounts • Collects publicly available data • May lack some information • DETERMINED ATTACKER • Focused on a particular target • Penetrates victim’s social circle • Collect as much private data as possible 6
  7. Marco Lancini Can a stranger bypass SA in an automated

    manner? 1. Crawling Friend List 2. Issuing Friend Requests (optional)  Creation of Fake Profiles  Infiltration in the Social Graph 3. Photo Collection (public/private) 7 4. Modeling  Face Extraction and Tag Matching  Facial Modeling and Training 5. Name Lookup
  8. Marco Lancini Casual Attacker – Experiment • Automated SA triggering

    through ToR • Face recognition: cloud service (face.com) 8 Manual verification • 22% solved (28/127) • 56% need 1-2 guesses (71/127) 78% in which • Tests defeated or • Obtained a significant advantage Solved SA pages out of the collected samples
  9. Marco Lancini Determined Attacker – Experiment • Face recognition: custom

    implementation (OpenCV) • Simulated SA tests from public photos • Train system with K = 10, 20, …, 120 faces per friend 9 Successfully passed pages as a function of the size of the training set Always successful • even when a scarce number of faces is available • K > 100 ensures a more robust outcome
  10. Marco Lancini Outcome • The attack against SA is effective

    • Even with off-the-shelf face recognition software • SA broken when supplied with the necessary training data • Facebook’s Response • Acknowledged our results • But • Deployed SA to raise the bar in large-scale phishing attacks • Not designed for small-scale or targeted attacks • Publications  “All Your Face Are Belong to Us: Breaking Facebook's Social Authentication.” Annual Computer Security Applications Conference (ACSAC), 2012  Covered by an article on ComputerWorld US 10
  11. Marco Lancini REDESIGN 11

  12. Marco Lancini reSA – “Social Authentication, Revisited” • Build SA

    tests from photos of poor quality • State-of-the-art face recognition software detects human faces • But cannot identify them (people wearing glasses, etc.) • reSA • Web application that simulates the SA mechanism • User study where we asked humans to solve SA tests with photos of mixed quality 12 Easy Medium Difficult
  13. Marco Lancini System Overview 13

  14. Marco Lancini User Data • 141 users • 14 different

    countries 14 • People are able to recognize their friends • just as good in both standard SA tests • and tests with photos of poor quality Summary of the collected Social Authentication tests
  15. Marco Lancini CONCLUSIONS 15

  16. Marco Lancini Conclusions • Demonstrated the weaknesses of SA •

    Designed and implemented an automated SA breaking system • Publicly-available data sufficient for attackers • Cloud services can be utilized effectively • Facebook should reconsider its threat model • Need to revisit the SA approach • Conducted a user study to prove that people are able to recognize their friends also in photos of poor quality 16
  17. Marco Lancini Acknowledgments Joint work within the SysSec EU Network

    of Excellence • Politecnico di Milano • Columbia University • FORTH Research Center 17
  18. Marco Lancini THANK YOU 18