Social Authentication - CyCon 2014

I delivered a talk based on this presentation at CyCon 2014 (http://cycon.org) in Tallinn (June 6th, 2014).

Thesis: Social Authentication: Vulnerabilities, Mitigations, and Redesign

Description: We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment.
We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

Marco Lancini

June 06, 2014

Transcript

  1. Social Authentication:
    Vulnerabilities, Mitigations, and
    Redesign
    Marco Lancini
    CyCon
    June 6, 2014

  2. Online Social Networks
    • Characteristics
      • Huge user base
      • Massive amount of personal information
    • Appealing targets for online crime
      • Identity theft
      • Spamming
      • Phishing
      • Selling compromised accounts
    • TWO-FACTOR AUTHENTICATION
      • Adopted by high-value services (online banking, Google services)
      • Prevents adversaries from compromising accounts using stolen credentials

  3. Social Authentication (SA)
    • Two-factor authentication scheme
    • Tests the user’s personal social knowledge
    • 2nd factor:
      “something the user HAS” (hardware token)
      “something the user KNOWS” (FRIEND)
    • User’s credentials are authentic only if he can correctly identify his friends
    • The user can recognize his friends whereas a stranger cannot
      Attackers halfway across the world might know a user’s password, but they don’t know who his friends are.
    • Triggering: when a login is considered suspicious

  4. How It Works
    • 7 challenges
    • Each challenge (page)
      • 3 photos of a friend
      • 6 possible answers (“suggestions”)
    • User has to correctly answer 5 challenges (2 errors/skips allowed)

  5. VULNERABILITY ASSESSMENT OF SA

  6. Attacker Models
    • CASUAL ATTACKER
      • Interested in compromising the greatest possible number of accounts
      • Collects publicly available data
      • May lack some information
    • DETERMINED ATTACKER
      • Focused on a particular target
      • Penetrates the victim’s social circle
      • Collects as much private data as possible

  7. Can a stranger bypass SA in an automated manner?
    1. Crawling Friend List
    2. Issuing Friend Requests (optional)
      • Creation of Fake Profiles
      • Infiltration in the Social Graph
    3. Photo Collection (public/private)
    4. Modeling
      • Face Extraction and Tag Matching
      • Facial Modeling and Training
    5. Name Lookup

  8. Casual Attacker – Experiment
    • Automated SA triggering through Tor
    • Face recognition: cloud service (face.com)
    • Manual verification of the results
      • 22% solved (28/127)
      • 56% need 1-2 guesses (71/127)
      • 78% in which the tests were defeated or a significant advantage was obtained
    (Chart: solved SA pages out of the collected samples)
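As an added illustration, not code from the talk or from its authors, the following Python models the SA test exactly as slide 4 describes it and quantifies what the 5-of-7 threshold buys against the result categories of slide 8: a session object that applies the rule (7 pages, 6 suggestions each, pass at 5 correct pages, fail at the third error or skip), and an exact binomial computation of the pass probability when every page is solved independently with probability p. The challenge data is constructed, and the per-page probabilities used in the demo (1/6 for a blind guess among six suggestions, 1/2 when a page has been narrowed to two candidates) are modelling assumptions, not figures from the deck.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import comb
from typing import List, Optional

# Parameters of the SA test as described on slide 4.
CHALLENGES = 7            # pages per test
PHOTOS_PER_CHALLENGE = 3  # photos of one friend per page
SUGGESTIONS = 6           # candidate names offered per page
REQUIRED_CORRECT = 5      # correct pages needed to pass
MAX_FAILURES = CHALLENGES - REQUIRED_CORRECT  # errors or skips tolerated: 2


@dataclass
class Challenge:
    photos: List[str]       # three photo identifiers of the same friend (constructed)
    suggestions: List[str]  # six names, exactly one of which is correct
    answer: str

    def __post_init__(self):
        # Sanity checks on the page layout the slide describes.
        assert len(self.photos) == PHOTOS_PER_CHALLENGE
        assert len(self.suggestions) == SUGGESTIONS
        assert self.answer in self.suggestions


@dataclass
class SASession:
    """One SA test: the user works through the pages until the outcome is decided."""
    challenges: List[Challenge]
    correct: int = 0
    failures: int = 0  # wrong answers and skips count the same
    index: int = 0

    def state(self) -> str:
        if self.correct >= REQUIRED_CORRECT:
            return "passed"
        if self.failures > MAX_FAILURES:
            return "failed"
        return "in_progress"

    def submit(self, chosen: Optional[str]) -> str:
        """Record the answer to the current page (None = skip) and return the new state."""
        if self.state() != "in_progress":
            raise RuntimeError("test already decided: " + self.state())
        page = self.challenges[self.index]
        if chosen is not None and chosen not in page.suggestions:
            raise ValueError("answer must be one of the suggested names")
        self.index += 1
        if chosen == page.answer:
            self.correct += 1
        else:
            self.failures += 1
        return self.state()


def pass_probability(numerator: int, denominator: int = 1) -> Fraction:
    """Exact probability of passing when every page is solved independently
    with probability p = numerator/denominator (a modelling assumption).

    Passing needs at least REQUIRED_CORRECT of CHALLENGES pages, so this is
    the upper tail of a binomial distribution.
    """
    p = Fraction(numerator, denominator)
    return sum(
        comb(CHALLENGES, k) * p ** k * (1 - p) ** (CHALLENGES - k)
        for k in range(REQUIRED_CORRECT, CHALLENGES + 1)
    )


# Constructed sample data: seven pages, each showing one friend with six suggested names.
FRIENDS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
DECOYS = ["heidi", "ivan", "judy", "mallory", "oscar"]


def sample_test() -> List[Challenge]:
    return [
        Challenge(
            photos=[f"{name}-{i}.jpg" for i in range(PHOTOS_PER_CHALLENGE)],
            suggestions=[name] + DECOYS,
            answer=name,
        )
        for name in FRIENDS
    ]


def run(answers: List[Optional[str]]) -> str:
    """Play a list of answers against a fresh sample test, stopping once it is decided."""
    session = SASession(sample_test())
    for chosen in answers:
        if session.submit(chosen) != "in_progress":
            break
    return session.state()


if __name__ == "__main__":
    print(run(FRIENDS))                          # passed after the fifth correct page
    print(run([None, "heidi", "ivan", "dave"]))  # failed at the third skip/error
    for num, den in ((1, 6), (1, 2), (9, 10)):
        print(f"p={num}/{den}: P(pass)={float(pass_probability(num, den)):.4f}")
```

The point a defender takes from the numbers: blind guessing among six names passes about 0.2% of tests, so the threshold alone is a real barrier, but once each page has been narrowed to two candidates (slide 8's "1-2 guesses" category) the pass rate rises to roughly 23%, which is why the slide counts those tests as a significant advantage for the attacker.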

  9. Determined Attacker – Experiment
    • Face recognition: custom implementation (OpenCV)
    • Simulated SA tests from public photos
    • Train the system with K = 10, 20, …, 120 faces per friend
    • Always successful
      • even when only a scarce number of faces is available
      • K > 100 ensures a more robust outcome
    (Chart: successfully passed pages as a function of the size of the training set)

  10. Outcome
    • The attack against SA is effective
      • Even with off-the-shelf face recognition software
      • SA broken when supplied with the necessary training data
    • Facebook’s Response
      • Acknowledged our results
      • But
        • Deployed SA to raise the bar in large-scale phishing attacks
        • Not designed for small-scale or targeted attacks
    • Publications
      • “All Your Face Are Belong to Us: Breaking Facebook's Social Authentication.” Annual Computer Security Applications Conference (ACSAC), 2012
      • Covered by an article on ComputerWorld US

  11. REDESIGN

  12. reSA – “Social Authentication, Revisited”
    • Build SA tests from photos of poor quality
      • State-of-the-art face recognition software detects human faces
      • But cannot identify them (people wearing glasses, etc.)
    • reSA
      • Web application that simulates the SA mechanism
      • User study where we asked humans to solve SA tests with photos of mixed quality
    (Example test photos: Easy / Medium / Difficult)

  13. System Overview
    (Figure: system overview)

  14. User Data
    • 141 users
    • 14 different countries
    • People are able to recognize their friends
      • just as well in standard SA tests
      • as in tests with photos of poor quality
    (Table: summary of the collected Social Authentication tests)

  15. CONCLUSIONS

  16. Conclusions
    • Demonstrated the weaknesses of SA
      • Designed and implemented an automated SA breaking system
      • Publicly-available data sufficient for attackers
      • Cloud services can be utilized effectively
    • Facebook should reconsider its threat model
    • Need to revisit the SA approach
      • Conducted a user study to prove that people are able to recognize their friends also in photos of poor quality

  17. Acknowledgments
    Joint work within the SysSec EU Network of Excellence
    • Politecnico di Milano
    • Columbia University
    • FORTH Research Center

  18. THANK YOU