Social Authentication: Vulnerabilities, Mitigations, and Redesign

This presentation was utilized during the defense of my MSc Thesis @Politecnico di Milano (April 22, 2013).

Thesis: Social Authentication: Vulnerabilities, Mitigations, and Redesign
Supervisors: Stefano Zanero, Federico Maggi

Description: We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment.
We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

Marco Lancini

April 22, 2013

Transcript

  1. Slide 1 – Social Authentication: Vulnerabilities, Mitigations, and Redesign
     Master Thesis, Marco Lancini, April 22, 2013
     Advisor: Prof. Stefano ZANERO; Co-Advisor: Dr. Federico MAGGI
  2. Slide 2 – Online Social Networks
     • Massive user base
       • Facebook reached 1+ billion active users
       • 1/7th of the world population
     • Appealing targets for online crime
       • Identity theft
       • Spamming
       • Phishing
       • Selling stolen credit card numbers
       • Selling compromised accounts
     • 97% of malicious accounts are compromised, not fake
  3. Slide 3 – Keeping Stolen Accounts Safe
     • TWO-FACTOR AUTHENTICATION
       • Knowledge factor: “something the user KNOWS” (password)
       • Possession factor: “something the user HAS” (hardware token)
       • The risk of an adversary acquiring both is very low
       • Adopted by high-value services (online banking, Google services)
     • Drawbacks
       • Inconvenient for users
       • Costly for the service that deploys them
  4. Slide 5 – Social Authentication (SA)
     • Two-factor authentication scheme
       • Tests the user’s personal social knowledge
     • 2nd factor:
       • “something the user HAS” (hardware token)
       • “something the user KNOWS” (FRIEND)
     • User’s credentials are authentic only if he can correctly identify his friends
       • The user can recognize his friends whereas a stranger cannot
       • “Attackers halfway across the world might know a user’s password, but they don’t know who his friends are.”
     • Triggering: when a login is considered suspicious
  5. Slide 6 – How It Works
     • 7 challenges
     • Each challenge (page):
       • 3 photos of a friend
       • 6 possible answers (“suggestions”)
     • User has to correctly answer 5 challenges (2 errors/skips allowed)
  6. Slide 7 – Threat Model
     • SA considered safe against adversaries that
       • Have stolen credentials
       • Are strangers (not members of the victim’s social circle)
     • Not safe against
       • Close friends
       • Family
       • Any tightly connected network (university)
  7. Slide 9 – SA Photo Selection
     “Are photos randomly selected?”
     • 2,667 SA photos from real SA tests checked
       • 84% containing faces in manual inspection
       • 80% in automatic inspection by software
     • 3,486 random Facebook photos checked
       • 69% contained faces in manual inspection
     • Face detection procedures are used for selecting photos with faces
  8. Slide 10 – Motivation
     • 84% are photos with faces: SA solvable by humans
     • 80% are photos with faces that can be detected by face-detection software
     • Can a stranger bypass SA in an automated manner?
       • position himself inside the victim’s social circle
       • gaining the information necessary to defeat the SA
  9. Slide 11 – Attacker Models
     • CASUAL ATTACKER
       • Interested in compromising the greatest possible number of accounts
       • Collects publicly available data
       • May lack some information
     • DETERMINED ATTACKER
       • Focused on a particular target
       • Penetrates the victim’s social circle
       • Employs fake accounts
       • Collects as much private data as possible
  10. Slide 12 – Automated Attack
     1. Crawling Friend List
     2. Issuing Friend Requests (optional)
        1. Creation of Fake Profiles
        2. Infiltration in the Social Graph
     3. Photo Collection (public/private)
     4. Modeling
        1. Face Extraction and Tag Matching
        2. Facial Modeling and Training
     5. Name Lookup
  11. Slide 14 – Experimental Evaluation
     • We collect data as Casual Attackers (publicly available data)
     • We have not compromised or damaged any user account
     • CASUAL ATTACKER experiment
     • DETERMINED ATTACKER experiment
  12. Slide 15 – Casual Attacker – Experiment
     • Used our fake accounts as “victims”
     • Automated SA triggering through Tor
       • Geographic dispersion of its exit nodes
       • Appear to be logging in from remote locations
     • Collected 127 real SA tests
     • Face recognition: cloud service (face.com)
       • Exposes a REST API to developers
       • Superior accuracy
     • ~44 seconds to solve a complete test << 300 seconds
  13. Slide 16 – Casual Attacker – Accuracy
     • Manual verification
       • 22% solved (28/127)
       • 56% need 1-2 guesses (71/127)
       • 78% in which the test was defeated or a significant advantage was obtained
     • Failed photos
       • 25% no face in photo (hard also for humans)
       • 50% unrecognizable face (poor quality photos)
       • 25% no face model found
  14. Slide 17 – Determined Attacker – Experiment
     • Used simulation, as only public data was used
     • Selected users with enough photos
     • Face recognition: custom implementation (OpenCV)
     • Evaluate the accuracy and efficiency of our attack
     • Number of faces per user needed to train a classifier to successfully solve the SA tests
     • Simulate SA tests from public photos
       • Train the system with K = 10, 20, …, 120 faces per friend
       • Generate 30 simulated SA tests from photos not used for training
  15. Slide 18 – Determined Attacker – Accuracy
     Successfully passed pages as a function of the size of the training set

     Faces   Min success rate
       30    42%
       90    57%
      120    100%

     • Always successful
       • even when a scarce number of faces is available
       • K > 100 ensures a more robust outcome
  16. Slide 19 – Determined Attacker – Efficiency
     Time required to look up photos as a function of solved pages

     Max time required   Min success rate
     100 s               42%
     140 s               57%
     150 s (< 300 s)     100%
  17. Slide 20 – Outcome
     • The attack against SA is effective
       • even with off-the-shelf face recognition software
       • SA broken when supplied with the necessary training data
     • Publications
       • “All Your Face Are Belong to Us: Breaking Facebook's Social Authentication.” Annual Computer Security Applications Conference (ACSAC), 2012
       • Covered by an article on ComputerWorld US
  18. Slide 21 – Facebook’s Response
     • Acknowledged our results
     • Deployed SA to raise the bar in large-scale phishing attacks
       • Not designed for small-scale or targeted attacks
     • Users can enable Login Approval
       • How many have actually done so?
  19. Slide 23 – reSA – “Social Authentication, Revisited”
     • Build SA tests from photos of poor quality
       • state-of-the-art face recognition software detects human faces
       • but cannot identify them (people wearing glasses, etc.)
     • Goal
       • evaluate our implementation of a modified SA photo selection scheme for a social networking service
     • By means of
       • Web application that simulates the SA mechanism
       • User study where we asked humans to solve SA tests with photos of mixed quality
  20. Slide 25 – System Overview
     • Preparation Phase (collect and prepare all the information needed for the actual creation of the tests)
       1. Application Authorization
       2. Photo Collection
       3. Tags Processing
          1. Category Assignment
          2. Eligibility Checks (at least 7 friends eligible for each type)
     • Tests Generation (on request)
  21. Slide 28 – User Data
     • 141 users
     • 14 different countries
     • People are able to recognize their friends
       • just as well in standard SA tests
       • as in tests with photos of poor quality
  22. Slide 30 – Conclusions
     • Demonstrated the weaknesses of SA
       • Designed and implemented an automated SA breaking system
       • Publicly available data is sufficient for attackers
       • Cloud services can be utilized effectively
     • Facebook should reconsider its threat model
       • Need to revisit the SA approach
     • Conducted a user study to prove that people are able to recognize their friends also in photos of poor quality
  23. Slide 31 – Acknowledgments
     Joint work within the SysSec EU Network of Excellence
     • Politecnico di Milano
     • Columbia University
     • FORTH Research Center