Social Authentication: Vulnerabilities, Mitigations, and Redesign

Transcript

1. Social Authentication:
   Vulnerabilities, Mitigations, and Redesign
   Master Thesis
   Marco Lancini - April 22, 2013
   Advisor: Prof. Stefano ZANERO
   Co-Advisor: Dr. Federico MAGGI
   

   View Slide

2. Marco Lancini
   Online Social Networks
   • Massive user base
   • Facebook reached 1+ billion active users
   • 1/7th of the world population
   • Appealing targets for online crime
   • Identity theft
   • Spamming
   • Phishing
   • Selling stolen credit cards numbers Selling compromised accounts
   • 97% of malicious accounts compromised, not fake
   2
   

   View Slide

3. Marco Lancini
   Keeping Stolen Accounts Safe
   • TWO-FACTOR AUTHENTICATION
   • Knowledge factor: “something the user KNOWS” (password)
   • Possession factor: “something the user HAS” (hardware token)
   • The risk of an adversary acquiring both is very low
   • Adopted by high-value services (online banking, Google services)
   • Drawbacks
   • Inconvenient for users
   • Costly for the service that deploys them
   3
   

   View Slide

4. Marco Lancini
   SOCIAL AUTHENTICATION
   4
   

   View Slide

5. Marco Lancini
   Social Authentication (SA)
   • Two-factor authentication scheme
   • Tests the user’s personal social knowledge
   • 2nd factor:
   • “something the user HAS” (hardware token)
   • “something the user KNOWS” (FRIEND)
   • User’s credentials authentic only if he can correctly identify his friends
   • The user can recognize his friends whereas a stranger cannot
   Attackers halfway across the world might know a user’s password,
   but they don’t know who his friends are.
   • Triggering: When login considered suspicious
   5
   

   View Slide

6. Marco Lancini
   How It Works
   • 7 challenges
   • Each challenge (page)
   • 3 photos of a friend
   • 6 possible answers (“suggestions”)
   • User has to correctly answer 5 challenges (2 errors/skips)
   6
   

   View Slide

7. Marco Lancini
   Threat Model
   • SA considered safe against adversaries that
   • Have stolen credentials
   • Are strangers (not members of the victim’s social circle)
   • Not safe against
   • Close friends
   • Family
   • Any tightly connected network (university)
   7
   

   View Slide

8. Marco Lancini
   VULNERABILITY ASSESSMENT OF SA
   8
   

   View Slide

9. Marco Lancini
   SA Photo Selection
   “Are photos randomly selected?”
   • 2,667 SA photos from real SA tests checked
   • 84% containing faces in manual inspection
   • 80% in automatic inspection by software
   • 3,486 random Facebook photos checked
   • 69% contained faces in manual inspection
   • Face detection procedures used for selecting photos with faces
   9
   

   View Slide

10. Marco Lancini
    Motivation
    84% are photos with faces
    SA solvable by humans
    80% are photos with faces that can be detected by face-detection software
    Can a stranger bypass SA in an automated manner?
    • position himself inside the victim’s social circle
    • gaining the information necessary to defeat the SA
    10
    

    View Slide

11. Marco Lancini
    Attacker Models
    • CASUAL ATTACKER
    • Interested in compromising the greatest possible number of
    accounts
    • Collects publicly available data
    • May lack some information
    • DETERMINED ATTACKER
    • Focused on a particular target
    • Penetrates victim’s social circle
    • Employs fake accounts
    • Collect as much private data as possible
    11
    

    View Slide

12. Marco Lancini
    Automated Attack
    1. Crawling Friend List
    2. Issuing Friend Requests (optional)
    1. Creation of Fake Profiles
    2. Infiltration in the Social Graph
    3. Photo Collection (public/private)
    4. Modeling
    1. Face Extraction and Tag Matching
    2. Facial Modeling and Training
    5. Name Lookup
    12
    

    View Slide

13. Marco Lancini
    Attack Surface Estimation 13
    

    View Slide

14. Marco Lancini
    Experimental Evaluation
    • We collect data as Casual Attackers (publicly available data)
    • We have not compromised or damaged any user account
    • CASUAL ATTACKER experiment
    • DETERMINED ATTACKER experiment
    14
    

    View Slide

15. Marco Lancini
    Casual Attacker – Experiment
    • Used our fake accounts as “victims”
    • Automated SA triggering through ToR
    • Geographic dispersion of its exit nodes
    • Appear to be logging in from remote locations
    • Collected 127 real SA tests
    • Face recognition: cloud service (face.com)
    • Exposes REST API to developers
    • Superior accuracy
    • ~44 seconds to solve a complete test << 300 seconds
    15
    

    View Slide

16. Marco Lancini
    Casual Attacker – Accuracy
    Manual verification
    • 22% solved (28/127)
    • 56% need 1-2 guesses
    (71/127)
    Failed photos
    • 25% no face in photo
    • hard also for humans
    • 50% unrecogn. face
    • poor quality photos
    • 25% no face model found
    16
    78% in which
    • Tests defeated or
    • Obtained a significant advantage
    

    View Slide

17. Marco Lancini
    Determined Attacker – Experiment
    • Used simulation
    • As only public data was used
    • Selected users with enough photos
    • Face recognition: custom implementation (OpenCV)
    • evaluate the accuracy and efficiency of our attack
    • number of faces per user needed to train a
    classifier to successfully solve the SA tests
    • Simulate SA tests from public photos
    • Train system with K = 10, 20, …, 120 faces per friend
    • Generate 30 simulated SA tests from photos not used for training
    17
    

    View Slide

18. Marco Lancini
    Determined Attacker – Accuracy
    Successfully passed pages as a function of the size of the training set
    18
    Faces Min Success Rate
    30 42%
    90 57%
    120 100%
    Always successful
    • even when a scarce
    number of faces is
    available
    • K > 100 ensures a
    more robust outcome
    

    View Slide

19. Marco Lancini
    Determined Attacker – Efficiency
    Time required to lookup photos as a function of solved pages
    19
    Max Time Required Min Success Rate
    100s 42%
    140s 57%
    150s < 300s 100%
    

    View Slide

20. Marco Lancini
    Outcome
    The attack against SA is effective
    • even with off-the-shelf face recognition software
    • SA broken when supplied with the necessary training data
    • Publications
    • “All Your Face Are Belong to Us: Breaking Facebook's Social
    Authentication. ”
    Annual Computer Security Applications Conference (ACSAC), 2012
    • Covered by an article on ComputerWorld US
    20
    

    View Slide

21. Marco Lancini
    Facebook’s Response
    • Acknowledged our results
    • Deployed SA to raise the bar in large-scale phishing attacks
    • Not designed for small-scale or targeted attacks
    • Users can enable Login Approval
    • How many have actually done so?
    21
    

    View Slide

22. Marco Lancini
    REDESIGN
    22
    

    View Slide

23. Marco Lancini
    reSA – “Social Authentication, Revisited”
    • Build SA tests from photos of poor quality
    • state-of-the-art face recognition software detects human faces
    • but cannot identify them (people wearing glasses, etc.)
    • Goal
    • evaluate our implementation of a modified SA photo selection
    scheme for a social networking service
    • By means of
    • Web application that simulates the SA mechanism
    • User study where we asked humans to solve SA tests with photos of
    mixed quality
    23
    

    View Slide

24. Marco Lancini
    Photo Selection – Categories 24
    Faces blurred for privacy reasons
    

    View Slide

25. Marco Lancini
    System Overview
    • Preparation Phase
    (collect and prepare all the information needed for the actual creation of the tests)
    1. Application Authorization
    2. Photo Collection
    3. Tags Processing
    1. Category Assignment
    2. Eligibility Checks (at least 7 friends eligibile for each type)
    • Tests Generation (on-request)
    25
    

    View Slide

26. Marco Lancini
    Example – Challenge 26
    

    View Slide

27. Marco Lancini
    Example – Survey 27
    

    View Slide

28. Marco Lancini
    User Data
    • 141 users
    • 14 different countries
    28
    • People are able to recognize their friends
    • just as good in both standard SA tests
    • and tests with photos of poor quality
    

    View Slide

29. Marco Lancini
    CONCLUSIONS
    29
    

    View Slide

30. Marco Lancini
    Conclusions
    • Demonstrated the weaknesses of SA
    • Designed and implemented an automated SA breaking system
    • Publicly-available data sufficient for attackers
    • Cloud services can be utilized effectively
    • Facebook should reconsider its threat model
    • Need to revisit the SA approach
    • Conducted a user study to prove that people are able to recognize their
    friends also in photos of poor quality
    30
    

    View Slide

31. Marco Lancini
    Acknowledgments
    Joint work within the SysSec EU Network of Excellence
    • Politecnico di Milano
    • Columbia University
    • FORTH Research Center
    31
    

    View Slide

32. Marco Lancini
    THANK YOU. QUESTIONS?
    32
    

    View Slide