
Social Authentication: Vulnerabilities, Mitigations, and Redesign

This presentation was utilized during the defense of my MSc Thesis @Politecnico di Milano (April 22, 2013).

Thesis: Social Authentication: Vulnerabilities, Mitigations, and Redesign
Supervisors: Stefano Zanero, Federico Maggi

Description: We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment.
We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

Marco Lancini

April 22, 2013

Transcript

  1. Social Authentication:
    Vulnerabilities, Mitigations, and Redesign
    Master Thesis
    Marco Lancini - April 22, 2013
    Advisor: Prof. Stefano ZANERO
    Co-Advisor: Dr. Federico MAGGI

  2. Online Social Networks
    • Massive user base
      • Facebook reached 1+ billion active users, about 1/7th of the world population
    • Appealing targets for online crime
      • Identity theft
      • Spamming
      • Phishing
      • Selling stolen credit card numbers
      • Selling compromised accounts
    • 97% of malicious accounts are compromised, not fake

  3. Keeping Stolen Accounts Safe
    • TWO-FACTOR AUTHENTICATION
      • Knowledge factor: “something the user KNOWS” (password)
      • Possession factor: “something the user HAS” (hardware token)
      • The risk of an adversary acquiring both is very low
      • Adopted by high-value services (online banking, Google services)
    • Drawbacks
      • Inconvenient for users
      • Costly for the service that deploys them

  4. SOCIAL AUTHENTICATION

  5. Social Authentication (SA)
    • Two-factor authentication scheme that tests the user’s personal social knowledge
    • 2nd factor: instead of “something the user HAS” (hardware token),
      “something the user KNOWS” (his friends)
    • Credentials are accepted only if the user can correctly identify his friends
    • The user can recognize his friends, whereas a stranger cannot:
      “Attackers halfway across the world might know a user’s password,
      but they don’t know who his friends are.”
    • Triggering: when a login is considered suspicious

  6. How It Works
    • 7 challenges per test
    • Each challenge (page) shows
      • 3 photos of one friend
      • 6 possible answers (“suggestions”)
    • The user has to answer 5 challenges correctly (at most 2 errors or skips)
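
As an added illustration (not code from the thesis or the slides), the following Python models the pass rule described on this slide and computes the probability of passing a whole test as a function of how often the attacker identifies the friend on a single page. The 1/6 blind-guess rate assumes the six suggestions are otherwise indistinguishable, and treating pages as independent is an assumption:

```python
from math import comb

CHALLENGES = 7        # pages per SA test
SUGGESTIONS = 6       # candidate names offered per page
REQUIRED_CORRECT = 5  # pass threshold: at most 2 errors or skips


def verify(answers, solutions, required=REQUIRED_CORRECT):
    """SA verdict for one test. `answers[i]` is the name chosen on page i, or
    None for a skipped page; a skip counts exactly like a wrong answer."""
    if len(answers) != len(solutions):
        raise ValueError("one answer per page expected")
    correct = sum(1 for a, s in zip(answers, solutions) if a is not None and a == s)
    return correct >= required


def pass_probability(p, n=CHALLENGES, required=REQUIRED_CORRECT):
    """Probability of passing when each page is answered correctly with
    probability p, independently of the others (assumption): the upper tail
    of a Binomial(n, p) distribution."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(required, n + 1))


def blind_guess_probability():
    """A stranger with no information picks one of the 6 suggestions at random
    on every page (assumption: the suggestions are otherwise indistinguishable)."""
    return pass_probability(1 / SUGGESTIONS)


if __name__ == "__main__":
    # constructed sample test: the friend shown on each of the 7 pages
    solutions = ["ann", "bob", "cat", "dan", "eve", "fay", "gus"]
    print(verify(["ann", "bob", "cat", "dan", "eve", None, "xxx"], solutions))  # 5 correct: pass
    print(verify(["ann", "bob", "cat", "dan", None, None, None], solutions))    # 4 correct: fail
    print(f"blind guessing: {blind_guess_probability():.4%}")
    for p in (0.5, 0.8, 0.9):
        print(f"per-page recognition rate {p:.0%}: pass probability {pass_probability(p):.1%}")
```

The 5-of-7 rule keeps blind guessing at roughly 0.2%, but it is a recognition threshold rather than a brute-force one: an attacker whose model identifies the friend on 80% of pages passes about 85% of tests, which is why the rest of the deck concentrates on how many faces per friend an attacker can collect.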

  7. Threat Model
    • SA is considered safe against adversaries who
      • have stolen the credentials
      • are strangers (not members of the victim’s social circle)
    • It is not safe against
      • close friends
      • family
      • any tightly connected network (e.g. a university)

  8. VULNERABILITY ASSESSMENT OF SA

  9. SA Photo Selection
    “Are photos randomly selected?”
    • 2,667 photos from real SA tests checked
      • 84% contained faces on manual inspection
      • 80% contained faces on automatic inspection by face-detection software
    • 3,486 random Facebook photos checked
      • 69% contained faces on manual inspection
    • The higher rate suggests that face-detection procedures are used to select photos with faces

  10. Motivation
    84% are photos with faces: SA is solvable by humans
    80% are photos with faces that face-detection software can detect
    Can a stranger bypass SA in an automated manner?
    • by positioning himself inside the victim’s social circle
    • and gaining the information necessary to defeat the SA

  11. Attacker Models
    • CASUAL ATTACKER
      • Interested in compromising the greatest possible number of accounts
      • Collects publicly available data
      • May lack some information
    • DETERMINED ATTACKER
      • Focused on a particular target
      • Penetrates the victim’s social circle
      • Employs fake accounts
      • Collects as much private data as possible

  12. Automated Attack
    1. Crawling the friend list
    2. Issuing friend requests (optional)
         1. Creation of fake profiles
         2. Infiltration of the social graph
    3. Photo collection (public/private)
    4. Modeling
         1. Face extraction and tag matching
         2. Facial modeling and training
    5. Name lookup
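
The modeling and name-lookup steps of the pipeline above, as an added example that is not the thesis’ code: tag matching pairs each Facebook tag (x, y given as a percentage of the image) with the detected face rectangle it falls in; matched faces are represented by per-face feature vectors, and a nearest-centroid classifier stands in for the OpenCV and face.com recognizers used in the thesis (an assumption); the name lookup restricts the classifier to the six suggested names and votes over the faces found on the page. Photo sizes, face rectangles, tags and feature vectors are constructed sample data:

```python
from collections import defaultdict
from math import dist

# Constructed sample input (not real Facebook data): each photo carries its
# pixel size, the face rectangles (x, y, w, h) a detector found, one feature
# vector per detected face, and Facebook-style tags whose x/y are
# percentages of the image width/height.
PHOTOS = [
    {"width": 400, "height": 300,
     "faces": [(50, 40, 100, 100), (250, 60, 100, 100)],
     "features": [(1.0, 0.1), (0.1, 1.0)],
     "tags": [{"id": "alice", "x": 25.0, "y": 30.0}, {"id": "bob", "x": 75.0, "y": 35.0}]},
    {"width": 400, "height": 300,
     "faces": [(150, 100, 80, 80)],
     "features": [(0.9, 0.2)],
     # 'dave' is tagged on a spot where no face was detected: discarded
     "tags": [{"id": "alice", "x": 47.5, "y": 45.0}, {"id": "dave", "x": 5.0, "y": 5.0}]},
    {"width": 200, "height": 200,
     "faces": [(0, 0, 200, 200)],
     "features": [(0.5, 0.5)],
     # two tags inside the same face: ambiguous, discarded
     "tags": [{"id": "bob", "x": 30.0, "y": 30.0}, {"id": "carol", "x": 70.0, "y": 70.0}]},
    {"width": 300, "height": 300,
     "faces": [(100, 100, 100, 100)],
     "features": [(0.2, 0.9)],
     "tags": [{"id": "bob", "x": 50.0, "y": 50.0}]},
]


# Step 4.1: face extraction and tag matching
def match_tags(photo):
    """Map friend id -> index of the detected face that contains the tag point.
    A tag outside every face, or a face containing two tags, is discarded."""
    w, h = photo["width"], photo["height"]
    tags_per_face = defaultdict(list)
    for tag in photo["tags"]:
        x, y = tag["x"] / 100 * w, tag["y"] / 100 * h
        hits = [i for i, (fx, fy, fw, fh) in enumerate(photo["faces"])
                if fx <= x <= fx + fw and fy <= y <= fy + fh]
        if len(hits) == 1:
            tags_per_face[hits[0]].append(tag["id"])
    return {ids[0]: face for face, ids in tags_per_face.items() if len(ids) == 1}


def build_training_set(photos):
    """friend id -> list of feature vectors of that friend's matched faces."""
    training = defaultdict(list)
    for photo in photos:
        for friend, face in match_tags(photo).items():
            training[friend].append(photo["features"][face])
    return dict(training)


# Step 4.2: facial modeling and training. A nearest-centroid classifier over
# the feature vectors stands in for a real face recognizer (assumption); the
# lookup logic built around it is what the attack needs.
def train_centroids(training):
    return {friend: tuple(sum(v[i] for v in vecs) / len(vecs) for i in range(len(vecs[0])))
            for friend, vecs in training.items()}


def recognize(model, vec, candidates):
    """Closest centroid among `candidates` only."""
    return min(candidates, key=lambda friend: dist(model[friend], vec))


# Step 5: name lookup for one SA page
def solve_page(model, page_face_vectors, suggestions):
    """Restrict the recognizer to the 6 suggested names and vote over the faces
    found in the page's 3 photos. Returns None when no suggested friend has a
    trained model (the 'no face model found' failure seen in the experiments)."""
    known = [s for s in suggestions if s in model]
    if not known or not page_face_vectors:
        return None
    votes = defaultdict(int)
    for vec in page_face_vectors:
        votes[recognize(model, vec, known)] += 1
    return max(votes, key=votes.get)


if __name__ == "__main__":
    model = train_centroids(build_training_set(PHOTOS))
    print("trained models for:", sorted(model))          # alice and bob only
    page = [(0.2, 1.0), (0.1, 0.8), (0.3, 0.9)]         # faces from 3 photos of bob (constructed)
    print(solve_page(model, page, ["alice", "bob", "carol", "dave", "erin", "frank"]))
```

Restricting the classifier to the six suggestions is the step that makes the attack cheap: the model never has to pick the right person out of the whole friend list, only out of six names, and when it has models for only some of them it degrades to a choice among those rather than failing outright.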

  13. Attack Surface Estimation

  14. Experimental Evaluation
    • We collected data as casual attackers would (publicly available data only)
    • We have not compromised or damaged any user account
    • CASUAL ATTACKER experiment
    • DETERMINED ATTACKER experiment

  15. Casual Attacker – Experiment
    • Used our own fake accounts as “victims”
    • Automated SA triggering through Tor
      • geographic dispersion of its exit nodes
      • logins appear to come from remote locations
    • Collected 127 real SA tests
    • Face recognition: cloud service (face.com)
      • exposes a REST API to developers
      • superior accuracy
    • ~44 seconds to solve a complete test, well under the 300-second limit

  16. Casual Attacker – Accuracy
    Manual verification
    • 22% solved (28/127)
    • 56% need 1-2 guesses (71/127)
    • 78% of tests defeated or a significant advantage obtained
    Failed photos
    • 25%: no face in the photo (hard for humans too)
    • 50%: unrecognized face (poor-quality photos)
    • 25%: no face model found

  17. Determined Attacker – Experiment
    • Simulated, since only public data was used
    • Selected users with enough photos
    • Face recognition: custom implementation (OpenCV)
    • Goal: evaluate the accuracy and efficiency of our attack, i.e. the number
      of faces per user needed to train a classifier that solves the SA tests
    • SA tests simulated from public photos
      • Train the system with K = 10, 20, …, 120 faces per friend
      • Generate 30 simulated SA tests from photos not used for training

  18. Determined Attacker – Accuracy
    Successfully passed pages as a function of the size of the training set
    Faces per friend (K) | Min. success rate
    30                   | 42%
    90                   | 57%
    120                  | 100%
    • Pages are always passed, even when only a scarce number of faces is available
    • K > 100 ensures a more robust outcome

  19. Determined Attacker – Efficiency
    Time required to look up photos as a function of solved pages
    Max. time required | Min. success rate
    100 s              | 42%
    140 s              | 57%
    150 s (< 300 s)    | 100%

  20. Outcome
    The attack against SA is effective
    • even with off-the-shelf face recognition software
    • SA is broken when the attacker is supplied with the necessary training data
    Publications
    • “All Your Face Are Belong to Us: Breaking Facebook's Social Authentication”,
      Annual Computer Security Applications Conference (ACSAC), 2012
    • Covered by an article on ComputerWorld US

  21. Facebook’s Response
    • Acknowledged our results
    • SA was deployed to raise the bar against large-scale phishing attacks
    • It was not designed for small-scale or targeted attacks
    • Users can enable Login Approval
      • How many have actually done so?

  22. REDESIGN

  23. reSA – “Social Authentication, Revisited”
    • Build SA tests from photos of poor quality
      • state-of-the-art face recognition software detects the human faces in them
      • but cannot identify them (people wearing glasses, etc.)
    • Goal: evaluate our implementation of a modified SA photo selection scheme
      for a social networking service
    • By means of
      • a web application that simulates the SA mechanism
      • a user study in which we asked humans to solve SA tests with photos of mixed quality

  24. Photo Selection – Categories
    (figure: sample photos per category; faces blurred for privacy reasons)

  25. System Overview
    • Preparation phase
      (collect and prepare all the information needed for the actual creation of the tests)
      1. Application authorization
      2. Photo collection
      3. Tag processing
           1. Category assignment
           2. Eligibility checks (at least 7 friends eligible for each test type)
    • Test generation (on request)
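
An added example (not the thesis’ web application) of the preparation phase’s category assignment, eligibility check and on-request test generation. The category rule follows the reSA description above: a photo whose face is detected but identified with low confidence is the poor-quality material. The confidence threshold, the requirement of three photos per friend and category (mirroring the three photos per page of standard SA), and the friend and photo data are assumptions:

```python
from collections import defaultdict
from random import Random

CHALLENGES = 7              # pages per test, as in Facebook's SA
SUGGESTIONS = 6             # names offered on each page
PHOTOS_PER_CHALLENGE = 3    # photos of the target friend on each page
CONFIDENCE_THRESHOLD = 0.8  # assumption: below this the recognizer "cannot identify" the face


def assign_category(photo, threshold=CONFIDENCE_THRESHOLD):
    """Category of one tagged photo, from the (assumed) recognizer output.

    'standard': a face is detected and identified with high confidence
    'poor':     a face is detected but the recognizer cannot identify it
                (glasses, blur, ...), the reSA material
    None:       no detectable face at all; unusable, as those photos are hard
                for humans as well
    """
    if not photo["face_detected"]:
        return None
    return "standard" if photo["confidence"] >= threshold else "poor"


def eligible_friends(photos, category, min_photos=PHOTOS_PER_CHALLENGE):
    """{friend: [photo ids]} for friends with enough photos of `category`
    to fill a page (assumption: one page needs PHOTOS_PER_CHALLENGE photos)."""
    per_friend = defaultdict(list)
    for photo in photos:
        if assign_category(photo) == category:
            per_friend[photo["friend"]].append(photo["id"])
    return {f: ids for f, ids in per_friend.items() if len(ids) >= min_photos}


def can_generate(photos, category, min_friends=CHALLENGES):
    """Eligibility check: at least 7 friends eligible for this type of test."""
    return len(eligible_friends(photos, category)) >= min_friends


def generate_test(photos, all_friends, category, seed=0):
    """On-request generation: 7 pages, each showing 3 photos of one friend of
    the requested category and 6 suggestions (the friend plus 5 decoys)."""
    rng = Random(seed)
    pool = eligible_friends(photos, category)
    if len(pool) < CHALLENGES:
        raise ValueError(f"{len(pool)} friends eligible for {category!r}, need {CHALLENGES}")
    if len(all_friends) < SUGGESTIONS:
        raise ValueError("not enough friends to fill the suggestions")
    pages = []
    for friend in rng.sample(sorted(pool), CHALLENGES):   # a distinct friend per page
        decoys = rng.sample([f for f in all_friends if f != friend], SUGGESTIONS - 1)
        suggestions = decoys + [friend]
        rng.shuffle(suggestions)
        pages.append({
            "friend": friend,
            "photos": rng.sample(pool[friend], PHOTOS_PER_CHALLENGE),
            "suggestions": suggestions,
        })
    return pages


def sample_data():
    """Constructed data: ten friends; the last two have only two 'poor' photos
    and so are eligible for standard tests but not for poor-quality ones."""
    friends = [f"friend{i:02d}" for i in range(10)]
    photos = []
    for i, friend in enumerate(friends):
        for j in range(2 if i >= 8 else 3):
            photos.append({"id": f"{friend}-poor{j}", "friend": friend,
                           "face_detected": True, "confidence": 0.3})
        for j in range(3):
            photos.append({"id": f"{friend}-std{j}", "friend": friend,
                           "face_detected": True, "confidence": 0.95})
        photos.append({"id": f"{friend}-noface", "friend": friend,
                       "face_detected": False, "confidence": 0.0})
    return friends, photos


if __name__ == "__main__":
    friends, photos = sample_data()
    for category in ("standard", "poor"):
        print(category, "eligible:", sorted(eligible_friends(photos, category)),
              "can generate:", can_generate(photos, category))
    for page in generate_test(photos, friends, "poor"):
        print(page["friend"], page["photos"], page["suggestions"])
```

The check mirrors the slide’s eligibility rule: a test type is offered only if at least seven friends have enough photos of that category, and since the standard/poor split is driven by the recognizer’s confidence, the same set of tagged photos feeds both test types.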

  26. Example – Challenge

  27. Example – Survey

  28. User Data
    • 141 users
    • 14 different countries
    • People are able to recognize their friends
      • just as well in standard SA tests
      • as in tests with photos of poor quality

  29. CONCLUSIONS

  30. Conclusions
    • Demonstrated the weaknesses of SA
    • Designed and implemented an automated SA-breaking system
      • Publicly available data is sufficient for attackers
      • Cloud services can be utilized effectively
    • Facebook should reconsider its threat model
    • Need to revisit the SA approach
      • Conducted a user study showing that people are able to recognize their
        friends also in photos of poor quality

  31. Acknowledgments
    Joint work within the SysSec EU Network of Excellence
    • Politecnico di Milano
    • Columbia University
    • FORTH Research Center

  32. THANK YOU. QUESTIONS?