All Your Face Are Belong to Us: Breaking Facebook's Social Authentication


I delivered a talk based on this presentation at http://hek.si 2013 in Ljubljana.

This presentation is based on joint research we did in 2011–2012, whose results were first presented at ACSAC 2012 in December.

Authors: Jason Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos Keromytis, and Stefano Zanero

Abstract: Two-factor authentication is widely used by high-value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which requires users to identify some of their friends in randomly selected photos. A recent study has provided a formal analysis of social authentication weaknesses against attackers inside the victim’s social circles. In this paper, we extend the threat model and study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implement a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluate it using real public data collected from Facebook. Under the assumptions of Facebook’s threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of a user’s friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing. Additionally, we simulate the scenario of a determined attacker placing himself inside the victim’s social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when 120 faces per friend are accessible by the attacker, even though it is very accurate with as little as 10 faces.

Paper (PDF): http://tinyurl.com/socialauth


Transcript

  • 1. ALL YOUR FACE ARE BELONG TO US BREAKING FACEBOOK'S SOCIAL AUTHENTICATION FEDERICO MAGGI NECSTLAB, POLITECNICO DI MILANO
  • 2. ABOUT THE TITLE JAPANESE-TO-ENGLISH TRANSLATION ERROR EU EDITION OF "ZERO WING" CONSOLE GAME, 1991 BECAME AN INTERNET MEME, 2000 "All Your Face are Belong to Us"
  • 3. CATS:連邦政府軍のご協力により、君達 の基地は、全てCATSがいただいた。 CATS: All your base are belong to us. CATS: With the cooperation of Federation Forces, all of your bases now belong to us.
  • 4. JOINT WORK MARCO LANCINI FEDERICO MAGGI STEFANO ZANERO POLITECNICO DI MILANO, ITALY JASON POLAKIS SOTIRIS IOANNIDIS FORTH, GREECE GEORGIOS KONTAXIS ANGELOS KEROMYTIS COLUMBIA UNIVERSITY, US ACCEPTED AT ACSAC 2012
  • 5. ONLINE SOCIAL NETWORKS
  • 6. ONLINE SOCIAL NETWORKS (2013) Registered users / active users: Facebook 1+ billion / 1 billion; Tencent QQ 784+ million / 712 million; Google+ 500+ million / 235 million; Twitter 500+ million / 200+ million; LinkedIn 200+ million / 160 million; Tencent Qzone 597+ million / 150 million; Sina Weibo 400+ million / 100+ million; Windows Live 100 million / 100 million; Instagram 100+ million / 100 million. Source: Wikipedia, "List of virtual communities with more than 100 million active users"
  • 7. ONLINE SOCIAL NETWORKS FACEBOOK REACHED 1+ BILLION ACTIVE USERS 1/7th OF THE WORLD POPULATION MASSIVE USER BASE APPEALING TARGET FOR ONLINE CRIME
  • 8. ONLINE SOCIAL NETWORKS ABUSED IDENTITY THEFT SPAMMING PHISHING SELLING CREDIT CARDS SELLING STOLEN ACCOUNTS
  • 9. MALICIOUS FACEBOOK ACCOUNTS Gao et al. "Detecting and Characterizing Social Spam Campaigns" ACM Internet Measurement Conference, 2010 97% ARE REAL, COMPROMISED ACCOUNTS
  • 10. MAIN CAUSES OF STOLEN ACCOUNTS INFORMATION-STEALING MALWARE SOCIAL ENGINEERING PHISHING
  • 11. KEEPING STOLEN ACCOUNTS SAFE MULTI-FACTOR AUTHENTICATION SOMETHING YOU KNOW: A PASSWORD SOMETHING YOU HAVE: A TOKEN
  • 12. Paul Applegate http://www.flickr.com/photos/mrapplegate/1287965486/
  • 13. DRAWBACKS LOW ACCEPTANCE CUMBERSOME CAN BE LOST
  • 14. FACEBOOK'S APPROACH SOMETHING YOU HAVE (TOKEN) SOMEONE YOU KNOW (FRIEND)
  • 15. "A CONTINUED COMMITMENT TO SECURITY" https://www.facebook.com/blog/blog.php?post=486790652130
  • 16. WHEN DOES IT COME INTO PLAY? GEO LOCATION THAT YOU NEVER ACCESSED FROM FIRST TIME YOU USE A COMPUTER
  • 17. HOW DOES IT WORK? 7 FRIENDS TO IDENTIFY 3 PHOTOS PER FRIEND 6 SUGGESTIONS 2 MISTAKES FRIENDS PHOTOS TAGS GROUND TRUTH
  • 18. ADVANTAGES OF SOCIAL AUTHENTICATION PEOPLE ACCUSTOMED TO TAGGING FRIENDS MORE USER FRIENDLY THAN A TOKEN LOOKS LIKE A GAME
  • 19. ADVERSARY MODEL ANYONE OUTSIDE THE VICTIM'S SOCIAL CIRCLE A STRANGER CLOSE COMMUNITIES CLOSE FRIENDS FAMILY
  • 20. ASSUMPTION THE ATTACKER CANNOT INFILTRATE INTO THE VICTIM'S SOCIAL CIRCLE
  • 21. SECURITY WEAKNESSES 5 FRIENDS TO IDENTIFY 3 PHOTOS PER FRIEND 6 SUGGESTIONS 2 MISTAKES This information is publicly available to some degree.
  • 22. CAN AN ATTACKER BYPASS SOCIAL AUTHENTICATION AUTOMATICALLY? (#1 CASUAL ATTACKER)
  • 23. FRIENDS
  • 24. SECURITY WEAKNESSES TAKE 2 7 5 FRIENDS TO IDENTIFY 3 PHOTOS PER FRIEND 6 SUGGESTIONS 2 MISTAKES FRIENDS PHOTOS TAGS GROUND TRUTH
  • 25. PUBLIC FRIENDS LIST 47% OF USERS LEAVE THEIR FRIEND LIST PUBLIC R. Dey et al. Facebook users have become much more private: A large-scale study. IEEE Workshop on Security and Social Networking, 2012 "Are friend lists publicly reachable?"
  • 26. CAN AN ATTACKER BYPASS SOCIAL AUTHENTICATION AUTOMATICALLY? (#2 DETERMINED ATTACKER)
  • 27. ACCEPT BEFRIEND REQUESTS? 70% OF USERS ACCEPT BEFRIEND REQUESTS BLINDLY D. Irani et al. Reverse social engineering attacks in online social networks. DIMVA 2011 100% - 47% = 53% OF USERS LEAVE THEIR FRIEND LIST PRIVATE
  • 28. 47% OF USERS LEAVE THEIR FRIEND LIST PUBLIC 53% OF USERS LEAVE THEIR FRIEND LIST PRIVATE 70% OF USERS ACCEPT BEFRIEND REQUESTS BLINDLY 47% + 53% * 70% ≈ 84% OF THE USERS MATH: FRIEND LIST REACHABILITY
  • 29. FRIENDS PHOTOS TAGS GROUND TRUTH 84%
  • 30. PHOTOS
  • 31. PUBLIC PHOTOS: A CLOSER LOOK 71% OF THE USERS LEAVE THEIR PHOTOS PUBLIC We measured this on a sample of 236,752 Facebook users. "Are photos publicly reachable?" FRIENDS PHOTOS TAGS GROUND TRUTH
  • 32. 71% OF THE USERS LEAVE THEIR PHOTOS PUBLIC 29% OF USERS LEAVE THEIR PHOTOS PRIVATE 70% OF USERS ACCEPT BEFRIEND REQUESTS BLINDLY 84% * (71% + 29% * 70%) ≈ 77% OF THE USERS MATH: PHOTO REACHABILITY
  • 33. FRIENDS PHOTOS TAGS GROUND TRUTH 84% 77%
  • 34. TAGS
  • 35. PUBLIC TAGS 42% OF THE TAGS ARE REACHABLE PUBLIC TAGS + PRIVATE TAGS ON PUBLIC PHOTOS We measured this on a sample of 236,752 Facebook users. "Are tags publicly reachable?" FRIENDS PHOTOS TAGS GROUND TRUTH
  • 36. FRIENDS PHOTOS TAGS GROUND TRUTH 84% 77% 42%
  • 37. THE GUESS SPACE FOR AN ATTACKER IS NARROW.
  • 38. COULD AN ATTACKER NARROW IT FURTHER?
  • 39. PHOTOS TAKE 2
  • 40. PUBLIC PHOTOS A CLOSER LOOK 82% OF PHOTOS IN SOCIAL AUTH. CONTAIN FACES vs. ONLY 69% OF PHOTOS CONTAIN FACES OVERALL We measured this on a sample of 6,115 photos. "Does Facebook select the photos for social auths?" FRIENDS PHOTOS TAGS GROUND TRUTH
  • 41. FACEBOOK PICKS PHOTOS THAT CONTAIN FACES.
  • 42. FRIENDS PHOTOS TAGS GROUND TRUTH 84% 77% 42% 82%
  • 43. PRACTICAL ATTACK STEP 1 CRAWLING FRIENDS LIST OF THE VICTIM (1) COLLECTING THEIR TAGGED PHOTOS (2) FACE MODELING (3) DATABASE OF FACE MODELS
  • 44. Who is "Mister X"? NAME! FACE RECOGNITION PHOTO SOCIAL AUTHENTICATION PRACTICAL ATTACK STEP 2 DATABASE OF FACE MODELS
  • 45. FACE MODELING AND RECOGNITION what did we use?
  • 46. acquired by
  • 47. SO, AN ATTACKER COULD EVEN USE FACEBOOK'S OWN TECHNOLOGY TO BYPASS ITS SOCIAL AUTHENTICATION AH...THE IRONY
  • 48. EXPERIMENTAL EVALUATION CASUAL ATTACKER ONLY PUBLICLY AVAILABLE INFORMATION NO BEFRIEND REQUESTS
  • 49. SUCCESS OF THE CASUAL ATTACKER 22% FULL SOLUTION 56% 1–2 GUESSES NEEDED 78% OVERALL (2 MISTAKES ALLOWED)
  • 50. WHEN THE CASUAL ATTACKER FAILS 25% NO FACES IN THE PHOTOS 50% UNRECOGNIZABLE FACE 25% NO FACE MODEL FOUND
  • 51. EXPERIMENTAL EVALUATION DETERMINED ATTACKER ACCESS TO 77% OF THE PHOTOS EMULATED OFFLINE
  • 52. SUCCESS OF THE DETERMINED ATTACKER FACES CRAWLED 30 90 120 MINIMUM SUCCESS RATE 42% 57% 100%
  • 53. SPEED OF THE DETERMINED ATTACKER MAX TIME REQUIRED 100s 140s 150s (< TIMEOUT) MINIMUM SUCCESS RATE 42% 57% 100%
  • 54. FACEBOOK RESPONSE ACKNOWLEDGED OUR RESULTS SOCIAL AUTH. MEANT AS A "WEAK" PROTECTION INEFFECTIVE AGAINST TARGETED ATTACKS USERS CAN USE LOGIN APPROVAL (WHO DOES IT?)
  • 55. QUICK REMEDIATIONS OPT-IN LOGIN APPROVAL (USERS) REMOVE SUGGESTIONS (FACEBOOK) REDUCE TIMEOUT (FACEBOOK)
  • 56. RETHINKING SOCIAL AUTHENTICATION PEOPLE CAN RECOGNIZE THEIR FRIENDS "LOOK" USE PHOTOS WITH NO FACES FACE RECOGNITION
  • 57. CONCLUSIONS SOCIAL AUTH. INEFFECTIVE FOR 84% OF THE USERS THREAT MODEL EXCLUDES OUR TARGETED ATTACK CLOUD-BASED FACE-RECOGNITION MADE IT EASIER SOCIAL AUTHENTICATION SHOULD BE REVISITED
  • 58. FEDERICO MAGGI: @PHRETOR HTTP://MAGGI.CC FACE THANK YOU!
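The reachability arithmetic on slides 28 and 32 and the challenge parameters on slide 17 (7 friends to identify, 6 suggested names, 2 mistakes tolerated), worked through as an added example. This is not code from the talk or from the authors' proof-of-concept; it only uses the percentages the slides state. The guessing model is an assumption of this example: a friend the challenged party recognises is always answered correctly, and every other friend is guessed uniformly among the 6 suggestions. It shows why the two tolerated mistakes matter so much for the strength of the challenge, which is the point slide 49 makes when it counts the cases needing one or two guesses as passes.

```python
from math import comb

# Challenge parameters as stated on slide 17 of the talk.
N_FRIENDS = 7        # friends to identify in one challenge
N_SUGGESTIONS = 6    # candidate names offered for each friend
MAX_MISTAKES = 2     # wrong answers tolerated before the challenge fails

# Population figures quoted on slides 25, 27 and 31 (constructed defaults
# taken from those slides; pass other values to explore the model).
PUBLIC_FRIEND_LIST = 0.47   # users whose friend list is public
ACCEPT_BLINDLY = 0.70       # users who accept friend requests blindly
PUBLIC_PHOTOS = 0.71        # users whose photos are public


def pass_probability(known: int,
                     n_friends: int = N_FRIENDS,
                     n_suggestions: int = N_SUGGESTIONS,
                     max_mistakes: int = MAX_MISTAKES) -> float:
    """Probability of passing one challenge when `known` of the friends are
    recognised with certainty and the rest are guessed uniformly among the
    suggestions (assumption of this example). Each guess is right with
    probability 1/n_suggestions, so the number of correct guesses is binomial."""
    if not 0 <= known <= n_friends:
        raise ValueError("known must be between 0 and n_friends")
    unknown = n_friends - known
    p = 1.0 / n_suggestions
    # At least n_friends - max_mistakes answers must be right overall, so at
    # least that many minus the already-known ones must come from guessing.
    need = max(0, n_friends - max_mistakes - known)
    return sum(comb(unknown, k) * p ** k * (1 - p) ** (unknown - k)
               for k in range(need, unknown + 1))


def reachability_chain(public_friend_list: float = PUBLIC_FRIEND_LIST,
                       accept_blindly: float = ACCEPT_BLINDLY,
                       public_photos: float = PUBLIC_PHOTOS) -> tuple:
    """Slides 28 and 32: fraction of users whose friend list, and then whose
    friends' photos, are reachable by someone who either reads public data or
    is accepted as a friend. Returns (friend_list_reachable, photos_reachable)."""
    # Slide 28: public lists plus private lists of users who accept blindly.
    friend_list = public_friend_list + (1 - public_friend_list) * accept_blindly
    # Slide 32: the same argument applied to photos, conditioned on the
    # friend list having been reachable in the first place.
    photos = friend_list * (public_photos + (1 - public_photos) * accept_blindly)
    return friend_list, photos


def guessing_table() -> dict:
    """Pass probability for every number of recognised friends, 0..7."""
    return {k: pass_probability(k) for k in range(N_FRIENDS + 1)}


if __name__ == "__main__":
    fl, ph = reachability_chain()
    print(f"friend list reachable for {fl:.0%} of users, photos for {ph:.0%}")
    for k, prob in guessing_table().items():
        print(f"{k} friends recognised -> pass probability {prob:.4f}")
```

With nobody recognised, pure guessing passes about 0.2% of the time, so the challenge is a reasonable barrier against a stranger who has no information at all. Recognising 5 of the 7 friends already guarantees a pass because the two remaining mistakes are absorbed by the tolerance, and recognising 4 still passes more than 40% of the time. That steep curve, together with the 84% and 77% reachability figures, is what turns a modest face-recognition hit rate into the 78% overall success the talk reports.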