Social Authentication: Vulnerabilities, Mitigations, and Redesign

Presented at DeepSec 2014 „Do you want to know more?“

As social networks have become an integral part of online user activity, a massive amount of personal information is readily available to such services. In an effort to hinder malicious individuals from compromising user accounts, high-value services have introduced two-factor authentication to prevent adversaries from taking over accounts with stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA), which requires users to identify some of their friends in randomly selected photos before they are allowed access to their accounts. In this work, we first studied the attack surface of social authentication, showing how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook. We empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests, both when relying on publicly accessible data and when following a more active approach to gather restricted information. We then designed an automated attack able to break SA, demonstrating the feasibility of large-scale attacks against social authentication with minimal effort on the attacker's part. We next revisited the Social Authentication concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Our core concept is to select photos in which state-of-the-art face-recognition software detects human faces but cannot identify them, due to certain characteristics of those photos. We implemented a web application that recreates the SA mechanism and conducted a user study that sheds light on user behavior regarding photo tagging, and demonstrated the strength of our approach against automated attacks.
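The abstract describes two things a defender can model: the probability that an automated face-recognition solver passes a photo-based challenge, and the reSA selection rule (keep only photos where a face is detected but not identified). The following Python module is an added illustration, not code from the talk or from the authors' reSA implementation. Every value in it is constructed: the photo pool, the per-photo recognizer confidences, the challenge size and the number of correct answers required are assumed example parameters, not Facebook's real settings, and the recognizer confidence is treated as the estimated probability that an automated solver names that photo's friend correctly.

```python
"""Risk model and photo filter for photo-based social authentication.

Added example (not from the talk or the authors' code). All data is
constructed; challenge parameters are assumptions, not Facebook's settings.
"""
from dataclasses import dataclass

# Assumed example parameters (not the real SA values).
CHALLENGE_SIZE = 5      # photos shown per challenge
REQUIRED_CORRECT = 3    # correct identifications needed to pass
MAX_ID_CONFIDENCE = 0.5 # reSA: reject photos the recognizer is confident about


@dataclass(frozen=True)
class Photo:
    photo_id: str
    friend: str           # the friend the challenge expects the user to name
    face_detected: bool   # a face detector found a face in the photo
    id_confidence: float  # recognizer's confidence in naming the friend, 0..1


# Constructed photo pool: high-confidence frontal shots, low-confidence
# partial/profile shots, and one photo with no detectable face at all.
CONSTRUCTED_POOL = [
    Photo("p01", "alice", True, 0.95),
    Photo("p02", "bob", True, 0.90),
    Photo("p03", "carol", True, 0.85),
    Photo("p04", "dave", True, 0.80),
    Photo("p05", "erin", True, 0.20),
    Photo("p06", "frank", True, 0.15),
    Photo("p07", "grace", True, 0.10),
    Photo("p08", "heidi", True, 0.30),
    Photo("p09", "ivan", False, 0.00),  # no face: unusable for any challenge
    Photo("p10", "judy", True, 0.25),
]


def solver_success_probability(per_photo: list[float], required: int) -> float:
    """Probability that an automated solver gets at least `required` photos
    right, given the per-photo probability of identifying each friend.
    Photos are treated as independent; dist[j] is the probability that
    exactly j of the photos processed so far were identified correctly."""
    dist = [1.0]
    for p in per_photo:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1.0 - p)      # this photo missed
            nxt[j + 1] += q * p          # this photo identified
        dist = nxt
    return sum(dist[required:])


def challenge_risk(challenge: list[Photo], required: int = REQUIRED_CORRECT) -> float:
    """Estimated pass probability for an automated solver on this challenge,
    using each photo's recognizer confidence as its per-photo success rate."""
    return solver_success_probability([ph.id_confidence for ph in challenge], required)


def naive_challenge(pool: list[Photo], size: int = CHALLENGE_SIZE) -> list[Photo]:
    """Plain SA-style selection: any photo in which a face was detected."""
    return [ph for ph in pool if ph.face_detected][:size]


def resa_eligible(photo: Photo, max_id_confidence: float = MAX_ID_CONFIDENCE) -> bool:
    """reSA rule: a face must be detected (so a human has something to
    name) but the recognizer must not be able to identify it."""
    return photo.face_detected and photo.id_confidence < max_id_confidence


def resa_challenge(pool: list[Photo], size: int = CHALLENGE_SIZE,
                   max_id_confidence: float = MAX_ID_CONFIDENCE) -> list[Photo]:
    """Build a challenge only from reSA-eligible photos; refuse to issue a
    weaker challenge when the pool cannot supply enough of them."""
    eligible = [ph for ph in pool if resa_eligible(ph, max_id_confidence)]
    if len(eligible) < size:
        raise ValueError(f"only {len(eligible)} reSA-eligible photos, need {size}")
    return eligible[:size]


if __name__ == "__main__":
    plain = naive_challenge(CONSTRUCTED_POOL)
    hardened = resa_challenge(CONSTRUCTED_POOL)
    print("naive SA challenge:", [ph.photo_id for ph in plain],
          f"solver pass probability ~{challenge_risk(plain):.3f}")
    print("reSA challenge:    ", [ph.photo_id for ph in hardened],
          f"solver pass probability ~{challenge_risk(hardened):.3f}")
```

The risk function is a plain Poisson-binomial computation, so it can be rerun with any measured per-friend recognition rates (for example, the fraction of a user's friends for whom enough tagged photos are public) to estimate how exposed a given challenge policy is. The reSA filter is deliberately conservative: a photo with no detected face is useless to both the attacker and the legitimate user, so it is excluded as well, and a pool that cannot supply enough hard photos raises an error rather than silently padding the challenge with recognizable ones.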

Presenters:

  • Marco Lancini - CEFRIEL - Politecnico di Milano
    Marco Lancini recently obtained an M.Sc. degree in Engineering of Computing Systems at Politecnico di Milano, where he was a member of the Computer Security Group, advised by Prof. Stefano Zanero. Since May 2013 he has been a Security Researcher and Consultant at CEFRIEL (ICT Center of Excellence For Research, Innovation, Education and Industrial Labs partnership), where he works across several aspects of computer security. His principal research interests are mobile security, privacy, and web application security.
