Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild - PowerPoint PPT Presentation



SLIDE 1

Lisbon, Portugal | IFIPSEC 2019 Stephan Wiefling, Luigi Lo Iacono, Markus Dürmuth

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

Stephan Wiefling, Luigi Lo Iacono – TH Köln – University of Applied Sciences
Markus Dürmuth – Ruhr University Bochum

Image: Iwona Usakiewicz / Andrij Borys Associates

Bonneau et al.: Passwords and the evolution of imperfect authentication. Comm. ACM 58(7) (Jun 2015)
SLIDE 2

SLIDE 3

Motivation

§ Weaknesses in password-based authentication increase
§ Large-scale password database leaks
§ Credential stuffing
§ Intelligent password guessing*
§ Phishing

*Wang et al.: Targeted online password guessing: An underestimated threat. In CCS ’16. ACM (2016)

SLIDE 4

Motivation

§ 2FA is unpopular
§ <10% of all Google accounts used 2FA in January 2018*
→ Using risk-based authentication to increase account security with minimal impact on user interaction

*Milka, G.: Anatomy of Account Takeover. In: Enigma 2018. USENIX (Jan 2018)

SLIDE 5

Username, Password

Risk estimation: Low / Medium / High
Risk: IP address, User agent, ...

SLIDE 6

Username, Password

IP: Lisbon, PT | Chrome | Windows 10 | ...

SLIDE 7

"Same device as always"

Risk estimation: Low risk

Username, Password

IP: Lisbon, PT | Chrome | Windows 10 | ...

SLIDE 8

IP: Berlin, DE | Chrome | Android 8.1 | ...

Username, Password

SLIDE 9

"There's something different here"

Risk estimation: Medium risk → Additional authentication

IP: Berlin, DE | Chrome | Android 8.1 | ...

Username, Password

SLIDE 10

"There's something different here"

Risk estimation: Medium risk → Additional authentication → Proof for additional authentication

IP: Berlin, DE | Chrome | Android 8.1 | ...

Username, Password

SLIDE 11

IP: New York, US* | PhantomJS | Linux | ...

Username, Password

*Known spam IP address

SLIDE 12

"Very likely a hacker"

Risk estimation: High risk

Username, Password

IP: New York, US* | PhantomJS | Linux | ...

*Known spam IP address

SLIDE 13

Risk-based Authentication

§ Recommended by NIST digital identity guidelines*
§ Used by large online services
§ However: Procedures not disclosed

*Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

SLIDE 14

Risk-based Authentication

§ Recommended by NIST digital identity guidelines*
§ Used by large online services
§ However: Procedures not disclosed
§ Prevents widespread adoption

*Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

SLIDE 15

Risk-based Authentication

§ Recommended by NIST digital identity guidelines*
§ Used by large online services
§ However: Procedures not disclosed
→ Black-box testing of eight popular online services

*Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

SLIDE 16

SLIDE 17

?

SLIDE 18

Login | IP address | User agent | ...

?

SLIDE 19

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...

?

SLIDE 20

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...
2 | TH Köln | Chrome | ...

?

SLIDE 21

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...
2 | TH Köln | Chrome | ...
3 | TH Köln | Chrome | ...

?

SLIDE 22

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...
2 | TH Köln | Chrome | ...
3 | TH Köln | Chrome | ...
... | ... | ... | ...
20 | TH Köln | Chrome | ...

?

SLIDE 23

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...
2 | TH Köln | Chrome | ...
3 | TH Köln | Chrome | ...
... | ... | ... | ...
20 | TH Köln | Chrome | ...

</>

?

SLIDE 24

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...
2 | TH Köln | Chrome | ...
3 | TH Köln | Chrome | ...
... | ... | ... | ...
20 | TH Köln | Chrome | ...
21 | Other country | Chrome | ...

</>

?

SLIDE 25

Login | IP address | User agent | ...
1 | TH Köln | Chrome | ...
2 | TH Köln | Chrome | ...
3 | TH Köln | Chrome | ...
... | ... | ... | ...
20 | TH Köln | Chrome | ...
21 | Other country | Chrome | ...

</>

?

SLIDE 26

It's not that easy...

Login history influences risk score

SLIDE 27

It's not that easy...

Login history influences risk score

Solution: Create many user accounts

SLIDE 28

It's not that easy...

Automated testing influences result

SLIDE 29

It's not that easy...

Automated testing influences result

Solution: Create human-like browsing behavior

SLIDE 30

Identities: 28x

SLIDE 31

Identities: 28x
RBA Inspection System: RBA Testing, Human User Imitation, Log

SLIDE 32

Identities: 28x
RBA Inspection System: RBA Testing, Human User Imitation, Log
Inspected Services: 224 user accounts

SLIDE 33

It's still not that easy...

List of potential features is huge

SLIDE 34

It's still not that easy...

List of potential features is huge

Solution: Test most relevant* features

*Citations in literature, highest distinguishing info in Alaca and van Oorschot

Alaca, F., van Oorschot, P.C.: Device Fingerprinting for augmenting web authentication. In: Proc. ACSAC '16. pp. 289-301. ACM (2016)

SLIDE 35

It's still not that easy...

Feature | RBA references count (except *) | Distinguishing info*
IP address | | ●●●○
User agent string | | ●●●○
Language | | ●●●○
Display resolution | | ●●●○
Login time | | ●●○○
Evercookies | |
Canvas fingerprinting | | ●●○○
Mouse and keystroke dynamics | |
Failed login attempts | |
WebRTC | | ●●○○
Counting hosts behind NAT | | ●○○○
Ad blocker detection | | ○○○○

*Alaca, F., van Oorschot, P.C.: Device Fingerprinting for augmenting web authentication. In: Proc. ACSAC '16. pp. 289-301. ACM (2016)

SLIDE 36

It's still not that easy...

List of potential features is huge

Solution: Test most relevant features
§ IP address
§ User agent string
§ Language
§ Display resolution
§ Login time

SLIDE 37

It's still not that easy...

IP address feature has wide range of values

SLIDE 38

It's still not that easy...

IP address feature has wide range of values

Solution: Conduct a two-part study

SLIDE 39

It's still not that easy...

IP address feature has wide range of values

Solution: Conduct a two-part study
1. Find IP feature thresholds
2. Test all features with the IP threshold

SLIDE 40

It's still not that easy...

Study one

Find IP feature thresholds

SLIDE 41

Results

IP variation (services tested: Facebook, Google, Amazon, LinkedIn, GOG.com, Steam, Twitch, iCloud)
#0 (TH Köln, fixed): –
#1 (TH Köln, fresh): A
#2 (same city, different ISP): S, A
#3 (Frankfurt, DE): S, A
#4 (Paris, FR): A, A, A, A
#5 (Oregon, US): A, A, A, A
#6 (Tor): A, A, A, A

A: Additional authentication factors requested
S: Security alert submitted

SLIDE 42

It's still not that easy...

Study two

Test all features with the IP threshold*

*Set IP one step below RBA threshold, set other features as “suspicious” as possible

SLIDE 43

Results

Google

A: Additional authentication factors requested
S: Security alert submitted
C: Critical security alert submitted

SLIDE 44

Results

LinkedIn

A: Additional authentication factors requested

SLIDE 45

Results

Service | Used features and weightings
Amazon | IP address
GOG.com | IP address
Google | 1. IP address; 2. Time parameters; 3. User agent string, display resolution
LinkedIn | 1. IP address; 2. User agent string, language, time parameters, display resolution

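
The risk estimation sketched on slides 5 to 12, combined with the feature ordering reported for Google and LinkedIn on this slide (IP address weighted highest), as an added Python example; it is not code from the talk or from the HOSIT tool, and the weights, the two thresholds, the hour tolerance and the constructed login history are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    country: str           # from IP geolocation
    browser: str           # browser family from the user agent string
    os: str                # operating system from the user agent string
    language: str
    resolution: str        # display resolution
    hour: int              # login hour 0-23 (login time feature)
    spam_ip: bool = False  # IP on a known spam list, as on slide 11

# Assumed weights: IP address dominates, as observed for Google and LinkedIn.
WEIGHTS = {"country": 0.4, "browser": 0.2, "os": 0.1,
           "language": 0.1, "resolution": 0.1, "hour": 0.1}
MEDIUM, HIGH = 0.3, 0.7  # assumed thresholds on the [0, 1] risk score

def feature_risk(history, attempt, name):
    """Share of the user's past logins whose value differs from the attempt."""
    seen = [getattr(h, name) for h in history]
    if name == "hour":  # an hour within +/-2 h of a past login is familiar
        familiar = [abs(v - attempt.hour) <= 2 for v in seen]
    else:
        familiar = [v == getattr(attempt, name) for v in seen]
    return 1.0 - sum(familiar) / len(seen)

def risk_score(history, attempt):
    """Weighted sum of per-feature risks; a known spam IP is maximally risky."""
    if attempt.spam_ip:
        return 1.0
    return round(sum(w * feature_risk(history, attempt, f)
                     for f, w in WEIGHTS.items()), 3)

def decide(history, attempt):
    """Map the score to the three outcomes shown on slides 7, 9 and 12."""
    score = risk_score(history, attempt)
    if score >= HIGH:
        return "high", "deny login and send security alert"
    if score >= MEDIUM:
        return "medium", "request additional authentication"
    return "low", "allow"

# Constructed login history: 20 logins from the usual device in Lisbon.
HISTORY = [Login("PT", "Chrome", "Windows 10", "en", "1920x1080", 10)] * 20
SAME_DEVICE = Login("PT", "Chrome", "Windows 10", "en", "1920x1080", 11)
NEW_PHONE = Login("DE", "Chrome", "Android 8.1", "en", "1080x2160", 11)
HEADLESS = Login("US", "PhantomJS", "Linux", "en", "1024x768", 3, spam_ip=True)

if __name__ == "__main__":
    print([decide(HISTORY, a) for a in (SAME_DEVICE, NEW_PHONE, HEADLESS)])
```

The three constructed attempts reproduce the slides' scenario: the usual Lisbon device scores 0.0 (low), the Berlin Android phone scores 0.6 (medium, additional authentication), and the PhantomJS login from a listed spam IP scores 1.0 (high).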

SLIDE 46

Results

SLIDE 47

Results

SLIDE 48

Results

Service | Requested authentication factors
Amazon
§ Verification code (email*, text message)
Facebook
§ Approve login on another computer
§ Identify photos of friends
§ Asking friends for help
§ Verification code (text message)
GOG.com
§ Verification code (email)*
Google
§ Enter the city you usually sign in from
§ Verification code (email, text message, app, phone call)
§ Press confirmation button on second device
LinkedIn
§ Verification code (email)*

*: Authentication factor was offered in all tested parameter variations

SLIDE 49

Privacy leak on Facebook

SLIDE 50

Privacy leak on Facebook

Responsible disclosure
Reported: September 4th, 2018
Fixed: September 6th, 2018

SLIDE 51

Conclusion

§ First insights into RBA practices of big online services
§ Intended to support developers, administrators and researchers
§ Testing tool available as open source software*
§ Interactive results and RBA models on website#

*https://github.com/das-th-koeln/HOSIT
#https://riskbasedauthentication.org

SLIDE 52

Thank you

stephan.wiefling@th-koeln.de
@swiefling
riskbasedauthentication.org
das.th-koeln.de