social authentication
play

Social Authentication: Vulnerabilities, Mitigations, and Redesign - PowerPoint PPT Presentation

Dec 21, 2023 •169 likes •664 views

Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014 November 21 2 About 2013 - M.Sc. in Engineering of Computing Systems @ Computer Security Group This talk is based on my M.Sc. Thesis

  1. Social Authentication: Vulnerabilities, Mitigations, and Redesign Marco Lancini DEEPSEC 2014 November 21

  2. 2 About 2013 - M.Sc. in Engineering of Computing Systems @ • Computer Security Group • This talk is based on my M.Sc. Thesis • 2013 - Researcher @ • Security Research • Vulnerability Assessment & Penetration Testing • Web Applications & Mobile Security • @lancinimarco • Marco Lancini

  3. 3 Online Social Networks Huge user base • Massive amount of personal information • Widespread adoption of single sign-on services • Appealing targets for online crime • Identity theft • Spamming • Phishing • Selling stolen credit cards numbers Selling compromised accounts • 97% of malicious accounts are compromised, not fake • Marco Lancini

  4. 4 Keeping Stolen Accounts Safe TWO-FACTOR AUTHENTICATION • Knowledge factor: “something the user KNOWS ” ( password) • Possession factor: “something the user HAS ” (hardware token) • Adopted by high-value services (online banking, Google services) • Pro • Prevent adversaries from compromising accounts using stolen credentials • The risk of an adversary acquiring both is very low • Drawbacks (token) Drawbacks (SMS) • • Inconvenient for users Sent in plain text • • Costly deploy Can be intercepted & forwarded • • Phones easily lost and stolen • Marco Lancini

  5. 5 Social Authentication Challenge = balance strong security with usability • Social Authentication • 2FA scheme that tests the user’s personal social knowledge • • only the intended user is likely to be able to answer Using a “ social CAPTCHA ” • • one or more challenge questions based on information available in the social network (user’s activities and/or connections) Eliminates the key issues of traditional CAPTCHAs • • (at times) incredibly hard to decipher • vulnerable to human hackers (only meant to defend against attacks by computers) • “ CAPTCHA farming ” Marco Lancini

  6. 6 FACEBOOK’S SOCIAL AUTHENTICATION Marco Lancini

  7. 7 Social Authentication (SA) Two-factor authentication scheme • Tests the user’s personal social knowledge • 2 nd factor: • “something the user HAS ” (hardware token) “something the user KNOWS ” ( FRIEND ) User’s credentials authentic only if he can correctly identify his friends • The user can recognize his friends whereas a stranger cannot • Attackers halfway across the world might know a user’s password, but they don’t know who his friends are Triggering: When login considered suspicious • Marco Lancini

  8. 8 How It Works 7 challenges • Each challenge (page) • 3 photos of a friend • 6 possible answers (“ suggestions ”) • User has to correctly answer 5 challenges (2 errors/skips) • Within the 5 minutes time limit • Marco Lancini

  9. 9 Threat Model Friend = anyone inside a user’s online social circle • Has access to information used by the SA mechanism • SA considered • Safe against adversaries that • • Have stolen credentials • Are strangers (not members of the victim’s social circle) Not safe against • • Close friends • Family • Any tightly connected network (university) • Any member has enough information to solve the SA for any other user in the circle Marco Lancini

  10. 10 VULNERABILITY ASSESSMENT OF SA Marco Lancini

  11. 11 SA Photo Selection “Are photos randomly selected?” 2,667 photos from real SA tests 84% containing faces in manual inspection • 80% in automatic inspection by software • 3,486 random Facebook photos (from our dataset of 16M) 69% contained faces in manual inspection • The baseline number of faces per photo is lower in general than in the • photos found in SA tests Face detection procedures used for selecting photos with faces • Marco Lancini

  12. 12 Motivation 84% are photos with faces • SA solvable by humans 80% are photos with faces that can be detected by face-detection software • Can a stranger bypass SA in an automated manner? • position himself inside the victim’s social circle • gaining the information necessary to defeat the SA Marco Lancini

  13. 13 Attacker Models CASUAL ATTACKER • Interested in compromising the greatest possible number of accounts • Collects publicly available data • May lack some information • DETERMINED ATTACKER • Focused on a particular target • Penetrates victim’s social circle • Collect as much private data as possible • Marco Lancini

  14. 15 Attack Surface Estimation – Friends Attack tree to estimate the vulnerable FB population Marco Lancini

  15. 16 Attack Surface Estimation – Photos Attack tree to estimate the vulnerable FB population Marco Lancini

  16. 17 Attack Surface Estimation – Tags Attack tree to estimate the vulnerable FB population Marco Lancini

  17. 19 Automated Attack - 1 Preparatory Phase (offline) 1. Crawling Friend List Marco Lancini

  18. 20 Automated Attack – 2 Preparatory Phase (offline) 1. Crawling Friend List 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  Marco Lancini

  19. 21 Automated Attack – 3 Preparatory Phase (offline) 1. Crawling Friend List 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  3. Photo Collection (public/private) Marco Lancini

  20. 22 Automated Attack – 4 Preparatory Phase (offline) 1. Crawling Friend List 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  3. Photo Collection (public/private) 4. Modeling Face Extraction and Tag Matching  Facial Modeling and Training  Marco Lancini

  21. 23 Automated Attack – 5 Preparatory Phase (offline) Execution Step (real-time) 1. Crawling Friend List 5. Name Lookup 2. Issuing Friend Requests (optional) Creation of Fake Profiles  Infiltration in the Social Graph  3. Photo Collection (public/private) 4. Modeling Face Extraction and Tag Matching  Facial Modeling and Training  Marco Lancini

  22. 24 Experimental Evaluation We collect data as Casual Attackers (publicly available data) • We have not compromised or damaged any user account • 236,752 users 167,359 - 71% PUBLIC • 69,393 - 29% keep private albums • 38% ( 11% of total) SEMI-PUBLIC • 62% ( 18% of toal) PRIVATE • Summary of the collected dataset CASUAL ATTACKER experiment • DETERMINED ATTACKER experiment • Marco Lancini

  23. 25 Casual Attacker – Experiment Used our fake accounts as “victims” • Automated SA triggering through ToR • Geographic dispersion of its exit nodes • Appear to be logging in from remote locations • Face recognition: cloud service (face.com) • Exposes REST API to developers • Superior accuracy • Testing dataset • 127 real SA tests collected • Training dataset • From our dataset, we extracted information • of the 1,131 distinct UIDs that are friends with the fake profiles Marco Lancini

  24. 26 Casual Attacker – Accuracy Manual verification 22% solved (28/127) • 56% need 1-2 guesses • (71/127) 78% in which Tests defeated or • Obtained a significant advantage • Failed photos 25% no face in photo • Solved SA pages out of the collected samples • hard also for humans 50% unrecogn . face • ~44 seconds to solve a complete test << 300 seconds • poor quality photos 25% no face model found • Marco Lancini

  25. 27 Determined Attacker – Experiment Used simulation • As only public data was used • Selected users with enough photos • Face recognition: custom implementation (OpenCV) • Evaluate the accuracy and efficiency of our attack • Define number of faces per user needed to train a • classifier to successfully solve the SA tests Cons • • Lower accuracy • Computational power required Simulate SA tests from public photos • Train system with K = 10, 20, …, 120 faces per friend • Generate 30 simulated SA tests from photos not used for training • Marco Lancini

  26. 28 Determined Attacker – Accuracy Always successful • even when a scarce number of faces is available • K > 100 ensures a more robust outcome Faces Min Success Rate Solved SA pages as a function of the size of the training set 30 42% 90 57% 120 100% Marco Lancini

  27. 29 Determined Attacker – Efficiency Efficient time required for both • “on the fly” training and testing remains within the 5-minute timeout Time required to lookup photos as a function of solved pages Max Time Required Min Success Rate 100s 42% 140s 57% 150s < 300s 100% Marco Lancini

  28. 30 Facebook’s Response We informed Facebook • Acknowledged our results • But • Deployed SA to raise the bar in large-scale phishing attacks • Not designed for small-scale or targeted attacks • Marco Lancini

  29. 31 REDESIGN Marco Lancini

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Implementing Ad-hoc Message Authentication in Social Media Platforms Charles A. Clarke Faculty

Implementing Ad-hoc Message Authentication in Social Media Platforms Charles A. Clarke Faculty

Implementing Ad-hoc Message Authentication in Social Media Platforms Charles A. Clarke Faculty of Science, Engineering and Computing Kingston University About This Research Research Outline Domain Social Media Platforms (SMPs) Problem

436 views • 17 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Wjets bkg. Estimation in WW analysis Jun Gao , Yanwen Liu, Emmanuel Monnier U niversity of S

Wjets bkg. Estimation in WW analysis Jun Gao , Yanwen Liu, Emmanuel Monnier U niversity of S

Wjets bkg. Estimation in WW analysis Jun Gao , Yanwen Liu, Emmanuel Monnier U niversity of S cience and T echnology of C hina &amp; C entre de P hysique des P articules de M arseille 6 March 2014 1 Introduction W+jets background for WW

484 views • 23 slides
Who Are You Online? commonsense.org/education Shareable with attribution for noncommercial use.

Who Are You Online? commonsense.org/education Shareable with attribution for noncommercial use.

DIGITAL CITIZENSHIP | GRADE 6 Who Are You Online? commonsense.org/education Shareable with attribution for noncommercial use. Remixing is permitted. Essential Question What are the benefits and drawbacks of presenting yourself in different

391 views • 15 slides
Yin Xu, Wai Kay Leong, Ali Razeen Ben Leong Duke University National University of Singapore 1

Yin Xu, Wai Kay Leong, Ali Razeen Ben Leong Duke University National University of Singapore 1

Yin Xu, Wai Kay Leong, Ali Razeen Ben Leong Duke University National University of Singapore 1 US smartphone penetration exceeded 50% in Q2, 2012 Mobile data traffic growing rapidly as well Source:

1.06k views • 53 slides
Data-Intensive Distributed Computing CS 431/631 451/651 (Winter 2020) Part 8b: Mutable State

Data-Intensive Distributed Computing CS 431/631 451/651 (Winter 2020) Part 8b: Mutable State

Data-Intensive Distributed Computing CS 431/631 451/651 (Winter 2020) Part 8b: Mutable State (2/2) Ali Abedi 1 1 Motivating Scenarios Money shouldnt be created or destroyed: Alice transfers $100 to Bob and $50 to Carol The total amount

776 views • 31 slides
Generative models and adversarial training Kevin McGuinness kevin.mcguinness@dcu.ie Research

Generative models and adversarial training Kevin McGuinness kevin.mcguinness@dcu.ie Research

Day 4 Lecture 1 Generative models and adversarial training Kevin McGuinness kevin.mcguinness@dcu.ie Research Fellow Insight Centre for Data Analytics Dublin City University What is a generative model? A model P(X; ) that we can draw

416 views • 20 slides
Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018

Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018

Yale Intro Tutorial on GANs Michela Paganini Fermilab Machine Learning Group Meeting March 21, 2018 Yale Outline Overview: Generative modeling Generative Adversarial Networks (GANs) Hands-on : build vanilla GAN on FashionMNIST GAN

965 views • 22 slides
Image Domains Niloy Mitra Iasonas Kokkinos Paul Guerrero Nils Thuerey Tobias Ritschel UCL

Image Domains Niloy Mitra Iasonas Kokkinos Paul Guerrero Nils Thuerey Tobias Ritschel UCL

CreativeAI: Deep Learning for Graphics Image Domains Niloy Mitra Iasonas Kokkinos Paul Guerrero Nils Thuerey Tobias Ritschel UCL UCL UCL TUM UCL Timetable Niloy Paul Nils Introduction 2:15 pm X X X 2:25 pm Machine Learning

984 views • 53 slides
challenges and lessons learned Pierre-Louis Bossart UMG Platform Architecture LPC2009 Ultra

challenges and lessons learned Pierre-Louis Bossart UMG Platform Architecture LPC2009 Ultra

Audio playback on mobile devices: challenges and lessons learned Pierre-Louis Bossart UMG Platform Architecture LPC2009 Ultra Mobility Group Intel Confidential Outline PulseAudio is a fundamental component of the Moblin distribution Goal:

474 views • 18 slides

More recommend