Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

All Your Faces Are Belong to Us: Breaking Facebook's Social Authentication

Presentation
View File
pdf
3.1MB
Paper
View File
pdf
431KB

Jason Polakis
Institute of Computer Science, Foundation for Research and Technology Hellas
Greece

Marco Lancini
Dipartimento di Elettronica e Informazione, Politecnico di Milano
Italy

Georgios Kontaxis
Computer Science Department, Columbia University
United States

Federico Maggi
Dipartimento di Elettronica e Informazione, Politecnico di Milano
Italy

Sotiris Ioannidis
Institute of Computer Science, Foundation for Research and Technology Hellas
Greece

Angelos D. Keromytis
Columbia University
United States

Stefano Zanero
Dipartimento di Elettronica e Informazione, Politecnico di Milano
Italy

Abstract:
Two-factor authentication is widely used by high value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which requires users to identify some of their friends in randomly selected photos. A recent study has provided a formal analysis regarding the weaknesses of social authentication against users in the victim’s social circles. In this paper, we extend the threat model and study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implement a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluate it using real public data collected from Facebook. Under the assumptions of Facebook’s threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of the tagged friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing. Additionally, we simulate the scenario of a determined attacker placing himself inside the victim’s social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when as little as 100 faces per friend are accessible by the attacker.

 

Powered by OpenConf®
Copyright ©2002-2012 Zakon Group LLC