This article discusses the weaknesses of security questions in the era of Facebook and increased online content. It examines different types of security weaknesses and suggests quick fixes and deeper solutions. The article also provides statistics and popular topics for security questions.
Security questions in the Facebook era • Ari Rabkin • asrabkin@cs.berkeley.edu
Definitions • Security question = ask the user something • Secret security question = ask for a secret fact • SSN, account number, PIN, etc. • Personal security question = question about something meaningful to the user • Not “secret”
The problem • Security of personal security questions is based on: • Information-retrieval (IR) hardness assumptions, plus secrecy assumptions. • But IR is improving rapidly. • Humans like to talk about themselves and each other, and share ever more information. • Hard to know what an attacker might know.
Methodology • I and a handful of volunteers went through forgotten password mechanisms at 20 banks. • Checked whether mechanism recognizes hosts. • Wrote down steps in authentication process. • Made list of all accessible security questions. • Coded and analyzed questions in use
Coded by type [chart; legend: Banks, Online Banks, Credit Cards, Brokerages, Credit Unions; institutions without a password reset mechanism shown separately]
Classifying the Qs • Different sorts of security weaknesses • Guessable • Automatically attackable • Human Attackable
Guessable • Definition: Can guess correct answer at least 1% of the time, without any knowledge of [honest] user • “What is the last name of your favorite president?” • Years and ages are guessable. • “In which year did you meet your spouse?” • First names are guessable.
Automatically attackable • Can algorithmically answer some security questions using Facebook and similar sites • For instance, educational background. • Where and when you went to school. • College athletic rivals • Also preferences: “favorite {book, movie, ...}”.
Human Attackable • Many Qs answerable from blogs, webpages. • E.g., favorite pastime, first employer. • “What was your high school mascot?” • Hard to catch all such cases, since no full enumeration of available sources. • Also varies from person to person.
The mechanisms • The major banks and credit cards mostly don’t rely on personal security questions alone. • Many ask for SSN + account number + PIN. • A few send email messages. • Brokerages and online-only banks rely more heavily on security questions.
Statistics • Only a third of questions appeared secure. • About 15% of questions were automatically attackable. • About 35% were guessable. • Rates varied widely from bank to bank. • No clear patterns in question quality.
Popular topics • Many questions about family • Names of relatives, life events, etc • Many questions about preferences. • Favorite {book, movie, etc}
The popular questions • Name of first pet (6 banks of 11) • Favorite sports team (4 of 11) • Grandmother’s first name (4 of 11) • High school mascot (4 of 11)
Related Work • Michael Just: “Designing and evaluating challenge-question systems” • Mannan & van Oorschot: “Security and usability: The gap in real-world online banking” • Griffith & Jakobsson: “Messin’ with Texas” • Haga & Zviran (‘91). “Question-and-answer passwords: an empirical evaluation”
Some quick fixes • Can limit guessability by rejecting overly common answers. • Can try to ask questions with secure answers. • Remove weakest questions. • CAPTCHAs, to reduce automated attacks. • Warn users to pick good questions.
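The “Guessable” definition on the earlier slide (an attacker with no knowledge of the user succeeds at least 1% of the time) and the first quick fix on this slide (reject overly common answers) are both mechanical checks over the distribution of answers a site has enrolled for a question. The following Python is an added example, not code from the talk or its data set; the answer populations it measures are constructed for illustration, and the threshold names, function names, and the multi-guess extension (an attacker allowed several attempts before lockout) are assumptions of this example.

```python
"""Guessability check for personal security questions (added example).

Implements the slide's definition of a guessable question: the most
common answer in the user population gives a zero-knowledge attacker
>= 1% success. Also implements the quick fix of rejecting an enrolment
answer that is overly common. All answer populations below are
constructed sample data, not measurements from the talk.
"""
import re
from collections import Counter

GUESSABLE_THRESHOLD = 0.01      # slide definition: >= 1% zero-knowledge success
POLICY_MAX_ANSWER_SHARE = 0.01  # assumed policy: reject answers this common


def normalize(answer: str) -> str:
    """Canonicalize an answer so trivial variants count as one guess
    (case, punctuation and spacing are not secrets)."""
    answer = answer.lower().strip()
    answer = re.sub(r"[^a-z0-9 ]", "", answer)
    return re.sub(r"\s+", " ", answer)


def answer_distribution(answers):
    """Map each normalized answer to its share of the population."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: c / total for a, c in counts.items()}


def guess_success_rate(dist, guesses=1):
    """Success probability of an attacker who knows nothing about the
    user and tries the `guesses` most common answers in order."""
    top = sorted(dist.values(), reverse=True)[:guesses]
    return sum(top)


def is_guessable(dist, guesses=1, threshold=GUESSABLE_THRESHOLD):
    """Slide definition, extended to a lockout budget of `guesses`."""
    return guess_success_rate(dist, guesses) >= threshold


def should_reject_answer(answer, dist, max_share=POLICY_MAX_ANSWER_SHARE):
    """Quick fix: refuse to enrol an answer that too many others share."""
    return dist.get(normalize(answer), 0.0) >= max_share


# Constructed populations (hypothetical, for illustration only).
# "In which year did you meet your spouse?": years spread evenly over
# 40 plausible values, so every answer is 2.5% of the population.
YEAR_ANSWERS = [str(1970 + (i % 40)) for i in range(4000)]

# "Last name of your favorite president?": a handful of names dominate.
PRESIDENT_ANSWERS = (["Lincoln"] * 350 + ["Washington"] * 250
                     + ["Kennedy"] * 150 + ["Reagan"] * 120
                     + ["Obama"] * 80 + ["Roosevelt "] * 45 + ["Polk"] * 5)

# An idealized question whose 5000 distinct answers are all equally rare.
LONG_TAIL_ANSWERS = [f"answer-{i}" for i in range(5000)]


def evaluate(question, answers, guesses=3):
    """Summarize one question's guessability under a 1-guess and a
    `guesses`-attempt attacker."""
    dist = answer_distribution(answers)
    return {
        "question": question,
        "distinct_answers": len(dist),
        "one_guess_rate": guess_success_rate(dist, 1),
        "multi_guess_rate": guess_success_rate(dist, guesses),
        "guessable": is_guessable(dist, guesses),
    }


if __name__ == "__main__":
    for q, a in [("year met spouse", YEAR_ANSWERS),
                 ("favorite president", PRESIDENT_ANSWERS),
                 ("long-tail question", LONG_TAIL_ANSWERS)]:
        print(evaluate(q, a))
    pres = answer_distribution(PRESIDENT_ANSWERS)
    print("reject 'Lincoln'?", should_reject_answer("Lincoln", pres))
    print("reject 'Polk'?", should_reject_answer("Polk", pres))
```

Two points the numbers make explicit: a year question is guessable even when answers are perfectly spread, because there are only a few dozen plausible years (matching the slide's “years and ages are guessable”), and the rejection rule only helps when the site actually measures its own answer distribution, since the same answer can be rare for one question and dominant for another.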
Deeper fixes • Want to ask Qs users can’t disclose answers to. • Recognition-based, instead of recall • Try to embed media into questions? • Ask about images, audio, etc to make attacker’s info retrieval problem harder.
Alternate Q. Styles • O’Gorman, Bagga & Bentley: “Call Center Customer Verification by Question-Directed passwords” • Jakobsson, Stolterman, Wetzel & Yang: “Love and authentication” • Asgharpour & Jakobsson: “Adaptive Challenge Questions Algorithm in Password Reset/Recovery”
Takeaways • Many personal security questions are weak. • Security Qs are getting weaker due to improved IR and increase in online content. • Research needed in order to keep up.
Questions? • My data files are available from: • http://www.cs.berkeley.edu/~asrabkin/securityquestions.tgz
Inapplicable • Lots of questions about family: • Names of children, spouses, grandparents • Details of weddings, honeymoons, etc. • Assumptions about lifestyles • “In what city is your vacation home?”
Ambiguous • Many questions with multiple true answers, or multiple ways of reading them • “What is your favorite {book, movie, place, ...}?” • “Who was your best friend from high school?”
Not memorable • Sometimes there’s one unambiguous answer that many users are unlikely to remember. • Early childhood events, obscure family history. • Names of kindergarten teachers, etc. • “What was the price of your first car?” • Unfortunately, no clear line here.