Security questions in the Facebook era
• Ari Rabkin
• asrabkin@cs.berkeley.edu

Definitions
• Security question = ask the user something
• Secret security question = ask for a secret fact
  • SSN, account number, PIN, etc.
• Personal security question = question about something meaningful to the user
  • Not “secret”

The problem
• Security for personal security questions is based on:
  • Information-retrieval hardness assumptions, plus secrecy assumptions.
• But IR is improving rapidly.
• Humans like to talk about themselves and each other, and share ever more information.
• Hard to know what an attacker might know.

Methodology
• I and a handful of volunteers went through the forgotten-password mechanisms at 20 banks.
• Checked whether the mechanism recognizes hosts.
• Wrote down the steps in the authentication process.
• Made a list of all accessible security questions.
• Coded and analyzed the questions in use.

Coded by type [chart; only the legend survived extraction]
• Key: Banks, Online Banks, Credit Cards, Brokerages, Credit Unions
• Institutions without password reset mechanism
Classifying the Qs
• Different sorts of security weaknesses:
  • Guessable
  • Automatically attackable
  • Human attackable

Guessable
• Definition: can guess the correct answer at least 1% of the time, without any knowledge of the [honest] user.
  • “What is the last name of your favorite president?”
• Years and ages are guessable.
  • “In which year did you meet your spouse?”
• First names are guessable.

Auto. Attackable
• Can algorithmically answer some security questions using Facebook and similar sites.
  • For instance, educational background: where and when you went to school.
  • College athletic rivals.
• Also, preferences: “favorite {book, movie, ...}”.

Human Attackable
• Many Qs answerable from blogs, webpages.
  • E.g., favorite pastime, first employer.
  • “What was your high school mascot?”
• Hard to catch all such cases, since there is no full enumeration of available sources.
• Also varies from person to person.
The mechanisms
• The major banks and credit cards mostly don’t rely on personal security questions alone.
  • Many ask for SSN + account number + PIN.
  • A few send email messages.
• Brokerages and online-only banks rely more heavily on security questions.

Statistics
• Only a third of questions appeared secure.
• About 15% of Qs were automatically attackable.
• About 35% were guessable.
• Rates varied widely from bank to bank.
• No clear patterns in question quality.

Popular topics
• Many questions about family
  • Names of relatives, life events, etc.
• Many questions about preferences
  • Favorite {book, movie, etc.}

The popular questions
• Name of first pet (6 banks of 11)
• Favorite sports team (4 of 11)
• Grandmother’s first name (4 of 11)
• High school mascot (4 of 11)

Related Work
• Michael Just: “Designing and evaluating challenge-question systems”
• Mannan & van Oorschot: “Security and usability: The gap in real-world online banking”
• Griffith & Jakobsson: “Messin’ with Texas”
• Haga & Zviran (’91): “Question-and-answer passwords: an empirical evaluation”

Some quick fixes
• Can limit guessability by rejecting overly common answers.
• Can try to ask questions with secure answers.
  • Remove the weakest questions.
• CAPTCHAs, to reduce automated attack.
• Warn users to pick good questions.
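As an added illustration of the 1% guessability criterion from the “Guessable” slide and the first quick fix above (rejecting overly common answers), not code from the talk: the answer corpus is constructed, and the 1% threshold and the year/age pattern are assumptions of this example.

```python
from collections import Counter
import re

# Constructed sample answer corpus for one question, e.g. "What is the last
# name of your favorite president?" (not real data from the talk).
SAMPLE_ANSWERS = (
    ["Lincoln"] * 30 + ["Washington"] * 20 + ["Kennedy"] * 10
    + ["Obama"] * 8 + ["Reagan"] * 7
    + [f"user{i}" for i in range(25)]          # 25 distinct, rare answers
)

# Assumed pattern for bare years (1800-2099) and ages (1-3 digits).
YEAR_OR_AGE = re.compile(r"^(1[89]\d\d|20\d\d|\d{1,3})$")


def normalize(answer):
    """Fold case and whitespace so 'Lincoln' and ' lincoln ' count as one guess."""
    return " ".join(answer.lower().split())


def guess_success_rate(answers, attempts=1):
    """Fraction of accounts an attacker with no knowledge of the user would
    open by trying the `attempts` most common answers to this question."""
    counts = Counter(normalize(a) for a in answers)
    top = sum(c for _, c in counts.most_common(attempts))
    return top / sum(counts.values())


def is_guessable(answers, attempts=1, threshold=0.01):
    """The talk's criterion: a question is guessable if a blind guess
    succeeds at least 1% of the time."""
    return guess_success_rate(answers, attempts) >= threshold


def looks_like_year_or_age(answer):
    """Years and ages come from a tiny answer space, so they are guessable
    regardless of how the population's answers are distributed."""
    return bool(YEAR_OR_AGE.match(normalize(answer)))


def too_common(answer, answers, max_share=0.01):
    """Quick fix from the talk: reject an enrollment answer already used by
    more than `max_share` of existing users, or that is a bare year/age."""
    if looks_like_year_or_age(answer):
        return True
    counts = Counter(normalize(a) for a in answers)
    return counts[normalize(answer)] / len(answers) > max_share


if __name__ == "__main__":
    print(f"blind guess success: {guess_success_rate(SAMPLE_ANSWERS):.0%}")  # 30%
    print(f"guessable: {is_guessable(SAMPLE_ANSWERS)}")                      # True
    print(f"reject 'Lincoln': {too_common('Lincoln', SAMPLE_ANSWERS)}")      # True
    print(f"reject 'user3': {too_common('user3', SAMPLE_ANSWERS)}")          # False
```

Run against a real enrollment table, `guess_success_rate` with `attempts` set to the lockout limit gives the per-question exposure the “Statistics” slide measures by hand.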
Deeper fixes
• Want to ask Qs users can’t disclose answers to.
• Recognition-based, instead of recall.
• Try to embed media into questions?
  • Ask about images, audio, etc. to make the attacker’s information-retrieval problem harder.

Alternate Q. Styles
• O’Gorman, Bagga & Bentley: “Call Center Customer Verification by Question-Directed Passwords”
• Jakobsson, Stolterman, Wetzel & Yang: “Love and authentication”
• Asgharpour & Jakobsson: “Adaptive Challenge Questions Algorithm in Password Reset/Recovery”

Takeaways
• Many personal security questions are weak.
• Security Qs are getting weaker due to improved IR and the increase in online content.
• Research is needed in order to keep up.

Questions?
• My data files are available from:
  • http://www.cs.berkeley.edu/~asrabkin/securityquestions.tgz
Inapplicable
• Lots of questions about family:
  • Names of children, spouses, grandparents
  • Details of weddings, honeymoons, etc.
• Assumptions about lifestyles:
  • “In what city is your vacation home?”

Ambiguous
• Many questions with multiple true answers, or multiple ways of reading them:
  • “What is your favorite {book, movie, place, ...}?”
  • “Who was your best friend from high school?”

Not Memorable
• Sometimes there’s one unambiguous answer that many users are unlikely to remember.
  • Early childhood events, obscure family history.
  • Names of kindergarten teachers, etc.
  • “What was the price of your first car?”
• Unfortunately, no clear line here.