Security questions in the Facebook era

Ari Rabkin, asrabkin@cs.berkeley.edu

Presentation Transcript


  1. Security questions in the Facebook era
  • Ari Rabkin
  • asrabkin@cs.berkeley.edu

  2. Definitions
  • Security question = ask the user something
  • Secret security question = ask for a secret fact
    • SSN, account number, PIN, etc.
  • Personal security question = question about something meaningful to user
    • Not “secret”

  3. The problem
  • Security for personal sec. Qs is based on:
    • Information-retrieval hardness assumptions, plus secrecy assumptions.
  • But IR is improving rapidly
  • Humans like to talk about themselves and each other -- share ever more information.
  • Hard to know what an attacker might know.

  4. The context

  5. Methodology
  • I and a handful of volunteers went through forgotten password mechanisms at 20 banks.
    • Checked whether mechanism recognizes hosts.
    • Wrote down steps in authentication process.
    • Made list of all accessible security questions.
  • Coded and analyzed questions in use

  6. The banks in question

  7. Coded by type
  [Chart: institutions coded by type. Key: Banks, Online Banks, Credit Cards, Brokerages, Credit Unions; Institutions without password reset mechanism]

  8. Classifying the Qs
  • Different sorts of security weaknesses
    • Guessable
    • Automatically attackable
    • Human attackable

  9. Guessable
  • Definition: Can guess correct answer at least 1% of the time, without any knowledge of [honest] user
    • “What is the last name of your favorite president?”
  • Years and ages are guessable.
    • “In which year did you meet your spouse?”
  • First names are guessable.

  10. Auto. Attackable
  • Can algorithmically answer some security questions using Facebook and similar sites
    • For instance, educational background.
    • Where and when you went to school.
    • College athletic rivals
    • Also, preference: “favorite {book, movie, ...}”.

  11. Human Attackable
  • Many Qs answerable from blogs, webpages.
    • E.g., favorite pastime, first employer.
    • “What was your high school mascot?”
  • Hard to catch all such cases, since no full enumeration of available sources.
  • Also varies from person to person.

  12. The mechanisms
  • The major banks and credit cards mostly don’t rely on personal security questions alone.
    • Many ask for SSN + acct number + PIN.
    • A few send email messages.
  • Brokerages and online-only banks rely more heavily on security questions

  13. Statistics
  • Only a third of questions appeared secure.
    • About 15% of Qs were auto. attackable
    • About 35% were guessable.
  • Rates varied widely from bank to bank.
  • No clear patterns in question quality.

  14. Popular topics
  • Many questions about family
    • Names of relatives, life events, etc.
  • Many questions about preferences.
    • Favorite {book, movie, etc.}

  15. The popular questions
  • Name of first pet (6 banks of 11)
  • Favorite sports team (4 of 11)
  • Grandmother’s first name (4 of 11)
  • High school mascot (4 of 11)

  16. Related Work
  • Michael Just: “Designing and evaluating challenge-question systems”
  • Mannan & van Oorschot: “Security and usability: The gap in real-world online banking”
  • Griffith & Jakobsson: “Messin’ with Texas”
  • Haga & Zviran (1991): “Question-and-answer passwords: an empirical evaluation”

  17. Some quick fixes
  • Can limit guessability by rejecting overly common answers.
  • Can try to ask questions with secure answers.
    • Remove weakest questions
  • CAPTCHAs, to reduce auto. attack
  • Warn users to pick good questions
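The first two quick fixes, and the 1% "guessable" definition from slide 9, can be turned into an enrollment-time policy. The following is an added example, not code from the talk or its data files: it applies the talk's definition (a blind attacker who submits the most common answers succeeds at least 1% of the time) to per-question answer statistics, rejects overly common answers at enrollment, and ranks questions that should be removed. The question names, the answer corpus, the `attempts` lockout parameter and the `min_len` rule are all constructed assumptions for illustration.

```python
from collections import Counter
import re
import unicodedata

# Talk's definition (slide 9): a question is "guessable" when an attacker with
# no knowledge of the user answers correctly at least 1% of the time.
GUESSABLE_THRESHOLD = 0.01


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Max', ' max ' and 'MAX.' compare equal.
    Must be applied identically at enrollment and at verification."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)           # strip punctuation
    return re.sub(r"\s+", " ", s).strip()   # collapse whitespace


# Constructed answer statistics (illustrative, NOT the talk's data):
# question -> Counter of normalized answers over a hypothetical user base of 10,000.
ANSWER_STATS = {
    # Four popular pet names dominate; the remaining 9,000 users are unique.
    "first pet": Counter({"max": 400, "buddy": 300, "bella": 200, "rex": 100})
                 + Counter({f"pet{i}": 1 for i in range(9000)}),
    # Years cluster heavily: 20 plausible years, 500 users each.
    "year you met your spouse": Counter({str(y): 500 for y in range(1990, 2010)}),
    # A constructed high-entropy question: every user answers differently.
    "constructed uniform question": Counter({str(n): 1 for n in range(10000)}),
}


def answer_frequency(stats: Counter, answer: str) -> float:
    """Fraction of users who gave this (normalized) answer."""
    total = sum(stats.values())
    return stats[normalize(answer)] / total if total else 0.0


def blind_guess_rate(stats: Counter, attempts: int = 1) -> float:
    """Success rate of an attacker who knows nothing about the user and
    submits the `attempts` most common answers (attempts = lockout limit)."""
    total = sum(stats.values())
    if not total:
        return 0.0
    return sum(count for _, count in stats.most_common(attempts)) / total


def is_guessable(stats: Counter, attempts: int = 1,
                 threshold: float = GUESSABLE_THRESHOLD) -> bool:
    """Apply the talk's 1% criterion for a given lockout limit."""
    return blind_guess_rate(stats, attempts) >= threshold


def check_answer(question: str, answer: str, threshold: float = GUESSABLE_THRESHOLD,
                 min_len: int = 3) -> tuple:
    """Enrollment-time policy (slide 17, first fix): reject empty or very short
    answers and answers so common that accepting them leaves the account guessable."""
    stats = ANSWER_STATS.get(question, Counter())
    norm = normalize(answer)
    if len(norm) < min_len:
        return False, "answer too short"
    if answer_frequency(stats, norm) >= threshold:
        return False, "answer too common"
    return True, "ok"


def weak_questions(attempts: int = 5, threshold: float = GUESSABLE_THRESHOLD) -> list:
    """Slide 17, second fix: questions to remove, worst first, given that an
    attacker gets `attempts` tries before lockout."""
    rated = [(blind_guess_rate(stats, attempts), q) for q, stats in ANSWER_STATS.items()]
    return [q for rate, q in sorted(rated, reverse=True) if rate >= threshold]


if __name__ == "__main__":
    for q in ANSWER_STATS:
        print(f"{q!r}: 1-try guess rate {blind_guess_rate(q and ANSWER_STATS[q]):.4f}")
    print("enroll 'Max' for first pet:", check_answer("first pet", "Max"))
    print("questions to remove:", weak_questions())
```

The policy is only as good as the statistics behind it: if the frequency table is built from the bank's own enrolled answers it must be kept as aggregated counts, never as a lookup of which user gave which answer. The ranking also shows why the talk says years are guessable: with 20 plausible years, rejecting common answers would reject every answer, so the question itself has to go.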

  18. Deeper fixes
  • Want to ask Qs users can’t disclose answers to.
    • Recognition-based, instead of recall
  • Try to embed media into questions?
    • Ask about images, audio, etc. to make attacker’s info retrieval problem harder.

  19. Alternate Q. Styles
  • O’Gorman, Bagga & Bentley: “Call Center Customer Verification by Question-Directed Passwords”
  • Jakobsson, Stolterman, Wetzel & Yang: “Love and authentication”
  • Asgharpour & Jakobsson: “Adaptive Challenge Questions Algorithm in Password Reset/Recovery”

  20. Takeaways
  • Many personal security questions are weak.
  • Security Qs are getting weaker due to improved IR and increase in online content.
  • Research needed in order to keep up.

  21. Questions?
  • My data files are available from:
    • http://www.cs.berkeley.edu/~asrabkin/securityquestions.tgz

  22. What they did

  23. Inapplicable
  • Lot of questions about family:
    • Names of children, spouses, grandparents
    • Details of weddings, honeymoons, etc.
  • Assumptions about lifestyles
    • “In what city is your vacation home?”

  24. Ambiguous
  • Many questions with multiple true answers, or multiple ways of reading it
    • “What is your favorite {book, movie, place...}?”
    • “Who was your best friend from high school?”

  25. Not Memorable
  • Sometimes, there’s one unambiguous answer that many users are unlikely to remember.
    • Early childhood events, obscure family history.
    • Names of kindergarten teachers, etc.
    • “What was the price of your first car?”
  • Unfortunately, no clear line here.

  26. Statistics about Qs
