
All Your Face Belong to Us: Breaking Facebook’s Social Authentication

All Your Face Belong to Us: Breaking Facebook’s Social Authentication. Jason Polakis and Sotiris Ioannidis, FORTH-ICS , Greece; Marco Lancini , Federico Maggi, and Stefano Zanero , Politecnico di Milano, Italia;





Presentation Transcript


  1. All Your Face Belong to Us: Breaking Facebook’s Social Authentication Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis and Angelos D. Keromytis, Columbia University, USA

  2. Outline • Introduction • How Social Authentication Works • Advantages and Shortcomings • Attack Surface Estimation • Breaking Social Authentication • Face Recognition as a Service • Experimental Evaluation • Remediation and Limitations • Conclusions

  3. Introduction • Facebook reported over 900 million active users as of March 2012. • In 2011, Facebook released a two-factor authentication mechanism referred to as Social Authentication (SA).

  4. How Social Authentication Works • Friend list • A user must have at least 50 friends. • Tagged photos • The user’s friends must be tagged in an adequate number of photos. • Face • SA tests must be solvable by humans within the 5-minute (circa) time window enforced by Facebook. • Triggering • The user logs in from a different geographical location. • The user accesses the account from a new device for the first time.

  5. Advantages and Shortcomings • Advantages • Facebook’s SA is less cumbersome, especially because users have grown accustomed to tagging friends in photos. • Shortcomings • The number of friends can influence the applicability and the usability of SA. • Friends may have been tagged erroneously, for fun or as part of a contest that required them to do so. • Users can bypass the SA test by providing their date of birth.

  6. Attack Surface Estimation • The attacker has compromised the user’s credentials. • Facebook designed SA as a protection mechanism against strangers. • We provide an empirical calculation of the probability of each phase of our attack. • P(F) = 47% of users have a public friend list. • P(P) = 71% of them (236,752) exposed at least one public photo album. • The attacker can try to befriend the friends of the victim to gain access to their private photos, with a chance of P(B) ≃ 70% of succeeding.

  7. Attack Surface Estimation (Cont.)

  8. Breaking Social Authentication • Step 1: Crawling Friend List • Python’s urllib HTTP library and regular expressions • MongoDB database • GridFS filesystem • Step 2: Issuing Friend Requests • Step 3: Photo Collection/Modeling • Photo collection • Face extraction and tag matching – OpenCV toolkit • Facial modeling – sklearn library • Step 4: Name Lookup

  9. Breaking Social Authentication

  10. Face Recognition as a Service • Face.com • was recently acquired by Facebook. • The service exposes an API through which developers can supply a set of photos to use as training data and then query the service with a new, unknown photo for the recognition of known individuals. • faces.detect – identify any existing faces • tags.save – label the good photos with the respective UIDs of their owners • face.train • faces.recognize

  11. Experimental Evaluation • Overall Dataset

  12. Experimental Evaluation (Cont.) • Breaking SA: Determined Attacker • (figure) Number of pages solved correctly out of 7.

  13. Experimental Evaluation (Cont.) • Breaking SA: Determined Attacker • (figure) CPU time required to solve the full test.

  14. Breaking SA: Casual Attacker • Implementation • 11 dummy accounts play the role of victims. • Selenium – logs these accounts in in an automated fashion. • Tor – takes advantage of the geographic dispersion of its exit nodes. • face.com – solves the SA tests. • Results • 22% (28/127) of tests: 5-7 of the 7 test pages solved. • 56% (71/127) of tests: 3-4 of the 7 test pages solved. • 44 seconds on average.

  15. Breaking SA: Casual Attacker (Cont.) • In about 25% of the photos, face.com was unable to detect a human face. • In 50% of the photos, face.com detected a human face but marked it as unrecognizable. • In the remaining 25% of the photos, a face was detected but did not match any of the faces in our training set.

  16. Ethical Consideration • We never took advantage of accepted requests to collect photos or other private information otherwise unavailable; we solely collected public photos.

  17. Compromise Prevention • Users can add certain devices to a list of recognized, trusted devices. • A user who fails to complete an SA challenge is redirected, upon the next successful login, to an alert page that reports the attempted login.
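The following is an added example, not code from the paper or from Facebook: a small Python model of the SA step as slides 4 and 17 describe it (eligibility thresholds, triggering on a new device or location, the roughly 5-minute window, trusted devices, and the alert page shown after a failed challenge). The 50-friend minimum, the 7 pages and the 5-minute window come from the slides; the requirement of 7 tagged friends, the pass threshold of 5 correct pages (matching the "5-7 of 7" success bucket in the evaluation), and all names and data shapes are assumptions made for this example.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

# Thresholds taken from the slides.
MIN_FRIENDS = 50          # a user must have at least 50 friends
TEST_PAGES = 7            # an SA test consists of 7 pages
TIME_WINDOW_SEC = 5 * 60  # tests must be solved within ~5 minutes
# Assumptions for this example (not stated on the slides).
MIN_TAGGED_FRIENDS = 7    # enough tagged friends to fill every page with a distinct friend
PASS_THRESHOLD = 5        # "solved 5-7 of 7 pages" is counted as success in the evaluation


@dataclass
class Account:
    uid: str
    password: str
    friends: dict                                   # friend uid -> photos the friend is tagged in
    trusted_devices: set = field(default_factory=set)
    last_location: str = ""
    pending_alert: Optional[str] = None             # shown on the next successful login


def sa_eligible(acct: Account) -> bool:
    """SA can only be applied when the account has enough friends and enough tagged friends."""
    tagged = sum(1 for n in acct.friends.values() if n > 0)
    return len(acct.friends) >= MIN_FRIENDS and tagged >= MIN_TAGGED_FRIENDS


def sa_triggered(acct: Account, device: str, location: str) -> bool:
    """Trigger on an unrecognised device or a change of geographical location."""
    return device not in acct.trusted_devices or location != acct.last_location


def make_test(acct: Account, seed: int) -> list:
    """Pick one tagged friend per page; the list doubles as the answer key (server side only)."""
    tagged = [uid for uid, n in acct.friends.items() if n > 0]
    return random.Random(seed).sample(tagged, TEST_PAGES)


def grade_test(answers, truth, elapsed_sec: float) -> bool:
    """A test passes if it is submitted within the window and enough pages are correct."""
    if elapsed_sec > TIME_WINDOW_SEC:
        return False
    correct = sum(1 for a, t in zip(answers, truth) if a == t)
    return correct >= PASS_THRESHOLD


def _finish_login(acct: Account, location: str) -> Optional[str]:
    """Record the location and hand back (and clear) any alert from an earlier failed challenge."""
    acct.last_location = location
    alert, acct.pending_alert = acct.pending_alert, None
    return alert


def login(acct: Account, password: str, device: str, location: str, seed: int = 0):
    """First step of a login: ('denied', None), ('ok', alert) or ('sa_required', challenge)."""
    if password != acct.password:
        return "denied", None
    if sa_eligible(acct) and sa_triggered(acct, device, location):
        challenge = {"device": device, "location": location, "truth": make_test(acct, seed)}
        return "sa_required", challenge
    # Accounts below the friend threshold never see SA: a stolen password alone is enough.
    return "ok", _finish_login(acct, location)


def submit_sa(acct: Account, challenge: dict, answers, elapsed_sec: float,
              remember_device: bool = False):
    """Second step: ('sa_failed', None) or ('ok', alert)."""
    if not grade_test(answers, challenge["truth"], elapsed_sec):
        acct.pending_alert = (f"failed SA challenge from {challenge['device']} "
                              f"at {challenge['location']}")
        return "sa_failed", None
    if remember_device:
        acct.trusted_devices.add(challenge["device"])
    return "ok", _finish_login(acct, challenge["location"])


if __name__ == "__main__":
    # Constructed account: 60 friends, 10 of them tagged in at least one photo.
    acct = Account("victim", "pw", {f"f{i}": (1 if i < 10 else 0) for i in range(60)},
                   trusted_devices={"laptop"}, last_location="Heraklion")
    print(login(acct, "pw", "laptop", "Heraklion"))            # ('ok', None): trusted device, same place
    status, ch = login(acct, "pw", "phone", "Milan")            # 'sa_required': new device and place
    print(status, submit_sa(acct, ch, ["x"] * TEST_PAGES, 30))  # ('sa_failed', None): nothing correct
    print(login(acct, "pw", "laptop", "Heraklion"))            # ('ok', 'failed SA challenge from phone at Milan')
```

The point of the model is the two remediation hooks from slide 17: a device only enters `trusted_devices` after a challenge has actually been passed, and a failed challenge leaves a `pending_alert` that is surfaced on the next successful login rather than silently dropped, so the legitimate owner learns about the attempt.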

  18. Slowing Down the Attacker • CAPTCHAs may create a technical obstacle to automated attacks, but they should not be considered a definitive countermeasure. • The presence of suggested names in SA tests is the major disadvantage of the current implementation, as it greatly limits the search space for adversaries.
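To make the "limited search space" point of slide 18 concrete, here is an added example (not from the paper) that computes how often a test would be passed by guessing alone, and how many attempts a lockout policy can allow before that adds up. It assumes 7 pages, a pass threshold of 5 correct pages (the "5-7 of 7" bucket from the evaluation), and a number of suggested names per page that is a parameter; the value 6 used in the demonstration and the 300-friend free-text comparison are assumptions, not figures from the slides.

```python
from math import comb, floor, log


def p_pass_by_guessing(candidates_per_page: int, pages: int = 7, needed: int = 5) -> float:
    """Probability that someone with no knowledge of the victim's friends passes one test
    by picking uniformly among the candidate names on every page (binomial upper tail)."""
    p = 1.0 / candidates_per_page
    return sum(comb(pages, k) * p ** k * (1 - p) ** (pages - k)
               for k in range(needed, pages + 1))


def max_attempts_within_budget(p_single: float, budget: float) -> int:
    """Largest number of independent attempts n for which 1 - (1 - p)^n <= budget,
    i.e. how many tries a lockout policy can allow before the guessing risk
    exceeds the chosen budget."""
    if not 0 < p_single < 1 or not 0 < budget < 1:
        raise ValueError("probabilities must lie strictly between 0 and 1")
    return floor(log(1 - budget) / log(1 - p_single))


if __name__ == "__main__":
    # ASSUMED values for the demonstration: 6 suggested names per page vs. free-text
    # answers drawn from a 300-entry friend list.
    suggested = p_pass_by_guessing(6)
    free_text = p_pass_by_guessing(300)
    print(f"pass by guessing, 6 suggested names: {suggested:.6f}")
    print(f"pass by guessing, free text over 300 friends: {free_text:.3e}")
    print(f"attempts allowed at a 1% risk budget: {max_attempts_within_budget(suggested, 0.01)}")
```

With six names per page the guessing success rate is about 0.2% per test, so an attacker who is allowed unlimited retries needs only a few hundred attempts to get through; rate limiting and lockout therefore matter for SA just as they do for any short challenge, and the budget helper gives the number to configure.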

  19. Conclusions • On average, we obtained 42% of the data used to generate the second factor, thus gaining the ability to identify randomly selected photos of the victim’s friends. • Given that information, we managed to solve 22% of the real Facebook SA tests presented to us during our experiments and gained a significant advantage in an additional 56% of the tests, with answers for more than half of the pages of each test.
