All your face are belong to us: breaking Facebook's social authentication

Two-factor authentication is widely used by high-value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which requires users to identify some of their friends in randomly selected photos. A recent study has provided a formal analysis of social authentication weaknesses against attackers inside the victim's social circles. In this paper, we extend the threat model and study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implement a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluate it using real public data collected from Facebook. Under the assumptions of Facebook's threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of the friends of a user that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage over random guessing for an additional 56% of the tests. Additionally, we simulate the scenario of a determined attacker placing himself inside the victim's social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when 120 faces per friend are accessible to the attacker, while it is already very accurate with as few as 10 faces.
