Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication

In an effort to hinder attackers from compromising user accounts, Facebook launched a form of two-factor authentication called social authentication (SA), where users are required to identify photos of their friends to complete a log-in attempt. Recent research, however, demonstrated that attackers can bypass the mechanism by employing face recognition software. Here we demonstrate an alternative attack that employs image comparison techniques to identify the SA photos within an offline collection of the users' photos. In this paper, we revisit the concept of SA and design a system with a novel photo selection and transformation process, which generates challenges that are robust against these attacks. The intuition behind our photo selection is to use photos that fail software-based face recognition, while remaining recognizable to humans who are familiar with the depicted people. The photo transformation process creates challenges in the form of photo collages, where faces are transformed so as to render image matching techniques ineffective. We experimentally confirm the robustness of our approach against three template matching algorithms, which solve 0.4% of the challenges while requiring four orders of magnitude more processing effort. Furthermore, when the transformations are applied, face detection software fails to detect even a single face. Our user studies confirm that users are able to identify their friends in over 99% of the photos with faces unrecognizable by software, and can solve over 94% of the challenges with transformed photos.
