Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis.

Published bySherilyn Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis."— Presentation transcript:

1 Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis and Angelos D. Keromytis, Columbia University, USA

2 Outline Introduction How Social Authentication Works Advantages and Shortcomings Attack Surface Estimation Breaking Social Authentication Face Recognition as a Service Experimental Evaluation Remediation and Limitations Conclusions

3 Introduction Facebook reports over 900 million active users as of March 2012. In 2011, Facebook has released a two-factor authentication mechanism, referred to as Social Authentication.

4 How Social Authentication Works Friend list A user must have at least 50 friends. Tagged photos The user’s friend must be tagged in an adequate number of photos. Face SA tests must be solvable by humans within the 5 minute (circa) time window enforced by Facebook. Triggering the user logs in from a different geographical location. uses a new device for the first time to access his account.

5 Advantages and Shortcomings Advantages Facebook’s SA is less cumbersome, especially because users have grown accustomed to tagging friends in photos. Shortcomings The number of friends can influence the applicability and the usability of SA. Their friends have erroneously tagged for fun or as part of a contest which required them to do so. Bypass the SA test by providing their date of birth.

6 Attack Surface Estimation The attacker has compromised the user’s credential. Facebook designed SA as a protection mechanism against strangers. we provide an empirical calculation of the probabilities of each phase of our attack. P(F) = 47% of the user’s have their friends list public. P(P) = 71% of them (236,752) exposed at least one public photo album. Attacker can try to befriend the friends of his victim to gain access to their private photos with a chance of P(B) ≃ 70% to succeed.

7 Attack Surface Estimation (Cont.)

8 Breaking Social Authentication Step 1: Crawling Friend List Python’s urllib HTTP library and regular expression MongoDB database GridFS filesystem Step 2: Issuing Friend Requests Step 3: Photo Collection/Modeling Photo collection Face Extraction and Tag Matching – OpenCV toolkit Facial Modeling – sklearn library Step 4: Name Lookup

9 Breaking Social Authentication

10 Face Recognition as a Service Face.com was recently acquired by Facebook. The service exposes an API through which developers can supply a set of photos to use as training data and then query the service with a new unknown photo for the recognition of known individuals. faces.detect – identify any existing faces tags.save - to label the good photos with the respective UIDs of their owners face.train faces.recongnize

11 Experimental Evaluation Overall Dataset

12 Experimental Evaluation (Cont.) Breaking SA: Determined Attacker shows the number of pages solved correctly out of 7.

13 Experimental Evaluation (Cont.) Breaking SA: Determined Attacker shows the CPU-time required to solve the full test

14 Breaking SA: Casual Attacker Implementation 11 dummy accounts play the role of victims. Selenium – login these account in a automated fashion. Tor - take advantage of the geographic dispersion of its exit nodes. face.com – solved SA test Result 22% (28/127) of tests solved 5-7 of the 7 test pages. 56% (71/127) of tests solved 3-4 of the 7 test pages. 44 seconds on average

15 Breaking SA: Casual Attacker (Cont.) In about 25% of the photos face.com was unable to detect a human face. in 50% of the photos face.com was able to detect a human face but marked it as unrecognizable. in the last 25% of the photos a face was detected but did not match any of the faces in our training set.

16 Ethical Consideration We never took advantage of accepted requests to collect photos or other private information otherwise unavailable; we solely collected public photos.

17 Compromise Prevention Users can add certain devices to a list of recognized, trusted devices. a user who fails to complete an SA challenge is redirected to an alert page, upon the next successful login, which reports the attempted login.

18 Slowing Sown Attacker CAPTCHAs may create a technical obstacle to automated attacks, but they should not be considered a definitive countermeasure. The presence of suggested names in SA tests is the major disadvantage of the current implementation as it greatly limits the search space for adversaries.

19 Conclusions on average, 42% of the data used to generate the second factor, thus, gaining the ability to identify randomly selected photos of the victim’s friends. Given that information, we managed to solve 22% of the real Facebook SA tests presented to us during our experiments and gain a significant advantage to an additional 56% of the tests with answers for more than half of pages of each test.

Download ppt "Jason Polakis and Sotiris Ioannidis, FORTH-ICS, Greece; Marco Lancini, Federico Maggi, and Stefano Zanero, Politecnico di Milano, Italia; Georgios Kontaxis."

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
Learning to Suggest: A Machine Learning Framework for Ranking Query Suggestions Date: 2013/02/18 Author: Umut Ozertem, Olivier Chapelle, Pinar Donmez,

Learning to Suggest: A Machine Learning Framework for Ranking Query Suggestions Date: 2013/02/18 Author: Umut Ozertem, Olivier Chapelle, Pinar Donmez,
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.

All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.
By : Adham Suwan Mohammed Zaza Ahmed Mafarjeh. Achieving Security through Kinect using Skeleton Analysis (ASKSA)

By : Adham Suwan Mohammed Zaza Ahmed Mafarjeh. Achieving Security through Kinect using Skeleton Analysis (ASKSA)
Defending Against Traffic Analysis Attacks in Wireless Sensor Networks Security Team 2009.07.20.

Defending Against Traffic Analysis Attacks in Wireless Sensor Networks Security Team
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Outline of presentation Brief introduction of Facebook as a social networking tool Research questions Methods Findings and Results Some Experimentation.

Outline of presentation Brief introduction of Facebook as a social networking tool Research questions Methods Findings and Results Some Experimentation.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Miscreant of Social Networks Paper1: Social Honeypots, Making Friends With A Spammer Near You Paper2: Social phishing Kai and Isaac.

Miscreant of Social Networks Paper1: Social Honeypots, Making Friends With A Spammer Near You Paper2: Social phishing Kai and Isaac.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Department Of Computer Engineering

Department Of Computer Engineering
Midterm Presentation Undergraduate Researchers: Graduate Student Mentor: Faculty Mentor: Jordan Cowart, Katie Allmeroth Krist Culmer Dr. Wenjun (Kevin)

Midterm Presentation Undergraduate Researchers: Graduate Student Mentor: Faculty Mentor: Jordan Cowart, Katie Allmeroth Krist Culmer Dr. Wenjun (Kevin)
Vision-Based Biometric Authentication System by Padraic o hIarnain Final Year Project Presentation.

Vision-Based Biometric Authentication System by Padraic o hIarnain Final Year Project Presentation.

Similar presentations

Ads by Google