All Your Faces Are Belong to Us -- Breaking Facebook's Social Authentication, presented at Hackcon 2013

by Stefano Zanero

Tags: Security

In this presentation we will study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. W

Summary: Under the assumptions of Facebook's threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of the tagged friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing.
Additionally, we simulate the scenario of a determined attacker placing himself inside the victim's social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when as few as 100 faces per friend are accessible to the attacker.
The presentation will be held by Stefano Zanero. Stefano received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an assistant professor with the Dipartimento di Elettronica e Informazione. His research focuses on intrusion detection, malware analysis, and systems security.
Besides teaching Computer Security at Politecnico, he has extensive speaking and training experience in Italy and abroad. He has co-authored over 40 scientific papers and books. He is an associate editor for the "Journal in computer virology". He is a Senior Member of the IEEE (covering volunteer positions at national and regional level), the IEEE Computer Society (for which he is a member of the Board of Governors), and the ACM.
Stefano co-founded the Italian chapter of ISSA (Information System Security Association), of which he is a senior member. He sits on the International Board of Directors of the same association. He is a long-time op-ed writer for magazines (among which "Computer World").