You should enable two-factor authentication everywhere that you can. Facebook previously added, and then removed, mobile phone numbers as a two-factor authentication option under ‘Login Approvals’ because “Facebook's reverse lookup feature can be abused to search for thousands of sequential phone numbers in order to find any Facebook profiles associated with them.” Facebook has a second layer of login verification, known as Social Authentication (SA), intended to help fight the use of stolen account passwords. When a suspicious login is detected, Facebook shows you a series of up to seven photos of your friends and asks you to identify the people in them in order to verify your account. At the Annual Computer Security Applications Conference (ACSAC 2012), on Friday, Dec 7, researchers will present All Your Face Are Belong to Us: Breaking Facebook's Social Authentication by Jason Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis, and Stefano Zanero.
Because Facebook bases the challenge on social information about the user, it is supposed to stop an attacker who does not know which name goes with which friend’s photo. Some people have complained that photos can be tagged with a friend’s name even when the photo does not show a person at all. Previous research (Dunbar’s number) suggests that we can maintain stable social relationships with at most about 150 “friends,” so another issue is that some people have friended so many others that they do not really “know” their friends well enough to identify them in a photo. The researchers note that Facebook’s SA, “to the best of our knowledge, is the first instance of an authentication scheme based on the 'who you know' rationale.” They then set out to build, and succeeded in building, an automated system capable of breaking Facebook’s Social Authentication.
All Your Face Are Belong to Us: Breaking Facebook’s Social Authentication [PDF]:
We implement a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluate it using real public data collected from Facebook. Under the assumptions of Facebook’s threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of a user’s friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing. Additionally, we simulate the scenario of a determined attacker placing himself inside the victim’s social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when 120 faces per friend are accessible by the attacker, even though it is very accurate with as little as 10 faces.
The security researchers said in their paper, “71% of Facebook users expose at least one publicly-accessible photo album.” An attacker “needs access to the victim’s friends list” so he or she can “see the photos and try to befriend the victim’s friends, further widening the attack surface.” The victim “must have at least 50 friends and the ‘user’s friends must be tagged’.” Next, the attacker extracts the tagged faces from those photos and keeps them as training data. The paper describes the system, in the caption of its overview figure, as an “Overview of our automated SA-breaking system. It operates in four steps:”
In Step 1, we retrieve the victim’s friend list using his or her UID. Then, in Step 2 (optional), we send befriend requests, so that we have more photos to extract faces from and build face classifiers in Step 3. In Step 4, given a photo, we query the models to retrieve the corresponding UID and thus match a name to face.
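The four steps above, as an added toy simulation written for this page (it is not the researchers’ code and uses no real face-recognition library): faces are stood in for by short numeric embeddings of the kind a face-recognition engine or cloud API would emit, Step 3 trains one centroid per friend UID from the tagged faces, and Step 4 answers a challenge only where the best match clearly beats the runner-up, which is what separates the paper’s “solved” challenges from those where the attacker merely gains an advantage over guessing. The fixture data, the UIDs, the 7-photo challenge size, the `MARGIN` threshold and the `simulate` parameters are all constructed assumptions.

```python
"""Toy version of the four-step SA-breaking pipeline (added example).

Faces are represented by constructed numeric embeddings; nothing here
talks to Facebook or to a face-recognition service.
"""
import math
import random

MARGIN = 2.0  # assumption: a match counts only if the best centroid beats
              # the runner-up by this distance; otherwise the attacker guesses


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_classifiers(tagged_faces):
    """Step 3: one model (here, a centroid) per friend UID, trained on the
    faces extracted from photos tagged with that friend in Steps 1 and 2.
    Friends with no tagged photos get no model at all."""
    models = {}
    for uid, faces in tagged_faces.items():
        if faces:
            models[uid] = [sum(col) / len(faces) for col in zip(*faces)]
    return models


def identify(models, face):
    """Step 4: map a face to a UID. Returns (uid, confident); confident is
    False when no centroid clearly wins, e.g. for a friend never modelled."""
    ranked = sorted((dist(face, c), uid) for uid, c in models.items())
    best_d, best_uid = ranked[0]
    runner_d = ranked[1][0] if len(ranked) > 1 else math.inf
    return best_uid, (runner_d - best_d) >= MARGIN


def attack_challenge(models, photos):
    """photos: list of (true_uid, face). Returns the attacker's answer per
    photo (None = must guess) and the outcome class: 'solved' (every photo
    answered correctly), 'advantage' (some answered, fewer to guess) or
    'guess' (nothing recognised)."""
    answers = []
    for _, face in photos:
        uid, confident = identify(models, face)
        answers.append(uid if confident else None)
    correct = sum(1 for (true_uid, _), a in zip(photos, answers) if a == true_uid)
    if correct == len(photos):
        outcome = "solved"
    elif correct > 0:
        outcome = "advantage"
    else:
        outcome = "guess"
    return answers, outcome


# Constructed fixture: three friends with four tagged faces each, and one
# friend (uid0004) with none, i.e. outside the set the attacker can model.
TAGGED = {
    "uid0001": [[11, 0, 0, 0], [9, 0, 0, 0], [10, 1, 0, 0], [10, -1, 0, 0]],
    "uid0002": [[0, 11, 0, 0], [0, 9, 0, 0], [1, 10, 0, 0], [-1, 10, 0, 0]],
    "uid0003": [[0, 0, 11, 0], [0, 0, 9, 0], [0, 1, 10, 0], [0, -1, 10, 0]],
    "uid0004": [],
}
CHALLENGE = [  # constructed SA challenge: three photos, true UID attached
    ("uid0002", [0.5, 9, 0, 0]),
    ("uid0003", [0, 0, 11, 0.5]),
    ("uid0004", [0, 0, 0, 10]),  # never seen: the attacker has to guess
]


def simulate(faces_per_friend, n_friends=60, n_challenges=200, dim=16, seed=1):
    """Randomised variant for exploring how the number of tagged faces the
    attacker holds per friend changes the solved/advantage fractions.
    Friend centroids and per-photo noise are constructed Gaussians."""
    rng = random.Random(seed)
    truth = {f"uid{i:04d}": [rng.gauss(0, 1.0) for _ in range(dim)]
             for i in range(n_friends)}

    def photo_of(centroid):  # one tagged photo: true face plus noise
        return [x + rng.gauss(0, 1.0) for x in centroid]

    models = build_classifiers(
        {u: [photo_of(c) for _ in range(faces_per_friend)] for u, c in truth.items()})
    counts = {"solved": 0, "advantage": 0, "guess": 0}
    for _ in range(n_challenges):
        shown = rng.sample(list(truth), 7)  # seven photos of distinct friends
        _, outcome = attack_challenge(models, [(u, photo_of(truth[u])) for u in shown])
        counts[outcome] += 1
    return {k: v / n_challenges for k, v in counts.items()}


if __name__ == "__main__":
    print(attack_challenge(build_classifiers(TAGGED), CHALLENGE))
    for n in (10, 120):
        print(n, "faces per friend:", simulate(n))
```

On the fixture, the first two photos are recognised and the third is not, so the challenge lands in the “advantage” class: the attacker still has to guess one photo, but over a candidate list shortened by the two names already placed. Running `simulate(10)` against `simulate(120)` shows the direction of the paper’s finding that more faces per friend push challenges from “advantage” into “solved”; the exact fractions depend entirely on the constructed noise parameters and should not be read as the paper’s results.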
When asked about the “All Your Face Are Belong to Us” research, Stefano Zanero, from the Department of Electronics and Information, Polytechnic of Milan, Italy, told me: "Social authentication is an interesting proposal to make it easier for users to log into a website without having to remember complex passwords. Our research aims to show what are the pitfalls in designing such a system, and what level of security can be achieved with it."
Is Facebook aware of the SA vulnerability, and, if so, then what did the company reply?
Zanero: First of all - as you may have glimpsed - our work is somehow broader than "Facebook's SA is broken."
Our research aims to point out the potential flaws in the concept of "social authentication", using Facebook's specific one (the most widely deployed and thus the most interesting example!) as a case study.
We made Facebook aware of the work recently. We contacted our POC at Facebook, and this is the answer that Alex Rice of Facebook allowed us to forward to you:
Thanks so much for reaching out to us and recognizing that keeping the internet safe is a collaborative effort, and that people, like yourself, around the world can make valuable contributions. We encourage security researchers who identify security problems to embrace the practice of notifying security teams of problems and giving us the opportunity to address the vulnerability. In this case, your research has provided deeper insight into characteristics of our authentication system that we have been aware of during its evolving development.
We employ multiple layers of security and Social Authentication is only one of several potential responses that our authentication systems may trigger when suspicious activity is detected. While Social Authentication is not designed to stop small-scale or targeted attacks, it has proven incredibly effective at stopping large-scale phishing attacks. It is also important to keep in mind that users are only enrolled in Social Authentication after they have provided the correct password to the account.
For those who want to take additional steps to secure their account, we have provided true two-factor authentication with our Login Approvals product.
We remain confident in the ability of Social Authentication to combat the current threat presented by large-scale phishing attacks. As we move forward, we will continue to improve these systems to become more sophisticated and configure our protections to be more robust against any emerging threat that seeks to compromise user accounts.
When I commented that their research was interesting, but also a bit scary, Zanero said, “We would not see the result as scary, but definitely we do agree it's interesting :-) The point is to explore how robust this form of authentication can be made, without making it too difficult for users. It's a bit like the CAPTCHA you find on forms and websites: designed to tell humans from computers, they are becoming so annoying that humans are getting turned aside as a result.”