Security questions in the Facebook era - PowerPoint PPT Presentation

Presentation Transcript
Security questions in the Facebook era

  • Ari Rabkin

  • [email protected]

Definitions

  • Security question = ask the user something

  • Secret security question = ask for a secret fact

    • SSN, account number, PIN, etc.

  • Personal security question = question about something meaningful to user

    • Not “secret”

The problem

  • Security of personal security questions rests on:

    • Information-retrieval (IR) hardness assumptions, plus secrecy assumptions.

    • But IR is improving rapidly.

    • Humans like to talk about themselves and each other, and share ever more information.

  • Hard to know what an attacker might know.

Methodology

  • A handful of volunteers and I went through forgotten password mechanisms at 20 banks.

  • Checked whether the mechanism recognizes hosts.

  • Wrote down the steps in the authentication process.

  • Made a list of all accessible security questions.

  • Coded and analyzed the questions in use.

Coded by type

[Chart: security questions coded by institution type. Key: Banks, Online Banks, Credit Cards, Brokerages, Credit Unions; Institutions without password reset mechanism]

Classifying the Qs

  • Different sorts of security weaknesses

    • Guessable

    • Automatically attackable

    • Human Attackable

Guessable

  • Definition: can guess the correct answer at least 1% of the time without any knowledge of the [honest] user.

  • “What is the last name of your favorite president?”

  • Years and ages are guessable.

    • “In which year did you meet your spouse?”

  • First names are guessable.

Auto. Attackable

  • Can algorithmically answer some security questions using Facebook and similar sites

  • For instance, educational background.

    • Where and when you went to school.

    • College athletic rivals

  • Also, preference: “favorite {book,movie, ...}”.

Human Attackable

  • Many Qs answerable from blogs, webpages.

    • E.g., favorite pastime, first employer.

    • “What was your high school mascot?”

  • Hard to catch all such cases, since no full enumeration of available sources.

  • Also varies from person to person.
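The two slides above separate questions an attacker can answer by program from a public profile from questions that still need a person to hunt through blogs and web pages. The following Python is an added example, not code from the presentation: it matches a constructed, hypothetical social-network profile against a constructed bank of questions of the kinds the deck reports, and answers each one directly from profile fields or leaves it empty. Questions that need an outside source (the high-school mascot, which requires looking the school up) come back empty, which is the line between automatically attackable and merely human-attackable. All names, fields, rules and questions are assumptions made up for the example.

```python
import re

# Constructed, hypothetical public profile, shaped like the public fields of a
# social-network profile export. Not data from the presentation.
PUBLIC_PROFILE = {
    "hometown": "Ann Arbor, Michigan",
    "education": [
        {"school": "Huron High School", "level": "high_school", "end_year": 2001},
        {"school": "University of Michigan", "level": "college", "end_year": 2005},
    ],
    "favorites": {"book": "Dune", "movie": "Alien"},
    "family": [
        {"relation": "mother", "name": "Susan Miller"},
        {"relation": "grandmother", "name": "Ruth Carter"},
    ],
}

# Constructed question bank, modelled on the question types the deck reports.
QUESTIONS = [
    "What was the name of your first pet?",
    "What high school did you attend?",
    "In what year did you graduate from high school?",
    "What is your favorite movie?",
    "What is your grandmother's first name?",
    "What was your high school mascot?",
]


def _schools(profile, level):
    return [e for e in profile.get("education", []) if e.get("level") == level]


# Each rule pairs a pattern over the lower-cased question with an extractor that
# turns the matching profile fields into candidate answers. Order matters: the
# first matching rule wins, so the more specific patterns come first.
RULES = [
    (re.compile(r"year.*graduat.*high school"),
     lambda p, m: [str(e["end_year"]) for e in _schools(p, "high_school")]),
    (re.compile(r"high school.*(attend|name)"),
     lambda p, m: [e["school"] for e in _schools(p, "high_school")]),
    (re.compile(r"(college|university).*(attend|graduat|name)"),
     lambda p, m: [e["school"] for e in _schools(p, "college")]),
    (re.compile(r"favou?rite (\w+)"),
     lambda p, m: [v for k, v in p.get("favorites", {}).items() if k == m.group(1)]),
    (re.compile(r"(grandmother|grandfather|mother|father)'s first name"),
     lambda p, m: [f["name"].split()[0] for f in p.get("family", [])
                   if f.get("relation") == m.group(1)]),
    (re.compile(r"(city|town).*born|hometown"),
     lambda p, m: [p["hometown"].split(",")[0].strip()] if "hometown" in p else []),
]


def auto_answer(question, profile):
    """Candidate answers derivable purely from profile fields; [] if none."""
    q = question.lower().replace("\u2019", "'")   # fold typographic apostrophes
    for pattern, extract in RULES:
        m = pattern.search(q)
        if m:
            return extract(profile, m)
    return []


def classify(questions, profile):
    """Map each question to the candidates the profile yields for it."""
    return {q: auto_answer(q, profile) for q in questions}


def auto_attackable_share(questions, profile):
    """Fraction of the bank the profile answers with no human in the loop."""
    answered = sum(1 for q in questions if auto_answer(q, profile))
    return answered / len(questions)


if __name__ == "__main__":
    for q, answers in classify(QUESTIONS, PUBLIC_PROFILE).items():
        print(f"{q:50} -> {answers or 'needs outside source / not on profile'}")
    print(f"auto-attackable share: {auto_attackable_share(QUESTIONS, PUBLIC_PROFILE):.2f}")
```

The empty results are the interesting ones for a defender: a question is only as safe as the weakest public field that answers it, and the share of a bank that a profile answers outright is the number to watch as profile fields grow.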

The mechanisms

  • The major banks and credit cards mostly don’t rely on personal security questions alone.

    • Many ask for SSN + acct number + PIN.

    • A few send email messages.

  • Brokerages and online-only banks rely more heavily on security questions

Statistics

  • Only a third of questions appeared secure.

    • About 15% of Qs were auto. attackable

    • About 35% were guessable.

  • Rates varied widely from bank to bank.

    • No clear patterns in question quality.

Popular topics

  • Many questions about family

    • Names of relatives, life events, etc

  • Many questions about preferences.

    • Favorite {book, movie, etc}

The popular questions

  • Name of first pet (6 banks of 11)

  • Favorite sports team (4 of 11)

  • Grandmother’s first name (4 of 11)

  • High school mascot (4 of 11)

Related Work

  • Michael Just: “Designing and evaluating challenge-question systems”

  • Mannan & van Oorschot: “Security and usability: The gap in real-world online banking”

  • Griffith & Jakobsson: “Messin’ with Texas”

  • Haga & Zviran (1991): “Question-and-answer passwords: an empirical evaluation”

Some quick fixes

  • Can limit guessability by rejecting overly common answers.

  • Can try to ask questions with secure answers.

  • Remove the weakest questions.

  • CAPTCHAs, to slow automated attacks.

  • Warn users to pick good questions
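The 1% guessability definition from the Guessable slide and the first quick fix above (rejecting overly common answers) both reduce to arithmetic over an answer distribution. The following Python is an added example, not code or data from the presentation; the answer counts are constructed to resemble a pet-name distribution with a long tail, a 50-year spread for a year question, and a population where every answer is distinct. It goes one step beyond the slides by accounting for the number of attempts a reset flow allows, since an attacker who gets three guesses collects the combined share of the top three answers. The function names, thresholds and sample counts are assumptions made for the example.

```python
# Constructed answer distributions (hypothetical counts, not the deck's data).
# Nine common first-pet names plus a long tail of 8,260 names seen once each.
PET_COUNTS = {"max": 320, "buddy": 280, "bella": 240, "lucy": 200, "charlie": 180,
              "rocky": 160, "daisy": 140, "molly": 120, "fluffy": 100}
PET_COUNTS.update({f"tail{i}": 1 for i in range(8260)})        # total 10,000

# "In which year did you meet your spouse?": ~50 plausible years, roughly uniform.
YEAR_COUNTS = {str(y): 200 for y in range(1960, 2010)}          # total 10,000

# A question whose answers happen to be all distinct in this population.
UNIQUE_COUNTS = {f"answer{i}": 1 for i in range(2000)}          # total 2,000


def normalize(answer):
    """Fold case and whitespace so 'Max ' and 'max' count as the same answer."""
    return " ".join(answer.lower().split())


def _counts_desc(answer_counts):
    return sorted(answer_counts.values(), reverse=True)


def guess_success_rate(answer_counts, attempts=1):
    """Success probability for an attacker with no knowledge of the user who
    spends `attempts` guesses on the most common answers, most common first."""
    total = sum(answer_counts.values())
    return sum(_counts_desc(answer_counts)[:attempts]) / total


def is_guessable(answer_counts, attempts=1, threshold=0.01):
    """The deck's definition: guessable if the blind success rate is >= 1%."""
    return guess_success_rate(answer_counts, attempts) >= threshold


def max_safe_attempts(answer_counts, threshold=0.01):
    """Largest number of guesses a reset flow can allow before the blind-guess
    success rate reaches the threshold. 0 means even one guess is too many.
    Works in integer counts so the boundary case is exact."""
    limit = threshold * sum(answer_counts.values())
    running, k = 0, 0
    for count in _counts_desc(answer_counts):
        if running + count >= limit:
            break
        running += count
        k += 1
    return k


def accept_answer(answer, answer_counts, max_share=0.005):
    """Quick fix from the deck: reject an answer that too many other users share.
    max_share is an assumed policy knob (0.5% of the population here)."""
    total = sum(answer_counts.values())
    share = answer_counts.get(normalize(answer), 0) / total
    return share < max_share


if __name__ == "__main__":
    for name, dist in [("first pet", PET_COUNTS), ("year met spouse", YEAR_COUNTS),
                       ("all distinct", UNIQUE_COUNTS)]:
        print(f"{name:16} 1 guess: {guess_success_rate(dist):.4f}  "
              f"3 guesses: {guess_success_rate(dist, 3):.4f}  "
              f"guessable: {is_guessable(dist)}  safe attempts: {max_safe_attempts(dist)}")
    for a in ["Max ", "Fluffy", "Rex"]:
        print(f"accept {a!r}: {accept_answer(a, PET_COUNTS)}")
```

The attempt count is the caveat: a question that looks safe against a single blind guess crosses the 1% line once the reset flow tolerates enough wrong answers, so the lockout threshold belongs in the same review as the question bank. Rejecting common answers only helps if the answer is normalized the same way at enrollment and at reset, and it needs a population-wide answer distribution that the site must collect and keep current.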

Deeper fixes

  • Want to ask Qs users can’t disclose answers to.

    • Recognition-based, instead of recall

  • Try to embed media into questions?

    • Ask about images, audio, etc. to make the attacker’s information-retrieval problem harder.

Alternate Q. Styles

  • O’Gorman, Bagga & Bentley: “Call Center Customer Verification by Question-Directed passwords”

  • Jakobsson, Stolterman, Wetzel & Yang: “Love and authentication”

  • Asgharpour & Jakobsson: “Adaptive Challenge Questions Algorithm in Password Reset/Recovery”

Takeaways

  • Many personal security questions are weak.

  • Security Qs are getting weaker due to improved IR and increase in online content.

  • Research needed in order to keep up.

Questions

  • My data files are available from:


Inapplicable

  • Lots of questions about family:

    • Names of children, spouses, grandparents

    • Details of weddings, honeymoons, etc

  • Assumptions about lifestyles

    • “In what city is your vacation home?”

Ambiguous

  • Many questions have multiple true answers, or multiple ways of reading them.

  • “What is your favorite {book, movie, place, ...}?”

  • “Who was your best friend from high school?”

Not Memorable

  • Sometimes, there’s one unambiguous answer that many users are unlikely to remember.

  • Early childhood events, obscure family history.

    • Names of kindergarten teachers, etc.

    • “What was the price of your first car?”

    • Unfortunately, no clear line here.