Security questions in the Facebook era
Ari Rabkin

Presentation Transcript
Definitions
  • Security question = ask the user something
  • Secret security question = ask for a secret fact
    • SSN, account number, PIN, etc.
  • Personal security question = a question about something meaningful to the user
    • Not “secret”
The problem
  • Security of personal security questions rests on:
    • Information-retrieval (IR) hardness assumptions, plus secrecy assumptions.
    • But IR is improving rapidly.
    • Humans like to talk about themselves and each other, and share ever more information.
  • Hard to know what an attacker might know.
Methodology
  • I and a handful of volunteers went through the forgotten-password mechanisms at 20 banks.
  • Checked whether the mechanism recognizes hosts.
  • Wrote down the steps in the authentication process.
  • Made a list of all accessible security questions.
  • Coded and analyzed the questions in use.
Coded by type

[Chart: questions coded by type, per institution. Key: Banks, Online Banks, Credit Cards, Brokerages, Credit Unions, Institutions without a password reset mechanism]

Classifying the Qs
  • Different sorts of security weaknesses
    • Guessable
    • Automatically attackable
    • Human Attackable
Guessable
  • Definition: an attacker can guess the correct answer at least 1% of the time, without any knowledge of the (honest) user.
  • “What is the last name of your favorite president?”
  • Years and ages are guessable.
    • “In which year did you meet your spouse?”
  • First names are guessable.
Auto. Attackable
  • Some security questions can be answered algorithmically using Facebook and similar sites.
  • For instance, educational background.
    • Where and when you went to school.
    • College athletic rivals.
  • Also, preferences: “favorite {book, movie, ...}”.
Human Attackable
  • Many Qs are answerable from blogs and web pages.
    • E.g., favorite pastime, first employer.
    • “What was your high school mascot?”
  • Hard to catch all such cases, since there is no full enumeration of available sources.
  • Also varies from person to person.
The mechanisms
  • The major banks and credit cards mostly don’t rely on personal security questions alone.
    • Many ask for SSN + account number + PIN.
    • A few send email messages.
  • Brokerages and online-only banks rely more heavily on security questions.
Statistics
  • Only a third of questions appeared secure.
    • About 15% of Qs were auto. attackable.
    • About 35% were guessable.
  • Rates varied widely from bank to bank.
    • No clear patterns in question quality.
Popular topics
  • Many questions about family.
    • Names of relatives, life events, etc.
  • Many questions about preferences.
    • Favorite {book, movie, etc.}
The popular questions
  • Name of first pet (6 banks of 11)
  • Favorite sports team (4 of 11)
  • Grandmother’s first name (4 of 11)
  • High school mascot (4 of 11)
Related Work
  • Michael Just: “Designing and evaluating challenge-question systems”
  • Mannan & van Oorschot: “Security and usability: The gap in real-world online banking”
  • Griffith & Jakobsson: “Messin’ with Texas”
  • Haga & Zviran (‘91). “Question-and-answer passwords: an empirical evaluation”
Some quick fixes
  • Can limit guessability by rejecting overly common answers.
  • Can try to ask questions with secure answers.
  • Remove the weakest questions.
  • CAPTCHAs, to reduce automated attack.
  • Warn users to pick good questions.
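The Guessable slide defines a weak question by a blind attacker's hit rate (at least 1% with no knowledge of the user), and the first quick fix above is to reject overly common answers. The Python below is an added example, not code or data from the talk: it computes that hit rate from the distribution of answers a site has collected at enrollment, flags a question as guessable at the 1% threshold, and implements the reject-common-answers policy. The answer populations are constructed, and the `attempts` parameter (guesses allowed before lockout) and the case/whitespace normalization rule are assumptions of this example.

```python
"""Guessability check for personal security questions.

Added example, not code or data from Rabkin's slides. It applies the deck's
"Guessable" criterion (a blind attacker answers correctly at least 1% of the
time) to an answer distribution gathered at enrollment, and implements the
quick fix of rejecting overly common answers. Sample populations below are
constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

GUESSABLE_THRESHOLD = 0.01  # "at least 1% of the time", from the Guessable slide


def normalize(answer: str) -> str:
    """Collapse trivial variants (case, surrounding and internal whitespace)
    so popularity counts are not diluted by 'Lincoln' vs ' lincoln '.
    (Assumed rule; the banks' own matching rules are not on the page.)"""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers: Iterable[str]) -> List[Tuple[str, float]]:
    """(answer, fraction of users) pairs, most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return [(a, n / total) for a, n in counts.most_common()]


def guess_success_rate(answers: Iterable[str], attempts: int = 1) -> float:
    """Chance that an attacker with no knowledge of the user, who simply tries
    the `attempts` most popular answers (guesses allowed before lockout), gets
    one right."""
    dist = answer_distribution(answers)
    return sum(p for _, p in dist[:attempts])


def is_guessable(answers: Iterable[str], attempts: int = 1,
                 threshold: float = GUESSABLE_THRESHOLD) -> bool:
    """The deck's criterion: guessable if the blind success rate is >= 1%."""
    return guess_success_rate(answers, attempts) >= threshold


def reject_common_answer(candidate: str, existing_answers: Iterable[str],
                         threshold: float = GUESSABLE_THRESHOLD) -> bool:
    """Enrollment-time quick fix. True means refuse this answer: accepting it
    would make the single most popular answer succeed against at least
    `threshold` of the user population."""
    counts = Counter(normalize(a) for a in existing_answers)
    total = sum(counts.values()) + 1  # the new enrollment counts too
    return (counts[normalize(candidate)] + 1) / total >= threshold


def audit(question_bank: Dict[str, List[str]],
          attempts: int = 1) -> Dict[str, Tuple[float, bool]]:
    """Per question: (blind success rate, flagged as guessable)."""
    return {q: (guess_success_rate(a, attempts), is_guessable(a, attempts))
            for q, a in question_bank.items()}


# Constructed populations of enrolled users (not the deck's data).
# 100 users; 'lincoln' ends up at 30% once case variants are normalized.
PRESIDENT_ANSWERS = (["Lincoln"] * 28 + ["LINCOLN"] * 2 + ["Washington"] * 25
                     + ["Kennedy"] * 15 + ["Obama"] * 10
                     + [f"other-{i}" for i in range(20)])
# 200 users, every answer distinct: each is 0.5% of the population.
CAR_PRICE_ANSWERS = [str(1000 + 37 * i) for i in range(200)]

SAMPLE_BANK = {
    "What is the last name of your favorite president?": PRESIDENT_ANSWERS,
    "What was the price of your first car?": CAR_PRICE_ANSWERS,
}

if __name__ == "__main__":
    for attempts in (1, 3):
        print(f"--- {attempts} guess(es) before lockout ---")
        for q, (rate, flagged) in audit(SAMPLE_BANK, attempts).items():
            print(f"{rate:6.1%}  {'GUESSABLE' if flagged else 'ok':9}  {q}")
    print("reject 'LINCOLN'?", reject_common_answer("LINCOLN", PRESIDENT_ANSWERS))
    print("reject 'Fillmore'?", reject_common_answer("Fillmore", PRESIDENT_ANSWERS))
```

Two things the numbers make visible: a question whose answers are all distinct passes at one attempt but fails once the lockout allows three guesses, so the 1% threshold only means something together with the attempt limit; and the rejection policy has to be applied to the normalized answer, or a user can sidestep it with a capital letter.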
Deeper fixes
  • Want to ask Qs whose answers users can’t disclose.
    • Recognition-based, instead of recall.
  • Try to embed media into questions?
    • Ask about images, audio, etc. to make the attacker’s information-retrieval problem harder.
Alternate Q. Styles
  • O’Gorman, Bagga & Bentley: “Call Center Customer Verification by Question-Directed passwords”
  • Jakobsson, Stolterman, Wetzel & Yang: “Love and authentication”
  • Asgharpour & Jakobsson: “Adaptive Challenge Questions Algorithm in Password Reset/Recovery”
Takeaways
  • Many personal security questions are weak.
  • Security Qs are getting weaker due to improved IR and the increase in online content.
  • Research is needed in order to keep up.
Questions?
  • My data files are available from: http://www.cs.berkeley.edu/~asrabkin/securityquestions.tgz
Inapplicable
  • Lots of questions about family:
    • Names of children, spouses, grandparents
    • Details of weddings, honeymoons, etc.
  • Assumptions about lifestyles:
    • “In what city is your vacation home?”
Ambiguous
  • Many questions have multiple true answers, or multiple ways of reading them.
  • “What is your favorite {book, movie, place, ...}?”
  • “Who was your best friend from high school?”
Not Memorable
  • Sometimes there’s one unambiguous answer that many users are unlikely to remember.
  • Early childhood events, obscure family history.
    • Names of kindergarten teachers, etc.
    • “What was the price of your first car?”
  • Unfortunately, there is no clear line here.