Abstract
A number of web service firms have started to authenticate users via their social knowledge, such as whether they can identify friends from photos. We investigate attacks on such schemes. First, attackers often know a lot about their targets; most people seek to keep sensitive information private from others in their social circle. Against close enemies, social authentication is much less effective. We formally quantify the potential risk of these threats. Second, when photos are used, there is a growing vulnerability to face-recognition algorithms, which are improving all the time. Network analysis can identify hard challenge questions, or tell a social network operator which users could safely use social authentication; but it could make a big difference if photos weren’t shared with friends of friends by default. This poses a dilemma for operators: will they tighten their privacy default settings, or will the improvement in security cost too much revenue?
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Kim, H., Tang, J., Anderson, R. (2012). Social Authentication: Harder Than It Looks. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32946-3_1
DOI: https://doi.org/10.1007/978-3-642-32946-3_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32945-6
Online ISBN: 978-3-642-32946-3
eBook Packages: Computer Science (R0)