Security questions in the Facebook era - PowerPoint PPT Presentation

About This Presentation

Title: Security questions in the Facebook era

Description: Information-retrieval hardness assumptions, plus secrecy assumptions. ... E.g., favorite pastime, first employer. 'What was your high school mascot? ...

Slides: 27
Provided by: cupsC
Learn more at: http://cups.cs.cmu.edu

Transcript and Presenter's Notes

1
Security questions in the Facebook era
  • Ari Rabkin
  • asrabkin_at_cs.berkeley.edu

2
Definitions
  • Security question: ask the user something
  • Secret security question: ask for a secret fact
  • SSN, account number, PIN, etc.
  • Personal security question: question about
    something meaningful to the user
  • Not secret

3
The problem
  • Security for personal sec. Qs is based on
    information-retrieval hardness assumptions, plus
    secrecy assumptions.
  • But IR is improving rapidly
  • Humans like to talk about themselves and each
    other -- share ever more information.
  • Hard to know what an attacker might know.

4
The context
5
Methodology
  • I and a handful of volunteers went through
    forgotten password mechanisms at 20 banks.
  • Checked whether mechanism recognizes hosts.
  • Wrote down steps in authentication process.
  • Made list of all accessible security questions.
  • Coded and analyzed questions in use

6
The banks in question
7
Coded by type
Chart legend: Banks, Online Banks, Credit Cards,
Brokerages, Credit Unions; institutions without
password reset mechanism
8
Classifying the Qs
  • Different sorts of security weaknesses
  • Guessable
  • Automatically attackable
  • Human Attackable

9
Guessable
  • Definition: can guess the correct answer at least 1%
    of the time, without any knowledge of the honest
    user
  • What is the last name of your favorite
    president?
  • Years and ages are guessable.
  • In which year did you meet your spouse?
  • First names are guessable.

10
Auto. Attackable
  • Can algorithmically answer some security
    questions using Facebook and similar sites
  • For instance, educational background.
  • Where and when you went to school.
  • College athletic rivals
  • Also, preferences: favorite book, movie, ....

11
Human Attackable
  • Many Qs answerable from blogs, webpages.
  • E.g., favorite pastime, first employer.
  • What was your high school mascot?
  • Hard to catch all such cases, since no full
    enumeration of available sources.
  • Also varies from person to person.

12
The mechanisms
  • The major banks and credit cards mostly don't
    rely on personal security questions alone.
  • Many ask for SSN, acct number, PIN.
  • A few send email messages.
  • Brokerages and online-only banks rely more
    heavily on security questions

13
Statistics
  • Only a third of questions appeared secure.
  • About 15% of Qs were auto. attackable
  • About 35% were guessable.
  • Rates varied widely from bank to bank.
  • No clear patterns in question quality.

14
Popular topics
  • Many questions about family
  • Names of relatives, life events, etc
  • Many questions about preferences.
  • Favorite book, movie, etc

15
The popular questions
  • Name of first pet (6 banks of 11)
  • Favorite sports team (4 of 11)
  • Grandmother's first name (4 of 11)
  • High school mascot (4 of 11)

16
Related Work
  • Michael Just: Designing and evaluating
    challenge-question systems
  • Mannan & van Oorschot: Security and usability:
    the gap in real-world online banking
  • Griffith & Jakobsson: Messin' with Texas
  • Haga & Zviran ('91): Question-and-answer
    passwords: an empirical evaluation

17
Some quick fixes
  • Can limit guessability by rejecting overly common
    answers.
  • Can try to ask questions with secure answers.
  • Remove weakest questions
  • CAPTCHAs, to reduce auto. attack
  • Warn users to pick good questions
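As an added illustration (not from the slides), the guessability test of slide 9 and the "reject overly common answers" fix from this slide, implemented over constructed answer populations for a president question and a year question:

```python
from collections import Counter

# Guessability threshold from slide 9: an answer an attacker can guess at
# least 1% of the time with no knowledge of the honest user.
GUESS_THRESHOLD = 0.01

def normalize(answer):
    """Case/whitespace-fold so 'Lincoln ' and 'lincoln' count as one answer."""
    return " ".join(answer.strip().lower().split())

def guess_rate(answers, k=1):
    """Fraction of users hit by k blind guesses (the k most common answers)."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(k)) / total

def is_guessable(answers, k=1, threshold=GUESS_THRESHOLD):
    """True if the question fails the slide-9 test for k guesses."""
    return guess_rate(answers, k) >= threshold

def common_answers(answers, threshold=GUESS_THRESHOLD):
    """Answers that alone cover >= threshold of users: the 'overly common'
    answers the slide-17 fix rejects at enrolment."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values()) or 1
    return {a for a, c in counts.items() if c / total >= threshold}

def accept_answer(candidate, answers, threshold=GUESS_THRESHOLD):
    """Enrolment-time check: reject a candidate that is already overly common."""
    return normalize(candidate) not in common_answers(answers, threshold)

# Constructed sample populations (not real survey data).
# "What is the last name of your favorite president?" - 200 users.
PRESIDENTS = (["Lincoln"] * 40 + ["Washington"] * 30 + ["Kennedy"] * 20
              + ["president%d" % i for i in range(110)])
# "In which year did you meet your spouse?" - 500 users spread over 50 years.
YEARS = [str(1960 + i % 50) for i in range(500)]

if __name__ == "__main__":
    for name, data in (("president", PRESIDENTS), ("year", YEARS)):
        print(name, "guess rate %.3f" % guess_rate(data), "guessable:", is_guessable(data))
    print("reject Lincoln:", not accept_answer("Lincoln", PRESIDENTS))
```

The year question is guessable even though no single year dominates: 50 plausible values already put every blind guess at 2%.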

18
Deeper fixes
  • Want to ask Qs users can't disclose answers to.
  • Recognition-based, instead of recall
  • Try to embed media into questions?
  • Ask about images, audio, etc. to make the attacker's
    info retrieval problem harder.

19
Alternate Q. Styles
  • O'Gorman, Bagga & Bentley: Call Center Customer
    Verification by Question-Directed Passwords
  • Jakobsson, Stolterman, Wetzel & Yang: Love and
    authentication
  • Asgharpour & Jakobsson: Adaptive Challenge
    Questions Algorithm in Password Reset/Recovery

20
Takeaways
  • Many personal security questions are weak.
  • Security Qs are getting weaker due to improved IR
    and increase in online content.
  • Research needed in order to keep up.

21
Questions?
  • My data files are available from
  • http://www.cs.berkeley.edu/asrabkin/securityquestions.tgz

22
What they did
23
Inapplicable
  • Lot of questions about family
  • Names of children, spouses, grandparents
  • Details of weddings, honeymoons, etc
  • Assumptions about lifestyles
  • In what city is your vacation home?

24
Ambiguous
  • Many questions with multiple true answers, or
    multiple ways of reading it
  • What is your favorite book,movie,place...
  • Who was your best friend from high school?

25
Not Memorable
  • Sometimes, there's one unambiguous answer that
    many users are unlikely to remember.
  • Early childhood events, obscure family history.
  • Names of kindergarten teachers, etc
  • What was the price of your first car?
  • Unfortunately, no clear line here.

26
Statistics about Qs