the cups blog

07-24-08

Security Questions in the Facebook Era

Ari Rabkin

Summary: In an environment where information sharing is common, security questions are becoming easier and easier to attack. What to do? Redesign security questions so that they are not easily attackable. Add additional elements (e.g. audio or video) that are still easy for the user to remember, but unique to the user.

Security questions assume there is an information asymmetry between the attacker and the user.

Def:
Security Question – Ask user something
Secret question – Ask for a secret fact
Personal security question – Ask about something meaningful to user (NOT SECRET)

The problem:
Security for personal sec. Q is based on
– Information retrieval hardness assumptions and security assumptions
But IR is improving rapidly
– Humans like to talk about themselves and share info
– Hard to know what an attacker might know

User Study Context:
Online Banking

Study
– Looked at forgotten password mechanisms at 20 banks
– Checked to see if the mechanism recognized hosts

Credit Unions do not do lost passwords

Classification:
– Guessable (Can guess more than 1% of the time)
– Automatically attackable (Info on Facebook)
– Human Attackable (Get answer from blogs/Internet, CV)

Popular Topics
– Family
Relatives, life events
– Preferences
Favorite books, movies, etc
– Name of first pet
– Favorite sports team
– Grandmother’s first name
– High school mascot

Quick fixes:
– Limit guessability by rejecting overly common answers
– Ask questions w/ secure answers
– remove weakest questions
– Use CAPTCHAs
– Warn users to pick good question
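The "guessable" classification above (an attacker succeeds more than 1% of the time) and the fixes "reject overly common answers" and "remove weakest questions" can be turned into a concrete enrollment-side check. This is an added example, not code from the talk or the CUPS blog; the answer corpora, the 1% per-answer share limit and the function names are my assumptions.

```python
"""Guessability check for personal security questions (added example, not from the talk).
Estimates how often an attacker who submits the most common answers would succeed,
using the talk's 1% guessability threshold, and rejects overly common answers."""
from collections import Counter
import unicodedata

GUESSABLE_THRESHOLD = 0.01   # from the talk: a question is guessable above 1% success
MAX_ANSWER_SHARE = 0.01      # assumption: reject an answer shared by more than 1% of users

# Constructed sample corpora (not real user data), one list of enrolled answers per question.
SAMPLE = {
    "favorite sports team": ["Yankees"] * 30 + ["Red Sox"] * 20 + ["Lakers"] * 15
                            + [f"Team {i}" for i in range(35)],          # 100 answers
    "name of first pet":    ["Max", "Bella"] + [f"pet{i}" for i in range(98)],  # 100 answers
}


def normalize(answer: str) -> str:
    """Fold case, accents and punctuation so 'Red Sox!' and 'redsox' count as one answer."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.lower() if ch.isalnum())


def guess_success_rate(answers, guesses: int) -> float:
    """Fraction of users compromised by trying the `guesses` most common answers."""
    counts = Counter(normalize(a) for a in answers)
    top = sum(n for _, n in counts.most_common(guesses))
    return top / len(answers)


def is_guessable(answers, guesses: int = 1) -> bool:
    """Talk's classification: guessable if the attacker succeeds more than 1% of the time."""
    return guess_success_rate(answers, guesses) > GUESSABLE_THRESHOLD


def accept_answer(answers, candidate: str) -> bool:
    """Enrollment check: reject very short answers and answers too many users already share."""
    norm = normalize(candidate)
    if len(norm) < 3:
        return False
    share = sum(1 for a in answers if normalize(a) == norm) / max(len(answers), 1)
    return share <= MAX_ANSWER_SHARE


def weakest_questions(corpora, guesses: int = 1):
    """Questions an attacker beats more than 1% of the time (candidates for removal)."""
    return sorted(q for q, a in corpora.items() if is_guessable(a, guesses))


if __name__ == "__main__":
    for q, answers in SAMPLE.items():
        print(f"{q}: top-1 guess succeeds {guess_success_rate(answers, 1):.0%}")
    print("remove:", weakest_questions(SAMPLE))
```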

Deeper fixes:
– Ask Qs users can’t disclose answer to
– Recognition-based instead of recall
– Try to embed media into questions?
– Ask about images, audio, etc to make it more difficult

Takeaways:
– Many security questions are weak, and getting weaker.
– Research needed to keep up