Multi-Factor Authentication for Social Networking Website

Introduction

Social networking is not a new notion. Even before the advent of the internet, social networks existed in the form of, for example, a university or a club. Social networking means three or more individuals meeting up and exchanging information. This was based on the understanding that the value of people working as a group is more than the sum of the value of each individual [1].

Social networks in those days were, however, limited geographically. The internet opened the doors to possibilities that were unthought-of before. Social networks are now possible for people who are geographically dispersed. Social network websites allow friends and relatives to remain in touch, business people to increase their contacts and generate leads, and like-minded people to discuss their favourite topics. Social networks have changed the way the internet and the World Wide Web are viewed: from being a mere information repository, the web is now considered a major tool to connect and reconnect with people [1].

Facebook, Orkut and MySpace are typical examples of social networking websites meant for connecting on a personal level, although these can also be used to maintain professional contacts. Social networking websites like LinkedIn are dedicated to professional contacts: keeping in touch professionally, generating sales leads, getting a job, etc. It is not surprising that social network services are used not only by adults, both individuals and professionals, but also by teens [1].

Background to the Research Problem

Social networking websites have opened the doors to many new opportunities that were previously not possible, but not without bringing new risks to their users. Previously, social networking was usually face-to-face and identification and authentication were not a big problem; with the internet as the medium for socializing, the only method generally adopted to identify people is a unique user name and password. This allows anyone with access to the user name and password to access, and possibly misuse, a user’s personal information and account. The internet has also made it possible to steal someone’s identity, that is, to pretend to be someone else and take advantage of the situation. In terms of social networking, this could mean pretending to be a celebrity to get access to information on fans, directors, etc. and misuse it. For a company, it could mean that someone pretends to be a company employee and speaks negatively about the company, spoiling its name and reputation. The same holds true for an individual.

Social networking websites store information about the user profile, and some also allow maintaining multiple profiles for different purposes. Most social networking websites offer some amount of privacy control, allowing the user to control who views his profile, who can search for the user, who can know about his visits to a profile, etc. [2]. However, someone with access to the authentication credentials of a user also gets access to all this information. Some of the possible ways to misuse this information are “targeted scams, identity theft, cyber-bullying, stalking, and child solicitation” [3]. Many studies on social networking sites reveal that, in spite of the availability of privacy settings, it is possible to crawl through user data [4], [5], [6], and that even after names are removed from the graph of an anonymized data set, it can still be de-anonymized [7], [8], making it possible to misuse the information. All of these dangers become possible once the authentication information is obtained.

So how does one get access to the user name and password? The obvious way is leakage of the information by the user. Tools are also available to conduct brute-force attacks that guess passwords based on dictionary words. However, the insecure channel (i.e. the internet) and web-based technologies also have security flaws that can make it easy for an attacker to obtain this information. This, coupled with the characteristic of social network sites of holding centralized, up-to-date personal data about their users, makes social network websites a vulnerable target for hackers.

A quick check on Google for the keywords “Facebook attack” led to several articles on the first page alone indicating the vulnerability of social networking websites, e.g. a virus attack [9], a denial-of-service attack [10], phishing attacks [11], [12], spyware attacks [13] and malware attacks [14]. This is just the tip of the iceberg. Getting access to a user’s login information only makes these sites more vulnerable.

User education, password policies, secure connections, warnings to users, etc. are some of the steps taken by social networking websites in order to prevent information leaks. However, these measures have not been sufficient, as attacks continue to happen, leaving social networking websites that rely on a user name and password combination for authentication vulnerable and insecure. Hence, there is a need to develop better authentication methods that would make it difficult for a hacker to obtain unauthorized access to private user information.

Problem Statement

Since social networking websites are prone to attacks, unauthorized access to user information can prove detrimental and can leave the user vulnerable. In order to gain more user confidence, social networking websites need to provide a better authentication system to ensure better security for their users and the information that they store on these sites. Users lose trust in such sites when they find the site prone to attacks. Since social networking websites are based on users and user content, losing users can prove to be a big loss. Hence, these websites need a better authentication system.

This brings into the picture multi-factor authentication, which uses a combination of two or more authentication methods in order to verify a user, making it more secure than the simple user name and password authentication method. Email verification, image verification, virtual keyboards and mobile phone SMS are some of the ways of incorporating multi-factor authentication. However, none of these methods is entirely secure on its own, and hence there is a need to study existing authentication methods and their vulnerabilities and come up with a solution that is best in terms of security, usability, cost-effectiveness and robustness.

The dissertation therefore seeks to develop an approach to protect users’ information from unauthorized access by enhancing the security of the existing common text-based password with multi-factor authentication. Authentication based on a combination of a visual password and a mobile SMS text would be used as an alternative to the traditional text-based password. This would help overcome some of the shortcomings of textual passwords as well as enhance the security of the common text-based password with multi-factor authentication.

Aims and Objectives of the Study

The aim of this project is to develop an authentication scheme based on graphical passwords and handheld devices (cell phones) that can be effectively and securely used as a user-friendly multi-factor authentication mechanism for social networking websites. The objectives of the study are defined as:

  1. Identifying the vulnerable entities of existing authentication schemes.
  2. Deriving or identifying the security requirements necessary to implement on a social networking website.
  3. Assessing the strengths and weaknesses of existing authentication schemes.
  4. Proposing and implementing a solution that ensures secure social networking websites.

Methodology and Outcomes

This dissertation is based on exploratory research conducted on the security of social networking websites. The research began with a comprehensive literature search and review covering social networking websites in terms of authentication, security threats and analysis of the vulnerabilities of these sites. Using peer-reviewed journals and articles, books, conference papers and websites, the literature review was conducted to understand the background of the research topic. The first objective of the dissertation was met by identifying and analyzing the security threats that can compromise social networking websites. The results of this process, coupled with more information from the literature, helped identify the requirements for providing a secure social networking experience. These requirements were then used to assess the authentication systems used by various social networking sites today. The results of all these steps were used to come up with a solution that provides a secure social networking experience. This method was proposed and implemented based on the Microsoft .NET Framework.

The outcome of the research can therefore be summarized as:

  1. Identification and analysis of vulnerabilities of social networking websites
  2. Identification of requirements for providing a secure social networking experience
  3. Proposal and implementation of a solution that provides a secure social networking experience

Scope and Limitations

The security of social networking websites can be threatened in many ways; the focus of this dissertation is only on security threats arising as a result of an inadequate authentication method. The dissertation focuses on analysis of the susceptibility of existing social networking systems to the various attack strategies. This was partially achieved by reviewing the past literature, while the majority of the analysis of existing systems was achieved by studying their websites, either by becoming a member or by using their public help systems that demonstrate authentication. Since there are many social networking websites, the study of existing systems was limited to the top 5 most popular social networking websites (Facebook, MySpace, Twitter, LinkedIn and Classmates) based on a study conducted by eBizMBA [14].

Structure of the Dissertation

The dissertation is divided into seven chapters. Chapter 1 introduced the research problem and the aim and objectives of the research.

The next chapter, Chapter 2, provides background on social networking web sites and the confidence in the security of these web sites. It also discusses digital identity, privacy, authentication and the types of authentication.

Chapter 3 provides an analysis on the vulnerabilities of social networking web sites as well as discusses the various attack strategies that are possible.

The next chapter, Chapter 4, analyzes the top 5 most popular social networking web sites in terms of how their authentication systems work. It also explains the pros and cons of these systems. Based on the information from Chapters 3 and 4, the requirements of social networking sites relevant to their security were derived.

Chapter 5 proposes the solution – a multi-factor authentication model. The design and implementation of the solution are discussed in detail.

Chapter 6 consists of the evaluation of the proposed solution against the requirements that were defined in Chapter 4.

The last chapter, Chapter 7, consists of the conclusion and recommendation for the dissertation.

Background

History of Social Network Services

Social networking websites focus on building and reflecting the social relationships that one shares with other people. Online social networking in its infancy was available in the form of Bulletin Board Systems (BBS), AOL and CompuServe [16]. BBS allowed users to download files or games as well as send messages to other users. CompuServe also provided similar functionality; however, it introduced “emails” for ease of user communication. AOL is, however, considered a “true precursor to today’s social networking sites” as it allowed the creation of searchable profiles.

According to boyd and Ellison [15], social networking websites have the following characteristics:

  1. allows creation of a user profile that is semi-public in nature
  2. allows creation of a list of other users that are socially connected to a user
  3. allows viewing their list of connections as well as those made by their connections

Websites that provided the above listed services individually already existed. For example, dating sites and community sites allowed the creation of profiles but not the other features, AIM and ICQ allowed the creation of lists of friends which were, however, invisible to others, and classmates.com allowed connecting with friends but profiles couldn’t be created. However, SixDegrees.com was the first website that combined these features and hence is considered the first social networking website [15]. SixDegrees.com was launched in 1997 [15], [16].

AsianAvenue, BlackPlanet, MiGente, LiveJournal, Cyworld and LunarStorm were some of the social networking sites that sprung up between 1997 and 2001 [15], [16]. Ryze.com was launched in 2001 and was the first to focus on professional networks [15].

Figure 1: Timeline of launch dates of major social service networks

The popularity of social networking sites grew in 2002 with the launch of Friendster. Friendster utilized the degree of separation concept of SixDegrees.com calling it “Circle of Friends” [15], [16]. Friendster’s interface was similar to online dating sites which also attracted many users. Friendster’s technology could not match its growing popularity and significant technical problems kept arising that alienated users coupled with ousting of several genuine users along with fake ones [15].

LinkedIn was launched in 2003 but focused on connecting with other professionals and is still one of the major business networking sites today [16].

MySpace was also launched in the same year but it has been more popular than LinkedIn. MySpace took advantage of Friendster’s problems and attracted Friendster’s alienated users, thereby increasing its user base.

The most popular social networking site, however, is Facebook [14]. It was founded by university students in 2004 only for Harvard university and remained so for two years before it was launched to the general public in 2006 [15], [16].

Most social networking sites focus on a wide audience, while others explicitly focus on a niche audience. Examples include aSmallWorld, Beautiful People, Couchsurfing, BlackPlanet and MyChurch, which are either selective or limited geographically [16].

Many social networking sites are on the rise; however, it is difficult to count them, with social networking platforms like Ning allowing the creation of niche social networking sites [15].

Digital Identity

Social networking sites represent a digital identity of an individual, that is, a digital representation of a human entity consisting of attributes that represent that human. The security requirements of social networking sites that maintain digital identities can be generalized into the following three (although more detailed and exhaustive security requirements may be implemented) [17], [18]:

  1. Confidentiality: Digital identity/resources should be available to authorized individuals only. This involves confirmation of an individual’s identity, or authentication.
  2. Integrity: Only authorized individuals should be able to modify digital identity/resources. This involves providing access rights or authorization to users.
  3. Availability: Resources should always be accessible to all authorized individuals based on their rights.

Authentication

Authentication is basically verification of an entity to ensure that the person is who he claims to be. This involves verifying that an unknown individual who claims to be one of the digital identities stored on the social networking site with some properties (e.g. username and password) is indeed the one by comparing these properties with those stored in the database of the site. It is important to distinguish authentication from identification of an individual. Identification involves recognition of an entity by providing attributes of the unknown individual which is achieved by matching these attributes with those stored in the database.

Authentication Process

The authentication process usually involves two steps. The first step consists of user identification whereby the identification of the user interacting with the system is carried out. Since this is a way to identify the user, the user name need not be secured. The next stage is authentication wherein it is verified that the user is indeed the owner of that user name. Hence, the authentication process and information have to be kept a secret.

Figure 2: The Authentication Process

Factors of Authentication

Depending on the type of attribute of the digital identity that is used to authenticate a user, authentication can be categorized into three factors, which are explained briefly in the following sub-sections.

Knowledge-based Authentication (Something the User Knows)

Authentication is based on the knowledge of the user, i.e. something that the user knows and that is deemed to be a secret from others. This is the most commonly used authentication mechanism. Examples of knowledge-based authentication include passwords and PINs. There is, however, a difference between secret and obscure passwords [19]: obscure passwords, such as date of birth, place of birth, native place or maiden name, are merely unknown to most people rather than truly secret.

The main advantage of this type of authentication is that it is simple to implement and use, and cost-effective. However, there are many disadvantages. Passwords are easy to forget and can be disclosed to others; the disclosure can be a deliberate act or the result of trickery [20], [21], [22], [23]. Also, revealing the password during each authentication makes it less of a secret after every use, so that it could be discovered and used for identity theft, for example [19]. This makes it the least secure form of authentication [24]. Some of these problems are addressed by applications requiring passwords to be changed frequently; however, this has not been very effective, since people tend to forget the new passwords.

Token-based Authentication (Something the User Has)

When authentication is done on the basis of a physical object possessed by the user, it is known as token-based authentication [19], [20], [25]. The simplest real-life example is the use of a birth certificate or driver’s license to confirm a person’s identity. For computer applications, the token could be a USB device, a smart card such as a credit card, debit card or loyalty card, an RFID (Radio-Frequency Identification) tag, a grid card, etc. The application obtains from these devices unique information about the user, which is used for authentication. Cryptographic operations are used to store and retrieve this information so as to prevent its misuse. This type of authentication is usually done in conjunction with knowledge-based authentication and is hence more secure.

The major disadvantage of token-based authentication is that being physical objects, they are liable to be stolen. In case of pure token-based authentication, anyone possessing the token would become a legitimate user. Duplication and forgery are also possible especially if the tokens are not very complex [19], [20]. However, the owner of the token can take preventive measures in case he realizes that the token is stolen.

Biometrics-based Authentication (Something the User Is)

This authentication method involves the use of physiological traits such as fingerprints, iris, voice etc. for authentication. To be suitable for biometrics-based authentication, the physical characteristic chosen should fulfill the following four requirements [26]:

  1. Universality – characteristic should be found in all individuals who need to be authenticated
  2. Distinctiveness – the characteristic should be identifiably different between two people so as to be able to distinguish between them
  3. Permanence – the characteristic needs to remain the same over a long time-frame
  4. Collectability – the characteristic should be measurable quantitatively

Biometrics-based authentication involves capturing a user’s characteristic at the registration stage which is then stored for authentication in the future. This is more secure than knowledge-based and token-based authentications as physiological traits are difficult to steal, alter or forge [27].

The major disadvantage is the high cost of implementation, since it requires new, expensive hardware for authentication, for storage and for a reader [19], [28], [29]. Samples of physiological traits may not be exactly the same each time, resulting in false identification [27], [30]. If the authentication methods are not properly designed, they could be prone to attacks exposing the user’s physiological traits to the attackers. This is a more serious problem with biometrics-based authentication than with the others due to the permanence of the characteristics [26], [27].

Multi-factor Authentication

Security has been a major concern for most businesses. To improve it, more than one of the above defined methods are used together for authentication. This is known as multi-factor authentication since it involves more than one factor. It is important to understand that multi-factor authentication does not mean multiple solutions from the same factor, but rather at least one solution from two of the factors discussed earlier [24]. For example, if you use passwords and secret images together, it only forms knowledge-based authentication but it is not multi-factor authentication. However, if you use passwords (knowledge-based authentication) along with USB device (token-based authentication), it is known as multi-factor authentication. A common example of multi-factor authentication in use is a bank card with PIN.

Innovations in Authentication Methods

This section discusses two authentication methods that are being increasingly used on websites due to their potential benefits.

Graphical Password Authentication

In order to overcome the shortcomings of the text-based password, authentication mechanisms based on graphical passwords are being recommended by many researchers. The main idea behind utilizing graphical passwords is that human beings tend to remember and recall visuals easily as compared to text.

Perrig and others [54] proposed an authentication mechanism based on identification of images that were seen beforehand. It utilizes RandomArt that basically generates a visual representation of the users’ hashed passwords. Dhamija and others [55] created Déjà Vu suite that extended this work by requiring identification of sequence of images. Another method was touching areas of an image in sequence as determined earlier for authentication [56]. Jermyn and others suggested use of simple photos on a grid (cited in [55]). Real User Corporation’s Passfaces utilizes human faces instead of random images. Yardi and others [57] also suggest the use of photographs; however, this involves identification of subjects in the photographs which a genuine user would know.
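As an added illustration, and not code from the dissertation or from any of the schemes cited above, the following Python sketch shows the server side of a recognition-based graphical password of the Déjà Vu kind: the user registers a portfolio of images, each login shows that portfolio mixed with random decoys, and the user must pick out exactly the portfolio. The class name, the portfolio and challenge sizes and the image identifiers are assumptions of the example.

```python
import hmac
import math
import random
import secrets

PORTFOLIO_SIZE = 5    # images a user registers and must recognise (assumed parameter)
CHALLENGE_SIZE = 25   # images shown per login: the portfolio plus decoys (assumed)


class RecognitionPasswordStore:
    """Server side of a Deja Vu style recognition scheme (hypothetical helper)."""

    def __init__(self, image_library):
        self.image_library = list(image_library)  # all images the site can show
        self.portfolios = {}                      # username -> tuple of image ids
        self.challenges = {}                      # challenge id -> (username, shown)

    def register(self, username, portfolio):
        portfolio = tuple(sorted(set(portfolio)))
        if len(portfolio) != PORTFOLIO_SIZE or not set(portfolio) <= set(self.image_library):
            raise ValueError("portfolio must be PORTFOLIO_SIZE distinct library images")
        # The portfolio itself has to be kept server side: every challenge must
        # contain it, so it cannot be stored only as a one-way hash.
        self.portfolios[username] = portfolio

    def issue_challenge(self, username, rng=None):
        """Return (challenge_id, images). Unknown users get a decoy-only challenge
        so that the response does not reveal whether the account exists."""
        rng = rng or random.SystemRandom()
        portfolio = self.portfolios.get(username, ())
        decoys = [i for i in self.image_library if i not in portfolio]
        shown = list(portfolio) + rng.sample(decoys, CHALLENGE_SIZE - len(portfolio))
        rng.shuffle(shown)
        challenge_id = secrets.token_hex(16)
        self.challenges[challenge_id] = (username, tuple(shown))
        return challenge_id, shown

    def verify(self, challenge_id, username, selected):
        """Check the selection against the portfolio; each challenge is single use."""
        record = self.challenges.pop(challenge_id, None)
        if record is None or record[0] != username:
            return False
        shown = set(record[1])
        portfolio = self.portfolios.get(username)
        chosen = sorted(set(selected))
        if portfolio is None or not set(chosen) <= shown:
            return False
        # Constant-time comparison of the canonical (sorted) representations.
        return hmac.compare_digest(",".join(portfolio).encode(), ",".join(chosen).encode())


def guess_space():
    """Number of distinct answers to one challenge. A blind guess succeeds with
    probability 1/guess_space(), so online attempts must still be rate limited."""
    return math.comb(CHALLENGE_SIZE, PORTFOLIO_SIZE)


if __name__ == "__main__":
    library = [f"img{n:02d}" for n in range(40)]          # constructed image ids
    store = RecognitionPasswordStore(library)
    store.register("alice", ["img03", "img11", "img19", "img27", "img35"])
    cid, shown = store.issue_challenge("alice")
    print(len(shown), "images shown; answer space:", guess_space())
    print("correct selection accepted:",
          store.verify(cid, "alice", ["img03", "img11", "img19", "img27", "img35"]))
```

Two design points matter for the security of such a scheme: the challenge identifier binds the user's answer to the particular set of images shown, so a captured answer cannot be replayed against a fresh challenge, and the answer space of one challenge (53,130 combinations with the sizes assumed here) is far smaller than that of a good text password, which is why the dissertation pairs the visual password with a second factor rather than using it alone.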

Phone Authentication

Many organizations started using tokens to overcome the shortcomings of text-based passwords. However, these tokens also had their disadvantages: a high initial cost to be borne by the provider, the ability to replicate these tokens, loss of tokens, etc., as discussed in section.

With the mobile phones becoming ubiquitous, many have proposed their use as tokens. Instead of mobile phones, “home phone, fax machine, netbook or laptop, PDA, smartphone or any number of other communication devices” could be used [58]. There are several advantages to using a phone for authentication. Firstly, a mobile phone is typically used by a single person and can be used as that person’s identity while eliminating the need of managing an additional token. Secondly, the cost of the “token” does not need to be borne by the provider. Thirdly, since the tokens are not provided by the provider, there is no need to manage tokens, put appropriate processes in place, train users, and manage issues with non-working and lost tokens [58]. According to PhoneFactor [59], “telephones are extremely difficult to duplicate and phone numbers are extremely difficult to intercept”.

Shu and others [60] utilize SMS as part of the authentication process they recommend. PhoneFactor [59] involves calling the user and requiring them to enter a PIN.
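The following Python example is added here and is neither the dissertation's implementation nor code from PhoneFactor or Shu and others. It combines the two factors discussed in this chapter as the multi-factor section defines them: a text password (something the user knows) is checked first, and only then is a one-time code sent to the registered phone (something the user has) and verified. The SMS sender is a hypothetical callable, and the code length, lifetime and attempt limit are assumed parameters.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6            # assumed parameters for the one-time code
OTP_TTL_SECONDS = 120
OTP_MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    phone: str
    salt: bytes
    password_hash: bytes


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


def hash_password(password, salt):
    # Slow salted hash so a leaked database does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class MfaAuthenticator:
    """Two-step login: a text password (something the user knows) followed by a
    one-time code sent to the registered phone (something the user has)."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms     # hypothetical callable(phone, message)
        self.clock = clock           # injectable so expiry can be tested
        self.accounts = {}
        self.pending = {}

    def register(self, username, password, phone):
        salt = os.urandom(16)
        self.accounts[username] = Account(phone, salt, hash_password(password, salt))

    def start_login(self, username, password):
        """Factor 1. Returns True and sends a code only if the password is right."""
        account = self.accounts.get(username)
        # Hash even for unknown users so the response time does not reveal
        # whether the account exists.
        salt = account.salt if account else bytes(16)
        candidate = hash_password(password, salt)
        if account is None or not hmac.compare_digest(candidate, account.password_hash):
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = PendingCode(code, self.clock() + OTP_TTL_SECONDS)
        self.send_sms(account.phone, f"Your login code is {code}")
        return True

    def finish_login(self, username, code):
        """Factor 2. The code is single use, expires, and allows few attempts."""
        pending = self.pending.get(username)
        if pending is None:
            return False
        pending.attempts += 1
        if self.clock() > pending.expires_at or pending.attempts > OTP_MAX_ATTEMPTS:
            del self.pending[username]     # expired or guessed at: a new code is needed
            return False
        if hmac.compare_digest(pending.code.encode(), code.encode()):
            del self.pending[username]     # consumed; replaying the same code fails
            return True
        return False
```

The code is only ever sent to the phone number stored at registration, never to a number supplied at login time, and the second factor is not issued at all until the first succeeds; this keeps the cheap knowledge factor from being bypassed and avoids sending SMS messages on behalf of an attacker who only knows a user name.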

Confidence in security of social networking sites

Social networking sites are typically meant for keeping in touch with friends and professionals and sharing personal information, including photos, videos, etc. These sites require a user to be authenticated before any of their features can be accessed. The requirement of authenticating the user identity therefore becomes one of the major security risks. Authentication in social networking sites usually consists of user identification followed by authentication using one or more authentication factors. Knowledge-based authentication is the typical authentication used in social networking sites, which, as explained in an earlier section, is the least secure authentication method. The increase in data breaches and identity theft has only made this type of authentication more unreliable for security purposes. 278,078 complaints regarding identity theft were registered in 2009 in the US alone [31]. Also, almost 350 billion records have been breached since 2005, compromising the information of nearly 300 billion people [31]. Information-stealing trojans are now even being offered under a “fraud-as-a-service” model [32]. According to research by Breach Security Labs, the most targeted category of all malicious attacks in 2009 was social networks [38].

Graham Cluley and Kerry Harvey are just two victims in whose names phony profiles were created on Facebook in an attempt to wreak havoc [33]. Two researchers also demonstrated how easy it is to impersonate someone using resources available on the internet [34]. Another instance of a security breach is where Facebook accounts were hijacked and a message containing a link to a Trojan was sent, which infected the recipients’ machines once the link was opened [35]. Similarly, “Secret Crush”, actually spyware, was circulated on Facebook on the pretext that it would reveal who had a secret crush on the user [36]. An email requesting users to change their Facebook credentials has also created havoc [37].

Current social networking sites either do not authenticate new members to ensure that the user is indeed who he says he is [33], or the authentication mechanism is not strong enough to catch fraudsters. The typical new-member authentication method consists of providing an email address, which is verified by automatically sending an email to that address and requiring the user to click on a link provided in that email. Since email accounts can easily be created for free, this authentication method cannot prevent impersonation, for example.

The user concerns regarding privacy protection and security have increased and such attacks only decrease their confidence in these social networking sites. While there are no security standards for social networking sites, their revenue stream depends on the number of users which decreases as the user confidence goes down. This has led the social networking sites to improve their security methods especially their authentication mechanism in order to protect their users.

Security Threat Modeling for Social Networks

Research Approach

In order to build high security into a web application, it is essential to conduct a security analysis of the system. This involves identification of potential threats and their analysis to come up with the most appropriate response for ensuring the security of the system. This process is known as threat modelling. Threat modelling allows threats to be identified and rated and involves addressing the top threats [40]. Threat modelling involves understanding the system and identifying threats (irrespective of whether they are exploitable or not) and security requirements in the process [39]. While some suggest identifying security requirements first to enable better focus while conducting threat modelling [41], others suggest conducting threat modelling and deriving security requirements from it, instead of relying on standard security requirements, thereby creating security requirements specific to the system [39]. The nature and subject of this research demand following the latter approach, since the research seeks to understand the current issues and threats and to come up with security requirements and a solution to overcome these threats.

In order to conduct threat modelling and arrive at a solution, the security system engineering method proposed by [39] will be used. According to this, there are three phases to system security engineering:

  1. Conducting threat modelling
  2. Deriving security requirements
  3. Proposing a solution

This method is depicted in the figure below:

Figure 3: System Security Engineering

The three phases are explained in brief in the following sub sections.

Phase 1: Threat Modeling

The approaches to threat modeling suggested by [39], [40], [41] and [42] were studied, and none of them could be applied directly to social network applications. Hence, a threat model based on these approaches was derived that best fits the requirements:

Identify the components: This involves identifying the various components required to utilize social networking functionalities.

Create an architecture overview: This step involves creating a model of the architecture of the social networking applications.

Identify threats: This step involves identifying all threats to each of the components that were derived in step 1. This requires understanding the possible attack strategies on each of the components. The attack strategies will utilize the attack tree methods.

Attack tree methods provide a visual representation for analyzing the security of the system [39]. This is a top-down approach allowing a systematic analysis of the security of the system. By adding up the cost or complexity of the sub-goals, the overall cost of securing the system can be arrived at.

Attack tree analysis begins with the goal of the attack at the top. This goal is then branched into sub-goals, which represent the various events leading to the main goal. The sub-goals can have ‘AND’ and ‘OR’ relationships to indicate whether they depend on other sub-goals (all of them must be achieved) or are independent of them (any one of them suffices).

Analysis of the attack tree would also lead to the identification of assets that are critical from the security perspective.
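As an added example, not part of the dissertation or of the methods it cites, the following Python code represents an attack tree with AND/OR sub-goals and computes the cheapest path to the root goal, which is the evaluation step described above; it also lists the leaf steps an attacker with a given budget could afford, which points at the assets or controls that need strengthening. The tree, its node names and the cost values are constructed for illustration and compare a password-only login with one that also requires a code sent to the user's phone.

```python
from dataclasses import dataclass, field
from typing import List

# Costs are illustrative units of attacker effort, constructed for this example.


@dataclass
class AttackNode:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" (all children needed) or "OR" (any one)
    cost: float = 0.0             # effort of a leaf attack step
    children: List["AttackNode"] = field(default_factory=list)


def cheapest_attack(node):
    """Return (cost, steps) of the least expensive way to reach this goal:
    OR nodes take their cheapest child, AND nodes add up all their children."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in results), [s for r in results for s in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def weakest_leaves(node, budget):
    """Leaf steps an attacker with the given budget could afford on their own;
    these mark the assets and controls that most need strengthening."""
    if node.kind == "LEAF":
        return [node.name] if node.cost <= budget else []
    return [leaf for child in node.children for leaf in weakest_leaves(child, budget)]


def obtain_password():
    # Sub-goal shared by both trees: any one of these routes yields the password.
    return AttackNode("Obtain text password", "OR", children=[
        AttackNode("Dictionary guess of weak password", cost=2),
        AttackNode("Phish password from user", cost=3),
        AttackNode("Capture password on insecure connection", cost=5),
    ])


def single_factor_tree():
    # Login protected by a password only: the root is reached via the password alone.
    return AttackNode("Access user account", "OR", children=[obtain_password()])


def multi_factor_tree():
    # Login protected by a password AND a one-time code delivered to the user's phone.
    return AttackNode("Access user account", "AND", children=[
        obtain_password(),
        AttackNode("Obtain one-time code", "OR", children=[
            AttackNode("Steal the user's phone", cost=8),
            AttackNode("Intercept the SMS", cost=9),
        ]),
    ])


if __name__ == "__main__":
    for label, tree in (("password only", single_factor_tree()), ("password + SMS", multi_factor_tree())):
        cost, steps = cheapest_attack(tree)
        print(f"{label}: cheapest attack costs {cost} via {steps}")
    print("affordable steps at budget 3:", weakest_leaves(multi_factor_tree(), 3))
```

With the constructed costs the password-only tree falls to the cheapest leaf (a dictionary guess at cost 2), whereas the AND node of the multi-factor tree forces the attacker to also obtain the code, so the cheapest path costs 10; the same leaves stay affordable at a small budget in both trees, which is the argument for keeping password policies even when a second factor is added.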

Categorize the threats: The identified threats can be categorized based on the STRIDE or CIA system [39], [42]. The two systems are explained in brief in the tables below.

Table 1: Threat Categorization – STRIDE

  S – Spoofing: This involves illegal acquisition and misuse of confidential information.
  T – Tampering: This involves malicious modification of data, whether in storage, in transit or otherwise.
  R – Repudiation: A malicious user denies having performed an unauthorized action; since there is no record of the action, it can neither be traced nor proved.
  I – Information Disclosure: This involves revealing information to someone who is not allowed to know it.
  D – Denial of Service: This restricts the user from accessing the services offered by the website.
  E – Elevation of Privilege: This involves unrightfully increasing the user’s privileges.

Table 2: Threat Categorization – CIA

  C – Confidentiality: This involves ensuring that information is accessible by authorized users only.
  I – Integrity: This involves ensuring the consistency of data.
  A – Availability: This involves ensuring that data is available to those who are authorized at all times.

For the purpose of this thesis, since the discussion is based on security of authentication credentials, STRIDE seems to be an obvious option over CIA.

Rate the threats: This step involves prioritizing the threats based on the rank assigned to each, thereby helping to understand which ones need to be addressed with high priority. The rating also gives an idea of the probability of the threat occurring and the possible impact if it occurs. This step helps identify those threats that may require no further action except educating users about them, while others may require technical solutions and may warrant immediate attention. The DREAD [40], [41], [42] method is used to evaluate the risk and rate the threats. The rating table provided by [40] will be utilized for ranking the threats.

Table 3: DREAD Method

Rating scale: High (3), Medium (2), Low (1)

D Damage potential
  High (3): The attacker can subvert the security system; get full trust authorization; run as administrator; upload content.
  Medium (2): Leaking sensitive information.
  Low (1): Leaking trivial information.
R Reproducibility
  High (3): The attack can be reproduced every time and does not require a timing window.
  Medium (2): The attack can be reproduced, but only with a timing window and a particular race situation.
  Low (1): The attack is very difficult to reproduce, even with knowledge of the security hole.
E Exploitability
  High (3): A novice programmer could make the attack in a short time.
  Medium (2): A skilled programmer could make the attack, and then repeat the steps.
  Low (1): The attack requires an extremely skilled person and in-depth knowledge every time to exploit.
A Affected users
  High (3): All users, default configuration, key customers.
  Medium (2): Some users, non-default configuration.
  Low (1): Very small percentage of users, obscure feature; affects anonymous users.
D Discoverability
  High (3): Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable.
  Medium (2): The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use.
  Low (1): The bug is obscure, and it is unlikely that users will work out damage potential.
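An added example, not taken from the thesis or from [40], of applying the DREAD scale above in Python: each threat profile is rated 1 to 3 on the five factors, the ratings are summed, and the profiles are ranked. The four threat profiles and their ratings are hypothetical illustration values, and the banding of the total into High, Medium and Low (12 to 15, 8 to 11, 5 to 7) is an assumption made for the example.

```python
"""DREAD scoring and ranking of threat profiles derived from the attack tree."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
RATING_NAMES = {3: "High", 2: "Medium", 1: "Low"}


@dataclass(frozen=True)
class Threat:
    profile_no: int
    description: str
    ratings: Dict[str, int]   # factor -> 1, 2 or 3 as in the DREAD table


def dread_score(ratings: Dict[str, int]) -> int:
    """Sum of the five factor ratings (5..15); rejects missing factors and out-of-scale values."""
    missing = [f for f in FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing DREAD factors: {missing}")
    for factor in FACTORS:
        if ratings[factor] not in RATING_NAMES:
            raise ValueError(f"{factor} must be rated 1, 2 or 3, got {ratings[factor]!r}")
    return sum(ratings[f] for f in FACTORS)


def risk_band(score: int) -> str:
    """Assumed banding of the total: 12-15 High, 8-11 Medium, 5-7 Low."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_threats(threats: List[Threat]) -> List[Tuple[int, str, int, str]]:
    """(score, band, profile_no, description) sorted highest risk first; ties keep profile order."""
    scored = []
    for t in threats:
        score = dread_score(t.ratings)
        scored.append((score, risk_band(score), t.profile_no, t.description))
    return sorted(scored, key=lambda row: (-row[0], row[2]))


# Four of the thesis' threat profiles with hypothetical ratings chosen for illustration only.
EXAMPLE_THREATS = [
    Threat(1, "Obtain credentials through phishing",
           {"damage": 3, "reproducibility": 3, "exploitability": 3, "affected_users": 3, "discoverability": 3}),
    Threat(2, "Obtain credentials by shoulder surfing",
           {"damage": 3, "reproducibility": 2, "exploitability": 2, "affected_users": 1, "discoverability": 2}),
    Threat(6, "Obtain credentials by network sniffing",
           {"damage": 3, "reproducibility": 2, "exploitability": 2, "affected_users": 2, "discoverability": 2}),
    Threat(11, "Obtain credentials through bulk guessing",
           {"damage": 2, "reproducibility": 3, "exploitability": 2, "affected_users": 3, "discoverability": 2}),
]


if __name__ == "__main__":
    for score, band, no, desc in rank_threats(EXAMPLE_THREATS):
        print(f"{score:2d} {band:6s} #{no:<2d} {desc}")
```

The validation in dread_score matters in practice: a rating sheet with a factor left blank or scored on a different scale silently distorts the ranking if it is simply summed.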

Threat modeling details are discussed in Chapter 4.

Phase 2: Security Requirements

The threat model prepared in the first phase should help derive the security requirements of social networking systems. If the security requirements are not well defined or contain faults, then the application cannot be considered secure [39]. The security requirements of social networking systems are discussed in Chapter 5.

Phase 3: Propose Solution

Based on the threat model and the security requirements derived from it, the authentication systems of the top 5 social networking sites are analyzed. This helps in understanding the weaknesses and strengths of the authentication mechanism of each of these systems. Based on this understanding, a solution will be proposed that overcomes the weaknesses of these sites while retaining the strengths. The proposed solution will be discussed in detail in Chapter 6.

Threat Modeling

Identify the components

For using a social networking system, three categories of components are involved:

  1. The end-user or end-user terminal: This would be the end-user who utilizes the social networking application either through his desktop, laptop or mobile phone.
  2. Server: This is the terminal that accepts the user’s queries and responds to them.
  3. Communication channel: This is the medium used for the transmission of the data e.g. internet.

Create an architecture overview

The architecture overview is modeled based on the components identified in section 4.1.

For authentication, the end-user of the social networking site will use his terminal to communicate with the server over the communication channel. The server then communicates with its back-end to identify and authenticate the user. In the case of multiple-channel authentication, there will be additional communication channels, such as a GSM network in the case of SMS and a landline in the case of a voice call. Multi-factor authentication devices such as password generators are also depicted in the model.

Figure 4: Social Networking System Model

Attack Strategies

In order to identify and rate threats, it is essential to understand the various attack strategies possible. Based on this, the threats will be identified and threat profiles will be created.

Attack Strategies on End-user and End-user Terminal

The targets in this case are the end-user, the end-user terminal and one-time passwords.

Social Engineering Attack

Social engineering attacks involve using technical or non-technical strategies to dig up information from the end-user. This requires that the end-user does not suspect anything fishy and therefore readily gives away their authentication credentials. Several methods can be employed to perform a social engineering attack. These methods can be broadly categorized into technical and non-technical methods. The technical methods mainly involve phishing, while the non-technical methods involve a call or mail to the user.

Phishing: Phishing involves the combination of social engineering attack with spoofing techniques thereby tricking a user into divulging confidential information including authentication credentials that an attacker requires to impersonate the user [43]. Phishing attacks can be divided into two types – spoofing of emails and websites and pharming. Pharming is explained in detail in section 4.3.3.1.

Spoofing of emails is an old type of attack wherein flaws of the SMTP protocol are utilized to fake the email address from which the email originates (that is, the FROM email header) [44]. The attacker sends spoofed emails that persuade users to divulge their confidential information. With increasing user awareness of this type of attack, however, its success rate has reduced.

This has led to the modification of this attack so that instead of asking for confidential information, the email requests to follow a link that is basically a spoof of the organizational web site. The spoof web site appears just like the actual web site and appears to be as legitimate as possible which makes it difficult for the user to suspect. The main reason for the success of this kind of phishing is that users rely on the content of a web site instead of its URL to determine its legitimacy [45].

Phishing can also be carried out using malware and Trojans. These can be delivered via emails, web sites, instant messaging programs, etc. Emails are used to send malicious content, while the same may be hosted on web sites. Instant messaging programs are also used to send malicious content, spoof web site links, etc.

URL Obfuscation: Phishing attacks involve tricking users into following a link to a spoof web site. Even though most organizations have attempted to increase user awareness about checking the URL before providing authentication credentials, many studies indicate that users still do not check the URL of the web site [46]. A URL can be obfuscated by several methods, as explained below:

  1. Fake Domain Names: Attackers intentionally utilize domain names that are similar to the domain name of the organization’s genuine web site. Ollman explains how an organization could get Microsoft.com in Russia due to a different language and character set [44].
  2. URL with Login: This is an old trick that is no longer supported by most web browsers. It involved placing login information in the URL itself.
  3. Host Name Obfuscation: This involves using IP addresses instead of the domain name, thereby tricking users.

Vishing: This involves calling a user and impersonating employees or agents of the target organization in an attempt to acquire information. Emails may also be sent asking the user to call a certain number that is used by the attacker to obtain the confidential information.

Special Knowledge Attack

This involves taking advantage of the fact that the user might have stored the authentication credentials. Social networking sites may not always allow your choice of user name, and the user might end up with a user name that is not easy to remember. Also, with so many user names and passwords to remember, it is not unlikely that users prefer to write them down. Users can either write them down on paper or in a file stored on their computer, or may even use their web browser’s auto-fill feature to store the password.

Shoulder Surfing: An attacker can observe a user when s/he is providing his/her authentication credentials and figure them out. This type of attack targets a particular user and cannot be conducted on a large scale. While this may not be a problem for those users who typically visit the web sites from home, those who use cyber cafes or computers in public areas are susceptible to such attacks. Cameras may also be used for this purpose.

Simple Brute Force Attacks: Like shoulder surfing, a simple brute force attack also usually targets a particular user. In a simple brute force attack, an attacker continually tries different permutations of authentication credentials in order to obtain access to the account. This type of attack works especially well when the password is non-numeric and also when the attacker knows the user personally. However, simple brute force attacks are easier to detect, and the usual strategy of most organizations is to lock the account after a few (usually 3 or 5) unsuccessful login attempts [46].

Identity Theft or Impersonation

In section 2.4, real-life examples of two victims of impersonation were provided. Attackers pretended to be the victim and created a user account on the victim’s name obtaining access to their social network and harming them by misusing their account. Bruce Schneier wrote an article [49] that explains how one could easily create fake accounts in social networking sites.

Attack Strategies on End-user Terminal

Authentication credentials can also be obtained through the user’s terminal (desktop, laptop, or mobile phone). There are many ways of achieving this:

  1. By compromising user’s terminal
  2. By stealing terminals
  3. By obtaining physical access to the terminal
  4. By exploiting the vulnerabilities of web browsers

Snooping using Malwares

Snooping is the stealing of a user’s confidential information. Malware is malicious software that gets installed on a user’s terminal through social engineering attacks, i.e. without the user knowing the harm it could do. Malware allows an attacker to monitor the actions on the terminal, thereby enabling them to take advantage. Viruses, Trojan horses, and spyware are examples of malware. Malware creation has grown by a staggering 25,000% since 2000 [47]. Malware can be easily reconfigured to target multiple sites, changing and adding new sites as required. Malware is of the following types:

Key-loggers: Key-loggers are a type of electronic surveillance software that is capable of capturing and recording the keystrokes and mouse clicks made by a user. These keystrokes and mouse clicks are then communicated to the attacker through the malware. These are software key-loggers. Hardware key-loggers are also available but are limited in their usage since they require physical access to the user’s PC. This method works well for public computers in cyber cafes, for example. Use of virtual keyboards prevents this type of attack.

Screen loggers: Screen loggers are also a type of electronic surveillance software. This software searches the terminal for sensitive information. This includes the registry, the auto-fill feature of web browsers, etc. It can also involve taking screen shots of login screens to obtain information. A real-life example is the screen logging attempt against Barclays. Barclays designed a special second level of authentication in an attempt to dodge key-loggers. With screen loggers, the attackers took an image of this screen to break the second level as well.

Trojan Horses: The strongest type of malware attack can be carried out using Trojans. Trojans can perform a host of other attacks already discussed, like snooping using key logging or screen logging, or attacks on the communication channel (network sniffing, MITM attacks, etc.; see section 4.3.3 for more details). User awareness of phishing techniques has led attackers to look for alternative methods, and Trojans seem to answer their needs. It is worth noting here that in 2000, viruses made up 81% and Trojans 14% of all malware, while in 2007 viruses made up 5% and Trojans over 90% [47].

Token Theft

Tokens are usually small hardware devices that can easily be lost or stolen. These could then be misused. If the authentication is based on the token alone, then it becomes easier for the attacker. However, even in two-factor authentication, it provides the attacker with one factor of authentication, and the other factor, such as a password, can be identified using other types of attacks discussed earlier.

Attack Tree of End-user and End-user Terminal

The attack tree of the end-user and end-user terminal can therefore be derived as:

Figure 5: Attack Tree of End-user and End-user Terminal

Attack Strategies on Communication Channel

The communication channel which is usually the internet is used for transmitting data from the user’s terminal to the social networking server and vice versa. The attack strategies include redirecting traffic, sniffing, hijacking sessions, and man-in-the-middle attacks.

Traffic Redirection

One of the attack strategies on communication channel is to redirect traffic. This can be achieved by redirecting the traffic to a fraudulent web site, creating a rogue DHCP server or wireless access point. These are explained in brief below:

Pharming: Pharming attack redirects traffic to a fraudulent website. In this case, pharming would mean theft of authentication credentials of a user through redirection to a fraudulent web site. This can be easily achieved by changing the hosts file on a user’s terminal. It can also be achieved by exploiting the weaknesses in the DNS server software. DNS poisoning is one method whereby an authentic URL is resolved into an IP address that leads to the fraudulent web site [44].

Rogue DHCP Server: The Dynamic Host Configuration Protocol (DHCP) is a networking protocol through which a server supplies machines with their IP address assignment and other network configuration information. If a rogue DHCP server is set up, then an attacker can send fraudulent network information. This can enable redirection of traffic.

Rogue Wireless Access Point: With free wireless access available in public locations such as cafés, airports, etc., they also have become favorite targets of attackers. An attacker can set up a rogue wireless access point which can be accessed by a user who would continue working normally while providing the attacker access to all information including authentication credentials.

Man-in-the-middle (MITM) Attacks

This is when the attacker becomes an intermediary between the user and the server, so that when the user tries to log into a social networking site, the user is actually connected to the attacker’s server, which in turn connects to that social networking site. Since all the information passes to the social networking server via the attacker’s server, the attacker is able to save all confidential information, including authentication credentials, on his server. This type of attack also enables the attacker to modify the information received from the user’s machine before sending it on to the social networking server. Since the user is able to access all services and perform all transactions normally, the user remains unaware of the MITM attack [47].

Session Hijack

Session hijacking involves exploiting the session key usually used for managing user information in a web application. This is generally implemented using cookies, which can easily be stolen from a user’s computer by an attacker, for example using an MITM attack.

Network Sniffing

Network sniffing is quite similar to the MITM attack, except that the attacker is not in the middle but rather disguises as the server to the user and as the user to the server.

Attack Tree of Communication Channel

The attack tree of the communication channel in a social networking site can therefore be derived as:

Figure 6: Attack Tree of Communication Channel

Attack Strategies on Social Networking Server

Bulk Guessing Attack

A bulk guessing attack is explained nicely in [48] with a simple example. Assume that a social networking web site has 10 million users. If this web site allows passwords of 6 digits, then, considering every possible 6-digit password, each password will on average be used by about ten different users. Based on this information, an attacker could use a brute force attack to guess user names for a given password. Unlike a brute force attack, which would require multiple login attempts for a particular user name, this method requires only one login attempt per user. It is noteworthy, however, that 10 million attempts would be required to get 10 successful logins [48]. The success rate of this attack can be reduced by using longer passwords with a combination of alphabets, numbers and symbols to make the guesswork difficult.

Social Networking Policy Violation

All social networking web sites have their policies to protect the privacy of their users. According to these policies, system administrators and other employees are allowed to have access to the user information for strictly business purposes only. Employees who have access to the sensitive information can intentionally leak or accidentally expose a user account. This can usually occur if the social networking system has poor access control or has adopted a poor authentication methodology.

Attack Tree of Social Networking Server

The attack tree of the social networking server can therefore be derived as:

Figure 7: Attack Tree of Social Networking Server

Attack Tree of the Social Networking System

The figure below shows an attack tree of the social networking system. Unlike a bank, where the objective of an attacker is financial gain, the end-goal of an attacker of a social networking system can be one of many. The common goal is to obtain credentials, which can then be used to obtain sensitive information about the user for financial gain, to defame him/her or the organization where s/he works, to stalk or harass the user, etc. Hence, the attack tree starts with the common goal of obtaining credentials, represented by a diamond. This is broken down into the components that an attacker could target to achieve the goal. The components are represented by rectangular boxes. Next, within each component, hexagonal boxes show the possible ways of attacking that component, which are broken down into attack strategies, again represented by hexagonal boxes. Attack vectors that could lead to the achievement of an attack strategy are represented by circles. Attack vectors may need to be combined with other attack vectors in an ‘AND’ or ‘OR’ relationship in order to achieve an attack strategy.

Figure 8: Attack Tree of the Social Networking System

Identify Threats

The attack tree helps us identify the threats to the social networking system in terms of authentication. From the attack tree, it can be concluded that authentication credential can be obtained:

  1. through phishing (URL obfuscation, fake web site, and spoofed email)
  2. by stealing (credentials on paper, using brute force or shoulder surfing)
  3. by impersonating
  4. by snooping (malware)
  5. by obtaining physical access to terminal or token (malware)
  6. by network sniffing
  7. by redirecting transaction traffic (malwares)
  8. by modifying transaction (MITM)
  9. by hijacking session
  10. by modifying traffic (pharming)
  11. through bulk guessing attack
  12. through policy violation

Identify Assets

The attack tree analysis helped in identifying the assets that are critical to the security of the social networking system. These include:

  1. Authentication Credentials
  2. Authentication mechanism integrity
  3. Session integrity

Assessment of Existing Authentication Systems of Social Networks

Deriving Requirements for Social Networks

Security requirements are nothing but countermeasures that need to be implemented to make a system more secure by resolving the known vulnerabilities of the system. While maintaining security, however, there are non-security requirements that need to be kept in mind while designing the countermeasures. Non-security requirements relate to the cost and usability associated with implementing the security requirements. Hence, they need to be treated as being as important as the security requirements.

Based on the security objectives discussed in each of the threat profiles, the security requirements for each threat can be summarized in the table below:

Table 18: Security Requirements of Social Networking Systems

Threat Profile No. | Threat Description | Requirement
1 | Obtain Authentication Credentials through phishing (URL obfuscation, fake web site, and spoofed email) | Transaction authorization
2 | Obtain Authentication Credentials by stealing (credentials on paper, using brute force or shoulder surfing) | Maintain audit trail (logs)
3 | Obtain Authentication Credentials by impersonating | Enhanced authentication
4 | Obtain Authentication Credentials by snooping (malware) | Enhanced authentication
5 | Obtain Authentication Credentials by obtaining physical access to terminal or token (malware) | Confidentiality; Tamper-proof tokens (beyond project scope)
6 | Obtain Authentication Credentials by network sniffing | Confidentiality
7 | Obtain Authentication Credentials by redirecting transaction traffic (malware) | Mutual authentication through enhanced authentication
8 | Obtain Authentication Credentials by modifying transaction (MITM) | Non-repudiation; Integrity; Transaction authorization
9 | Obtain Authentication Credentials by hijacking session | Prevent session intrusion
10 | Obtain Authentication Credentials by modifying traffic (pharming) | Improve DNS security (beyond project scope)
11 | Obtain Authentication Credentials through bulk guessing attack | Increase search space of authentication credentials
12 | Obtain Authentication Credentials through policy violation | Enhanced authentication

Further explanation of each term used in the security requirements is provided in the next section.

Security Requirements

Confidentiality

This is one of the major aspects of security and was discussed briefly in section 3.1.4 (Table 2). The confidentiality requirement requires that information be accessible only by those who are authorized to access it [39], [42]. One of the widely adopted methods of ensuring confidentiality is to encrypt the information in transit.

Integrity

This topic was also touched upon in section 3.1.4 (Table 2). Integrity requires that any information exchanged between the user terminal and the server should not be modified or deleted in transit. Integrity requires both preventing and detecting any change in data in transit. Standard hashing algorithms such as SHA1 and MD5 are generally used to ensure data integrity.
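An added example, not from the thesis, contrasting two ways of checking integrity in transit in Python: a bare SHA-256 digest and an HMAC-SHA-256 tag computed under a key shared by the endpoints. The transaction strings and the shared key are constructed for the example. It uses SHA-256 rather than the SHA1 and MD5 named above because both of those are deprecated for collision resistance, and it shows that an unkeyed digest can be recomputed by anyone on the path, so only the keyed variant detects deliberate modification by the MITM described earlier.

```python
"""Integrity of a transaction in transit: an unkeyed hash versus a keyed HMAC."""
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed key for the example; in practice the two endpoints share it (for instance a key
# derived when the session is set up) and it never travels alongside the message.
SHARED_KEY = secrets.token_bytes(32)


def protect_with_hash(message: bytes) -> Tuple[bytes, str]:
    """Send the message with a SHA-256 digest appended. Detects accidental corruption only."""
    return message, hashlib.sha256(message).hexdigest()


def verify_with_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def protect_with_hmac(message: bytes, key: bytes) -> Tuple[bytes, str]:
    """Send the message with an HMAC-SHA-256 tag; only a holder of `key` can produce a valid tag."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_with_hmac(message: bytes, tag: str, key: bytes) -> bool:
    # compare_digest takes constant time, so the check does not leak how much of the tag matched
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def checksum_without_key(message: bytes) -> str:
    """The best an on-path party without the key can attach to a rewritten message: a fresh
    SHA-256 digest, which a bare-hash verifier will accept and an HMAC verifier will not."""
    return hashlib.sha256(message).hexdigest()


def hash_scheme_detects_tampering(original: bytes, altered: bytes) -> bool:
    """True if the receiver notices that `original` was replaced by `altered` under the hash scheme."""
    _wire_message, _wire_digest = protect_with_hash(original)   # what the sender put on the wire
    # the relayer discards both and ships `altered` with a digest it computed itself
    return not verify_with_hash(altered, checksum_without_key(altered))


def hmac_scheme_detects_tampering(original: bytes, altered: bytes, key: bytes = SHARED_KEY) -> bool:
    """Same experiment under the HMAC scheme: the relayer has no key, so its checksum is rejected."""
    _wire_message, _wire_tag = protect_with_hmac(original, key)
    return not verify_with_hmac(altered, checksum_without_key(altered), key)


if __name__ == "__main__":
    print("bare hash detects modification:", hash_scheme_detects_tampering(b"add_friend=bob", b"add_friend=mallory"))
    print("HMAC detects modification:     ", hmac_scheme_detects_tampering(b"add_friend=bob", b"add_friend=mallory"))
```

The first line prints False and the second True: a hash alone only tells the receiver that the bytes match the digest that arrived with them, which is exactly the pair an intermediary controls. Binding the check to a secret the intermediary lacks, whether an HMAC key as here or the record-layer keys inside SSL/TLS, is what turns a hash into an integrity guarantee against an active attacker.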

Mutual authentication

Just like the user is required to authenticate himself/herself to the social networking server, there is need for the server to authenticate itself to the user. This is called mutual authentication or two-way authentication. This can be done through enhanced authentication that will prevent impersonation attacks on a user. A server can authenticate itself via a server-side certificate for example.

Enhanced authentication

Enhanced authentication can be achieved by implementing multi-factor authentication. Enhanced authentication can help make a site more secure. Multi-factor authentication was discussed in detail in section 2.3.2.4.

Maintain audit trail (logs)

Maintaining logs of authentication attempts will help in understanding whether a brute force attack is in progress. When the number of unsuccessful attempts to authenticate goes beyond a certain number (usually three to five), the system can lock the user account so that the attack cannot proceed and the user account remains safe. If the unsuccessful attempts continue, then the system can conclude that there is a brute force attack and take appropriate action.
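The audit-trail requirement above, together with the bulk guessing attack described under Attack Strategies on Social Networking Server, as one added Python example that is not part of the thesis: it parses a constructed authentication log (the one-line-per-attempt format is assumed for the example), locks accounts after three consecutive failures, flags sources that try many distinct accounts inside a short window (the pattern bulk guessing produces and which per-account lockout never sees), and computes the expected number of successful logins under the thesis' model of passwords spread uniformly over the search space.

```python
"""Audit-trail analysis for authentication logs: per-account lockout and bulk guessing detection."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Hypothetical one-line-per-attempt log format assumed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log. 198.51.100.7 hammers one account (vertical brute force); 203.0.113.9 tries
# one guess against many accounts (bulk guessing), which a per-account counter never notices.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:00:03 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:00:05 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:00:09 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:00:15 src=203.0.113.9 user=bob result=FAIL
2024-05-01T09:00:16 src=203.0.113.9 user=carol result=FAIL
2024-05-01T09:00:17 src=203.0.113.9 user=dave result=FAIL
2024-05-01T09:00:18 src=203.0.113.9 user=erin result=FAIL
2024-05-01T09:00:19 src=203.0.113.9 user=frank result=OK
2024-05-01T09:01:00 src=192.0.2.44 user=grace result=FAIL
2024-05-01T09:01:20 src=192.0.2.44 user=grace result=OK
"""


def parse_log(text: str) -> List[Dict]:
    """Parse log lines into events; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def accounts_to_lock(events: List[Dict], max_failures: int = 3) -> Set[str]:
    """Lock an account after `max_failures` consecutive failures (the three to five the thesis
    mentions); a successful login resets the counter."""
    streak: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "OK":
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
            if streak[e["user"]] >= max_failures:
                locked.add(e["user"])
    return locked


def bulk_guessing_sources(events: List[Dict], window: timedelta = timedelta(minutes=5),
                          min_users: int = 4) -> Dict[str, int]:
    """Sources that attempted logins to at least `min_users` distinct accounts inside a sliding window.
    Returns {source: peak distinct accounts}; this is the signal per-account lockout cannot give."""
    per_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    flagged: Dict[str, int] = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda ev: ev["ts"])
        recent: deque = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = len({x["user"] for x in recent})
            if distinct >= min_users:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def expected_compromises(attempts: int, password_space: int) -> float:
    """Expected successful logins for an attacker making one guess per account, under the thesis'
    idealised model that passwords are uniformly spread over `password_space`: attempts / space."""
    return attempts / password_space


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("lock:", accounts_to_lock(events))
    print("bulk guessing from:", bulk_guessing_sources(events))
    print("6-digit PINs, 10M attempts:", expected_compromises(10_000_000, 10 ** 6))
    print("8-char alphanumeric, 10M attempts:", expected_compromises(10_000_000, 62 ** 8))
```

The two detectors answer different questions: the per-account counter protects one victim and is what the lockout policy implements, while the per-source counter is the only one of the two that sees the bulk guessing pattern, because each victim account receives a single failure. The last two lines reproduce the thesis' arithmetic (10 hits from 10 million attempts against 6-digit passwords) and show how an 8-character alphanumeric policy pushes the expected yield of the same effort far below one account.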

Non-repudiation

Non-repudiation, in general terms, is a two-way assurance that neither the sender nor the recipient can deny the fact that the former sent the message and the latter received it [44]. In technological terms, non-repudiation would be the use of a digital signature to sign a document. The person utilizing a digital signature to sign a document will not be able to refute it, since the digital signature can be created by one person only. Another commonly used method is the use of a trusted third party.

Session Integrity

During a session, a user may provide personal information which may be captured and stored. It is essential that this information is not available to an attacker; hence it is essential that the session expires and the user is required to log in again after a period of inactivity in order to continue. This ensures that information gathered or transmitted during a particular session is available only during that session.

Prevent session intrusion

An attacker can intrude into a user-initiated session and impersonate the user on the basis of that session. This requirement ensures that session intrusion is prevented.

Transaction authorization

A user may forget to log out or may leave their terminal unattended while still logged in, leaving scope for an attacker to perform transactions that can be harmful to the user. This is where transaction authorization helps, as it requires re-authentication for carrying out important transactions. In a social networking site, it is essential to choose your “friends” carefully. This is one of the transactions on a social networking site that would require authorization from the user.
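Session integrity, prevention of session intrusion and transaction authorization, as one added Python example that is not from the thesis: a server-side session store with random 256-bit identifiers, idle and absolute expiry, a fresh identifier on each login, and re-authentication within a short window before sensitive transactions such as adding a friend. The timeout values, the set of sensitive actions and the in-memory store are assumptions for the example; password verification itself is out of scope here.

```python
"""Server-side session handling: random identifiers, idle and absolute expiry, rotation on login,
and re-authentication for sensitive transactions."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical policy values chosen for this example.
IDLE_TIMEOUT = 15 * 60          # seconds without activity before the session expires
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard ceiling on session lifetime, regardless of activity
REAUTH_WINDOW = 5 * 60          # a sensitive transaction needs a credential entered this recently
SENSITIVE_ACTIONS = {"add_friend", "change_password", "change_email"}


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_auth: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                  # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, old_token: Optional[str] = None) -> str:
        """Issue a fresh 256-bit random token after the password has been verified. Any token the
        browser held before login is discarded, so an identifier planted earlier cannot be ridden
        into the authenticated session."""
        if old_token is not None:
            self._sessions.pop(old_token, None)
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None (and drop the session) if unknown or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def reauthenticate(self, token: str) -> bool:
        """Record that the user just re-entered a credential (verifying it is out of scope here)."""
        if self.resolve(token) is None:
            return False
        self._sessions[token].last_auth = self._clock()
        return True

    def authorize(self, token: str, action: str) -> bool:
        """Transaction authorization: ordinary actions need a live session; sensitive ones also need
        a recent re-authentication, so an unattended logged-in terminal cannot be used for them."""
        if self.resolve(token) is None:
            return False
        if action not in SENSITIVE_ACTIONS:
            return True
        return self._clock() - self._sessions[token].last_auth <= REAUTH_WINDOW

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print("view profile:", store.authorize(tok, "view_profile"))
    print("add friend right after login:", store.authorize(tok, "add_friend"))
    store.logout(tok)
    print("after logout:", store.resolve(tok))
```

Three properties of the requirements above are enforced in one place: an identifier that cannot be guessed and is never reused across logins, expiry that bounds how long a captured identifier stays useful, and a re-authentication check that a stolen or abandoned session cannot satisfy on its own. Keeping the clock injectable is what makes the expiry paths testable deterministically.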

Protection against password misuse

This requires that the passwords should be long enough and should consist of a mix of alphabets, numbers and symbols to increase the search space and thereby making it difficult for an attacker to guess it or easily crack it using brute force attack.

Non-Security Requirements

Universality

The current social networking sites are available from anywhere so long as internet is available in that area. It is essential that any security measure taken does not change this universality feature making it difficult for users to access the site from anywhere they could previously access.

Usability

Any security measure that is implemented must be user-friendly. If the customers do not find it easy to use or understand, it will not be useful. Hence, it is essential that the user interface of the social networking site remains simple and intuitive [50]. If the security measure requires any action from the user’s side, then it is essential that they not only understand what it is and how to perform that action, but also how to make sure that they have done the right thing [51].

Cost-effectiveness

Any security measure taken should not require large investment by the user or the social networking services provider. The security measure should be cost effective and the cost should be according to the risk level.

Assessment of authentication mechanisms

Online social networking service providers have taken several measures to tackle cyber crime. However, since this dissertation is based on authentication mechanisms, only measures adopted for improving the security of authentication credentials and the authentication process itself will be discussed. Since mutual authentication is one of the security requirements, the authentication process can be divided into server authentication and user authentication.

Server Authentication

To prevent phishing and other fraud attempts, it is essential that the user is able to authenticate the server. This can be accomplished by various methods. The first widely used method is the use of the SSL/TLS protocol. Most login pages of social networking sites utilize the SSL protocol, and this can be identified by checking the URL, which would begin with HTTPS instead of HTTP. HTTPS uses SSL to transmit data. SSL prevents data from being eavesdropped on or tampered with, thereby meeting both the confidentiality and integrity security requirements.

SSL is usually used in conjunction with digital certificates. A digital certificate is a way of telling users that the organization is genuine and not a fraud. A Signing Authority signs the digital certificate. When a user visits the organization’s web site, the web browser first checks the server’s digital certificate and upon validation provides security indicators, for example a closed padlock at the bottom of the browser. The digital certificate details may also be presented. It is important to note here that the responsibility lies with the user to verify the information and thereby authenticate the server. However, not every user understands the concept of server authentication and digital certificates and may end up falling prey to phishing. A well-designed phishing page has deceived 90% of users [45]. It is also possible to spoof the security indicators with the help of JavaScript and DHTML [52]. Self-signed and expired digital certificates defeat the SSL/TLS server authentication process. In spite of a warning by the web browser, 70% of users continued with authentication [45].

Checking the correctness of the web site URL is another way to authenticate the server. However, users do not possess good understanding of URLs and domain names. Many users do not bother to look at the URL before providing their authentication credentials and fall prey to phishing [53]. Attackers can register domain names that are similar to the organization’s domain name and thereby trick users to authenticate themselves.

It can be concluded therefore that the current server authentication mechanisms are not sufficient as they are not well-understood by users.

User Authentication

To understand the current user authentication mechanism of social networking systems, the user authentication mechanism of the top five social networking systems (FaceBook, MySpace, Twitter, LinkedIn and classmates) will be studied. This section will also include information on how well each of the social networking systems meets the security and non-security requirements.

FaceBook

The user registration is done by providing a valid email address on which a confirmation email is sent. To confirm their account, a user needs to confirm their email address by clicking the link provided in the email. A captcha (words in an image) needs to be correctly submitted as well to ensure that the registration is being done by a human and not by a computer. Authentication is done by using this verified email address as username. Password needs to be of at least six characters.

The user needs to enter the words in the captcha to authorize each transaction (adding friends, poking, etc.). If the user wants to stop providing verification for each transaction, the user needs to verify his/her mobile phone once using a code sent to it by FaceBook.


Strengths of the system

  1. Automatic registration is not possible preventing a machine from creating multiple accounts and using them for phishing attacks.
  2. Verification through mobile phone ensures that the user is legitimate and prevents impersonation. Even if mobile verification is not done, an attacker would have to use captcha to verify transactions every time making it difficult for the attacker.
  3. Secure connection using HTTPS – SSL/TLS is used for authentication only.
  4. Audit trails are maintained. If the first login attempt is unsuccessful, the user is given another opportunity to log in. If that also fails, the user is offered the choice of resetting the password or trying again, and the process continues. After a number of unsuccessful attempts, however, the user account is blocked.
  5. FaceBook logs the user out after a long period of inactivity.
  6. Use of emails and mobile verification (with option to use captcha) also support the non-security requirements viz. universality, usability and cost-effectiveness.

Weaknesses of the system

  1. There is no provision for checking the strength of passwords or recommending that passwords need to be alphanumeric. This makes it an easy target for attackers to carry out a brute force attack or bulk guessing attack.
  2. Transaction authorization is limited to adding friends and poking, while other transactions can still be executed. This means that while an attacker cannot add new friends, they can still use the existing friend list to send phishing messages or links.
  3. Since an email account can be created for free on the internet, it is possible for anyone to create a profile on FaceBook and impersonate someone. Then, using social engineering and other attacks, the attacker can become friends with the victim’s friends and send them phishing messages, for example.
  4. It becomes easy to hack a FaceBook account if one has already hacked the email account. It becomes even easier if the user maintains the same password for both.
  5. The “Keep me logged in” feature also gives attackers an opportunity to hack a FaceBook account since authentication status is stored to ensure that user does not have to log in again.
  6. The onus of authenticating the server lies on the user.
  7. While a user cannot deny a message being sent from his account, the user can pose as a legitimate user whose account has been hacked or phished. Hence, non-repudiation is not well implemented.
  8. Session intrusion and impersonation are further made easy with the use of cookies and hidden form IDs for authentication.

MySpace

MySpace works in exactly the same way as FaceBook. Here also, user registration is based on a valid email address, which is verified and then used as the user name. A correct captcha is also required to ensure that the registration is being done by a human and not by a robot. The password must be at least six characters long.

In this case also, there is transaction authorization. The user needs to enter the words in the captcha to authorize each transaction (adding friends, poking, etc.). If the user wants to stop providing verification for each transaction, the user needs to verify his/her mobile phone once using a code sent to it by MySpace.


Strengths of the system

  1. Automatic registration is not possible preventing a machine from creating multiple accounts and using them for phishing attacks.
  2. Verification through mobile phone ensures that the user is legitimate and prevents impersonation. Even if mobile verification is not done, an attacker would have to use captcha to verify transactions every time making it difficult for the attacker.
  3. Secure connection using HTTPS – SSL/TLS is used for authentication only.
  4. Audit trails are maintained. After a number of unsuccessful attempts, the user account is blocked for some time.
  5. MySpace logs the user out after a long period of inactivity.
  6. Use of emails and mobile verification (with option to use captcha) also support the non-security requirements viz. universality, usability and cost-effectiveness.

Weaknesses of the system

  1. There is no provision for checking the strength of passwords or recommending that passwords need to be alphanumeric. This makes it an easy target for attackers to carry out a brute force attack or bulk guessing attack.
  2. Transaction authorization is limited to adding friends and poking, while other transactions can still be executed. This means that while an attacker cannot add new friends, they can still use the existing friend list to send phishing messages or links.
  3. Since an email account can be created for free on the internet, it is possible for anyone to create a profile on MySpace and impersonate someone. Then, using social engineering and other attacks, the attacker can become friends with the victim’s friends and send them phishing messages, for example.
  4. It becomes easy to hack a MySpace account if one has already hacked the email account. It becomes even easier if the user maintains the same password for both.
  5. The “Remember Me” feature in MySpace remembers the user name, but the password still needs to be entered, unlike FaceBook, which keeps the user logged in. While this is better than FaceBook in terms of security, it is still vulnerable because it provides the user name to an attacker, and the password can then be tried using a brute force attack.
  6. The onus of authenticating the server lies on the user.
  7. While a user cannot deny a message being sent from his account, the user can pose as a legitimate user whose account has been hacked or phished. Hence, non-repudiation is not well implemented.
  8. Session intrusion and impersonation are further made easy with the use of cookies and hidden form IDs for authentication.

Twitter

Twitter also has the same authentication mechanism as FaceBook requiring a valid email address and captcha to register. However, a separate user name is also required during registration although either the email address or the user name could be used for logging into the site.

There is no transaction authorization. This may be because as compared to FaceBook and MySpace, there are very few transactions involved in Twitter.


Strengths of the system

  1. Automatic registration is not possible preventing a machine from creating multiple accounts and using them for phishing attacks.
  2. Secure connection using HTTPS – SSL/TLS is used for authentication only.
  3. Audit trails are maintained. After a number of unsuccessful attempts, the user account is blocked.
  4. Twitter logs the user out after a long period of inactivity.
  5. Use of emails supports the non-security requirements viz. universality, usability and cost-effectiveness.

Weaknesses of the system

  1. There is no provision for checking the strength of passwords or recommending that passwords need to be alphanumeric. This makes it an easy target for attackers to carry out a brute force attack or bulk guessing attack.
  2. No transaction authorization.
  3. Since email addresses can be created for free, and no other authentication factor is involved, there is no guarantee that the user is indeed who s/he claims to be. Although Twitter offers the option of verifying a mobile phone, which would give such assurance, it is not compulsory. Using social engineering and other attacks, the attacker can become friends with the victim’s friends and send them phishing messages, for example.
  4. The user name can, however, be the same as the user name used in the email address (the part of the email before the “@” symbol), making social engineering attacks easier.
  5. It becomes easy to hack a Twitter account if one has already hacked the email account. It becomes even easier if the user maintains the same password for both.
  6. The “Remember Me” feature in Twitter remembers the user name but the password still needs to be entered making it easier for using social engineering and brute force attack.
  7. The onus of authenticating the server lies on the user.
  8. While a user cannot deny a message being sent from his account, the user can pose as a legitimate user whose account has been hacked or phished. Hence, non-repudiation is not well implemented.
  9. Session intrusion and impersonation are further made easy with the use of cookies and hidden form IDs for authentication.

LinkedIn

LinkedIn also uses email address for registration; however it does not require one to enter a valid captcha. Without email verification, a user can set up his professional profile; however, s/he cannot add connections. Transaction authorization is not incorporated.


Strengths of the system

  1. Since registration is on the basis of an email address alone, it is possible to generate multiple accounts using a script and use those accounts for phishing attacks.
  2. Secure connection using HTTPS – SSL/TLS is used for authentication only.
  3. Audit trails are maintained. A user account is blocked if the number of unsuccessful attempts exceeds the maximum limit.
  4. LinkedIn logs the user out after a long period of inactivity.
  5. Use of emails supports the non-security requirements viz. universality, usability and cost-effectiveness.

Weaknesses of the system

  1. There is no provision for checking the strength of passwords or recommending that passwords need to be alphanumeric. This makes it an easy target for attackers to carry out a brute force attack or bulk guessing attack.
  2. No transaction authorization.
  3. Since email addresses can be created for free, and with no other authentication factor involved, there is no guarantee that the user is indeed who s/he is claiming to be. Using social engineering and other attacks, the attacker can become friends with the victim’s friends and send them phishing messages for example.
  4. It becomes easy to hack a LinkedIn account if one has already hacked the email account. It becomes even easier if the user maintains the same password for both.
  5. The onus of authenticating the server lies on the user.
  6. While a user cannot deny a message being sent from his account, the user can pose as a legitimate user whose account has been hacked or phished. Hence, non-repudiation is not well implemented.
  7. Session intrusion and impersonation are further made easy with the use of cookies and hidden form IDs for authentication.

classmates.com

A valid email address is again used for registration; however, unlike the social networking sites discussed earlier, the password is emailed to the user. No captcha is required for registration. Unlike other social networking sites, upon completion the user is automatically taken to the user page instead of requiring the user to login or confirm email address first. However, the user is required to log in before taking further steps.

Strengths of the system

  1. Since registration is on the basis of an email address alone, it is possible to generate multiple accounts using a script and use those accounts for phishing attacks.
  2. Secure connection using HTTPS – SSL/TLS is used for authentication only.
  3. Audit trails are maintained. A user account is blocked if the number of unsuccessful attempts exceeds the maximum limit.
  4. classmates logs the user out after a long period of inactivity.
  5. Use of emails supports the non-security requirements viz. universality, usability and cost-effectiveness.

Weaknesses of the system

  1. There is no provision for checking the strength of passwords or recommending that passwords need to be alphanumeric. This makes it an easy target for attackers to carry out a brute force attack or bulk guessing attack.
  2. No transaction authorization.
  3. Since email addresses can be created for free, and with no other authentication factor involved, there is no guarantee that the user is indeed who s/he is claiming to be. Using social engineering and other attacks, the attacker can become friends with the victim’s friends and send them phishing messages for example.
  4. It becomes easy to hack a classmates account if one has already hacked the email account.
  5. The onus of authenticating the server lies on the user.
  6. While a user cannot deny a message being sent from his account, the user can pose as a legitimate user whose account has been hacked or phished. Hence, non-repudiation is not well implemented.
  7. Session intrusion and impersonation are further made easy with the use of cookies and hidden form IDs for authentication.

Data Flow Diagram

The flow diagram is the same for all the sites, since they only ask for a username and password for authentication. Hence, the flow of messages can be summarized in the following diagram.

Data Flow Diagram

Summary of analysis

The table below provides a quick summary of how well each of the social networking sites satisfies the security and non-security requirements that were derived earlier in this chapter. The legend used in the table is:

  • A => Applicable
  • NA => Not Applicable
  • PA => Partially Applicable

Table 19: Summary of Analysis of Social Networking Sites

Requirement                          FaceBook  MySpace  Twitter  LinkedIn  classmates
Confidentiality                      A         A        A        A         A
Integrity                            A         A        A        A         A
Mutual authentication                NA        NA       NA       NA        NA
Enhanced authentication              PA        PA       NA       NA        NA
Maintain audit trail (logs)          A         A        A        A         A
Non-repudiation                      NA        NA       NA       NA        NA
Session Integrity                    PA        PA       PA       PA        PA
Prevent session intrusion            NA        NA       NA       NA        NA
Transaction authorization            PA        PA       NA       NA        NA
Protection against password misuse   PA        PA       PA       PA        PA
Universality                         A         A        A        A         A
Usability                            A         A        A        A         A
Cost-effectiveness                   A         A        A        A         A

Proposed Solution

Proposed Authentication Mechanism

Considering the non-security requirements viz. universality, usability, and cost-effectiveness, the biometric authentication method was ruled out. Knowledge-based authentication satisfies these requirements well, but the already implemented methods studied in the previous chapter do not satisfy the security requirements. Hence, a different knowledge-based authentication method was required.

The token-based method could work only if the token was a device that was inexpensive enough for the user to purchase or for the social networking site to distribute, or a device that most users already possess. Since mobile phones are becoming ubiquitous, the latter option was feasible.

Considering the above, the researcher proposes a new two-factor authentication method for social networking sites using:

  1. Graphical password
  2. Mobile based confirmation code sent by SMS

Information Flow

For Login Process

The information flow for the proposed solution is:

  1. User provides a valid username to request access to login page.
  2. The server identifies the username by checking against the database. A correct username results in the server responding with a graphics grid consisting of several images including the images selected by the user as password during authentication. Each image has a randomly generated alphanumeric code attached to it.
  3. The user enters the code associated with the password images in the same sequence as s/he selected the images for password during registration.
  4. The system checks the graphical password and, if it is correct, sends an SMS code to the user.
  5. The user enters the SMS code.
  6. The server checks the SMS code and, if it is correct, takes the user to the home page of the social networking system.

The figure below provides the information flow diagram of the authentication process.

Figure 20: Information Flow of proposed solution for login process

For Transaction Authorization

The information flow for the proposed solution is:

  1. User initiates a transaction such as adding a new friend or connection.
  2. The server responds by providing a graphics grid.
  3. The user enters the code associated with the password images in the same sequence as s/he selected the images for password during registration.
  4. The system checks the graphical password and, if it is correct, sends an SMS code to the user.
  5. The user enters the SMS code.
  6. The server checks the SMS code and, if it is correct, completes the transaction; otherwise the transaction is denied.

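The login and transaction-authorization flows above, simulated end to end as an added example (this is not the dissertation's C#.NET implementation): the server builds a grid with fresh random codes on every challenge, the client answers with the codes shown under its password images in registration order, a correct answer triggers a single-use SMS code, and five failures block the account. The grid size, code lengths, code alphabet, account structure and all sample values are assumptions made for the example.

```python
import hmac
import secrets
import string

GRID_SIZE = 12       # assumption: number of images shown per challenge
CODE_LEN = 3         # assumption: 3 password images x 3-character codes = the 9-character password of the evaluation
CODE_ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"   # mixed case, digits and symbols
SMS_LEN = 6          # assumption: length of the SMS confirmation code
MAX_FAILED = 5       # from the page: the account is blocked after 5 failed attempts


class Account:
    def __init__(self, password_images, phone):
        self.password_images = list(password_images)  # ordered image ids chosen at registration
        self.phone = phone
        self.failed = 0
        self.blocked = False
        self.pending_sms = None   # SMS code awaiting entry, if any
        self.pending_txn = None   # friend email awaiting transaction authorization, if any


class AuthServer:
    def __init__(self, image_pool):
        self.image_pool = list(image_pool)
        self.accounts = {}
        self.challenges = {}   # username -> {image_id: code} for the grid currently shown
        self.sms_outbox = []   # constructed stand-in for the SMS gateway: (phone, code) pairs
        self.friends = {}      # username -> friends added through authorized transactions

    def register(self, username, password_images, phone):
        self.accounts[username] = Account(password_images, phone)
        self.friends[username] = []

    def _issue_grid(self, username):
        """Steps 1-2: build a grid of (image_id, code) pairs that always contains the password images."""
        acct = self.accounts.get(username)
        if acct is None or acct.blocked:   # unknown or blocked usernames get no grid
            return None
        decoys = [i for i in self.image_pool if i not in acct.password_images]
        shown = list(acct.password_images)
        while len(shown) < GRID_SIZE:
            shown.append(decoys.pop(secrets.randbelow(len(decoys))))
        for i in range(len(shown) - 1, 0, -1):   # Fisher-Yates shuffle with a CSPRNG
            j = secrets.randbelow(i + 1)
            shown[i], shown[j] = shown[j], shown[i]
        codes = {}
        while len(codes) < len(shown):           # fresh, distinct random code per image on every challenge
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
            if code not in codes.values():
                codes[shown[len(codes)]] = code
        self.challenges[username] = codes
        return [(img, codes[img]) for img in shown]

    def start_login(self, username):
        return self._issue_grid(username)

    def start_transaction(self, username, friend_email):
        """Transaction steps 1-2: the same grid challenge guards 'add friend'."""
        grid = self._issue_grid(username)
        if grid is not None:
            self.accounts[username].pending_txn = friend_email
        return grid

    def check_graphical(self, username, entered):
        """Steps 3-4: the entered string must equal the codes of the password images, in order."""
        acct = self.accounts.get(username)
        codes = self.challenges.pop(username, None)   # a grid is valid for one attempt only
        if acct is None or acct.blocked or codes is None:
            return False
        expected = "".join(codes[img] for img in acct.password_images)
        if not hmac.compare_digest(expected, entered):
            self._record_failure(acct)
            return False
        acct.pending_sms = "".join(secrets.choice(string.digits) for _ in range(SMS_LEN))
        self.sms_outbox.append((acct.phone, acct.pending_sms))
        return True

    def check_sms(self, username, entered):
        """Steps 5-6: a correct SMS code completes the login, or the pending transaction."""
        acct = self.accounts.get(username)
        if acct is None or acct.blocked or acct.pending_sms is None:
            return False
        ok = hmac.compare_digest(acct.pending_sms, entered)
        acct.pending_sms = None                       # each SMS code is single-use
        if not ok:
            self._record_failure(acct)
            return False
        acct.failed = 0
        if acct.pending_txn is not None:
            self.friends[username].append(acct.pending_txn)
            acct.pending_txn = None
        return True

    def _record_failure(self, acct):
        acct.failed += 1
        if acct.failed >= MAX_FAILED:   # audit-trail rule from the page
            acct.blocked = True


def client_answer(grid, password_images):
    codes = dict(grid)   # what the legitimate user does: read the codes under their images, in registration order
    return "".join(codes[img] for img in password_images)
```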
The figure below provides the information flow diagram of the transaction authentication process.

Figure 21: Information Flow of proposed solution for transaction authorization

Web Site

There are three user interfaces:

For Login

The first login page accepts the username and sends it to the server. The second login page displays the graphical password grid. Upon confirmation of the grid, it allows the user to provide the SMS code.

Figure 9: Login Screen – Page 1
Figure 10: Login Screen – Page 2

For Transaction Initiation

The transaction detail, which in this case is the email address of the friend to be added to the user’s friend list, is provided by the user. This information is sent to the server.

Figure 11: Successful login and transaction initiation

For Transaction Confirmation

The transaction confirmation page displays the graphical grid and, upon confirmation of the graphical password, allows the user to enter the SMS code. Upon confirmation of the SMS code, the transaction is completed.

Testing

Usability Testing

The system was tested with the help of about seven users. These users were each provided with a user name. Graphical passwords were selected by them and entered into the database by the researcher. The users were able to successfully log into their accounts and perform a transaction.

White Box Testing

White box testing ensures that all system requirements are met. The system requirements, expected outcome and actual results are noted in the table below:

Table 22: White Box Testing Result

Sr. No. | Test Action | Expected Outcome | Result
1 | Login using the right username | The graphics along with codes should be displayed. | The graphics along with codes are displayed.
2 | Login using an incorrect username | Incorrect username message should be displayed. | Incorrect username message is displayed.
3 | Enter correct graphical password code | The user should be taken to the SMS code authentication page. | The user is taken to the SMS code authentication page.
4 | Enter incorrect graphical password code | Incorrect password message should be displayed. | Incorrect password message is displayed.
5 | Enter correct SMS code | The user should be taken to the home page. | The user is taken to the home page.
6 | Enter incorrect SMS code | Incorrect password message should be displayed. | Incorrect password message is displayed.
7 | Test transaction authorization using the right codes | Message stating that the transaction was successful should be displayed. | Message stating that the transaction was successful is displayed.
8 | Test transaction authorization using incorrect codes | Transaction should be denied. | Transaction is denied.
9 | Enter wrong codes five times | User account should be blocked. | User account is blocked.

Design Evaluation

Security Requirements

Confidentiality

The proposed solution does not include any special mechanism for ensuring confidentiality of transmitted data. The system would need to use security protocols like SSL/TLS to ensure confidentiality.

Integrity

SHA1 hashing is used to maintain integrity of the data transmitted.

Mutual authentication

While the user authentication was achieved through a two-factor authentication mechanism, no special mechanism for server authentication was proposed.

Enhanced authentication

The solution uses enhanced authentication through the use of two-factor authentication with graphical password (knowledge-based authentication) and mobile phone SMS (token-based authentication).

Maintain audit trail (logs)

The server keeps a record of failed logins and blocks the account of a user after 5 failed logins.

Non-repudiation

It is assumed here that only the user has access to the mobile phone and in case it is stolen, due care has been taken to block the number or mobile phone from being misused.

Session Integrity

Through transaction authorization, session integrity is achieved. Graphical passwords generate a unique password code and a random code is sent as SMS to mobile phone, which together makes it difficult to use stolen authentication credentials.

Prevent session intrusion

This is achieved by generating random graphic passwords and random SMS code. Only authentic responses are accepted.

Transaction authorization

Users are required to authenticate themselves again with the same method for important transactions.

Protection against password misuse

Since the solution makes use of graphical passwords whose images are randomly placed and mapped to different codes each time, the password entered changes on every login, making it difficult for attackers to reuse a captured one. Also, the password so generated is 9 characters long and consists of a mix of lower case and upper case letters, numbers and symbols. This makes it challenging to guess authentication credentials with brute force or bulk guessing attacks.

Non-Security Requirements

Universality

Except for the visually impaired, graphical passwords would work for everyone. Mobile phones are also universally available, and users know how to read an SMS. This ensures the universality of the solution.

Usability

Graphics are expected to be easier to remember as compared to random numbers or text-based passwords. Mobile users also know how to read SMS. This makes the solution more user-friendly for users.

Cost-effectiveness

Since the authentication mechanism involves a graphical password and a token (mobile phone) which is ubiquitously available with users, there is no extra cost to be borne by either the social networking sites or its users.

Conclusion

The dissertation identified four objectives at the beginning. The first objective was to identify the vulnerable entities of existing authentication schemes. This was achieved in chapter 3, where a vulnerability analysis was carried out and threat profiles for social networking systems were developed. These threats were also rated to get an understanding of how risky they were. Based on the analysis and threat modelling, it became possible to derive the security and non-security requirements of social networking web sites.

The second objective of the dissertation was to derive or identify the security requirements necessary to implement on a social networking website. This was discussed in detail in chapter 4. Confidentiality, Integrity, Mutual authentication, Enhanced authentication, Maintain audit trail (logs), Non-repudiation, Session Integrity, Prevent session intrusion, Transaction authorization and Protection against password misuse were the security requirements of social networking systems while the non-security requirements included Universality, Usability, and Cost-effectiveness.

The third objective was to assess the strengths and weaknesses of existing authentication schemes. In this case, the top five social networking sites viz. Facebook, MySpace, Twitter, LinkedIn and classmates were studied. The results were presented in chapter 4. All these sites relied on an email address for verification of an individual and did not have very strong authentication mechanisms to protect against impersonation, phishing, social engineering, spoofing and other attacks. The need for a solution that provided a better authentication mechanism while meeting the non-security requirements was evident.

The last objective was to propose and implement a solution that ensures secure social networking websites. This was achieved by proposing a two-factor authentication method based on a graphical password and an authentication code sent through mobile SMS. This method was implemented using Visual Studio C#.NET 2005 and Microsoft SQL Server, then tested and assessed against the requirements derived in chapter 4. The authentication mechanism was able to satisfy all of them except for server authentication and confidentiality.

Based on the analysis and the proposed solution, it is recommended that social networking sites consider two-factor authentication methods utilizing graphical passwords and a token (mobile phone) that is universal in nature.

References

  1. Weaver, A. C., & Morrison, B. B. (2008) “Social Networking”, IEEE Computer, 97-100.
  2. Aïmeur, E., Gambs, S. & Ho, A. (2006) “UPP: User Privacy Policy for Social Networking Sites”. 2009 Fourth International Conference on Internet and Web Applications and Services.
  3. Bonneau, J., Anderson, J. & Danezis, G. “Prying Data out of a Social Network”. 2009 Advances in Social Network Analysis and Mining, 2006, 249-254.
  4. Krishnamurthy, B. & Wills, C. E. (2008) “Characterizing Privacy in Online Social Networks”, WOSN: Workshop on Online Social Networks, 2008, 37-42.
  5. Chau, D. H., Pandit, S., Wang, S. & Faloutsos, C. (2007) “Parallel Crawling for Online Social Networks”, WWW ’07: Proceedings of the 16th international conference on World Wide Web, 2007, 1283–1284.
  6. Mislove, A., Marcon, M., Gummadi, K. P., Druschel, P., & Bhattacharjee, B. (2007) “Measurement and Analysis of Online Social Networks,” Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, 2007, 29–42.
  7. Backstrom, L., Dwork, C. & Kleinberg, J. (2007) “Wherefore Art Thou R3579x?: Anonymized Social networks, Hidden Patterns, and Structural Steganography”, Proceedings of the 16th international conference on World Wide Web.
  8. Narayanan, A. & Shmatikov, V. (2006) “How To Break Anonymity of the Netflix Prize Dataset,” CoRR, abs/cs/0610105.
  9. Adhikari, R. (2008) Latest Facebook Attack Stems from Previous One [online]. Web.
  10. Mills, E. (2009) Twitter, Facebook attack targeted one user [online] Web.
  11. Siegler, M. G. (2009) Phishing Attack Underway At Facebook. [online] Web.
  12. Thompson, R. (2009) Automated Facebook Attack underway [online] Web.
  13. Dybwad, B. (2009) WARNING: New Facebook Malware Attack Is Spreading [online] Web.
  14. eBizMBA Inc. “Top 20 Most Popular Social Networking Websites | 2010”. [online] Web.
  15. boyd, d. & Ellison, N. (2007) “Social Network Sites: Definition, History, and Scholarship”, Journal of Computer-Mediated Communication, 13(1).
  16. Nickson, C. (2009) The History of Social Networking [online] Web.
  17. National Research Council (1990) Computers at Risk: Safe Computing in the Information Age, National Academies Press.
  18. Lampson, B. W. (2004) “Computer Security in the Real World”, IEEE Computer, 37(6), 37-46.
  19. O’Gorman, L. (2003) “Comparing Passwords, Tokens, and Biometrics for User Authentication,” Proceedings of the IEEE, 91(12), 2019 – 2020.
  20. Clarke, R. (1994) “Human Identification in Information Systems:Management Challenges and Public Policy Issues,” Information Technology & People, 7(4), 6-37.
  21. Adams, A. & Sasse, M. A. (1999) “Users are not the enemy,” Communications of the ACM, 42(12), 40-46.
  22. Berghel, H. (2007) “Phishing mongers and posers” Communications of the ACM, 49(4), 21-25.
  23. Dhamija, R., Tygar, J. D. & Hearst, M. (2006) “Why phishing works,” Proceedings of the SIGCHI conference on Human Factors in computing systems, 581-590.
  24. Federal Financial Institutions Examination Council (n.d.) “Authentication in an Internet Banking Environment” [online] Web.
  25. Pfleeger, C. P. & Pfleeger, S. L. (2003) Security in Computing, Prentice Hall Professional Technical Reference.
  26. Jain, A. K. (2004) “Biometric recognition: how do I know who you are?,” The IEEE 12th Signal Processing and Communications Applications Conference.
  27. Prabakhar, S., Pankanti, S. and Jain, A. K. (2003) “Biometric Recognition: Security and Privacy Concerns,” IEEE Security & Privacy Magazine, 1(2), 33 – 42.
  28. Rejman-Greene, M. (2001) “Biometrics — Real Identities for a Virtual World,” BT Technology Journal, 19 (3).
  29. United States Government Accountability Office (2007). Personal Information. Report to Congressional Requesters. [online] Web.
  30. Bhargav-Spantzel, A., Squicciarini, A. & Bertino, E. (2006) “Privacy preserving multifactor authentication with biometrics,” The second ACM workshop on Digital identity management.
  31. Florence, J. (2010) IDentity Statistics Update [online] Web.
  32. Muncaster, P. (2008) Fraud-as-a-service looms over firms [online] Web.
  33. Higgins, K. J. (2008) The Seven Deadliest Social Networking Hacks [online] Web.
  34. Higgins, K. J. (2008) The Seven Deadliest Social Networking Hacks (Page 2 of 7) [online] Web.
  35. Higgins, K. J. (2008) The Seven Deadliest Social Networking Hacks (Page 3 of 7) [online] Web.
  36. Higgins, K. J. (2008) The Seven Deadliest Social Networking Hacks (Page 4 of 7) [online] Web.
  37. Yahoo! News UK & Ireland (2010) “New password-stealing virus targets Facebook”. [online] Web.
  38. Smail, M. (2010) How to Protect Your Social Network Identity [online] Web.
  39. Myagmar, S. Lee, A. J. & Yurcik W. (2005). Threat Modeling as a Basis for Security Requirements. [online] Web.
  40. Microsoft Corporation (2010). “Chapter 3 – Threat Modeling”. [online] Web.
  41. Microsoft Corporation (2007). The Developer Highway Code. Microsoft.
  42. Wernli, E. (2009). Threat modeling: overview. [online] Web.
  43. Engin K., Kruegel C., (2005). Protecting Users against Phishing Attacks. British Computer Society Journal. [online] Web.
  44. Ollman, G. (2004). The Phishing Guide—Understanding and Preventing. White Paper, Next Generation Security Software Ltd.
  45. Dhamija, R., Tygar, J. D. & Hearst, M. (2006). Why Phishing Works, in the Proceedings of the Conference on Human Factors in Computing Systems (CHI).
  46. Florencio, D., Herley, C. & Coskun, B. (2007). Do Strong Web Passwords Accomplish Anything? Proc. Usenix Hot Topics in Security.
  47. Milletary, J., 2007. Technical Trends in Phishing Attacks. [online] Web.
  48. Florencio, D., Herley, C. & Coskun, B. (2007). Do Strong Web Passwords Accomplish Anything? Proc. Usenix Hot Topics in Security.
  49. Schneier, B. (2009). Social Networking Identity Theft Scams. [online] Web.
  50. AlZomai, M., Alfayyadh, B., Josang, A. and McCullagh, A. (2008). An Experimental Investigation of the Usability of Transaction Authorization in Online Bank Security Systems. In Proc. Sixth Australasian Information Security Conference (AISC).
  51. Josang, A., Alfayyadh, B., Grandison, T., Alzomai, M. & McNamara, J. (2007). Security Usability Principles for Vulnerability Analysis and Risk Assessment, in The Proceedings of the Annual Computer Security Applications Conference.
  52. Ye, Z., Smith, S. & Anthony, D. (2002). Trusted Paths for Browsers, in Proceedings of the 11th USENIX Security Symposium.
  53. SecuritySpace (2007). Secure Server Survey. [online] Web.
  54. Perrig, A. & Song, D. “Hash Visualization: A New Technique to Improve Real-World Security,” in Proceedings of the 1999 International Workshop on Cryptography Techniques and E-Commerce.
  55. Dhamija, R. & Perrig, A. (2000) “Déjà Vu: User study using images for authentication”. Ninth Usenix Security Symposium
  56. Blonder, G. E. (1996). “Graphical passwords”, Lucent Technologies, Inc.
  57. Yardi, S., Feamster, N. & Bruckman, A. (2008) “Photo-Based Authentication Using Social Networks”. ACM.
  58. Gamby, R. (2010) “SMS two-factor authentication for electronic identity verification”. [online] Web.
  59. Shu, M., Tan, C. & Wang, H. (2009) “Mobile Authentication Scheme Using SMS”. IITA International Conference on Services Science, Management and Engineering.
  60. Dispensa, S. (2008) “Tokenless Two-Factor Authentication: It Finally Adds Up”. PhoneFactor, Inc.

Appendices

Appendix A

Multi-Factor Authentication for Social Networking Website

Introduction

Social networking websites have opened the doors to many new opportunities that were previously not possible, but not without bringing in new risks to the users. Impersonation, identity theft, scams, etc. are some of the problems. The dissertation therefore seeks to develop an approach to protect the users’ information from an unauthorized access by enhancing the security of the existing common text-based password with multifactor authentication.

Project Objectives

  • Identifying the vulnerable entities of existing authentication schemes.
  • Deriving or identifying the security requirements necessary to implement on a social networking website.
  • Assessing the strengths and weaknesses of existing authentication schemes.
  • Proposing and implementing a solution that ensures secure social networking websites.

Methodology

This dissertation is based on exploratory research into the security of social networking websites, drawing on peer-reviewed journals and articles, books, conference papers and websites. It involved three phases:

Phase I: Vulnerability Analysis through Threat Modeling

Vulnerability analysis results: authentication credentials can be obtained

  • through phishing (URL obfuscation, a fake website, a spoofed e-mail)
  • by stealing them (credentials written on paper, brute force, shoulder surfing)
  • by impersonation
  • by snooping (malware on the user's machine)
  • by obtaining access to the terminal or token (physically or through malware)
  • by network sniffing
  • by redirecting transaction traffic (malware)
  • by modifying a transaction in transit (man-in-the-middle)
  • by hijacking a session
  • by redirecting the user to a fraudulent site (pharming)
  • through a bulk guessing attack
  • through a privacy violation

Security requirements: confidentiality, integrity, mutual authentication, enhanced authentication, an audit trail (logs), non-repudiation, session integrity, prevention of session intrusion, transaction authorization, and protection against password misuse. Non-security requirements: universality, usability and cost-effectiveness.

Phase II: Analyzing existing social networking sites

This phase examined the authentication mechanisms of the top five social networking sites. The mechanisms turned out to be much the same across all of them.

Requirement                          Facebook  MySpace  Twitter  LinkedIn  Classmates
Confidentiality                      A         A        A        A         A
Integrity                            A         A        A        A         A
Mutual authentication                NA        NA       NA       NA        NA
Enhanced authentication              PA        PA       NA       NA        NA
Maintain audit trail (logs)          A         A        A        A         A
Non-repudiation                      NA        NA       NA       NA        NA
Session integrity                    PA        PA       PA       PA        PA
Prevent session intrusion            NA        NA       NA       NA        NA
Transaction authorization            PA        PA       NA       NA        NA
Protection against password misuse   PA        PA       PA       PA        PA
Universality                         A         A        A        A         A
Usability                            A         A        A        A         A
Cost-effectiveness                   A         A        A        A         A

A = Applicable; NA = Not Applicable; PA = Partially Applicable

Phase III: Solution

The solution combines a graphical password with a token the user already carries (the mobile phone). The user enters a valid username, and the server responds with a grid of images that includes the images the user selected as their password at registration. Each image carries a randomly generated alphanumeric code. The user enters the codes of their password images in the same order as selected during registration. On a correct entry the server sends a one-time code by SMS, and the user is authenticated once that code has been entered correctly.
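
The exchange described above, modelled end to end in Python as an added example. This is the editor's illustration, not the dissertation's artefact (the artefact is the C# in Appendix B). It keeps the dissertation's parameters (25 images, 3 secret images, 3-character codes, an 8-character SMS code, 5 attempts) and makes two assumptions of its own: a 2-minute lifetime for the SMS code, and PBKDF2 in place of the artefact's salted SHA-1. All login state is held per session rather than shared between users, which is where the artefact's code goes wrong.

```python
import hashlib
import hmac
import secrets
import string
import time

GRID_SIZE = 25           # images in the grid
SECRET_IMAGES = 3        # images chosen at registration; the order is part of the secret
CODE_LENGTH = 3          # alphanumeric code shown under each image
OTP_LENGTH = 8           # SMS code length, as in the artefact's RandomPassword class
OTP_TTL_SECONDS = 120    # assumption: the artefact sets no expiry on the SMS code
MAX_ATTEMPTS = 5         # the artefact blocks the account after five attempts
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000
# Confusable characters (0/O, 1/l/I, u/v) are left out, as in the artefact's character sets.
CODE_ALPHABET = "abcdefgijkmnopqrstwxyzABCDEFGHJKLMNPQRSTWXYZ23456789"


def hash_secret(image_ids, salt=None):
    """Store the ordered image numbers, zero-padded like the artefact ('071902' for [7, 19, 2]).
    PBKDF2-HMAC-SHA256 is substituted for the artefact's salted SHA-1."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    secret = "".join("%02d" % i for i in image_ids).encode("ascii")
    return salt + hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)


def verify_secret(image_ids, record):
    salt, digest = record[:SALT_BYTES], record[SALT_BYTES:]
    return hmac.compare_digest(hash_secret(image_ids, salt)[SALT_BYTES:], digest)


class LoginSession:
    """Server-side state for one login attempt. Everything here is per session; the artefact
    kept the attempt counter and grid order in static fields shared by every visitor, and the
    SMS code in a field that did not survive to the next request."""

    def __init__(self, record, clock=time.time):
        self.record = record          # stored hash of the account named at step 1
        self.clock = clock            # injectable so expiry can be tested
        self.attempts = 0
        self.grid = None              # code -> image number for the grid currently on screen
        self.otp = None
        self.otp_expires = 0.0

    def issue_grid(self):
        """Step 2: shuffle the image order and attach a fresh, unique code to each image.
        Returns the (image number, code) pairs the page would render."""
        ids = list(range(1, GRID_SIZE + 1))
        for i in range(len(ids) - 1, 0, -1):          # Fisher-Yates with the CSPRNG
            j = secrets.randbelow(i + 1)
            ids[i], ids[j] = ids[j], ids[i]
        codes = []
        while len(codes) < GRID_SIZE:
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            if code not in codes:                     # a duplicate would make a typed code ambiguous
                codes.append(code)
        self.grid = dict(zip(codes, ids))
        return [(img, code) for code, img in self.grid.items()]

    def submit_codes(self, typed):
        """Step 3: map the typed codes back to image numbers, in order, and check the hash."""
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        grid, self.grid = self.grid, None              # a grid is a one-shot challenge
        self.otp = None                                # and cancels any pending SMS code
        if grid is None or len(typed) != SECRET_IMAGES * CODE_LENGTH:
            return "bad_code"
        chunks = [typed[i:i + CODE_LENGTH] for i in range(0, len(typed), CODE_LENGTH)]
        ids = [grid.get(c) for c in chunks]
        if None in ids or not verify_secret(ids, self.record):
            return "bad_code"
        # Step 4: the code goes to the SMS gateway, never back to the browser.
        self.otp = "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))
        self.otp_expires = self.clock() + OTP_TTL_SECONDS
        return "otp_sent"

    def submit_otp(self, typed):
        """Step 5: one code, one try, bounded lifetime, constant-time comparison."""
        otp, self.otp = self.otp, None
        if otp is None:
            return "no_otp"
        if self.clock() > self.otp_expires:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        if hmac.compare_digest(otp.encode("ascii"), typed.encode("utf-8")):
            self.attempts = 0
            return "authenticated"
        return "bad_otp"
```

Two properties of the model are worth noting against the artefact. The grid is consumed by the first submission, so a shoulder-surfer who notes the codes cannot replay them against the same grid; and the SMS code is never compared by `==` on a string that may be null, which is what the artefact's second stage does.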

Conclusion

The proposed solution was implemented and tested, and met all of the requirements except confidentiality and mutual authentication. On the basis of the analysis and the prototype, it is recommended that social networking sites adopt two-factor authentication that combines a graphical password with a token that is universal in nature, the mobile phone.

Appendix B – Code

using System;
using System.Collections;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login2 : System.Web.UI.Page
{
    private const int GridSize = 25;               // the grid shows 25 images
    private const int CodeLength = 3;              // alphanumeric code under each image
    private const int SecretImages = 3;            // images chosen at registration
    private const int MaxAttempts = 5;
    private const int SmsCodeLifetimeMinutes = 2;  // assumption: the original set no expiry

    private Hashtable controlHashtable = new Hashtable();

    // All per-user state lives in Session. The original kept 'attempts' and 'imgPos' in static
    // fields (shared by every visitor, and reset to 1 by simply reloading the page) and
    // 'smsCode' in an instance field (gone on the next request), so the lockout never held and
    // the SMS stage compared the typed code against null. A per-session counter only slows
    // one browser; a lockout that survives a new session must be keyed to the account row.
    private int Attempts
    {
        get { return Session["attempts"] == null ? 0 : (int)Session["attempts"]; }
        set { Session["attempts"] = value; }
    }

    private int[] ImagePositions
    {
        get { return Session["imgPos"] as int[]; }
        set { Session["imgPos"] = value; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        LoadControls();
        if (Page.IsPostBack)
        {
            return;
        }

        this.Title.Text = "Welcome!";

        // A fresh grid on every GET: shuffled image order plus a fresh code under each image,
        // so a code observed over someone's shoulder is useless at the next login.
        int[] imgPos = new int[GridSize];
        for (int i = 0; i < GridSize; i++)
        {
            imgPos[i] = i + 1;
        }
        ShuffleList(imgPos);
        ImagePositions = imgPos;

        RandomPassword rp = new RandomPassword();
        Dictionary<string, bool> used = new Dictionary<string, bool>();
        for (int i = 1; i <= GridSize; i++)
        {
            Image img = (Image)this.GetControlByName("Image" + i);
            if (img != null)
            {
                img.ImageUrl = imgPos[i - 1] + ".jpg";
            }
            Label lbl = (Label)this.GetControlByName("Label" + i);
            if (lbl != null)
            {
                // Codes must be unique within one grid, otherwise a typed code is ambiguous.
                string code;
                do
                {
                    code = rp.GeneratePassword(true);
                } while (used.ContainsKey(code));
                used[code] = true;
                lbl.Text = code;
            }
        }
    }

    // Index the ImageN / LabelN grid controls by ID so they can be looked up by name.
    private void LoadControls()
    {
        this.controlHashtable.Clear();
        foreach (Control c in this.form1.Controls)
        {
            if (c.ID != null && c.ID.Length > 5
                && (c.ID.StartsWith("Image") || c.ID.StartsWith("Label")))
            {
                this.controlHashtable.Add(c.ID, c);
            }
        }
    }

    private Control GetControlByName(string id)
    {
        return this.controlHashtable[id] as Control;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        if (Attempts >= MaxAttempts)
        {
            this.Label26.Text = "Your account has been blocked. Please contact customer service.";
            return;
        }

        // The original tested 'Visible = true' (an assignment), so this branch always ran and
        // the SMS code was never checked.
        if (this.txtPassword.Visible == true)
        {
            CheckGraphicalPassword();
        }
        else
        {
            CheckSmsCode();
        }
    }

    private void CheckGraphicalPassword()
    {
        Attempts = Attempts + 1;
        Session.Remove("smsCode");
        Session.Remove("smsExpires");

        string username = null;
        string mobile = null;
        if (GraphicalPasswordMatches(this.txtPassword.Text, out username, out mobile))
        {
            string smsCode = new RandomPassword().GeneratePassword(false);
            Session["smsCode"] = smsCode;
            Session["smsExpires"] = DateTime.UtcNow.AddMinutes(SmsCodeLifetimeMinutes);
            new SMS().SendMessage(smsCode, mobile, username);
        }

        // Move to the SMS step whether or not the codes matched, as the original did: a
        // different response here would tell a guesser which image sequences are right.
        this.txtPassword.Visible = false;
        this.txtSMS.Visible = true;
        this.Label27.Text = "If your details were correct, a code has been sent to your mobile. Please enter it.";
    }

    // Maps the typed codes back to image numbers (in the order typed), rebuilds the stored
    // form '010203' and checks it against the account's salted hash.
    private bool GraphicalPasswordMatches(string typed, out string username, out string mobile)
    {
        username = null;
        mobile = null;
        int[] imgPos = ImagePositions;
        if (imgPos == null || typed == null || typed.Length != SecretImages * CodeLength)
        {
            return false;
        }

        StringBuilder pwd = new StringBuilder();
        for (int i = 0; i < SecretImages; i++)
        {
            string code = typed.Substring(i * CodeLength, CodeLength);
            pwd.Append(GetImageName(code, imgPos).PadLeft(2, '0'));
        }

        // Assumption: the page that collected the user name stored it in Session["username"].
        // The original compared the typed codes against every account in the table, so any
        // user's image sequence was accepted for any account.
        string expectedUser = Session["username"] as string;
        if (expectedUser == null)
        {
            return false;
        }

        HashGenerator hg = new HashGenerator();
        DataView dvAccess = (DataView)AccessDataSource1.Select(DataSourceSelectArguments.Empty);
        foreach (DataRowView drvAccess in dvAccess)
        {
            if (drvAccess["username"].ToString() != expectedUser)
            {
                continue;
            }
            if (hg.VerifyHash(pwd.ToString(), drvAccess["password"].ToString()))
            {
                username = expectedUser;
                mobile = drvAccess["mobile"].ToString();
                return true;
            }
        }
        return false;
    }

    private void CheckSmsCode()
    {
        Attempts = Attempts + 1;

        string expected = Session["smsCode"] as string;
        object expires = Session["smsExpires"];
        Session.Remove("smsCode");      // one code, one try
        Session.Remove("smsExpires");

        bool valid = expected != null
            && expires != null
            && DateTime.UtcNow <= (DateTime)expires
            && HashGenerator.FixedTimeEquals(Encoding.UTF8.GetBytes(expected),
                                             Encoding.UTF8.GetBytes(this.txtSMS.Text ?? ""));
        if (valid)
        {
            Attempts = 0;
            // Establish the authenticated identity before leaving the page; a bare Redirect
            // would let anyone open HomePage.aspx directly.
            FormsAuthentication.SetAuthCookie((string)Session["username"], false);
            Response.Redirect("HomePage.aspx");
            return;
        }

        this.Label26.Text = "Authentication failed. Please start again.";
        this.txtSMS.Visible = false;
        this.txtPassword.Visible = true;
    }

    // Returns the image number shown under the label carrying 'passtext', or "0" if none.
    private string GetImageName(string passtext, int[] imgPos)
    {
        for (int j = 1; j <= GridSize; j++)
        {
            Label lbl = (Label)this.GetControlByName("Label" + j);
            if (lbl != null && lbl.Text == passtext)
            {
                return imgPos[j - 1].ToString();
            }
        }
        return "0";
    }

    // In-place Fisher-Yates shuffle driven by the CSPRNG (the original used System.Random).
    private static void ShuffleList(int[] list)
    {
        for (int i = list.Length - 1; i > 0; i--)
        {
            int randomIndex = RandomPassword.NextIndex(i + 1);
            int tmp = list[i];
            list[i] = list[randomIndex];
            list[randomIndex] = tmp;
        }
    }

    public class RandomPassword
    {
        private const int ImagePasswordLength = 3;
        private const int SmsPasswordLength = 8;
        // Confusable characters (0/O, 1/l/I, u/v) are left out so codes can be read from a
        // screen or an SMS without error.
        private const string PasswordLCase = "abcdefgijkmnopqrstwxyz";
        private const string PasswordUCase = "ABCDEFGHJKLMNPQRSTWXYZ";
        private const string PasswordNumeric = "23456789";
        private const string PasswordSpecial = "$-+?_&=!%{}/";

        private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

        // Draws each character directly from the CSPRNG. The original seeded System.Random
        // with 31 random bits and rotated through the character groups; that adds nothing for
        // a short one-time code and is replaced here.
        public string GeneratePassword(bool bImage)
        {
            string alphabet = PasswordLCase + PasswordUCase + PasswordNumeric + PasswordSpecial;
            int length = bImage ? ImagePasswordLength : SmsPasswordLength;
            char[] password = new char[length];
            for (int i = 0; i < length; i++)
            {
                password[i] = alphabet[NextIndex(alphabet.Length)];
            }
            return new string(password);
        }

        // Uniform index in [0, maxExclusive) for 1 <= maxExclusive <= 256, using rejection
        // sampling so that the modulo does not bias the result.
        public static int NextIndex(int maxExclusive)
        {
            byte[] buf = new byte[1];
            int limit = 256 - (256 % maxExclusive);
            do
            {
                Rng.GetBytes(buf);
            } while (buf[0] >= limit);
            return buf[0] % maxExclusive;
        }
    }

    public class HashGenerator
    {
        private const int HashSizeInBytes = 20;   // SHA-1
        private const int MinSaltSize = 4;
        private const int MaxSaltSize = 8;        // exclusive bound: salts are 4 to 7 bytes

        // Record format: Base64(SHA1(plainText || salt) || salt). A single SHA-1 is fast and the
        // graphical secret is three image numbers out of 25, so a leaked table can be searched
        // exhaustively whatever the salt; the SMS factor is what stands between a leaked hash
        // and a login.
        public string ComputeHash(string plainText, byte[] saltBytes)
        {
            if (saltBytes == null)
            {
                int saltSize = MinSaltSize + RandomPassword.NextIndex(MaxSaltSize - MinSaltSize);
                saltBytes = new byte[saltSize];
                new RNGCryptoServiceProvider().GetNonZeroBytes(saltBytes);
            }

            byte[] plainTextBytes = Encoding.UTF8.GetBytes(plainText);
            byte[] plainTextWithSaltBytes = new byte[plainTextBytes.Length + saltBytes.Length];
            Buffer.BlockCopy(plainTextBytes, 0, plainTextWithSaltBytes, 0, plainTextBytes.Length);
            Buffer.BlockCopy(saltBytes, 0, plainTextWithSaltBytes, plainTextBytes.Length, saltBytes.Length);

            byte[] hashBytes;
            using (HashAlgorithm hash = new SHA1Managed())
            {
                hashBytes = hash.ComputeHash(plainTextWithSaltBytes);
            }

            byte[] hashWithSaltBytes = new byte[hashBytes.Length + saltBytes.Length];
            Buffer.BlockCopy(hashBytes, 0, hashWithSaltBytes, 0, hashBytes.Length);
            Buffer.BlockCopy(saltBytes, 0, hashWithSaltBytes, hashBytes.Length, saltBytes.Length);
            return Convert.ToBase64String(hashWithSaltBytes);
        }

        public bool VerifyHash(string plainText, string hashValue)
        {
            byte[] hashWithSaltBytes;
            try
            {
                hashWithSaltBytes = Convert.FromBase64String(hashValue);
            }
            catch (FormatException)
            {
                return false;
            }
            if (hashWithSaltBytes.Length < HashSizeInBytes)
            {
                return false;
            }

            // Whatever follows the 20-byte digest is the salt.
            byte[] saltBytes = new byte[hashWithSaltBytes.Length - HashSizeInBytes];
            Buffer.BlockCopy(hashWithSaltBytes, HashSizeInBytes, saltBytes, 0, saltBytes.Length);

            byte[] expected = Convert.FromBase64String(ComputeHash(plainText, saltBytes));
            return FixedTimeEquals(hashWithSaltBytes, expected);
        }

        // Compares without stopping at the first differing byte (the original used string ==).
        public static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a == null || b == null)
            {
                return false;
            }
            int diff = a.Length ^ b.Length;
            for (int i = 0; i < a.Length && i < b.Length; i++)
            {
                diff |= a[i] ^ b[i];
            }
            return diff == 0;
        }
    }

    public class SMS
    {
        // The artefact posts to a free third-party gateway over plain HTTP, so the one-time
        // code crosses the network in clear; a deployment needs an HTTPS gateway API.
        public void SendMessage(string msg, string mobile, string username)
        {
            try
            {
                string url = "http://www.freebiesms.co.uk/SMSForm.aspx?ToMobile=" + HttpUtility.UrlEncode(mobile)
                    + "&ToName=" + HttpUtility.UrlEncode(username)
                    + "&FromMobile=123132&FromName=ABC&Message=" + HttpUtility.UrlEncode(msg);
                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                req.Method = "POST";
                req.KeepAlive = false;
                req.ContentType = "application/x-www-form-urlencoded";
                req.ContentLength = 0;   // every parameter travels in the query string

                using (WebResponse response = req.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                {
                    string responseFromServer = reader.ReadToEnd();
                    Trace.WriteLine("SMS gateway response: " + responseFromServer);
                }
            }
            catch (Exception e)
            {
                // Console output is not visible from a web application; use the trace listener.
                Trace.WriteLine("Error in SendMessage: " + e.Message + " " + e.InnerException);
            }
        }
    }
}
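
As a further added example, not part of the dissertation's artefact: the Python below reproduces the record format that the HashGenerator class above writes and reads (Base64 of a 20-byte SHA-1 digest followed by a 4 to 7 byte salt), so records produced by the C# can be checked from other code, and then runs the offline search an attacker would run against a leaked record. The graphical secret is three image numbers out of 25, at most 25^3 = 15,625 candidates, so neither the salt nor a slower hash changes much here; the SMS factor and server-side attempt limits are what protect the account. Function names are the editor's.

```python
import base64
import hashlib
import hmac
import itertools
import secrets

SHA1_BYTES = 20
MIN_SALT, MAX_SALT = 4, 8   # random.Next(4, 8) in the C# has an exclusive upper bound: 4 to 7 bytes


def _digest(plain_text, salt):
    """SHA1(UTF-8(plainText) || salt), concatenated exactly as ComputeHash does."""
    return hashlib.sha1(plain_text.encode("utf-8") + salt).digest()


def compute_hash(plain_text, salt=None):
    """Base64(digest || salt). Without a salt, 4 to 7 non-zero bytes are drawn (GetNonZeroBytes)."""
    if salt is None:
        size = MIN_SALT + secrets.randbelow(MAX_SALT - MIN_SALT)
        salt = bytes(1 + secrets.randbelow(255) for _ in range(size))
    return base64.b64encode(_digest(plain_text, salt) + salt).decode("ascii")


def split_record(record):
    """Recover (digest, salt): the salt is whatever follows the 20-byte digest."""
    raw = base64.b64decode(record, validate=True)
    if len(raw) < SHA1_BYTES:
        raise ValueError("record shorter than a SHA-1 digest")
    return raw[:SHA1_BYTES], raw[SHA1_BYTES:]


def verify_hash(plain_text, record):
    """VerifyHash, with a constant-time comparison in place of the C# string ==."""
    try:
        digest, salt = split_record(record)
    except ValueError:          # covers binascii.Error from malformed Base64 as well
        return False
    return hmac.compare_digest(_digest(plain_text, salt), digest)


def recover_images(record, grid_size=25, positions=3):
    """Exhaustive search of one leaked record: every ordered choice of 'positions' image
    numbers from 1..grid_size, each costing one SHA-1. Returns the image numbers in the
    order the user registered them, or None."""
    digest, salt = split_record(record)
    for combo in itertools.product(range(1, grid_size + 1), repeat=positions):
        candidate = "".join("%02d" % i for i in combo)
        if hmac.compare_digest(_digest(candidate, salt), digest):
            return combo
    return None
```

`recover_images` finishes in well under a second on ordinary hardware; the salt only prevents one precomputed table from serving every account, it does not make the per-account search slower.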

Appendix C – Installation Instructions

System Requirements

The following software is needed to run the application.

  • Windows XP Operating System
  • Microsoft Visual Studio 2005

Steps

  1. Install the simulated security device. It has been packaged as an executable and can be installed on any Windows OS; the setup file is in the artefact folder.
  2. Set up the web server (IIS) on your local PC. The following steps guide you through.
  3. Open Control Panel
  4. Open Add or Remove Programs
  5. Click Add or Remove Windows Components
  6. Check Internet Information Services
  7. Go to the C drive (root drive)
  8. Open the Inetpub folder
  9. The server resides in the wwwroot folder.
  10. Run the virtual social networking website from Microsoft Visual Studio 2005
  11. Open the attached artefact folder
  12. Right-click and open the executable file in the folder
  13. Click Play on the MS VS 2005 toolbar
  14. Follow the website's instructions to test the application, or the instructions in chapter 5.