25 Jul 2010 epsalon   » (Journeyer)

Facebook FriendPhotoCaptcha Roadblock

Facebook has recently and silently introduced a new “security” feature that does a lot to prevent legitimate users from accessing Facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows: Suppose you try to log in to Facebook from a location you don’t usually use, for example when traveling (which is usually when it’s most important for you to keep in touch with friends and family). Facebook asks you to verify your identity. And how would you do that? By identifying photos in which your Facebook friends have been tagged. In order to regain access to your account you need to solve a CAPTCHA, then identify 7 out of 9 photos of friends. Even a single error fails the test, but you do have two “skips”. The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you can try again within an hour. Returning to a “verified” location does not help once the roadblock has been triggered.

I guess the reasoning behind this is: If you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends, people you’re unlikely to identify even from a clear picture of their face. Second of all, people tag each other in photos that are nothing like a clear portrait. When I was faced with the challenge I had to tag pictures of feet, pictures of dogs, blurry pictures of people from behind, and “funny” drawings. I am not the only one. Many people have been locked out of their accounts for hours due to this impossible “security” challenge.

How did I eventually regain access to my account? The same way any attacker who isn’t me could have. The questions in the challenge are multiple-choice: one or two pictures and five names to choose from. Since my profile is relatively open to the public I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture, which allowed me to try to verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge — just like anyone who isn’t me could have.
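As an added illustration (not part of the original post), the following Python works out how little the challenge's parameters resist plain guessing under the rules described above (9 photos, 7 needed, any wrong answer fails, two skips, five names per photo), plus two modelling assumptions of mine: a skip simply drops that photo from the count, and an unrecognised photo is answered by a uniform guess among the five names.

```python
"""Pass probability of the friend-photo challenge as a function of how
many of the 9 photos the person at the keyboard actually recognises.

Rules taken from the post: 9 photos, 7 correct required, one wrong
answer fails, 2 skips, 5 candidate names per photo.
Model assumptions (mine, not the post's): a skip removes that photo
from the count, and an unknown photo is a uniform guess over the names."""
import random
from fractions import Fraction

PHOTOS, REQUIRED, SKIPS, CHOICES = 9, 7, 2, 5


def pass_probability(known, photos=PHOTOS, required=REQUIRED,
                     skips=SKIPS, choices=CHOICES):
    """Exact probability of passing when `known` photos are recognised
    with certainty and every other photo is skipped or guessed."""
    unknown = photos - known
    # Skip as many unknowns as allowed while still answering `required`
    # photos; each remaining unknown must then be guessed correctly.
    skipped = min(skips, unknown, photos - required)
    guesses = unknown - skipped
    return Fraction(1, choices) ** guesses


def expected_attempts(known):
    """Mean number of hourly attempts until one passes (geometric)."""
    return 1 / pass_probability(known)


def simulate(known, trials=20000, seed=1):
    """Monte-Carlo cross-check of pass_probability under the same model."""
    rng = random.Random(seed)
    unknown = PHOTOS - known
    guesses = unknown - min(SKIPS, unknown, PHOTOS - REQUIRED)
    passed = sum(
        all(rng.randrange(CHOICES) == 0 for _ in range(guesses))
        for _ in range(trials))
    return passed / trials


if __name__ == "__main__":
    print("known  P(pass)      mean attempts   simulated")
    for k in range(PHOTOS + 1):
        p = pass_probability(k)
        print(f"{k:5d}  {float(p):<11.6f}  {float(expected_attempts(k)):<14.1f}"
              f"  {simulate(k):.4f}")
```

Recognising just five of the nine photos already gives a 1-in-25 chance per attempt, so with hourly retries the challenge is a nuisance rather than a barrier for anyone who can identify a handful of a user's friends.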

An attacker’s arsenal would also include creating a new account with my name and photo, and trying to “friend” all my Facebook friends. With enough people accepting this friendship (which many will), you can access all their photos and easily solve the challenge. In fact, this could be automated, and the only obstacle is several CAPTCHAs that need to be solved, a problem easily solved by spammers using outsourcing or fake “free porn” sites.

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to tag only photos he or she has uploaded, or that he or she appears in. Ask about where or when a picture was taken, and be more lenient.
  • Require a user to use an alternative method to contact a few of his or her friends (of the user’s choice) and have them log in and confirm they are OK (for example by giving them some kind of key).
  • Get security questions or challenges from the users in advance — something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.
  • Make a phone call or send a text message to a phone number that is in the user’s profile with a key to access the site.

Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.

Syndicated 2010-07-25 08:11:43 from Alon's Blog
