Saturday, July 24, 2010

Facebook FriendPhotoCaptcha Roadblock

Update: I was subjected to the captcha again, and this time I took screenshots.
Update 2: I have created a Facebook group for fighting this security feature. Once you have your account back, join the group and invite your friends!

Facebook has recently and silently introduced a new "security" feature that does a lot to prevent legitimate users from accessing Facebook but almost nothing to deter determined scammers and hackers.

The security feature works as follows:

Suppose you try to log in to Facebook from a location you don't usually use, for example when traveling (which is usually when it's most important for you to keep in touch with friends and family). Facebook asks you to verify your identity.

Please review recent activity on your facebook account

And how would you do that? First, you have to solve a CAPTCHA. Fair enough, just prove you're human.

Next starts the tricky part. You need to identify your Facebook "friends" from photos in which they have been tagged. To regain access to your account you must solve the CAPTCHA and then correctly identify seven out of nine photos of friends. Even a single error fails the test, but you do have two "skips", so you may pass over at most two of the nine photos and must get every one you answer right.

The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you can try again within an hour. Returning to a "verified" location does not help once the roadblock has been triggered.

Please come back in a little while

I guess the reasoning behind this is: if you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends, people you are unlikely to identify even from a clear picture of their face. Second, people tag each other in photos that are nothing like a clear portrait. When I was faced with the challenge I had to identify pictures of feet, pictures of dogs, blurry pictures of people from behind, and "funny" drawings. I am not the only one. Many people have been locked out of their accounts for hours due to this impossible "security" challenge.

Below is an example of one of the worst images I got in my challenge:

The picture is low resolution, and the image itself is a Christmas card. One of the faces is almost completely obscured by a hand holding a camera. The person in the picture is a work acquaintance I have never met in person, and the worst thing security-wise (and lucky for me) is that the greeting text includes his name!

How did I eventually regain access to my account? The same way any attacker who isn't me could have. The questions in the challenge are multiple choice: one or two pictures and five names to choose from. Since my profile is relatively open to the public, I could create a bogus Facebook account, see my friend list and visit their public pages. Most of these include a profile picture, which allowed me to verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge, just as anyone who isn't me could have.

After finally succeeding in solving the challenge, I was presented with the oh-so-horrible offending access. I tried to log in to Facebook Chat from the United States. Thanks for being so specific, Facebook.

Please review recent activity on your Facebook account

After guessing this is probably OK comes the next screen, asking me to become a fan of Facebook Security. What can I tell you, I am not a fan!

Thanks Alon - you've successfully restored your account

From a security perspective, this is not at all useful. An attacker's arsenal would include looking up public friend info, creating a new account with my name and photo, and trying to "friend" all my Facebook friends. With enough people accepting the friend request (and many will), the attacker can access all their photos and easily solve the challenge. In fact, this could be automated; the only obstacle is the several CAPTCHAs that need to be solved, a problem spammers already handle by outsourcing CAPTCHA solving or by relaying the CAPTCHAs to visitors of fake "free porn" sites.
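To put a number on how weak the challenge is under the rules described above (nine photos, seven correct required, two skips, five names per photo, one retry per hour), here is a small model. This is an example added here, not code from the original post or from Facebook. It assumes the photos are independent, that the solver answers every photo whose subject it can identify, uses the skips on unknown photos first, and guesses uniformly among the offered names for any unknown photo left over; `p_known` is the fraction of friend photos the solver can match to a name, which for an attacker grows with the number of friends whose profile pictures and albums are public (or who accepted the cloned account's friend request). The hourly retry interval is also an assumption.

```python
from math import comb, ceil, log

# Challenge parameters as described in the post.
PHOTOS = 9                  # photos shown per challenge
REQUIRED = 7                # correct identifications needed
SKIPS = PHOTOS - REQUIRED   # at most two photos may be skipped
CHOICES = 5                 # names offered for each photo
RETRY_HOURS = 1.0           # assumed wait between failed attempts


def pass_probability(p_known, choices=CHOICES):
    """Probability that a single attempt passes.

    p_known: fraction of photos whose subject the solver can identify
    (assumed independent per photo). Strategy: answer every known photo,
    spend the skips on unknown photos, and guess uniformly among `choices`
    names for any unknown photo left over. One wrong answer fails the whole
    attempt, so every guess must hit.
    """
    total = 0.0
    for known in range(PHOTOS + 1):
        # Binomial probability of recognising exactly `known` of the photos.
        p_k = comb(PHOTOS, known) * p_known ** known * (1 - p_known) ** (PHOTOS - known)
        # Unknown photos beyond the two skips have to be guessed.
        must_guess = max(0, (PHOTOS - known) - SKIPS)
        total += p_k * (1.0 / choices) ** must_guess
    return total


def attempts_for_confidence(p_known, confidence=0.5, choices=CHOICES):
    """Attempts needed to pass at least once with the given confidence."""
    p = pass_probability(p_known, choices)
    if p >= 1.0:
        return 1
    return ceil(log(1 - confidence) / log(1 - p))


def hours_for_confidence(p_known, confidence=0.5, choices=CHOICES):
    """Wall-clock time for the same, given the retry limit (first attempt is immediate)."""
    return (attempts_for_confidence(p_known, confidence, choices) - 1) * RETRY_HOURS


if __name__ == "__main__":
    # Constructed scenarios: a blind guesser, an attacker who matched a few
    # public profile pictures, and one who befriended most of the victim's friends.
    scenarios = [("blind guessing", 0.0), ("a third of friends known", 1 / 3),
                 ("two thirds known", 2 / 3), ("nine in ten known", 0.9)]
    for label, p in scenarios:
        print(f"{label:26s} pass/attempt = {pass_probability(p):.6f}  "
              f"attempts to 50% = {attempts_for_confidence(p):6d}  "
              f"hours = {hours_for_confidence(p):8.1f}")
```

Blind guessing needs all seven answered photos to hit at one in five each, about one chance in 78,000 per attempt, so the hourly retry limit alone would hold a naive bot off for years. An attacker who can match two thirds of the friends' photos, however, passes roughly 44% of attempts, i.e. usually within a couple of tries, and the `choices` parameter shows how much eliminating obviously wrong names (a greeting card with the name printed on it, a name that belongs to the wrong gender) helps further.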

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to tag only photos he or she has uploaded or appears in. Ask where or when a picture was taken, and be more lenient about the answers.

  • Require a user to use an alternative method to contact a few of his or her friends (of the user's choice) and have them log in and confirm they are OK (for example by giving them some kind of key).

  • Get security questions or challenges from the users in advance -- something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.

  • Make a phone call or send a text message to a phone number that is in the user's profile with a key to access the site.

Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.

Here is Facebook's real world contact information. Call them, send them a letter, or drop by their offices:

1601 S. California Ave.
Palo Alto, CA 94304
+1-650-543-4800 (Phone)