Saturday, July 24, 2010

Facebook FriendPhotoCaptcha Roadblock

Update: I was subject to the captcha again, and this time I took screenshots.
Update 2: I have created a Facebook group for fighting this security feature. Once you have your account back, join the group and invite your friends!

Facebook has recently and silently introduced a new "security" feature that does a lot to prevent legitimate users from accessing Facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows:

Suppose you try to log in to Facebook from a location you don't usually use, for example when traveling (which is usually when it's most important for you to keep in touch with friends and family). Facebook asks you to verify your identity.

Please review recent activity on your facebook account


And how would you do that? First, you have to solve a CAPTCHA. Fair enough, just prove you're human.

Next comes the tricky part. You need to identify your Facebook "friends" in photos where they have been tagged. To regain access to your account you must solve the CAPTCHA and then correctly identify 7 out of 9 photos of friends. A single wrong answer fails the test, but you do get two "skip"s.


The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you have to wait about an hour before you can try again. Returning to a "verified" location does not help once the roadblock has been triggered.

Please come back in a little while

I guess the reasoning behind this is: if you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends, people you are unlikely to identify even from a clear picture of their face. Second, people tag each other in photos that are nothing like a clear portrait. When I was faced with the challenge I had to identify pictures of feet, pictures of dogs, blurry pictures of people from behind, and "funny" drawings. I am not the only one: many people have been locked out of their accounts for hours due to this impossible "security" challenge.

Below is an example of one of the worst images I've got in my challenge:

The picture is low resolution, and is itself a Christmas card. One of the faces is almost completely obscured by a hand holding a camera. The person in the picture is a work acquaintance I have never met in person, and the worst thing security-wise (and lucky for me) is that the greeting text includes his name!

How did I eventually regain access to my account? The same way any attacker who isn't me could have. The questions in the challenge are multiple choice: one or two pictures and five names to choose from. Since my profile is relatively open to the public, I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture, which allowed me to try to verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge -- just like anyone who isn't me could have.

After finally succeeding in solving the challenge, I was presented with the oh-so-horrible offending access: I had tried to log in to Facebook Chat from the United States. Thanks for being so specific, Facebook.

Please review recent activity on your Facebook account

After guessing this is probably OK comes the next screen, asking me to be a fan of Facebook Security. What can I tell you, I am not a fan!

Thanks Alon - you've successfully restored your account

From a security perspective, this is not at all useful. An attacker's arsenal would include looking up public friend info, creating a new account with my name and photo, and trying to "friend" all my Facebook friends. With enough people accepting this friendship (which many will), the attacker can access all their photos and easily solve the challenge. In fact, this could be automated; the only obstacle is several CAPTCHAs that need to be solved, a problem spammers already handle by outsourcing them or relaying them through fake "free porn" sites.
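To put numbers on how little the friend-photo challenge buys, here is an added example (my own code, not Facebook's and not part of the original post) that computes the probability of passing one attempt from the parameters described above: 9 photos, 7 correct answers needed, 2 skips, any wrong answer fails, and 5 names to choose from per photo. The attacker model is the one in the paragraph above: each photo can be matched to a name from public profile data independently with some probability, unmatched photos are skipped while skips remain, and whatever is left is guessed. The hourly retry is an assumption taken from the "come back in a little while" lockout described earlier.

```python
from math import comb

# Challenge parameters as described in the post.
PHOTOS = 9                # photos presented per attempt
NEEDED = 7                # correct identifications required to pass
SKIPS = PHOTOS - NEEDED   # two "skip"s; a single wrong answer fails the attempt
CHOICES = 5               # names offered per photo (multiple choice)
RETRY_HOURS = 1.0         # assumed: one fresh attempt per hourly lockout


def pass_probability(p_known: float) -> float:
    """Probability that a single attempt passes.

    Attacker model: each photo is independently matchable to a name from
    public data (profile pictures, public albums) with probability p_known.
    Matched photos are answered, unmatched ones are skipped while skips
    remain, and whatever is left must be guessed at 1/CHOICES each; every
    guess has to be right because one error fails the whole attempt.
    """
    if not 0.0 <= p_known <= 1.0:
        raise ValueError("p_known must be a probability")
    total = 0.0
    for k in range(PHOTOS + 1):
        # exactly k of the PHOTOS photos are matched from public data
        p_k = comb(PHOTOS, k) * p_known ** k * (1.0 - p_known) ** (PHOTOS - k)
        # unmatched photos beyond the SKIPS allowance have to be guessed:
        # (PHOTOS - k) - SKIPS == NEEDED - k
        guesses = max(0, NEEDED - k)
        total += p_k * (1.0 / CHOICES) ** guesses
    return total


def expected_hours_to_pass(p_known: float) -> float:
    """Mean wall-clock time to a successful attempt, retrying once per lockout."""
    p = pass_probability(p_known)
    return float("inf") if p == 0.0 else RETRY_HOURS / p


if __name__ == "__main__":
    print("share of photos matchable   P(pass one attempt)   expected hours")
    for p in (0.0, 0.25, 0.5, 0.75, 1.0):
        print(f"{p:>25.2f}   {pass_probability(p):>19.6f}   {expected_hours_to_pass(p):>14.1f}")
```

With no public information at all, pure guessing passes one attempt in 5^7 = 78,125. Once half of the photos can be matched from public profiles the per-attempt pass rate is already about 13%, so an attacker retrying every hour gets in within a day on average. The feature's strength rests entirely on how private the tagged photos are, which is exactly the data the bogus-account attack obtains.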

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to tag only photos he or she has uploaded, or that he or she appears in. Ask about where or when a picture was taken, and be more lenient.

  • Require a user to use an alternative method to contact a few of his or her friends (of the user's choice) and have them log in and confirm they are OK (for example by giving them some kind of key).

  • Get security questions or challenges from the users in advance -- something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.

  • Make a phone call or send a text message to a phone number that is in the user's profile with a key to access the site.


Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.
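As an added example of the "give a few friends a key" and "send a key to the user's phone" suggestions above (my own code, not anything Facebook shipped and not from the original post), the following sketches the server side of a threshold recovery flow: the server issues one random code per trusted contact chosen by the user in advance, hands each code to an out-of-band channel (a call, a text message, or the contact's own logged-in session), keeps only keyed digests, and restores access once codes from 3 distinct contacts have been entered within a day and before too many wrong attempts. The threshold, lifetime, attempt cap and code format are assumptions, not anything from the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I: easier to relay by phone
CODE_LEN = 8
THRESHOLD = 3                 # assumed policy: codes from 3 distinct trusted contacts
CODE_TTL_SECONDS = 24 * 3600  # assumed: a recovery request dies after a day
MAX_FAILURES = 5              # assumed: wrong codes tolerated before the request is voided


@dataclass
class RecoveryState:
    """Server-side record. Holds HMAC digests only, never the codes themselves."""
    account: str
    created_at: float
    digests: dict = field(default_factory=dict)   # contact -> HMAC-SHA256 of that contact's code
    confirmed: set = field(default_factory=set)   # contacts whose code was accepted
    failures: int = 0
    voided: bool = False


def _digest(server_key: bytes, account: str, contact: str, code: str) -> bytes:
    # Keyed with a server-held secret, so a leaked digest table cannot be
    # brute-forced offline over the 32**8 code space. Binding the account and
    # contact into the message means a code is only good for the contact it was sent to.
    msg = f"{account}\x00{contact}\x00{code.upper()}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).digest()


def issue_codes(server_key: bytes, account: str, contacts: list, now: float):
    """Start a recovery: one random code per trusted contact.

    Returns (state, deliveries). `deliveries` maps contact -> code and goes to
    the delivery channel, then is discarded; only `state` is persisted.
    """
    if len(set(contacts)) < THRESHOLD:
        raise ValueError("not enough trusted contacts for the threshold")
    state = RecoveryState(account=account, created_at=now)
    deliveries = {}
    for contact in set(contacts):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
        deliveries[contact] = code
        state.digests[contact] = _digest(server_key, account, contact, code)
    return state, deliveries


def submit_code(server_key: bytes, state: RecoveryState, contact: str,
                code: str, now: float) -> bool:
    """The account owner types in a code relayed by `contact`. Returns True if accepted.

    Expiry and the failure cap are enforced before any comparison is made.
    """
    if state.voided or now - state.created_at > CODE_TTL_SECONDS:
        state.voided = True
        return False
    expected = state.digests.get(contact)
    if expected is None:
        ok = False    # unknown contact: counts as a failure, reveals nothing about the list
    else:
        ok = hmac.compare_digest(expected, _digest(server_key, state.account, contact, code))
    if ok:
        state.confirmed.add(contact)   # a set, so re-entering one contact's code counts once
    else:
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.voided = True
    return ok


def is_recovered(state: RecoveryState) -> bool:
    """Access is restored only once THRESHOLD distinct contacts have vouched."""
    return not state.voided and len(state.confirmed) >= THRESHOLD
```

The threshold is what matters against the attack described earlier: an attacker who got one of your friends to accept a bogus request holds at most one contact's code, and the contacts are the user's own choice rather than a random draw from a two-thousand-entry Mafia Wars friend list. Keeping only HMAC digests means a leaked recovery table is not enough to redeem codes, and `hmac.compare_digest` avoids leaking how many characters matched through timing.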

Here is Facebook's real world contact information. Call them, send them a letter, or drop by their offices:

1601 S. California Ave.
Palo Alto, CA 94304
USA
+1-650-543-4800 (Phone)

27 comments:

  1. Right. The biggest obstacle to their solution is that a lot of people don't use tags the way FB thinks they do. People use "tag" instead of "share" (I don't know why, btw. Do you?)

    I agree with your suggestions. I'd correct their implementation by requiring users to identify friends in photos the user has uploaded -- or, if there are too few, to at least sort the friends according to some "closeness" criterion (e.g. commenting on someone's post -- 2 points, liking -- 1 point, sending a message -- 3 points, etc.). That way, I'm pretty sure it would actually identify the people that you really know. But one of the additional challenges is that they need to use only public photos! Most people's photos are private.

    I think the best idea was to just use security questions, as usual. Beats me why they didn't simply go for that...
  2. They used something like that before, verifying things like birthdays and phone numbers, but these were easy to overcome. Security questions require users to set those when they sign up, which might be a problem.

  3. Just happened to me on my new work laptop - I used up the "I don't know" option on the first two and took a lucky guess on the next before I realized I could still use my mobile phone (and process of elimination) to make it through by finding the actual photos in question on FB. This is a perfect example of why clever ideas often go down in flames in the real world. My earnest desire is that the brilliant idiots that conceived this be forced to re-take this test daily until they too have experienced this special kind of hell.
  4. I tried the facebook mobile route but after I got it wrong the first time, I was locked out of Facebook on my phone too.

  5. So the same thing happened to me. I am at my parents' and out of state; it has given me problems since Friday night. I can't bypass the friend pic route; they're of feet and stupid things. I don't know what to do. I wonder if it will recognize my own computer once I'm back in my own state??? Does anyone know the answer?? Or will I have to delete my whole account and start fresh with my same name but obviously a different email??!!!! My real question here is: will it still roadblock me once I'm on my normal PC..??????
    Thanks much, Shelby
  6. Hi Shelby. I don't have official word from facebook, but my experience is that it would still roadblock you when you're back home, at least if you've had one failed attempt.

    Before deleting your entire account I suggest creating a dummy account and using it to access some of your friends' pictures, hopefully enough to pass the roadblock. Try friending them from the new account until you can access enough pictures.

    Obviously, facebook might realize their mistake and let people access their accounts. Stay tuned.

  7. Yeah, I heard that Facebook was "easier to use" and "much better than MySpace". The thing is, I've never had any kind of problem with MySpace at all.

    I tried making a Facebook account since my friends said it's probably safer, and you know what the funny thing is? I tried making an account for the first time on Facebook and it said I already had an account. I finally did the password retrieval and as it turns out some girl halfway across the world from me that I don't know has a Facebook account with my email address. I'm thinking to myself, safer?

    I hadn't even made an account yet and I could already see it has major problems. I don't know the girl, she's under age to be on Facebook, and to have my email she would have to have my password, right? That's scary. So I changed my password on my email, reported the poor Chinese or maybe Mexican girl, and started a Facebook account.

    I got onto Facebook and started putting information in, making it a bit more secure so that wouldn't happen again, and finally added some of my friends from high school. Little did I know that when I went to visit my grandparents' house and accept them as friends (since I was there and made one for each of them too) that I wouldn't be able to log in without going through a test.

    I thought, "Okay then, maybe this is just something to show that they are safe," so I did the CAPTCHA and moved on... Then something else popped up called 'FriendPhotoCaptcha'... "Alrighty then, let's do this, no one knows my friends better than me." Yeah well, I got pictures of their favorite bands, places they ate, pictures they liked, but since my friends are safe they don't really upload pictures of themselves. "Gah, hold on grandma, I can't accept you as a friend yet because I've got to call all my friends and see which ones went to this place for their birthday and whose favorite picture is the one with the cat saying Nom nom nom."

    Can you see how frustrating this can be on an average day for me? It turned my visit to my grandparents' house into nonstop calling to all my friends. After a while I gave up and I no longer use Facebook because I don't think it's worth making another email just to have to do it all over again. I'm going to stick with MySpace and maybe Facebook can be more reasonable in their desperate attempt at a secure site.

    There's no way I'm telling people Facebook is safer than any other site on the internet unless they figure out how to work things out. I've never had a reason to complain about a site in my life and it's crazy that the one I do find a reason to complain about is supposed to be "easier". My friends have all suffered through this same problem now and are pretty much boycotting Facebook until they have their accounts back. Let this be a warning to anyone who tries to make a Facebook account for the first time.
  8. I hate this dumb security thing too. I am currently travelling overseas, and had the same questionnaire pop up.

    Although I am able to recognise all the people used for the photo matchup, every time I select a name and click *go to the next picture* it instantly tells me that I am wrong or something of the sort.

    Then I have to wait an hour for the next round!

    Moreover, I am unable to contact Facebook support because - well I CAN'T LOG IN and Facebook doesn't HAVE an email support system.

    Pretty pissed off.
  9. Jai, I am in the same boat. Let me know if you sort the problem. I get locked out as soon as the select-a-name page appears.
  10. Trying to log into Facebook... I know all the people in the pictures, it just doesn't give me enough time... the pictures FLASH and then it tells me to come back in an hour.
    I read that someone else was having the same problem. How can we slow the pictures down to give enough time to correctly identify the picture?
    So frustrating..
  11. I have been trying to get back on facebook for over a week, nearly everyday I have tried to no avail. I went out of town and tried to check my facebook from another computer and that's when it all started, then I couldn't even sign in from my normal laptop that I always use it on, and can't even sign in now that I'm back home.

    I wish I knew what to do, I emailed info@facebook.com and of course they said they don't help people there anymore and sent me to the "help center" however there is nothing in there about what to do if you get kicked out of the photo security screen before you even have a chance to identify your friends.

    I think they are going to lose a lot of people by this instead of just keeping away the hackers; they will lose those of us that aren't rats and refuse to keep spinning in this wheel that's going nowhere.
  12. Thanks for this tip!

    A friend came over for some holidays and his FB account got blocked.
    Due to this tutorial we managed to get in to his account. Thanks for sharing!

    What a stupid way of "securing" an account. It's very user unfriendly and impossible!!!!

  13. I do not know who did this and got into my Facebook site but it is ridiculous what is going on. Last Monday we had a lightning storm here and my computer had to be taken in to get fixed. Last Thursday, August 5th, I got it back and I was blocked. I have a lot of friends too and don't recognize half of them. A lot of them sent me friend requests so they could get the neighbors they needed. It is not right; Facebook should be asking me questions about me, security questions like Pogo has on it. I have been trying for 24 hours so far and no luck. I cannot get past those stupid pictures. I have 7 family members on Facebook and 2 really close friends right here in town, why don't they just put their pictures on there? This is not right, but I am not giving up. Actually this is not security for us, it is a way for Facebook to steal our site from us and it is wrong!!!!! It is very user unfriendly and impossible!!!!!!!!!!!!!!!!
  14. Could someone pls help me?

    The same thing happened to me today, but on reaching step 2 (i.e. FriendPhotoCaptcha) and after identifying just one friend it immediately redirects to a page saying "Your answers were not accurate enough. User did not identify enough friends correctly in 'FriendPhotoCaptcha'".

    This is really annoying and I just don't know what to do anymore - the FB help centre is absolutely no HELP!!!
  15. Please can anyone advise me how to get past this? Now three weeks since returning from holiday when i first encountered this security feature and I still cannot access my account despite emailing Facebook on several occasions. I admit I added a large number of friends only to play MobWars on line so it is impossible for me to identify many of the photos. Has anyone actually ever received any replies to help requests from Facebook?

    Also if it comes to it how would I delete my account so I can set up a new one. Thanks!

  16. Every game on Facebook that I have encountered requires friends. A lot of my friends I don't even know, because of the fact that you get a request from them so they can get the neighbors they need, and I never go into anyone's pictures; I'm not actually interested in pictures, or I would be into photography. This is not security, it is very annoying and a very unfair practice that Facebook is doing. It is not right. I have 7 family members on here and 4 friends that I know really well. PUT THEM ON HERE. Between Clinton, Dubuque and Maquoketa, Iowa. Facebook should wake up and realize this is highly unfair what they have going. You can email them but they never answer you back. We figured out that where I got my computer fixed last week did the hacking; they had to have, because I never had this problem before that. It is not right. FACEBOOK WAKE UP, LET ME HAVE MY SITE BACK!!!!!!!!!!!!!!!!!! The only thing Facebook is doing is helping HACKERS.
  17. I have the same problem. Does anyone have a solution to this?
    If yes, please email me. Thanks.
  18. Maybe free users cannot use Facebook.
  19. Worst thing about it for me is that many of my friends like to post tags for people on random pictures of blank areas of colour or on the wrong people just for a laugh so I really have no chance.

  20. I have multiple accounts ONLY for games; all accounts have hundreds of friends whom I don't know. I'd be lucky to recognize a couple, let alone 7 random photos from thousands. I was lucky to guess 3 of my accounts, so why can't a hacker do the same thing?
    Completely useless security feature. My advice: don't access your account from any other computer unless you only have 1 or 2 friends, or FB will &@*$ you.
    VERY PISSED as I still don't have access to other accounts!!!
  21. None of this works here.

    I tried logging in from my new BlackBerry phone and the Facebook login said it did not recognize where I was accessing from. Then when I tried to log in to Facebook from a computer, it took me through some security questions to identify pics tagged by friends, but I cannot, as I have over 2,500 friends who joined for the Mafia Wars game. Some of the pics are, like, a basket of flowers. That's just stupid, and I cannot answer the 7 questions correctly. I have searched high and low and even clicked on Change my password, which sent a new password to my e-mail, but now I can't even access Facebook from the BlackBerry because it says invalid login/password. I am frustrated beyond belief, and cannot possibly start over building a new account. I sent an e-mail to what appears to be some kind of support desk, but the reply back to my e-mail stated they cannot look at all questions and would try to solve user problems that are common. Basically, an automated non-response e-mail.
    Please help me get the security question prompts removed from my login so I can access my account. Please help!!!

    Facebook does everything in their power to encourage and reward users for adding more friends in games within the site, but puts this impossible step in place, with absolutely no way around the problem. I guess this is the end for my Facebook.com experience. Unless they can remove this ridiculous bullcrap.
  22. By some bit of luck I managed to guess the five photos they gave me the other day and finally got back in!

    Here is the kicker, a few hours after getting back in I received a reply from Facebook privacy to my five emails regarding this problem. This stated that their records showed that my account was unlocked and there should be no problem!

    Unbelievable

  23. I still don't know how I got in... after 10 days. This calls for a class action lawsuit from those who pay for apps, and for our time/effort for denial of service. This can be considered random discrimination... or intentional. What about the visually impaired?
  24. 1. Only use Google Chrome.
    2. Check your internet provider.
    3. Check your IP, because ONLY with a "Suspected Network device" can you log in successfully from anywhere in the world... cheers...
  25. I didn't have this problem. I barely use Facebook. BUT an easy solution would be:
    1. Take the Facebook cookie on a disk-on-key and put it in the other browser when you are away with another laptop.

    2. Besides, their "security crap", who are they kidding? Login is done via HTTP and not HTTPS. So what is this crap?

    3. How do they know it's from a different location? By hostname or GeoIP location? If the latter, try this:
    http://www.broll.at/2010/01/disable_geo_ip_in_firefox/

    Unfortunately, GeoIP is enabled by default.
  26. My Facebook has roadblocks, can you help me to open my Facebook?
  27. shiela encinas, 28 April, 2011 19:03

    My Facebook has roadblocks, can you help me to open my Facebook?