Saturday, July 24, 2010

Facebook FriendPhotoCaptcha Roadblock

Update: I was subject to the captcha again, and this time I took screenshots.
Update 2: I have created a Facebook group for fighting this security feature. Once you have your account back, join the group and invite your friends!

Facebook has recently and silently introduced a new "security" feature that does a lot to keep legitimate users out of Facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows:

Suppose you try to log in to Facebook from a location you don't usually use, for example while traveling (which is usually when keeping in touch with friends and family matters most). Facebook then asks you to verify your identity.

Please review recent activity on your facebook account


And how would you do that? First, you have to solve a CAPTCHA. Fair enough, just prove you're human.

Next comes the tricky part. You need to identify your Facebook "friends" in photos in which they have been tagged. To regain access to your account you must solve a CAPTCHA and then correctly identify 7 out of 9 photos of friends. A single wrong answer fails the test, but you do get two "skips".


The photos are drawn at random from every photo in which any of your friends has been tagged. If you fail, you can try again after an hour. Returning to a "verified" location does not help once the roadblock has been triggered.

Please come back in a little while

I guess the reasoning behind this is: if you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends, people you are unlikely to recognise even from a clear picture of their face. Second, people tag each other in photos that are nothing like a clear portrait. When I faced the challenge I had to identify pictures of feet, pictures of dogs, blurry pictures of people from behind, and "funny" drawings. I am not the only one: many people have been locked out of their accounts for hours by this impossible "security" challenge.

Below is an example of one of the worst images I've got in my challenge:

The pictures are low resolution, and this one is a Christmas card. One of the faces is almost completely obscured by a hand holding a camera. The person in the picture is a work acquaintance I have never met in person, and the worst thing security-wise (and lucky for me) is that the greeting text includes his name!

How did I eventually regain access to my account? The same way any attacker who isn't me could have. The questions in the challenge are multiple choice: one or two pictures and five names to choose from. Since my profile is relatively open to the public, I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture, which let me try to verify the person. Some have a more public profile where all pictures are available, and there I could find the actual picture from the challenge, just like anyone who isn't me could have.

After finally succeeding in solving the challenge, I was presented with the oh-so-horrible offending access: I tried to log in to Facebook Chat from the United States. Thanks for being so specific, Facebook.

Please review recent activity on your Facebook account

After guessing that this is probably OK comes the next screen, asking me to become a fan of Facebook Security. What can I tell you, I am not a fan!

Thanks Alon - you've successfully restored your account

From a security perspective, this is not useful at all. The challenge tests knowledge that is not secret: who my friends are and what they look like. An attacker's arsenal would include looking up public friend info, creating a new account with my name and photo, and trying to "friend" all my Facebook friends. With enough people accepting the request (and many will), the attacker can access all their photos and easily solve the challenge. In fact this could be automated; the only obstacle is a handful of CAPTCHAs, a problem spammers already solve by outsourcing or with fake "free porn" sites.
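To put numbers on the weakness described above, here is an added example (not code from the original post) that works out the chance of passing a single attempt as a function of how many of the challenge photos the attacker can actually identify. The parameters are the ones stated earlier in the post: 9 photos, 5 names per photo, 2 skips, 7 required with no wrong answer, one attempt per hour. The attacker strategy (answer what you know, skip what you can, guess the rest) and the `choices` parameter, which models narrowing the five names down with public profile pictures, are my assumptions.

```python
from math import comb
import random

# Challenge parameters as the post describes them (assumptions about the
# real system; there is no public specification for it).
PHOTOS = 9                 # photos shown per attempt
CHOICES = 5                # candidate names offered per photo
SKIPS = 2                  # "I don't know" answers allowed
NEEDED = PHOTOS - SKIPS    # 7 answers, all of which must be correct
RETRY_HOURS = 1            # lockout between attempts


def pass_probability(p_known, choices=CHOICES):
    """Analytic probability that a single attempt passes.

    p_known: fraction of tagged friends the attacker can identify with
             certainty (public profile pictures, a cloned account that
             got friended, a name printed on the greeting card, ...).
    choices: names left per photo after ruling out the obviously wrong
             ones; 5 means no elimination at all.
    Strategy: answer every recognised photo, spend the skips on unknown
    photos, guess the remaining unknowns uniformly.
    """
    total = 0.0
    for k in range(PHOTOS + 1):                       # k recognised photos
        p_k = comb(PHOTOS, k) * p_known**k * (1 - p_known) ** (PHOTOS - k)
        must_guess = max(0, NEEDED - k)                # unknowns left after skipping
        total += p_k * (1.0 / choices) ** must_guess   # every guess must be right
    return total


def simulate(p_known, trials=20000, choices=CHOICES, seed=1):
    """Monte Carlo cross-check of pass_probability using the same strategy."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        known = sum(rng.random() < p_known for _ in range(PHOTOS))
        must_guess = max(0, NEEDED - known)
        if all(rng.randrange(choices) == 0 for _ in range(must_guess)):
            passed += 1
    return passed / trials


def expected_hours(p_known, choices=CHOICES):
    """Mean time to get in: one attempt per RETRY_HOURS, geometric trials."""
    return RETRY_HOURS / pass_probability(p_known, choices)


if __name__ == "__main__":
    print("p_known   P(pass)     expected hours")
    for p in (0.0, 0.3, 0.5, 0.7, 0.9):
        print(f"{p:7.1f}  {pass_probability(p):9.2e}  {expected_hours(p):14.1f}")
    print("p_known=0.5 but every photo narrowed to 2 names:",
          f"{pass_probability(0.5, choices=2):.3f}")
```

Run it and the table shows the problem: pure guessing needs about 78,000 attempts, which at one per hour is decades, but an attacker who has cloned the account and recognises 70% of the tagged friends passes roughly every other attempt and gets in within a few hours, and one who can narrow every photo to two plausible names does even better. The challenge is only as strong as the secrecy of the friend list and the tagged photos, and on a public profile they are not secret at all.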

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to identify only photos he or she has uploaded, or in which he or she appears. Ask where or when a picture was taken, and be more lenient.

  • Require the user to contact a few of his or her friends (of the user's choice) through some other channel and have them log in and confirm the user is OK (for example by giving them some kind of key to pass on).

  • Get security questions or challenges from the users in advance -- something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.

  • Make a phone call or send a text message to a phone number in the user's profile, carrying a key that unlocks the account.


Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.
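The second and fourth suggestions are, in effect, an out-of-band confirmation by people or devices the attacker does not control. What follows is an added example (not the post's or Facebook's code) of how such a trusted-contact recovery could be built on the server side: k out of n chosen friends must each hand the locked-out user a one-time code within a time window; the service stores only HMAC tags of the codes, compares them in constant time, refuses replays, and voids the attempt after a few wrong guesses. The class name, code length, window, guess limit and the `clock` hook are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_LEN = 8              # digits a friend can read out over the phone
TTL_SECONDS = 24 * 3600   # how long a recovery attempt stays open
MAX_WRONG = 5             # wrong codes before the attempt is voided


class TrustedContactRecovery:
    """k-of-n friend confirmation for a locked-out account (assumed design).

    start() issues one fresh random code per trusted contact and keeps only
    an HMAC tag of each, so a database leak does not leak usable codes.
    confirm() checks a code in constant time, spends it, and unlocks the
    account once k distinct contacts have confirmed within the window.
    """

    def __init__(self, server_key, clock=time.time):
        self._key = server_key          # secret held by the service
        self._clock = clock             # injectable for tests
        self._sessions = {}             # user -> recovery state

    def _tag(self, user, contact, code):
        msg = f"{user}\0{contact}\0{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, user, contacts, k):
        """Open a recovery attempt; returns {contact: code} for delivery."""
        if not 1 <= k <= len(set(contacts)):
            raise ValueError("k must be between 1 and the number of contacts")
        codes = {c: f"{secrets.randbelow(10**CODE_LEN):0{CODE_LEN}d}" for c in contacts}
        self._sessions[user] = {
            "k": k,
            "tags": {c: self._tag(user, c, code) for c, code in codes.items()},
            "used": set(),
            "wrong": 0,
            "expires": self._clock() + TTL_SECONDS,
        }
        return codes  # delivered out of band; the service keeps only the tags

    def confirm(self, user, contact, code):
        """Submit one contact's code. Returns 'complete', 'pending',
        'rejected', 'voided' or 'expired'."""
        s = self._sessions.get(user)
        if s is None or self._clock() > s["expires"]:
            self._sessions.pop(user, None)
            return "expired"
        expected = s["tags"].get(contact)
        # Unknown contact, replayed contact, or wrong code all count as a miss.
        ok = (expected is not None and contact not in s["used"]
              and hmac.compare_digest(expected, self._tag(user, contact, code)))
        if not ok:
            s["wrong"] += 1
            if s["wrong"] >= MAX_WRONG:        # brute force of an 8-digit code
                del self._sessions[user]       # is pointless at 5 tries per day
                return "voided"
            return "rejected"
        s["used"].add(contact)
        if len(s["used"]) >= s["k"]:
            del self._sessions[user]           # one-shot: cannot be replayed
            return "complete"
        return "pending"
```

Sending the same kind of code by text message to the registered phone number is the one-contact case (k = 1, with the phone as the contact). Note what the attacker in the post would need here: not public photos, but the cooperation of k real friends who are told, through a channel the attacker does not sit on, that the request is genuine.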

Here is Facebook's real world contact information. Call them, send them a letter, or drop by their offices:

1601 S. California Ave.
Palo Alto, CA 94304
USA
+1-650-543-4800 (Phone)

68 comments:

  1. Right. The biggest obstacle to their solution is that a lot of people don't use tags the way FB thinks they do. People use "tag" instead of "share" (don't know why, btw. Do you?)

    I agree with your suggestions. I'd correct their implementation by requiring you to identify friends in photos the user has uploaded -- or, if there are too few, to at least sort the friends according to some "closeness" criteria (e.g.: commenting on someone's post -- 2 points, liking -- 1 point, sending a message -- 3 points, etc.). That way, I'm pretty sure it would actually identify the people that you really know. But one of the additional challenges is that they need to use only public photos! Most people's photos are private.

    I think the best idea was to just use security questions, as usual. Beats me why they didn't simply go for that...
  2. They used something like that before, verifying things like birthdays and phone numbers, but these were easy to overcome. Security questions require users to set those when they sign up, which might be a problem.

  3. Just happened to me on my new work laptop - I used the "I don't know" option up on the first two and took a lucky guess on the next before I realized I could still use my mobile phone (and process of elimination) to make it through by finding the actual photos in question on FB. This is a perfect example of why clever ideas often go down in flames in the real world. My earnest desire is that the brilliant idiots that conceived this be forced to re-take this test daily until they too have experienced this special kind of hell.

  4. I tried the facebook mobile route but after I got it wrong the first time, I was locked out of Facebook on my phone too.

  5. So the same thing happened to me. I am at my parents' and out of the state. It has given me problems since Friday night; I can't bypass the friend picture route, they are of feet and stupid things. I don't know what to do. I wonder if it will recognize my own computer once I'm back in my own state? Does anyone know the answer? Or will I have to delete my whole account and start fresh with my same name but obviously a different email? My real question here is: will it still roadblock me once I'm on my normal PC?
    Thanks much, Shelby
  6. Hi Shelby. I don't have official word from facebook, but my experience is that it would still roadblock you when you're back home, at least if you've had one failed attempt.

    Before deleting your entire account I suggest creating a dummy account and using it to access some of your friends' pictures, hopefully enough to pass the roadblock. Try friending them from the new account until you can access enough pictures.

    Obviously, facebook might realize their mistake and let people access their accounts. Stay tuned.

  7. Yeah, I heard that Facebook was "easier to use" and "much better than MySpace". The thing is, I've never had any kind of problem with MySpace at all.

    I tried making a Facebook account since my friends said it's probably safer, and you know what the funny thing is? I tried making an account for the first time on Facebook and it said I already had an account. I finally did the password retrieval and as it turns out some girl halfway across the world from me that I don't know has a Facebook account with my email address. I'm thinking to myself, safer?

    I haven't even made an account yet and I can already see it has major problems. I don't know the girl, she's underage to be on Facebook, and to have my email she would have to have my password, right? That's scary. So I changed my password on my email, reported the poor Chinese or maybe Mexican girl, and started a Facebook account.

    I got onto Facebook and started putting information in, making it a bit more secure so that wouldn't happen again, and finally added some of my friends from high school. Little did I know that when I went to visit my grandparents' house and accept them as friends (since I was there and made one for each of them too) that I wouldn't be able to log in without going through a test.

    I thought, "Okay then, maybe this is just something to show that they are safe", so I did the CAPTCHA and moved on... Then something else popped up called 'FriendPhotoCaptcha'... "Alrighty then, let's do this, no one knows my friends better than me." Yeah well, I got pictures of their favorite bands, places they ate, pictures they liked, but since my friends are safe they don't really upload pictures of themselves. "Gah, hold on grandma, I can't accept you as a friend yet because I've got to call all my friends and see which ones went to this place for their birthday and whose favorite picture is the one with the cat saying Nom nom nom."

    Can you see how frustrating this can be on an average day for me? It turned my visit to my grandparents' house into nonstop calling to all my friends. After a while I gave up and I no longer use Facebook because I don't think it's worth making another email just to have to do it all over again. I'm going to stick with MySpace and maybe Facebook can be more reasonable in their desperate attempt at a secure site.

    There's no way I'm telling people Facebook is safer than any other site on the internet unless they figure out how to work things out. I've never had a reason to complain about a site in my life and it's crazy that the one I do find a reason to complain about is supposed to be "easier". My friends have all suffered through this same problem now and are pretty much boycotting Facebook until they have their accounts back. Let this be a warning to anyone who tries to make a Facebook account for the first time.
  8. I hate this dumb security thing too. I am currently travelling overseas, and had the same questionnaire pop up.

    Although I am able to recognise all the people in use for the photo matchup, every time I select a name and click *go to the next picture* it instantly tells me that I am wrong or something of the sort.

    Then I have to wait an hour for the next round!

    Moreover, I am unable to contact Facebook support because - well, I CAN'T LOG IN and Facebook doesn't HAVE an email support system.

    Pretty pissed off.
  9. Jai, I am in the same boat. Let me know if you sort the problem. I get locked out as soon as the select-a-name page appears.
  10. Trying to log into Facebook... I know all the people in the pictures, it just doesn't give me enough time. The pictures FLASH and then it tells me to come back in an hour.
    I read that someone else was having the same problem. How can we slow the pictures down to give enough time to correctly identify the picture?
    So frustrating...
  11. I have been trying to get back on Facebook for over a week; nearly every day I have tried, to no avail. I went out of town and tried to check my Facebook from another computer and that's when it all started. Then I couldn't even sign in from my normal laptop that I always use it on, and can't even sign in now that I'm back home.

    I wish I knew what to do. I emailed info@facebook.com and of course they said they don't help people there anymore and sent me to the "help center"; however, there is nothing in there about what to do if you get kicked out of the photo security screen before you even have a chance to identify your friends.

    I think they are going to lose a lot of people by this; instead of just keeping away the hackers, they will lose those of us that aren't rats and refuse to keep spinning in this wheel that's going nowhere.
  12. Thanks for this tip!

    A friend came over for some holidays and his FB account got blocked.
    Thanks to this tutorial we managed to get into his account. Thanks for sharing!

    What a stupid way of "securing" an account. It's very user-unfriendly and impossible!!!!
  13. I do not know who did this and got into my Facebook site but it is ridiculous what is going on. Last Monday we had a lightning storm here and my computer had to be taken in to get fixed. Last Thursday, August 5th, I got it back and I was blocked. I have a lot of friends too and don't recognize half of them. A lot of them sent me friend requests so they could get the neighbors they needed. It is not right; Facebook should be asking me questions about me, security questions like Pogo has on it. I have been trying for 24 hours so far and no luck. I cannot get past those stupid pictures. I have 7 family members on Facebook and 2 really close friends right here in town, why don't they just put their pictures on there? This is not right, but I am not giving up. Actually this is not security for us, it is a way for Facebook to steal our site from us and it is wrong!!!!! It is very user-unfriendly and impossible!!!!!!!!!!!!!!!!
  14. Could someone pls help me?

    The same thing happened to me today, but on reaching step 2 (i.e. FriendPhotoCaptcha) and after identifying just one friend it immediately redirects to a page saying "Your answers were not accurate enough. User did not identify enough friends correctly in 'FriendPhotoCaptcha'".

    This is really annoying and I just don't know what to do anymore. The FB help centre is absolutely no HELP!!!
  15. Please can anyone advise me how to get past this? It is now three weeks since returning from holiday, when I first encountered this security feature, and I still cannot access my account despite emailing Facebook on several occasions. I admit I added a large number of friends only to play MobWars online, so it is impossible for me to identify many of the photos. Has anyone actually ever received any reply to help requests from Facebook?

    Also, if it comes to it, how would I delete my account so I can set up a new one? Thanks!
  16. Every game on Facebook that I have encountered requires friends. A lot of my friends I don't even know, because of the fact you get a request from them so they can get the neighbors they need, and I never go into anyone's pictures; I'm not actually interested in pictures, or I would be into photography. This is not security, it is very annoying and a very unfair practice that Facebook is doing. It is not right. I have 7 family members on here and 4 friends that I know really well. PUT THEM ON HERE. Between Clinton, Dubuque and Maquoketa, Iowa. Facebook should wake up and realize this is highly unfair, what they have going. You can email them but they never answer you back. We figured out that where I got my computer fixed last week did the hacking, had to have, because I never had this problem before that. It is not right, FACEBOOK WAKE UP, LET ME HAVE MY SITE BACK!!!!!!!!!!!!!!!!!! The only thing Facebook is doing is helping HACKERS.
  17. I have the same problem. Does anyone have a solution to this?
    If yes, please email me. Thanks.
  18. Maybe free users cannot use Facebook.
  19. Worst thing about it for me is that many of my friends like to post tags for people on random pictures of blank areas of colour or on the wrong people just for a laugh so I really have no chance.

  20. I have multiple accounts ONLY for games; all accounts have hundreds of friends whom I don't know. I'd be lucky to recognize a couple, let alone 7 random photos from thousands. I was lucky to guess 3 of my accounts, so why can't a hacker do the same thing?
    Completely useless security feature. My advice: don't access your account from any other computer unless you only have 1 or 2 friends, or FB will &@*$ you.
    VERY PISSED as I still don't have access to the other accounts!!!
  21. None of this works here.

    I tried logging in from my new BlackBerry phone and the Facebook login said it did not recognize where I was accessing from. Then when I tried to log in to Facebook from a computer, it took me through some security questions to identify pics tagged by friends, but I cannot, as I have over 2,500 friends who joined for the Mafia Wars game. Some of the pics are, like, a basket of flowers. That's just stupid, and I cannot answer the 7 questions correctly. I have searched high and low and even clicked on Change my password, which sent a new password to my e-mail, but now I can't even access Facebook from the BlackBerry because it says invalid login/password. I am frustrated beyond belief, and cannot possibly start over building a new account. I sent an e-mail to what appears to be some kind of support desk, but the reply to my e-mail stated they cannot look at all questions and would try to solve user problems that are common. Basically, an automated non-response e-mail.
    Please help me get the security question prompts removed from my login so I can access my account. Please help!!!

    Facebook does everything in its power to encourage and reward users for adding more friends in games within the site, but puts this impossible step in place, with absolutely no way around the problem. I guess this is the end for my Facebook.com experience. Unless they can remove this ridiculous bullcrap.
  22. By some bit of luck I managed to guess the five photos they gave me the other day and finally got back in!

    Here is the kicker, a few hours after getting back in I received a reply from Facebook privacy to my five emails regarding this problem. This stated that their records showed that my account was unlocked and there should be no problem!

    Unbelievable

  23. I still don't know how I got in... after 10 days. This calls for a class action lawsuit from those who pay for apps and for our time/effort lost to service denial. This can be considered random discrimination... or intentional. What about the visually impaired?
  24. 1. Only use Google Chrome
    2. Check your internet provider
    3. Check your IP, because ONLY with a "Suspected Network device" can you log in successfully from anywhere in the world... cheers...
  25. I didn't have this problem. I barely use Facebook. BUT an easy solution would be:
    1. Take the Facebook cookie on a disk-on-key and put it in the other browser when you are away with another laptop.

    2. Besides, their "security crap", who are they kidding? Login is done via HTTP and not HTTPS, so what is this crap?

    3. How do they know it's from a different location? By hostname or GeoIP location? If the latter, try this:
    http://www.broll.at/2010/01/disable_geo_ip_in_firefox/

    Unfortunately, GeoIP is enabled by default.
  26. shiela encinas, 28 April 2011, 19:03

    My Facebook has roadblocks. Can you help me to open my Facebook?