All that is wrong with the world…

March 25, 2010

Facebook’s security check is anything but.

Filed under: Security, Tech — allthatiswrong @ 10:31 pm

When logging into Facebook from a different location, a security check will come up with an alert asking you to identify yourself. I tend to travel around a lot, and so this is very annoying. I use Facebook quite infrequently; I can only imagine how annoying it would be for those who travel and use the site daily. What’s worse is that a different location is not necessarily a different city or even country, but can just be a different computer. For example, if you log in at an internet café 10 minutes from your house for whatever reason, the warning will come up. This also adds to Facebook’s poor history of privacy, as for this check to work they must be maintaining a record of all the locations you use Facebook from. Logfiles are one thing, but actively maintaining a record of your location history for commercial gain is something else.

The fact that an account is signing on from a different location is in no way an indication of malicious activity. I don’t really understand the moronic reasoning that could have thought this was a good idea. Perhaps if the account was active in two different locales within a reasonable time difference, but simply from a different location? As stupid as the security check may be in the first place, it is made worse in that it is not effective in any way. The only information it asks you to enter to authenticate yourself is your birthday, information that most people on Facebook make publicly available without a second thought. Even if they don’t, it’s not exactly the hardest info to find out. Why not ask the user to re-enter their password, which would help protect against many types of session stealing attacks, or to confirm the location they last logged in from? At least something that wasn’t entirely security theater, because at present it accomplishes nothing and is just a frustration.
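The distinction drawn above, between a merely different location and one account active in two distant locales within a short time, can be expressed as a speed check over login events. This is an added example, not part of the original post and not Facebook's code; the event format, the coordinates (assumed to come from coarse IP geolocation) and both thresholds are assumptions.

```python
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed
MIN_KM = 100.0   # assumed: ignore short hops and geolocation jitter


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def implausible_logins(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (account, earlier_ts, later_ts) for physically implausible pairs.

    events: iterable of (account, unix_time, (lat, lon)), in any order.
    """
    last = {}
    flagged = []
    for account, ts, pos in sorted(events, key=lambda e: (e[0], e[1])):
        prev = last.get(account)
        if prev is not None:
            hours = max((ts - prev[0]) / 3600.0, 1e-6)  # avoid divide-by-zero
            km = km_between(prev[1], pos)
            if km >= min_km and km / hours > max_kmh:
                flagged.append((account, prev[0], ts))
        last[account] = (ts, pos)
    return flagged


# Constructed sample events (not real data)
SAMPLE = [
    ("alice", 0, (-33.87, 151.21)),     # home
    ("alice", 600, (-33.88, 151.20)),   # internet cafe 10 minutes away
    ("alice", 4200, (51.51, -0.13)),    # other side of the world, 1 hour later
    ("bob", 0, (48.86, 2.35)),          # Paris
    ("bob", 86400, (40.71, -74.01)),    # New York a day later: plausible flight
]

if __name__ == "__main__":
    print(implausible_logins(SAMPLE))
```

Only the third event for the constructed account "alice" is flagged; the nearby café login and the next-day transatlantic login pass without a challenge.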

What if the attacker doesn’t know your birthday, or you used a fake birthday to sign up and don’t remember what it was? In this case Facebook will send out a security code to one of your registered email addresses. This also allows for a breach of privacy, in that all email addresses will be exposed here, regardless of whether they are marked as private or not. If the attacker does not have access to one of these email accounts then this might work OK. However, even this security check is flawed, as it never changes, i.e. every time that you fail to correctly enter your birthday, the exact same security code will be emailed out! This means you only need one million attempts to successfully brute force this code. This would take several days, but for someone who doesn’t use their Facebook account that often it would allow for it to be cracked. I have not investigated too deeply, but Facebook does not seem to have any preventative measures against brute forcing this security check.
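For contrast with the behaviour described above, here is a defensive sketch of an e-mailed code that changes on every send, expires, and allows only a handful of guesses. It is an added example, not part of the original post and not Facebook's code; the class name, the limits and the six-digit length (the one-million-value space the post implies) are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 600     # assumed: seconds an issued code stays valid
MAX_ATTEMPTS = 5   # assumed: guesses allowed against one issued code
MAX_ISSUES = 3     # assumed: codes that may be sent before manual review


class EmailCodeChallenge:
    """Hypothetical per-account state for an e-mailed verification code."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._code = None
        self._expires = 0.0
        self._attempts = 0
        self._issued = 0

    def issue(self):
        """Return a fresh code for the mailer, or None once resends run out."""
        if self._issued >= MAX_ISSUES:
            return None
        self._issued += 1
        self._attempts = 0
        self._expires = self._clock() + CODE_TTL
        # New random value on every send, so earlier guesses are worthless.
        self._code = f"{secrets.randbelow(10**6):06d}"
        return self._code

    def verify(self, guess):
        """True only for the live code, inside its TTL and attempt budget."""
        if self._code is None or self._clock() > self._expires:
            self._code = None
            return False
        self._attempts += 1
        ok = hmac.compare_digest(guess.encode(), self._code.encode())
        if ok or self._attempts >= MAX_ATTEMPTS:
            self._code = None  # single use; burned after too many misses
        return ok


def guess_budget():
    """Most guesses an attacker ever gets per account under these limits."""
    return MAX_ISSUES * MAX_ATTEMPTS
```

Under these assumed limits an attacker gets at most 15 guesses against a space of 1,000,000, instead of unlimited guesses against one fixed value.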

I find it hard to believe the Facebook developers could be this stupid. It seems much more likely that this “Security Check” is actually a measure to make sure their location information for users is accurate, disguised as security theater. Then again, never attribute to malice that which can be adequately explained by stupidity.


42 Comments »

  1. That’s really annoying, I’m on holidays and I wasn’t able to log in, it displays security check to enter two words in the box, but there are no words, it just says loading and never changes…

    Comment by laura — May 3, 2010 @ 3:11 pm

  2. I’m away for a week and am absolutely pissed off that FB wants to send me a confirmation text message. I wouldn’t mind, because maybe after agreeing it would be a cinch to get online, but it’s my old cell phone number that they have. Nice.

    Comment by cassie — June 28, 2010 @ 10:23 am

  3. [...] Facebook’s security check is anything but. « All that is wrong … [...]

    Pingback by phone check – YouTube – Paul sings Nessun Dorma high quality video/sound … — July 6, 2010 @ 6:46 pm

  4. I’m also facing the same problem as said by the person in the 1st comment… if FB doesn’t have a proper system to carry on the process then why do they have an automatic check like that… for the past week it is in the same step saying “loading”.. I don’t know when I will be able to log in to my FB a/c…….

    Comment by padma — October 19, 2010 @ 3:33 am

  5. My password is right but also my Facebook page does not open

    Comment by asma — November 9, 2010 @ 7:08 am

  6. I got this notification this morning. Someone on the other side of the country tried to get into my account.
    I have no problem at all with this security check.

    Comment by Leah — November 26, 2010 @ 12:18 pm

  7. I agree Leah. Definitely better to do something than nothing. But…. if they could get into my FB account, then they would most likely have the access to the answers to the security questions. The picture identity is a little ridiculous but I don’t understand why others on other sites are so upset about it. You have many other options! My problem is remembering all these different passwords I have to change so often!

    Comment by Carolynn — December 1, 2010 @ 12:14 pm

    • Hey, I’m having the same problem as you lot, it just says LOADING and will not change ………. Someone help please as me and my mate need an account…..
      Thanx love ay all coco xxoxoxoxoxo

      Comment by coco — May 12, 2011 @ 10:29 am

  8. Hi, I am struggling with trying to put a security number in the text box to sign up on Facebook because the number is still loading and I’ve been waiting for 10 mins…

    Comment by Jessie — December 26, 2010 @ 11:21 pm

  9. It tells me to enter both words below when it’s just saying loading and never changes….

    Comment by Quinton — February 10, 2011 @ 5:21 pm

  10. how long does it last until facebook is letting me get on my page again?

    Comment by Josh- — April 18, 2011 @ 3:51 pm

    • I run a page too. I have over 16k likes and even though I’m not the main or only admin, I still have a lot of fans and I don’t want to let them down.

      Comment by sarah — January 28, 2013 @ 12:46 pm

  11. When I went to FB I got a confirmation page. So I closed it and then went back to FB. No confirmation page. It makes me mighty suspicious.

    Comment by SteveInMontana — May 15, 2011 @ 12:21 pm

  12. It won’t let me take the test

    Comment by tristin whitehead — July 17, 2011 @ 9:19 am

  13. Ugh. Cleared cookies now am waiting for a security code to be sent to my phone… locked out of Facebook on my own computer, in the exact same location.

    Comment by Tanya — July 28, 2011 @ 12:37 am

  14. Me too! Sux! I have no mobile phone, so I used my home phone number and received a confirmation code on the message phone. Tried to get back to use the confirmation code and re-entered the same phone number to get the box to type in confirmation code and now that code doesn’t work because Facebook redialed the home line with a different code. Friggin catch-22. The alternative is to scan in an ID… I don’t think so.

    Comment by david hiller — August 2, 2011 @ 2:10 pm

  15. What should I do? There is a security check on my account. The number I entered was wrong, how do I know what the code is???????? Please help me

    Comment by mikael — September 14, 2011 @ 10:48 am

  16. [...] Facebook’s security check is anything but. [...]

    Pingback by Facebook Security Check – the facebook captcha – does it make sense? « Short observations about what's going on — September 19, 2011 @ 6:31 am

  17. I couldn’t log in to Facebook, they wanted me to prove who I was by entering my phone number, so I did. They were to send me a text with a security code, but never did. The next day I tried again to log in, a pop-up appeared stating that a text was sent to a number that was close to mine but not mine. Now when I try to log in it says I am attempting to receive code too often in a short time!! I think you have to wait 24 hours, not sure. Also how do I get them to acknowledge my correct number? Someone help me because pissy Facebook won’t. UNLIKE!! :(

    Comment by kathy french — November 14, 2011 @ 12:45 pm

  18. Facebook won’t let me log in without entering a code that was sent to my phone but they are sending the code to my old number and I can’t go in and change it to my new number because I can’t get on Facebook. Anyone know how to get around this?

    Comment by Holly Halbisen — December 1, 2011 @ 10:03 am

  19. What the f**k, it doesn’t work

    Comment by Jeremy — December 5, 2011 @ 3:00 pm

  20. Hey guys, go here and check, they allow you to upload a photo of some government issued ID for verification.
    http://www.facebook.com/help/contact.php?show_form=login_password_bug

    Comment by pks — December 14, 2011 @ 5:24 am

  21. Sent me a code

    Comment by Gaurav bindra — December 29, 2011 @ 12:54 pm

  22. FUCK YOU FACEBOOK SECURITY, YOU’RE NOTHING BUT A BUNCH OF LIBERAL COMMUNIST COCKSUCKERS AND I’M YOUR WORST FUCKIN NIGHTMARE, CONSIDER THAT A DIRECT THREAT!

    Comment by DUKE NUKEM — January 10, 2012 @ 9:13 pm

  23. Why would facebook need your cell phone number anyway? Are they profiling people for international security or something. I think it’s stupid to give them your number. If you order online, of course they need to know who you are, but facebook LOL! I think they are doing something shady with your information. Don’t give them the satisfaction. If you feel like you have no life without signing onto facebook, you need therapy. I’ve banned the site. I suggest others do likewise.

    Comment by lala — March 16, 2012 @ 5:29 pm

  24. OK SO GET THIS. I have been experimenting with Facebook posting today and I have been posting all day but when I tried to post an article about Obama and THEN it made me perform a security check! I went ahead and did the security check BUT it got me thinking as to WHY it would do that all of a sudden. So, then I tried to post a regular, non political link about solar flares and it went through with no security check. I posted random words and sentences and all of them posted just fine with no security check. So again I tried to post an article about Obama and it made me do the security check!!!! I tested this over and over again and every time it was partial to anything that had to do with Obama. THAT IS BULLCRAP!!! I think that the new privacy law says that if a security check is done on a website that uses that method that the government can legally access the “nature” of what subject it was. Will someone else try it to see if you get the same result?? Does anyone know the legal jargon about this??

    Comment by Yhera — March 16, 2012 @ 6:33 pm

  25. While in the middle of entering a legit promotional freebie, the login page loaded. The page asked me to complete a security check by entering my phone number. I REFUSE to do this. Since I don’t want to do this, why isn’t there an option to permanently close my account. I tried linking directly to the delete my account page but can’t access it until I login and then enter my phone number. WTH?!

    Comment by Confused — March 28, 2012 @ 4:12 pm

  26. Hello! I got the security Notification Check on Facebook. It turned out to be different from what I expected. Eventually, I got the whole of it messed up and have changed my password too many times. Now, I am confused and frustrated because I can’t Log In any more and I don’t know what to do. I don’t want the notification anymore (for now). But I need to Log In. HELP

    Comment by rachel — April 4, 2012 @ 1:45 pm

  27. I have a problem, I use 2 accounts, one personal and the other one is just for games and stuff. Thing is, when I tried to add someone it automatically signed me out saying that I first need to sign in to add that certain person. Well, of course I tried to log back in again, it said that I need to perform a security check and that I had to fill in my mobile phone #. I fill in my # but I don’t get any message to confirm to whatever step I have to face next. I already checked my number several times and tried this for several days but I can’t see what the effing problem is and it’s really starting to piss me off. I hope you’ve got a solution or any advice on what I should do to access my account. Thanks

    Comment by O. — June 19, 2012 @ 5:25 am

  28. I can’t log in to my Facebook page

    Comment by kim nguyen — September 21, 2012 @ 1:30 am

  29. I cannot log into my Facebook account

    Comment by kim nguyen — September 21, 2012 @ 1:34 am

  30. My FB account has suddenly gone into a temporary lock. And I am in the photo security check procedure. What the hell is this!
    It is impossible to identify some photos of a lot of my friends. It means the Facebook team will never open my account because there is no other option here to pass the security check. Go to hell FB.

    Comment by sanjay — November 5, 2012 @ 6:31 am

    • That’s what it wanted me to do! Over half my friends I don’t even talk to, much less know what they look like!

      Comment by sarah — January 28, 2013 @ 12:51 pm

  31. My facebook is telling me to verify with a mobile device, so I typed in my number and it said it will send me a code – which I never even got. I tried that a couple times and it gave me one other option to show them my photo i.d. (passport, licence, etc.) What if you don’t have one? I don’t, so what do I do? I don’t want to re-make my account.. Someone help please!

    Comment by Ashley — November 26, 2012 @ 11:47 am

  32. I have no phone number while you require a phone number for the security check and blocked my account, so what do I do? Could you not check through e-mail address?

    Comment by Musharaf Hussain Qumi — December 20, 2012 @ 5:36 am

  33. It showed me 3 pictures and let me choose from 6 names of my friends of who it was. I don’t even talk to over half of my friends list! I collect Breyer horses and I have like 600 friends who are mostly horse people who I randomly added and I don’t even know what they look like! So I just guessed all the answers and now I can’t go on facebook at all.

    Comment by sarah — January 28, 2013 @ 12:43 pm

  34. Security

    Comment by M.l. gameti — January 30, 2013 @ 12:32 am

