When logging into Facebook from a different location, a security check will come up with an alert asking you to identify yourself. I tend to travel around a lot, and so this is very annoying. I use Facebook quite infrequently; I can only imagine how annoying it would be for those that travel and use the site daily. What’s worse here is that a different location is not necessarily a different city or even country, but can just be a different computer. For example, if you log in at an internet café 10 minutes from your house for whatever reason, the warning will come up. This also adds to Facebook’s poor history of privacy, as for this check to work they must be maintaining a record of all the locations you use Facebook from. Logfiles are one thing, but actively maintaining a record of your location history for commercial gain is something else.
The fact that an account is signing on from a different location is in no way an indication of malicious activity. I don’t really understand the moronic reasoning that could have thought this was a good idea. Perhaps if the account was active in two different locales within a reasonable time difference, but simply from a different location? As stupid as the security check may be in the first place, it is made worse in that it is not effective in any way. The only information it asks you to enter to authenticate yourself is your birthday, information that most people on Facebook make publicly available without a second thought. Even if they don’t, it’s not exactly the hardest info to find out. Why not ask the user to re-enter their password, which would help protect against many types of session-stealing attacks, or to confirm the location they last logged in from? At least something that wasn’t entirely security theater, because at present it accomplishes nothing and is just a frustration.
What if the attacker doesn’t know your birthday, or you used a fake birthday to sign up and don’t remember what it was? In this case Facebook will send out a security code to one of your registered email addresses. This also allows for a breach of privacy, in that all email addresses will be exposed here, regardless of whether they are marked as private or not. If the attacker does not have access to one of these email accounts then this might work OK. However, even this security check is flawed, as it never changes. I.e. every time that you fail to correctly enter your birthday, the exact same security code will be emailed out! This means only one million attempts are needed to successfully brute force this code. This would take several days, but for someone who doesn’t use their Facebook account that often it would allow for it to be cracked. I have not investigated too deeply, but Facebook does not seem to have any preventative measures against brute-forcing this security check.
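To make the flaw concrete from the defender's side, here is an added example (my own illustration, not Facebook's code or anything from this post) contrasting a static emailed code with a rotating one. It assumes a 6-digit code (the one-million-guess space above), a cap of five wrong guesses, and a ten-minute lifetime; `StaticCodeCheck`, `RotatingCodeCheck` and the constants are hypothetical names.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6     # assumption: a 6-digit code, the one-million-guess space the post describes
MAX_ATTEMPTS = 5    # assumption: burn the code after this many wrong guesses
TTL_SECONDS = 600   # assumption: a code is only honoured for ten minutes

def new_code() -> str:
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"

class StaticCodeCheck:
    """The flaw as described: one code per account, never rotated, attempts unlimited."""
    def __init__(self):
        self._codes = {}

    def issue(self, account: str) -> str:
        # setdefault keeps the first code forever: the same code is re-emailed on every request
        return self._codes.setdefault(account, new_code())

    def verify(self, account: str, guess: str) -> bool:
        return self._codes.get(account) == guess  # no counter, no expiry, no single use

class RotatingCodeCheck:
    """Hardened form: fresh single-use code per request, bounded attempts, expiry,
    constant-time comparison. MAX_ATTEMPTS failures burn the code entirely."""
    def __init__(self, clock=time.monotonic):
        self._challenges = {}  # account -> {"code", "issued_at", "attempts", "spent"}
        self._clock = clock    # injectable so expiry can be exercised without sleeping

    def issue(self, account: str) -> str:
        # A new request replaces any earlier code; a real system emails it, never shows it to the browser.
        ch = {"code": new_code(), "issued_at": self._clock(), "attempts": 0, "spent": False}
        self._challenges[account] = ch
        return ch["code"]

    def verify(self, account: str, guess: str) -> bool:
        ch = self._challenges.get(account)
        if ch is None or ch["spent"] or self._clock() - ch["issued_at"] > TTL_SECONDS:
            return False
        ch["attempts"] += 1              # malformed guesses count too
        if ch["attempts"] > MAX_ATTEMPTS:
            ch["spent"] = True           # too many failures: the user must request a fresh code
            return False
        ok = guess.isascii() and hmac.compare_digest(ch["code"], guess)
        ch["spent"] = ch["spent"] or ok  # a correct code is consumed on first use
        return ok
```

With the rotating variant, a wrong guess costs the attacker one of five tries and a re-request costs them the code they were guessing against, so the million-guess walk the post describes never gets off the ground.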
I find it hard to believe the Facebook developers could be this stupid. It seems much more likely that this “Security Check” is actually a measure to make sure their location information for users is accurate, disguised as security theater. Then again, never attribute to malice that which can be adequately explained by stupidity.