Hacker News new | ask | show | jobs
by DominikR 4616 days ago
I am going to get a lot of downvotes for this but I am still curious to hear what solutions the HN community could come up with for the problem Facebook is facing:

Some of the accounts have been hacked.

You locked the accounts as a security measure.

Now you need to validate that some person is the actual owner of the account.

How would you solve this problem? (Sending a code via text message to the owners mobile device wont work in every case since old accounts didn't have to validate via phone number on registration)
10 comments
darklajid 4616 days ago
You cannot. You can only use the facts that the original account creator provided (mail address? postal address?) and nothing else.

You never had a government id to begin with. Maybe my government id doesn't match my account name (I know.. I violated the rules in that case.. Oh I am sooo bad). Maybe there are people with similar/the same name.

How would you make sure that 'government id' presenting person A is really the person that created any specific account?

If you cannot recover the account with the means you were provided during registration/normal usage, bad luck. Government ids won't help here. Ignoring the problems of 'faking' those (how can you judge that these documents are valid if you just get a crappy picture/a xerox or whatever, in lots of languages?) to do more harm than good.

link
DominikR 4615 days ago
I agree with you, in some cases the account would be absolutely unrecoverable and I am sure this happened to some users.

Still, in some cases it could be a quick solution to unlock an account. (account name matches id, no telephone number available, email validation unsafe for some reason)

link
dlss 4616 days ago
I'll take a stab at this.

Before I get in to it, we need to correct a misconception on your part: using a government ID doesn't work in every case. It turns out hackers know how to forge government ID images, and some of FB's users don't have government IDs (for instance, before I turned 16 all I had was a private school id).

With that out of the way, I think they should do what you suggested: sms verification. Email verification also works. As does postal mail. As does credit card charge. As does ACH charge. As does paypal charge. As does "send in a photo of you with a shoe on your head". As does having a user's friends vouch for them (they call their friends and ask). As do a lot of things.

Facebook should look closely at whatever attacker they are trying to lock out, and make several methods of ownership verification available. Maybe require two?

Requiring IDs just isn't a particularly good way to do it, and has bad PR effects these days.

link
DominikR 4615 days ago
I do not think that every mechanism you proposed is viable, but generally I think you nailed it with this:

> Facebook should look closely at whatever attacker they are trying to lock out, and make several methods of ownership verification available. Maybe require two?

We might already see that, at least I have been prompted to validate once via email and once via text message before.

And then there are those questions Facebook asked me about some of my friends (do you know this person, is he/she real) which are obviously related to account verification in some way.

I also agree that it isn't smart to ask for IDs after all those NSA revelations.

link
kalleboo 4615 days ago
> As does having a user's friends vouch for them (they call their friends and ask).

This is probably the most "Facebook" of the options. They already do something similar for some account lockout situations ("identify 5 photos of your friends to gain access").

link
Macha 4615 days ago
This will be made difficult by people in your friends list using photos of cartoon characters, possessions, family members, significant others etc. as their profile photos.

If they go further and use photos that people are tagged in, then it also has problems of people being tagged in photos they are not present in to get their attention.

For example, in my friends list only around 70% of people have photos of themselves as their profile picture. Boy/Girlfriends and babies are the next most common picture.

Even if you recognise the specific picture, it might not be helpful. For example, two of my friends are dating, and use the same picture with both of them in it for their Facebook profile pictures.

link
VLM 4615 days ago
"identify 5 photos of your friends to gain access"

Really? I don't use FB so I can't verify, but that sounds like an epic security hole for prankers, stalkers, ex's, and abusive spouses.

link
singold 4615 days ago
I can confirm that this happened to a friend when accesin facebook from another country.

Also I remember reading an article (from HN) where some guy hacked a facebook account (if I recall correctly) and that was one of the steps (he and the hacked one where friends and coworkers so they had lots of friends in commmon)

link
VLM 4615 days ago
Hmm, well hopefully just one of many steps and not "that's all it takes".

I'm no FB fan, but if they are using friends pictures as a CAPTCHA to verify the authenticator is a human not a automated computer, I grudgingly tip my hat in respect toward them. That would be much more elegant than the usual lame CAPTCHA.

This strikes me as it may become more of a problem as kids abandon FB and older people use it. The kid I sat next to in middle school lunchroom back when Reagan was president, and I clicked "yes" on his friend request out of guilt, well, I have no idea what the heck he looks like now. Ex-girlfriends? Well, I remember really well how she looked when she was 19, but that was a long time ago, and...

link
tempestn 4616 days ago
That shoe-on-head verification could've been an awesome PR win too. (Assuming it was presented as one option among many. Best would be to offer the choice of several of the options you suggested, as well as the government ID option.)
link
btbuildem 4615 days ago
It's not a bank account, or the controls of an ICBM.. What's the worst that will happen if you lose your FB account? You might blink a few times, snap out of the feedback look, and move on.

Of course FB wouldn't want that, but what they're doing doesn't seem to help user retention either.

link
Soarez 4616 days ago
Facebook already has a good mechanism for validating account owners which involves showing users random unlabeled photos of their friends and asking them to guess who's who.

I guess an excuse like "you got hacked" helps you get much more important information from your users.

No one is talking about how all of the sudden, a lot of accounts supposedly got "hacked".

link
DominikR 4615 days ago
How on earth could this "solution" to trick its users possibly scale to more than 1 billion active accounts?

Don't get me wrong, I absolutely believe that Facebook would like to link government IDs to each and every account if they could, but trying something like this would be the end of Facebook.

They can't be that stupid.

link
adhipg 4616 days ago
Some options:

* A video call with a Facebook agent who verifies you.

* Uploading a picture of yourself holding a card that says 'Facebook', their city and the current date or similar. The city is something that FB can verify with IP address and account profile.

Yes, these aren't 'web scale' methods but I surely hope that they aren't just using OCR to validate Government IDs.

link
DominikR 4615 days ago
I believe the picture solution could be entirely automated.

The text on the card could be read by OCR technology and Facebook already is capably of matching your face to your account.

Edit: After thinking some more about it I came to the conclusion that it would be too easy to fake such an image. Anyone with internet access and MS Paint could probably create a fake within 3 minutes.

Also - I'm not sure that it would be a good user experience.

link
tabookfaced 4615 days ago
First, I don't believe these accounts have been hacked. The most common hack is the owner left a computer with his account logged in. Eithet that or the owner tried to log from a different location than those facebook associated with the account.

Have a look at how websites which don't require real name and identities do it and there you have your answer. (Or just look at how facebook does it other than requiring ID).

link
kamjam 4615 days ago
I recently went abroad and due to a couple of issues I had to reinstall the OS on my phone (I did this during the flight). Since my Facebook app was not authorized on this phone I had to go through "extended verification" because Facebook had identified I was not logging in from my usual location. Verification involved looking at 10 or so photo's and verifying friends which they had identified. There was also the option of FB emailing a verification (I seem to recall).

The point is, they already have the means of verifying accounts without requiring mail in of government ID. If this was for a "business page" then uploading company documents etc to verify ownership, particularly in cases of dispute, makes sense but for personal accounts there really is no benefit (except to Facebook for some bizarre reason)

link
crististm 4616 days ago
Facebook's problems are their own. Why should HN community bother with their problems?

- What's wrong with secret questions?

link
DominikR 4615 days ago
> Facebook's problems are their own.

Of course.

> Why should HN community bother with their problems?

No one has to, I just like to learn something by solving problems, even when those problems are not mine.

> - What's wrong with secret questions?

Probably nothing, I just know that I have always entered garbage into secret question fields, because I knew that I'd never be able to remember the correct answer to the secret question once I needed it.

link
VLM 4615 days ago
"No one has to, I just like to learn something by solving problems, even when those problems are not mine."

I liked your answer, but its not a "facebook problem" its a problem for anyone on the internet who has users log into accounts. Probably a large fraction of HN is directly or tangentially involved with that problem.

link
jdbernard 4615 days ago
Regarding secret questions: they are basically a second set of weak passwords that tend to be impossible for a user to remember, but easier for an attacker to find out. They are often based on public information (e.g. mother's maiden name), information that is semi public (lots of people know where I went to school), or just not difficult to guess.
link
ncarroll 4616 days ago
FB has great face recognition software and multiple tagged photos of pretty much everyone who has an FB account. Show 20 photos (or 42 or however many you need to get the chances of a lucky guess small enough) and let me - click on me. Give me 2 chances and if I'm wrong both times give a link for a quick video chat with a FB rep for ID purposes.
link
kalleboo 4615 days ago
They already have an "identify 5 photos of my friends" system for some account lockout situations. But that may not be sufficient if the hacker has already had access to the account for a while (they'll have had time to scrape the user's friends list).
link
VLM 4615 days ago
Delete the accounts, obviously.

I'm not saying lock them out for all eternity or whatever, just set up new accounts.

Its not that big of a deal, and seems fairly obvious?

link
FridayWithJohn 4616 days ago
@DominikR, actually your question should not be downvoted at all as it looks like you genuinely want to know how you could solve this security problem.

First off, it is important to know that all IT systems have a scale from "weak" to "strong" in security terms. There is no 100% hacker IT proof system. Generally the more secure a system is the more of a hassle it is to use. Seeing as FB has just been accused by Snowden of handing over mass data it has on various users to the NSA, it would be very foolish for them to ask for this sort of very private data especially at this time (when a lot of people don't trust FB)

As for your question, here are some of the security workarounds FB could do instead of asking for a freaking ID (which by the way can easily be forged)

- Don't lock the account, rather suspend it for just a few days telling the user that he should reset his password

- Get a friend (that has been a friend on Facebook for ages, not just a few days) to authenticate the real user (for this to happen it is assumed he must actually contact his friend without using FB as his account is blocked.)

- A simple unique "reset your account password" URL sent to your e-mail address.

- OTP sent to your phone

Those are just some ideas I thought of in a few minutes. I'm sure there are a whole host more.

link