Facebook's Security Screening

UPDATE: Facebook explains the security procedure here. Apparently they only use photos if you have not set up another verification means. Also, I have confirmation that the photo identification is not being done for a secondary purpose.

I recently tried to sign on to Facebook from a coffee shop. I was told that I had to pass a security screening because of the "strange location." Fair enough. The actual test, however, was surprising. It consisted of a multiple-choice exam where I had to identify who was in a given picture.

A couple of things. First, some of the pictures were embarrassing. I doubt the person who uploaded them thought they would be used to screen for improper access. Think about it. Facebook is showing random private photos to people because it suspects they may not be the account holder. The photos must be private because they form the basis of a security screening.

Second, there were something like seven questions. I cannot imagine why so many would be necessary. Is Facebook trying to crowd-source the effectiveness of its tagging system à la reCAPTCHA? Who knows. [Author's note: Facebook assures me that they are not.]

I doubt anyone is hacking Facebook accounts from a coffee shop in order to sneak a peek at random photos. [Author's note: Several people have pointed out that the alternative is to simply let people in to the full account. That's true.] But recent events mean that Facebook must be like Caesar's wife: above suspicion.

Comments

The photos you see don't breach any privacy. They are photos you already have access to (and you provided your password, so showing the photos is fine).
Also there is no crowd sourcing going on, since the photos have all already been tagged in.
The reason for showing 5-7 photos is basic combinatorics. If a malicious person has your password, we want to make it nearly impossible to succeed at the test. I'll let you do the math.

Thanks for your note.
So, I disagree with your logic. If the purpose of the screening is to confirm you have permission to access the page, showing you the page is not a very good method. It's a little like showing you your credit card number as a way to determine whether you should have access to your bank account.
I'm also not thrilled that the photo I uploaded is being used in this (surprising) way. I'd rather my photos were not used to screen out potential hackers; I certainly did not upload them for this purpose.
I agree that the harm is minimal, as I said. Best,
Ryan

I assume you're sure it *was* Facebook and not some elaborate phishing site...?
wg

I hope not, WG... But I don't think so---seems like their actual security strategy.
