February 22nd, 2012 at 17:10 UTC by Ross Anderson
Facebook has a social authentication mechanism where you may be asked to recognise some of your friends from photos as part of the login process. We analysed this and found it to be vulnerable to guessing by your friends, and also to modern face-recognition systems. Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).
Second, if someone outside your circle of friends is doing a targeted attack on you, then by friending your friends they can get some access to your social circle to collect photos, which they might use in image-recognition software or even manually to pass the test.
Once this paper had been accepted to FC, we had an interesting discussion with Facebook’s security team. They told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.
This is all fair comment, but points to a deeper issue. Users thinking about Facebook security see it in terms of their own protection, and think of their ex or their rivals; Facebook also sees it in terms of its own protection, and thinks of Indonesian gangs doing industrial-scale phishing for spam. As large-scale businesses come to dominate online, the difference between “security for me” and “security for them” may get ever larger.