Facebook Beefs Up Security, Makes Captchas More Annoying

One of the Internet's necessary evils is about to get worse in the name of Facebook security.

I'm talking about Captchas, those little forms you've got to fill out when a website thinks you're a nefarious bot. We've all seen the most basic type of Captcha -- a set of scribbled words, usually nonsensical, that you must type out to prove your humanity -- but now Facebook has cooked up a different method that makes you identify friends based on their profile pictures.

The so-called "social authentication" kicks in when Facebook suspects malicious activity -- for instance, if you try to sign in from different parts of the world in the span of a couple hours. You'll then have to identify a few friends through multiple-choice questions to access your account.

"Hackers halfway across the world might know your password, but they don't know who your friends are," Alex Rice, a Facebook security engineer, writes in a blog post.

Not true. In Facebook's push to make users share more personal information, friends lists are now one of the things Facebook makes public by default. So unless you've told Facebook not to share your basic profile information with the world, a hacker could easily pull up your profile, scroll through your entire friends list and match pictures to names.

Meanwhile, this little friendship pop quiz could backfire if you're ever confronted with it. What if the Captcha asks you to identify someone you met during a college bar crawl and never purged from your friends list? And could you confidently pick all your distant relatives and elementary school pals out of a line-up? (The upside: Now you've got a reason to clean your profile of unwanted associations.)

I know I'm being alarmist here. Chances are, most users will never see one of these social Captchas, and if they do, they probably won't run into the aforementioned scenarios. But Captchas are one of the Web's biggest annoyances, and supposed advancements like these are just an acknowledgment that the current Captcha system is broken. Inevitably, this system will also fail, and we'll need even more inconveniences to prove who we are.
