Earlier today, a friend contacted me through Twitter because her Facebook account had been hacked and was spamming some of her friends. Apparently, the Two Free Southwest Airline Tickets scam is still making the rounds, and her account was among the casualties.
I’ve been through this process once before with a former coworker, so I was ready to go with the Facebook Help Center write-up on resetting your password, as well as the Identify Your Account link that lets you reset your password either with the email account on file or with the help of a friend.
For anyone who hasn’t been through the process, it’s pretty straightforward:
- Enter your identifying information
- Enter the confirmation code they send to your email
- Enter a new password
Normally, this would do the trick, but Facebook also wants you to identify the people you tagged in recent photos as an extra security measure. Here’s where it gets ugly…
The Southwest scam posts images to your profile page and tags your friends without your knowledge. When the account recovery feature presents you with these images, it asks you to confirm who you tagged in these images. The only problem is, you have no idea since you didn’t tag anyone!
You can’t view your profile at this point, since Facebook hides your compromised profile from everyone until you’ve successfully recovered your account. That means there’s no way to see the images that the spam tagged on your behalf. If you don’t answer the tagging questions correctly, not only does Facebook prohibit you from logging into your account, but it prohibits you from even trying to recover your password for the next 24 hours.
Let’s put this in perspective here. According to the Unified Compliance Framework:
- Healthcare and Life Science Guidance recommends a 15 minute lockout
- Payment Card Guidance recommends a 30 minute lockout
- DISA (Defense Information Systems Agency) recommends a 60 minute lockout
So healthcare data, credit card data, and national defense data are protected if an account is locked out for 1 hour, but Facebook thinks that pictures of what you had for breakfast and comments about your new year’s resolutions need to be protected by a 24 hour lockout? Seriously, Facebook? SERIOUSLY?
The kicker of all this is that Facebook’s password reset function expects users to view recently posted photos to determine who the user tagged. If Facebook’s logic were to look as far back as, say, three days…. just THREE DAYS… wouldn’t that be a more reasonable control than to rely on information that was just posted to a recently compromised account?
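One way to implement the control proposed above, as an added example that is not Facebook’s code or the author’s: photos posted inside an exclusion window before the compromise was reported are never used as recovery questions, and if too few older tagged photos remain, the user is routed to another recovery path instead of a challenge they cannot answer. The `Photo` type, `build_tag_challenge`, the three-day window and the sample timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Photo:
    photo_id: str
    posted_at: datetime
    tagged: Tuple[str, ...]   # people tagged in the photo


def build_tag_challenge(photos: List[Photo], report_time: datetime,
                        exclusion_window: timedelta = timedelta(days=3),
                        min_questions: int = 3) -> Optional[List[Photo]]:
    """Pick photos safe to use as 'who did you tag?' questions.

    Anything posted within `exclusion_window` of the compromise report is
    treated as possibly attacker-generated and excluded. Returns None when
    fewer than `min_questions` trusted photos exist, signalling that the
    caller should fall back to email or trusted-contact recovery rather
    than lock the user out.
    """
    cutoff = report_time - exclusion_window
    trusted = [p for p in photos if p.posted_at < cutoff and p.tagged]
    trusted.sort(key=lambda p: p.posted_at, reverse=True)  # newest first
    if len(trusted) < min_questions:
        return None
    return trusted[:min_questions]


# Constructed sample: the compromise is reported at noon on 10 Jan; two
# spam photos with bogus tags were posted that morning by the attacker.
REPORT = datetime(2012, 1, 10, 12, 0)
SAMPLE_PHOTOS = [
    Photo("spam-1", datetime(2012, 1, 10, 9, 0), ("Alice", "Bob")),
    Photo("spam-2", datetime(2012, 1, 10, 8, 30), ("Carol",)),
    Photo("legit-4", datetime(2012, 1, 1, 18, 0), ("Dave",)),
    Photo("legit-3", datetime(2011, 12, 20, 10, 0), ("Erin", "Frank")),
    Photo("legit-2", datetime(2011, 11, 5, 14, 0), ("Grace",)),
    Photo("legit-1", datetime(2011, 10, 1, 9, 0), ("Heidi",)),
]

if __name__ == "__main__":
    for p in build_tag_challenge(SAMPLE_PHOTOS, REPORT) or []:
        print(p.photo_id, p.posted_at.date(), p.tagged)
```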
I hate security controls that are so oppressive that they do more harm than good, and it looks like Facebook may be my new front-runner for the Unnecessarily Oppressive Security Controls award. If I were a Facebook shareholder, I’d be even more upset that Facebook’s security controls are keeping legitimate users locked out of their own accounts. No users = no ad revenue.