Feeds

Facebook user locked out of account even with ID

Your name's not down, you're not coming back in

Beginner's guide to SSL certificates

A Facebook user shut out of the service due to a glitch last Tuesday was locked out for a further two days even after she proved her identity.

The case of Christine C, a US-based marketing executive who asked us to withhold details of the organisation she worked for, raises wider questions about Facebook's handling of the problem.

The issue was triggered when the social network's system for detecting fake accounts went awry. The bug resulted in a sizeable but unconfirmed numbers of (seemingly all female) Facebook users being locked out of their accounts.

Exiled users were told that they were using an "inauthentic" name, and asked to send in an image from a government-issued ID card1 in order to unfreeze their account.

Christine duly submitted her picture, but was given the cold shoulder and informed that the account had been permanently suspended, via the following terse communique in a email entailed Disabled Account Appeal-ID Request and sent in the early hours of Wednesday morning.

Hi,

Fake accounts are a violation of our Statement of Rights and Responsibilities. Facebook requires users to provide their real first and last names. Impersonating anyone or anything is prohibited, as is maintaining multiple profiles on the site. Unfortunately, we will not be able to reactivate this account for any reason. This decision is final.

Thanks for your understanding,

The Facebook Team

Christine was understandably nonplussed by this response and got in touch with us after reading our article on the mix-up. "My Facebook account is legit and I only have one, so I am not managing multiple identities," she told El Reg. Christine uses the account for work reasons, using it to manage two groups, and the permanent exile of her account would have meant handing over the reins for this to a colleague.

After periodically checking whether her account had been reinstated, Christine was confronted by a different message2 suggesting she may have been the victim of a phishing attack.

Suspicious activity has been detected on your Facebook account and it has been temporarily suspended as a security precaution. It is likely that your account was compromised as a result of entering your password on a website designed to look like Facebook. This type of attack is known as phishing.

Christine told the Reg that her account was reinstated shortly after we first exchanged emails with her last week, with apologies from Facebook for the cock-up.

We apologize for the inconvenience you have experienced. Your account was disabled in error. Your account has been reactivated and you will now be able to log in.

We are yet to hear back from Facebook.

It's unclear if Christine's account was reinstated due to our intervention or as part of the wider reactivation process, which seems likely. Quite why Facebook didn't rescind account disactivations as soon as it was sure its control systems had gone awry remains unclear.

Its requests for the upload of confidential ID documents also seems like overkill; all the more so if the case of Christine is more than just an isolated case of someone getting locked out of the social network even after meeting its demands.

The experience has left Christine with a negative view of the social network.

"Facebook doesn't seem to be very good for security and I'd be reluctant to sign for any other services it offers," she said. ®

Bootnote

1Security firms, such as Sophos, have expressed reservations about uploading images of sensitive government-issued ID documents to Facebook. "Even if other data is obscured, there's still a risk [from] electronic copies of these sensitive identification documents lurking on users' hard drives for months if not years after this incident is long forgotten," it said.

2Cybercrooks unsurprisingly took advantage of the confusion caused by the suspension of multiple legitimate accounts to launch a campaign designed to trick users into open a booby-trapped message that posed as an email from Facebook support. The Asprox spam campaign was designed to spread a Trojan, as explained in a blog post by M86 Security here.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.