Hijacking Someone's Facebook Account with a Fake Passport Copy

BBC has the story. The problem is that a scan of a passport is much easier to forge than an actual passport, and easier still to steal: an image file proves only that whoever submitted it has a copy of the image. This is a truly hard problem: how do you give people the ability to get back into their accounts after they've lost their credentials, while at the same time prohibiting hackers from using the same mechanism to hijack accounts? Demanding an easy-to-forge copy of a hard-to-forge document isn't a good solution.

Posted on July 7, 2016 at 1:27 PM • 49 Comments

Comments

Lev • July 7, 2016 1:39 PM

This brings in mind the pdf of the Obama "birth certificate" that was released.

Joshua Bowman • July 7, 2016 2:08 PM

Heh, 15 years ago I shopped my scanned birth certificate and driver's license to fool some people, when I was young and dumb, and no one ever questioned it. I had no way of printing out embossed paper, let alone plastic cards with reflective ink and a hologram, but anything digital is infinitely malleable.

Of course, for any sufficiently motivated attacker, all those real-life countermeasures are easily emulated. Banks really need to get a handle on this before it becomes widespread, not after. Only verifying against the central authority's database can truly prevent this.

Joshua Bowman • July 7, 2016 2:13 PM

I just realized that you don't even need a forgery at all: Simply stealing an image of someone's passport or driver's license is more than enough to steal an account, and a number of people have them on their phone or PC for one reason or another; I know I have both, and if I did somehow get breached, they would be ripe pickings. As long as Facebook doesn't demand a Skype chat session to attempt to visually verify, can there even be a countermeasure against this?

Joe Random • July 7, 2016 2:25 PM

There ought to be "identity verification" centers across the US to solve exactly this problem. They could even have a method of proof that involves bringing in other already-verified people to vouch for your identity, which could help restore the identity of people who have lost all of their paperwork, e.g. in a fire.

Tatütata • July 7, 2016 2:42 PM

Reminds me of those counter-spammers with a lot of time on their hands who spend effort crafting vaguely authentic-looking but definitely phony IDs. These are fed to 419-scammers. Sometimes the hucksters write back to complain after they took that "ID" to a bank or some other authority.

I once got a request from a merchant to email him a scan of my credit card. It didn't sound like a very good idea on several levels. Immediately took my trade elsewhere.

Electronic ID documents, with or without biometric data, don't seem to be a solution, according at least to the criticism expressed by the German CCC (Computer Chaos Club).

The German Post service offers a paper-based authentication service. The individual whose identity must be checked presents himself at the local post office with the required credentials.

Oh, wait, I get it: Facebook will begin issuing ID cards themselves. You will become a Facebook at birth in order to become a citizen.

Chelloveck • July 7, 2016 2:43 PM

I'm really of the opinion that losing your credentials is identical to losing your account. So sorry, take better care of your things next time.

If you need to offer some form of account recovery, Andrew Smith nails it. Identification verification is the job of a notary public. Get this form notarized and we'll reset your password. What's that, you opened your account under an alias? See the previous paragraph. Anonymity or recoverability, pick one.

David Leppik • July 7, 2016 3:21 PM

The issue is that Silicon Valley doesn't want to have to involve human beings; they aren't "scalable." A notary public is a perfect* solution. So is an Apple Store employee, if you're dealing with Apple.

Notaries are cheap (between free and $5) and reliable.

*Perfect = not foolproof, but at least as good as the pre-Internet way of doing things.

Ted • July 7, 2016 3:27 PM

The IRS utilizes an identity verification service:

How It Works: You will be asked for contact information we will use to verify your identity. You will also be asked multiple-choice questions generated by an independent, secure identity assurance service. This service uses non-governmental information to create the questions that only you are likely to know. The information you give us will be checked against your records to protect you from identity theft.

Tatütata • July 7, 2016 3:46 PM

All I need to do is a rubber stamp saying "Notary Public, State of West Dakota, registered until 12/31/2016" and invent a nice squiggle to go with it.

Who's gonna check that?

If you can forge the paperwork on thousands of mortgages, and foreclose, then who will give a damn about Fess'book account?

I personally saw some pretty dodgy papers emanating from notaries public. E.g., one of these purported that some transaction between companies A and B had taken place. Except I knew for a fact that company A was long dissolved when the purported transaction took place.

There's got to be a better system.

Jacob • July 7, 2016 3:56 PM

A supposedly good and scalable solution:

When you register for a service, you are directed to a web page where you are provided with a password to be used only for credentials reset.
That PW is to be written on a piece of paper by you, never to be stored on your computer.

Recommendation: keep this piece of paper at a family member's house.
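A worked version of Jacob's scheme, added here as an example (it is not code from the post, from Jacob, or from any real service). It assumes a Python server with the standard library's scrypt available; the server stores only salted hashes, each code can be redeemed once, and the codes are formatted so they survive being copied off a sheet of paper:

```python
import hashlib
import hmac
import os
import secrets

# Added example, not code from the original post or from any real service:
# one-time recovery codes of the kind Jacob describes. The server keeps only a
# salted scrypt hash of each code; the user writes the plaintext codes down.

# Alphabet without 0/O/1/I so a code read from a sheet of paper is unambiguous.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
GROUPS, GROUP_LEN = 3, 4          # codes look like XXXX-XXXX-XXXX (12 x 5 = 60 bits)


def generate_codes(n=5):
    """Return n fresh recovery codes drawn from the OS CSPRNG."""
    codes = []
    for _ in range(n):
        chars = [secrets.choice(ALPHABET) for _ in range(GROUPS * GROUP_LEN)]
        codes.append("-".join("".join(chars[i:i + GROUP_LEN])
                              for i in range(0, len(chars), GROUP_LEN)))
    return codes


def normalize(code):
    """Strip separators and case so transcription differences don't matter."""
    return code.replace("-", "").replace(" ", "").upper()


def _digest(code, salt):
    # scrypt makes offline guessing against a stolen hash table expensive;
    # 60 bits of entropy per code is plenty when each guess costs tens of ms.
    return hashlib.scrypt(normalize(code).encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


class RecoveryCodeStore:
    """Server side: salted hashes only, each code redeemable exactly once."""

    def __init__(self):
        self._entries = []            # [salt, digest, used]

    def enroll(self, codes):
        """Replace any previous code set (re-enrolling invalidates old codes)."""
        self._entries = []
        for code in codes:
            salt = os.urandom(16)
            self._entries.append([salt, _digest(code, salt), False])

    def redeem(self, candidate):
        """True if candidate matches an unused code; that code is then burned."""
        matched = None
        for entry in self._entries:
            salt, digest, used = entry
            # Hash against every entry so response time does not reveal which
            # slot (if any) matched; compare_digest avoids byte-by-byte leaks.
            if hmac.compare_digest(_digest(candidate, salt), digest) and not used:
                matched = entry
        if matched is None:
            return False
        matched[2] = True
        return True

    def remaining(self):
        return sum(1 for entry in self._entries if not entry[2])
```

The thing this buys over a "reset password" that lives in a browser is that a breach of the server yields only slow-to-crack hashes, and a code that has been used once is dead even if someone photographed the sheet of paper afterwards.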

Anura • July 7, 2016 4:38 PM

The answer to this, like every question ever asked, is post offices. They have facilities all over the country, they know where you live (so you better not mess with them!), and could be contracted out to verify your identity in-person.

Marek Zakrzewski • July 7, 2016 5:09 PM

Simple solution: Facebook might just request a photo of a person and the passport together, maybe in different positions & angles to ensure enough that the document is real, not a scan. Some minimal quality of the photo might be required. Video also can be good.

Checkout • July 7, 2016 5:53 PM

Or just stop using Facebook.

It has long been determined Facebook is poisonous to the idea of privacy and comes with lots of dangers, including those 'facebook only' malware kits; the only reason people keep on using it is because they have nothing better to do.

Richard de Boer • July 7, 2016 6:20 PM

How about a waiting period to reset credentials, logging in with existing credentials during that time invalidates the request? (with bonus points for trying to notify the user about the request)
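Richard de Boer's delayed-reset idea, as an added example (this is not code from the post and not a description of how Facebook's recovery actually works). It assumes a Python backend, a 72-hour wait and a 24-hour grace window (both assumed values), and a `notify` callable that fans a message out to every channel the service already has for the owner. The reset token goes to whoever made the request; the cancel token goes only to the owner's existing channels, which is what makes a bogus request cancellable by the right person:

```python
import secrets

# Added example; not from the original post and not Facebook's actual mechanism.
# A reset request only takes effect after a waiting period, the owner is told
# about it on every channel the service has, and a successful login with the
# existing credentials (or an explicit rejection) during the wait cancels it.
# Clock values are passed in as integer seconds so the logic is testable.

WAIT_SECONDS = 72 * 3600     # assumed waiting period
GRACE_SECONDS = 24 * 3600    # assumed window to finish the reset after the wait


class Account:
    def __init__(self, username, password_hash, notify):
        self.username = username
        self.password_hash = password_hash   # opaque here; see verify_password()
        self.notify = notify                 # callable(message): all known channels
        self.pending = None                  # open recovery request, if any

    def verify_password(self, password):
        # Placeholder for a real check (argon2/bcrypt verify); the toy stores the
        # "hash" as the plaintext so the example runs stand-alone.
        return secrets.compare_digest(password, self.password_hash)

    def request_recovery(self, now):
        """Open (or replace) a pending reset. Returns the reset token that would
        go back to the requester; nothing changes until WAIT_SECONDS pass."""
        self.pending = {
            "token": secrets.token_urlsafe(32),          # to the requester
            "cancel_token": secrets.token_urlsafe(32),   # to the owner's channels only
            "requested_at": now,
            "cancelled": False,
        }
        self.notify(f"[{self.username}] A password reset was requested. It takes "
                    f"effect in {WAIT_SECONDS // 3600}h unless you log in or reject it "
                    f"with cancel token {self.pending['cancel_token']}.")
        return self.pending["token"]

    def login(self, password, now):
        ok = self.verify_password(password)
        if ok and self._open(now):
            # The real owner still has their credentials, so the request is bogus.
            self.pending["cancelled"] = True
            self.notify(f"[{self.username}] Pending password reset cancelled by your login.")
        return ok

    def reject_recovery(self, cancel_token, now):
        """Rejection via the cancel token that was delivered to the owner's channels."""
        if self._open(now) and secrets.compare_digest(self.pending["cancel_token"], cancel_token):
            self.pending["cancelled"] = True
            self.notify(f"[{self.username}] Pending password reset rejected.")
            return True
        return False

    def complete_recovery(self, token, new_password_hash, now):
        """Succeeds only with the right token, after the wait, before the grace expires."""
        p = self.pending
        if p is None or p["cancelled"] or not secrets.compare_digest(p["token"], token):
            return False
        ready_at = p["requested_at"] + WAIT_SECONDS
        if now < ready_at or now > ready_at + GRACE_SECONDS:
            return False
        self.password_hash = new_password_hash
        self.pending = None
        self.notify(f"[{self.username}] Password was reset via account recovery.")
        return True

    def _open(self, now):
        p = self.pending
        return (p is not None and not p["cancelled"]
                and now <= p["requested_at"] + WAIT_SECONDS + GRACE_SECONDS)
```

The caveat a practitioner would add: this only helps when the owner still has working credentials or still receives notifications. If the attacker already controls the e-mail address on file, the delay is just a delay, which is why the notification has to fan out to every channel rather than the one the requester chose.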

ianf • July 7, 2016 6:24 PM

@ Marek Zakrzewski is dying for a job at Zuck's.

“Simple solution: Facebook might just request a photo of a person and the passport together, maybe in different positions & angles to ensure enough that the document is real, not a scan. Some minimal quality of the photo might be required. Video also can be good.”

When you get in, and have been tasked with developing that double photo ID verification software, just make sure that it be capable of distinguishing between clean-shaven faces and buttocks, both in "different positions and angles." Use own visage of the cheeks, and such of your dearest, during the in-house beta-testing for speedier development phase – Zuck will love that.

Slime Mold with Mustard • July 7, 2016 6:26 PM

@ John Peterson
Actually, the Examiners of Questioned Documents that I deal with will not accept scans or copies of any sort. If you send originals to a government agency in the mail, you should have burned them to save postage. The only hope is to hand deliver them with either a box of chocolates or tickets to the game and keeping biblical patience for yourself.

@ Tatütata

Much agreed. Anything more easily forged I could not imagine and I've seen many forged stamps and seals.

ianf • July 7, 2016 6:59 PM

@ Jacob's “supposedly good and scalable "credentials reset" solution.”

Supposedly is the key here. Until proven unworkable in the next sentence.

    Remember where those PLURAL (I take it) written down services recovery passwords are stored "at a family member's house;" make sure they won't be cleared out during spring cleaning as the pieces of unintelligible gibberish that they are; ensure never ever to fall out with that family member; acquire a family in the first place and then within reasonable recovery-walking distance and a standing welcome to deposit ever newer cryptic pieces of paper.

Next better password mousetrap idea please.

Vaughn • July 7, 2016 7:08 PM

FB is a social network. How about utilizing that network to verify the account owner is in fact attempting to regain access, probably giving more credibility to frequent contacts and close family members?

This might take some time and require some out of band communication with people in your network, but that's the point. We aren't talking about a simple password reset, we're talking about when all other methods of regaining control fail (or weren't setup to begin with).
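One way to turn Vaughn's idea into a mechanism, added here as an example (it is not code from the post and is not Facebook's own "Trusted Contacts" feature, only a toy in the same spirit). It assumes a Python backend, a set of contacts the owner designated in advance, a k-of-n threshold, a 24-hour attempt lifetime and a 10-failure lockout (all assumed values). Each contact is issued a code bound to this one attempt, hands it to the owner out of band, and the reset is approved only when codes from k distinct contacts arrive in time:

```python
import hashlib
import hmac
import secrets

# Added example, not from the original post; a toy implementation of Vaughn's
# suggestion, not Facebook's own "Trusted Contacts" feature. Each trusted
# contact receives a one-time approval code bound to this recovery attempt and
# passes it to the owner out of band (phone call, in person). Recovery succeeds
# only when codes from k distinct contacts arrive before the attempt expires.


class SocialRecovery:
    def __init__(self, contacts, threshold, ttl_seconds=24 * 3600, max_failures=10):
        if not 1 <= threshold <= len(set(contacts)):
            raise ValueError("threshold must be between 1 and the number of contacts")
        self.contacts = set(contacts)
        self.k = threshold
        self.ttl = ttl_seconds
        self.max_failures = max_failures
        self.attempts = {}          # attempt_id -> state

    @staticmethod
    def _code(key, attempt_id, contact):
        # Code = truncated HMAC over (attempt, contact) under a per-attempt key, so
        # one contact's code is useless for another contact or another attempt.
        mac = hmac.new(key, f"{attempt_id}|{contact}".encode(), hashlib.sha256).digest()
        return mac.hex()[:10].upper()      # 40 bits; adequate only with the lockout below

    def start(self, account, now):
        """Open an attempt. Returns (attempt_id, {contact: code}). In a real service
        each code is shown only inside that contact's own logged-in session."""
        attempt_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.attempts[attempt_id] = {"account": account, "key": key, "started": now,
                                     "approved": set(), "failures": 0}
        codes = {c: self._code(key, attempt_id, c) for c in self.contacts}
        return attempt_id, codes

    def submit(self, attempt_id, contact, code, now):
        """Record one contact's approval. Repeats count once; wrong codes are counted."""
        a = self.attempts.get(attempt_id)
        if a is None or now > a["started"] + self.ttl or contact not in self.contacts:
            return False
        if a["failures"] >= self.max_failures:
            return False   # lock the attempt rather than let someone grind short codes
        expected = self._code(a["key"], attempt_id, contact)
        if not hmac.compare_digest(expected, code.strip().upper()):
            a["failures"] += 1
            return False
        a["approved"].add(contact)
        return True

    def status(self, attempt_id, now):
        a = self.attempts.get(attempt_id)
        if a is None or now > a["started"] + self.ttl:
            return "expired"
        return "approved" if len(a["approved"]) >= self.k else "pending"
```

The security-relevant property is that compromising one contact (or one contact's phone) yields exactly one approval, and an attacker must social-engineer k separate people who all know the real owner; the out-of-band handoff is the step that is hard to automate, which is the whole point Vaughn makes about it taking time.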

BOB!! • July 7, 2016 8:34 PM

I think Vaughn is spot on with the idea of using social contacts to verify identity.

But if they don't want to have you talk to your friends, they have a large database of most people's photos, and can request a new one - preferably one that someone else can't just find on the internet - "Email us a picture of yourself with your left thumb in your left ear." Facebook account verifier compares submitted photo to all of the rest of the self-portraits and if it looks like the same person, *then* asks for a video of you holding your ID that pans to you displaying both sides and the edges of your ID.

ianf • July 7, 2016 8:45 PM

Is there no limit to which Fuckfacebookies like Vaughn will NOT stoop down to in their complicity to make others Zuck's bitches for sale, just as they themselves willingly are rhetorical q.

    Vaughn rephrased for clarity: how about making those attempting to regain access wholly dependent on goodwill, whimsy, and say-so of the network-effect others among his/her "FFB friends" (not to be confused with IRL friends or, for that matter, even IRL frenemies). Because our beloved Fuckfacebook already is one giant cesspit of unobtrusive stalking, so what does it matter if we make this overt IN ONE GOOD CAUSE.

Vomit is on the menu of the day.

Ted • July 7, 2016 8:58 PM

Identity Verification Services. This is a Wikipedia article.

Trulioo anyone? from Trulioo:

Q: What are the common types of data sources used for eIDV?
A: The following data sources are commonly used for eIDV:


  • Citizen: Data sourced from either a utility or government issued database that is enhanced and updated with other source files such as public data, change of address, postal data, property data, and data pooling with other organizations.

  • Consumer: Data sourced from direct marketing campaigns.

  • Credit: The data is derived from a registered credit agency, or bureau, which manages consumer credit information on individuals with consumer credit history in that country.

  • Etc.

65535 • July 7, 2016 10:05 PM

@ Joshua Bowman

“I just realized that you don't even need a forgery at all: Simply stealing an image of someone's passport or driver's license is more than enough to steal an account… “

Yes, that is a real problem that will be difficult to solve.

@ Joe Random

“There ought to be "identity verification" centers across the US to solve exactly this problem.”

Try visiting Arizona, Texas and California and check out the number of people who have over-stayed their visas. The problem is huge – in the millions or tens of millions of people. All of these people need documents for banking, social services, and drivers’ licenses and so on.

@ Lev

“This brings in mind the pdf of the Obama "birth certificate" that was released.”

Yes, you could peel back the 4 to 8 layers and clearly see it was a reproduction. But, the problem is much more wide spread [not that I believe he was not born on USA soil].

The vast majority of “business records” including tax returns and the like are mostly in pdf format. The possibilities of theft and misuse of said pdf records is huge [they are files stored on regular PCs and the like which are not locked down]. This may explain a lot of current fraud – including voter fraud.

Worse, the UK MPs are using Microsoft 365 with pdf optional formats – and stored over the “cloud”.

Then there is Windows 10 with theoretical back-doors built in as “telemetry”. This point in history may be the "golden age" of data theft and misuse.

Julien Couvreur • July 7, 2016 10:09 PM

I wonder why physical stores and institutions (such as Apple Stores, USPS, Fedex, DMV, city hall,...) don't offer such service.
Present yourself with proper supporting evidence, and they issue a digital certificate which you can use with FB or some other online-only service.

Arclight • July 7, 2016 10:29 PM

A notary public seems like a good solution, although you could also forge the notary stamp.

I think that charging a few dollars for a complete recovery would largely solve this, as most social media accounts are only worth money in aggregate.

Marek Zakrzewski • July 8, 2016 1:17 AM

Well, if the method I proposed fails because the person does not look like on the pictures/videos and IDs, then probably another solution would be to use some backup auth channels, like sending an e-mail message or SMS with a verification code, a series of questions/answers about recent profile activities that only the legitimate user can answer... But the ultimate method, if all fail, must be confirmation from some independent authority (notary public, police, etc). But using simpler methods can make it easier in the majority of cases.

Marek Zakrzewski • July 8, 2016 1:20 AM

Video-chat with Facebook representative can also be an option. That method works for example during Microsoft certification online proctored exams.

Marek Zakrzewski • July 8, 2016 1:46 AM

Send paper letter with code to post address (not really reliable)?
Send little bank transfer to user's bank account that validates personal information (name and address), with a code in payment title? Or ask to make a little payment with credit card?

ianf • July 8, 2016 4:32 AM

@ Comrade Major

> “Physical token.”

    How about Swiss gold bar-shaped deep-frozen stool sample? Alternatively such encased in a slab of clear Plexiglas®, then Zuck could extract any applicant's identifying DNA from it just as easily as it was done with the dinosaurs' blood inside the mosquitos encased in amber in the “Jurassic Park.”


@ Marek Zakrzewski

Why not simply outsource the task of ID verification of new recruits by having them apply in person for a F2B visa at a nearest American Embassy, be it with the usual application fee waived (borne by Zuck); then subject them to the same kind of invasive interview, complete with a lie-detector test where deemed appropriate, that other applicants undergo. The one beginning with the solemn extraction of an answer to this non-trick question: “Have you ever tried, planned, or thought of assassinating the President of the United States?”

BTW. this is the wrong place for you to be spilling your v. much exploitable ID-verification ideas out in the open. Try the Ass Kissing Dept. at Fuckfacebook, personal delivery by hand to Chairman Zuck instead.

blake • July 8, 2016 4:50 AM

If Facebook - a for profit corporation - is regarded an authority on our identity in a comparable manner to the government agency responsible for issuing visas, then we are already in a Shadowrun-esque future of corporate social dominance. The existence of "Facebook official" as a relationship status further reinforces this.

If there's something so important to me that I can't handle being locked out of it, am I happy that this is provided by an entity that has such a distinction between users (who volunteer their personal data) and customers (who pay for advertising access to that data)?

Bubbo • July 8, 2016 6:10 AM

Facebook already have the solution.
All mail correspondence from Facebook to me is PGP encrypted, including password recovery emails.

Just enable it in 'security settings' and upload your public key.

Edit: (Checked the setting) At least they used to state that it included password recovery emails. Now I can only find that encryption covers notification emails.
I will have to test it with a password recovery request. Shame if they changed it without notifying.


Dave M • July 8, 2016 7:03 AM

The US Postal Service already provides and trains passport examiners who examine your documents and communicate with the US Dept of State Passport Office.

Most US citizens have ID from the state Dept of Motor Vehicles (or whatever it is called where you live). These people are already trained to examine and evaluate identity from the presented documents (although some cheating or fraud probably slips through).

Other than chipping citizens upon birth or naturalization what more can really be done?

Chris • July 8, 2016 7:22 AM

Of course this threat can be somewhat mitigated, just not cheaply, so Facebook won't fix it. Facebook just needs a presence in every major city, a shopfront where the victim can talk to an actual representative and the representative can visually check that the passport isn't just a photocopy at least. Just doing that raises the bar for abuse significantly.

Ted • July 8, 2016 7:45 AM

@Chris

"Of course this threat can be somewhat mitigated, just not cheaply, so Facebook won't fix it."

Is it a matter of cost? CNN Article, January 2016:

http://money.cnn.com/2016/01/27/technology/facebook-earnings/

"Facebook's startup days may be long gone, but no one can accuse the company of resting on its laurels.
Facebook impressed Wall Street with its latest earnings report on Wednesday, sending shares up more than 8% after hours.
The company handily beat expectations on several key metrics, including growth of new users, sales and profit.
During the last three months of 2015, Facebook brought in $5.8 billion -- growth of 52%. But it made $1.6 billion in profit -- a whopping 123% increase from a year earlier. Mobile ad revenue also saw a big jump -- it now makes up 80% of total advertising revenue, up from 69% a year earlier.
For the year, Facebook (FB, Tech30) reported sales of $17.9 billion, a 44% increase, and $3.7 billion in total profits.
Where did the growth come from? Well, not only has Facebook managed to keep adding new people to its network (there are now 1.59 billion people who use the site each month), it's actually making more money off each user at the same time..."

ianf • July 8, 2016 8:12 AM

@ Chris […] “Fuckfacebook just needs a presence in every major city, a shopfront where the victim can talk to an actual representative” […]

Yes, pleeeeeeze, bring it on. Ever since the USIA Library (CIAs favourite place for initial talent spotting) disappeared from the capital 25 or so years ago, we've been missing a clear target to deface its storefront windows, and a gathering point to canvass would-be visitors on their way in. Just like the near-perpetual strikers on the sidewalk in front of MOMA in New York trying to talk artsy tourists out from entering the legendary premises. But a Fuckfacebook STOREFRONT with a live faux-hipster representative inside?

Willkommen, Bienvenue, Welcome—and have we got some IRL distractions coming down your way to spice up your day.

ianf • July 8, 2016 8:45 AM

@ Dave M […] “Other than chipping citizens upon birth or naturalization what more can really be done?

Well, there's this hitherto unexplored possibility of mass-tattooing a square inch QR (or other high redundancy) code on everybody's foreheads, to be scanned from a distance by strategically placed networked mesh cameras. People seem more tolerant of tattoos, than of being chipped, as were they the dogs that they are.

Tatütata • July 8, 2016 9:23 AM

@Dave M:

The US Postal Service already provides and trains passport examiners who examine your documents and communicate with the US Dept of State Passport Office.

Trained like, you mean, East German border control?

They had an extremely methodical way of verifying your identity by going through a predefined check list, glancing back and forth between your ID document for comparing each individual feature of your face. Eyes, hair, ears, mouth, nose, or something of the sort. I was impressed as it was obvious to me that this was the result of deliberate training.

On trains, the overall procedure was quite standardised. They entered the sleeper compartment at night, turned on the light, and started controlling from top to bottom, right to left IIRC. They had a little suitcase-office strapped around their shoulders opening outwardly from their chests, containing rubber stamps, visas, etc. They also flipped through their wanted list for each and every individual passenger, no matter how unlikely it was that the individual was on it.

I never saw anything close to that again after 1990. US border controls may be rude and suspicious, but nowhere as systematic as the GDR ones.

Dave M • July 8, 2016 9:53 AM

@ianf:

I was assuming that tattoos (QR, bar code, etc) are too static to be considered secure, especially if they are scanned without supervision. A chip could be made to authenticate with a challenge/response protocol, for example, so it seems more useful for scanning wherever and whenever needed.

FYI - tattoos were, and still are, used for identification of dogs. I don't know when the present practice of tattooing in the right ear started, but von Stephanitz mentions tattooing on the inner thigh in his 1921 book, Der deutsche Schäferhund in Wort und Bild.

@Tatütata:

No. The USPS examiners review documents in person at post offices (not border checkpoints) and complete passport application paperwork to be sent to the US Dept of State.

Z.Lozinski • July 8, 2016 9:59 AM

@Tatütata
> All I need to do is a rubber stamp saying "Notary Public, State of West Dakota, registered until 12/31/2016" and invent a nice squiggle to go with it.

> Who's gonna check that?

There is an international (printed) register of the seals of Notaries Public. You only get to add your seal to the register if you are legally recognised as a notary in the country in which you practice. Those bodies that care about notarised documents check the seal against the register.

Source: I once had to use the service of a Notary Public as part of the procedure for probate in another country. I asked a similar question to yours, and the Notary explained that they have had several hundred years to think about that one.

http://www.thenotariessociety.org.uk/what-is-a-notary

albert • July 8, 2016 4:22 PM

Thanks to all who have provided their wack-a-mole FB Security Crisis solutions. I don't give a RSA about FB and others of their ilk. They started as a narcissistic fad, and (due to the ignorance of the general public) started to be taken seriously.

They are the very last places to look for security solutions. These 'issues' trivialize the very real problems associated with online identification and ID theft.

The Internet has become a Vast Wasteland, undoubtedly surpassing even television. Computer security is a roll of the dice. Ya gotta weight 'em as much as possible by reducing your exposure, starting with 'social media' sites.

What ever happened to -real life-?

There's e-this and e-that, but e-everything just ain't where it's at.

. .. . .. --- ....

Green Squirrel • July 11, 2016 7:13 AM

It's interesting how many people here have suggested an off-line verification check (such as a notary) which doesn't actually solve the problem.

Seems to me that Bruce is 100% correct when he says "this is a truly hard problem".

Even the Notaries register isn't a solution - as you still have to have access to the register to check the notary is real, you have to verify that the comms have really come from the notary and you have to rely on whatever information the person has provided the notary is legitimate. A quick check on the TWO notaries within 20 miles of my post code indicates both will accept scanned copies of a birth certificate as proving I am who I say I am. This hardly solves the scan problem, does it?

Trust is really hard.

Marcos Malo • July 11, 2016 8:14 AM

@ianf

Next better password mousetrap idea please.

Your ID is based on the DNA signature of a chipped and tattooed pet mouse (3-factor verification FTW!!!!1). If you lose your password (your mouse literally gets loose), you would then literally employ a mousetrap. A better mousetrap you mention would presumably be a non-lethal one so you wouldn't have to go to a government certified pet store and apply for a new mouse.

The vulnerability here is if someone clones your ID mouse. Mitigation might involve keeping the mouse securely locked up in a cage only openable with the DNA signature of a chipped and tattooed pet cat. And so on.

Chase Johnson • July 11, 2016 3:04 PM

Facebook is just a communication system. It has many flaws, of which heavy users are often acutely aware, but its advantages presently outweigh those flaws for said users. For people who need or want to communicate with large groups of people easily in a collaborative setting with some degree of control over who can and who cannot participate or see the communication, there's really no other solution. The reduction in IT budget necessary to create and run such a forum (to $0 including the sum-total value of IT experience and education of all participants) makes Facebook very powerful for organizers of all kinds.

If you have no need or desire of organizing or communicating with large groups of other people, then Facebook may seem pointless. Not everyone shares your needs, however, and so it is quite unnecessary to cast Facebook users as narcissistic ignoramuses. In point of fact, the people I interact with on Facebook are unusually well-educated and empathetic.

Olli • July 13, 2016 8:23 AM

In Finland the job of securely identifying people online has fallen to the banks and it works really well (except of course that you have to pay the banks to be able to identify users). If you want to log in to a service that needs to really know who you are (e.g. to file your taxes online), they redirect you to your online bank, you log in there and the bank sends your information (name and social security number) to the service.

The bank credentials are secure enough to handle your money, so they should be secure enough to log in somewhere or reset the password if it was forgotten.

Freezing_in_Brazil • July 13, 2016 9:49 AM

@Chase Johnson

For people who need or want to communicate with large groups of people easily in a collaborative setting with some degree of control over who can and who cannot participate or see the communication, there's really no other solution.

Of course there is. It is open source and ships with many features that are better than Facebook [the wysiwyg text editor for starters].

Meet Elgg, a Facebook to call your own. My customers are not complaining.

Comrade Major • July 15, 2016 2:30 AM

@ianf
USB hasp key with some authentication protocol. Maybe implemented as federal program.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.