When it comes to Facebook and data protection, people like to think of the wolf in sheep’s clothing. Facebook comes across as cute and innocent, telling us how important our data is and that it will take good care of it, only for us to find out that our data has ended up with a third party.
The best example of this is the scandal in 2018, in which data from about 87 million users was illegally shared with the British data analysis company Cambridge Analytica. That this data was potentially used to influence the Brexit campaign and the Trump election campaign is a whole other issue.
The Basic Data Protection Regulation, which came into force in May 2018 and on which we have already reported in relation to security gaps, compelled Facebook to prepare accordingly, as announced on Facebook Business.
They promised transparency, control and accountability. But what does this actually mean for private users? We stumbled across the topic because we tried to create a new fake account for our hacking scenarios. The first thing we noticed was:
Facebook security should now be better
To verify that the new user is a real person, we had to upload a photo of the new user. So we did. Since we didn’t want to use our own faces for it, we simply generated one. In the past, this would not have been a problem. Today it has become more complicated, because Facebook requires that you upload a second high-quality photo.
So we had another photo generated in the hope that it would look similar enough to the first one. Then we had to be patient, because Facebook checked the photos – apparently not by AI, but by real employees. Of course, a few days later we were denied a registration.
And what if I want to separate Facebook for private and business purposes?
We also tested that, and I volunteered as the guinea pig. Our plan: I, who already have a private Facebook account, would try to create a second one for business purposes, of course using a different email address but my full name.
The first hurdle was my last name, which was considered “fake”. Three words that make up one last name? Apparently that is too much for Facebook’s AI. The solution: I was asked to upload a valid ID and send it to Facebook to verify my identity.
Facebook also indicated that it wished to keep the ID I uploaded in its system for a year to better recognize fake IDs. Of course, you do not have to allow this and can delete the ID from the system in the identity settings (this is only possible after you log in, so nobody really knows what happens to the ID if you are rejected…).
Or so I thought. When I first tried to log in, I was of course asked to upload two photos of myself to prove that I really exist. After several days I still hadn’t received an email from Facebook on the subject, so I tried to log in again.
As expected, they promptly pointed out to me that my account was disabled. The Help Center explained what the reasons for this might be, such as the fact that having multiple Facebook accounts is not allowed… I can’t say whether this was actually the reason why I was ultimately denied my business Facebook account, but it seems obvious.
Does that mean Facebook is safe?
Nevertheless, the question remains: how far may a platform go to verify that a user is a real person? We are critical of uploading IDs. Transmitting sensitive data such as your full name, date of birth and place of birth to a scandal-ridden giant like Facebook is and remains not only questionable, but also insecure.
But that’s not all! Just imagine the following: the maiden name of married women is often printed on IDs. And who doesn’t know the popular security question: “What is your mother’s maiden name?”… a perfect tidbit of information for cyber criminals.
What if I want to delete my Facebook account now?
This question is not only frequently asked during live hacking and awareness shows. Via e-mail and social networks, we are also regularly confronted with platforms where it is not obvious at first glance whether deletion is possible at all. And even if it is possible, that does not mean the function is easy to find. For this reason, we at AWARE7 maintain a permanently updated list at cyberpflege.de with information on whether, and if so how difficult it is, to unsubscribe from various websites.