Mark Raddatz

Why Facebook is logging your IP address

I use Facebook from quite different places, mostly at home or at the office while waiting for another compiler run. Today I signed in as usual to see my friends' recent activities, but this time I was stopped by a page I had not seen before. A "You are signing in from an unfamiliar location. For your security, please verify your account." screen appeared after I entered my username and password.

Facebook security check after login

At first I was confused by this page, but I soon realized that it is a great idea. Today I logged in from a location where I had not used Facebook before. They noticed this too and showed me this warning, because it is likely to prevent others from accessing my account. Someone could have captured my password with a phishing website, and this is a good way to raise the bar one more time against stealing my identity or getting a glance at my private data. But even if somebody has access to your account, you should never offer too much private information on any social network or website you use.

In order to log in successfully I have to confirm my birthday. This would be a problem if you used a fake one during the registration process, which is easy to forget afterwards. Fortunately I know when I was born, but I am curious what would happen if I intentionally enter a wrong birthday.

Facebook security check after login

Facebook shows me another page which looks similar to the one you can see above, asking me to confirm my email address by entering a security code. I started to ask myself how Facebook's implementation might look and how I could build this security check into a future web project. And then I realized something interesting.

The statement "You are signing in from an unfamiliar location." can only be made if they know some history about me. In this case they need to store the IP address and the date of the last login. But not just the last one: they need a reasonable number of logins, because they have to work out the places from which I have most recently been using Facebook. Saving my IP address on every login would probably be too much. If you are at home, it is quite likely that you use a dynamic IP from a pool of addresses issued by your local internet service provider, which is shared with other customers of the same ISP. In that case Facebook would have to ask me to confirm my birthday every day, because every day I would get a new address. In my implementation I would log only the last part of a user's hostname to find the location. I can imagine that Facebook does something similar. If your neighbor tries to get access to your account and is also using the same ISP, this protection will not work for you.
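To make the approach sketched above concrete, here is an added example (my own code, not Facebook's implementation and not part of the original post): the location key is the tail of the reverse-DNS hostname rather than the full IP, a short per-user history of keys is kept, and a login from an unseen key is challenged. `HISTORY_SIZE`, the class and function names and every hostname are assumptions; the hostnames are constructed placeholders, and in a real deployment the hostname would come from a reverse lookup of the client IP.

```python
"""Unfamiliar-location check for logins, keyed on a coarse network location.

Added example, not Facebook's implementation.  It follows the idea in the
post: rather than storing every (dynamic) IP address, store a stable tail of
the user's reverse-DNS hostname, keep a short per-user history, and challenge
a login whose location key has not been seen before.  HISTORY_SIZE, the
class and function names and all hostnames below are assumptions.
"""
from collections import deque
from datetime import datetime
from typing import Deque, Dict, Optional, Tuple

HISTORY_SIZE = 20  # assumption: recent logins remembered per user


def location_key(hostname: str, labels: int = 2) -> str:
    """Reduce a reverse-DNS hostname to its last `labels` DNS labels,
    e.g. 'p1234.dip0.example-isp.net' -> 'example-isp.net', so that every
    address from the same ISP pool maps to the same key.  In a real deployment
    the hostname would come from socket.gethostbyaddr(ip); here it is passed
    in so the example runs offline."""
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


class LoginHistory:
    """Per-user ring buffer of (location_key, timestamp) for recent logins."""

    def __init__(self, size: int = HISTORY_SIZE) -> None:
        self.size = size
        self._history: Dict[str, Deque[Tuple[str, datetime]]] = {}

    def is_familiar(self, user: str, key: str) -> bool:
        return any(k == key for k, _ in self._history.get(user, ()))

    def record(self, user: str, key: str, when: Optional[datetime] = None) -> None:
        """Whitelist a location key after a successful login or a passed
        verification step; the oldest entry drops out once the buffer is full."""
        hist = self._history.setdefault(user, deque(maxlen=self.size))
        hist.append((key, when or datetime.now()))

    def check_login(self, user: str, hostname: str) -> str:
        """Return 'ok' for a known location (and refresh its timestamp) or
        'challenge' when the user must first verify the account."""
        key = location_key(hostname)
        if self.is_familiar(user, key):
            self.record(user, key)
            return "ok"
        return "challenge"


def demo() -> Dict[str, str]:
    """Walk through the scenarios from the post with constructed hostnames."""
    history = LoginHistory()
    user = "mark"
    results: Dict[str, str] = {}

    # First login ever: nothing in the history, so the user is challenged.
    results["first_home_login"] = history.check_login(user, "p1234.dip0.example-isp.net")
    # The user passes the verification step, so the home ISP key is whitelisted.
    history.record(user, location_key("p1234.dip0.example-isp.net"))
    # Next day the dynamic IP (and host prefix) changed, but the key is the same.
    results["home_next_day"] = history.check_login(user, "p9999.dip0.example-isp.net")
    # A login from the office is a new location key.
    results["office_login"] = history.check_login(user, "gw.example-company.com")
    # The caveat from the post: a neighbour on the same ISP gets the same key,
    # so this coarse check alone would not stop them.
    results["neighbour_same_isp"] = history.check_login(user, "p4242.dip0.example-isp.net")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The last scenario in `demo()` is the weakness the paragraph points out: with only two DNS labels as the key, everyone on the same ISP looks alike, so the key is a trade-off between not nagging a home user whose address changes daily and not being fooled by a neighbour on the same provider.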

IMHO asking for a birthday is better than nothing, but still a weak confirmation. You just need to do some social engineering by asking friends or making a short phone call. And even if the caller is a complete stranger, it is quite likely that an unwary person will readily give away his or her birthday.

If I fail to enter a correct birthday, Facebook will ask for a security code in the next step. This solves the problem of someone having forgotten their birthday, but it introduces new problems too. In my case the security code that Facebook sent to my email account is 6 digits long. I tried it several times and they always sent me the same confirmation code. This is also slightly problematic. With only 6 digits you need 1 million attempts to guess the correct code. This could take around 12 days if you try one every second. To stop a relentless cracker from running this brute-force attack, there should be a security check on this security check, simply done by changing the security code after several failed attempts.

The reason, I think, why they cannot change the security code immediately after a failed try is that they have to wait long enough for the confirmation email to arrive in the user's mailbox, be read by the user and be entered correctly on the Facebook website. Otherwise someone could annoy me by trying false security codes or requesting new ones, which at the same time invalidates the old codes. If I did not have enough time to answer this security question, I would be out of luck for a long time.
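The two preceding paragraphs pull in opposite directions: a code that changes on every wrong guess locks the real user out, a code that never changes can be guessed. Here is an added example (my own code, not Facebook's and not part of the original post) of the middle ground the post suggests: a 6-digit code that stays valid long enough to be read from the mailbox, is used once, and is rotated only after several wrong guesses. `MAX_FAILED_ATTEMPTS`, `CODE_LIFETIME` and the class name are assumptions; `CODE_DIGITS` follows the 6-digit code observed in the post.

```python
"""Email security code with a failed-attempt limit.

Added example, not Facebook's code.  It implements the two points made in the
post: the code stays valid long enough for the user to fetch the email, enter
it and be logged in, so a single wrong guess does not invalidate it, but after
several wrong guesses it is replaced so that the 6-digit space cannot be
walked through.  MAX_FAILED_ATTEMPTS, CODE_LIFETIME and the class name are
assumptions; CODE_DIGITS follows the code length observed in the post.
"""
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Optional

CODE_DIGITS = 6                      # as observed in the post
MAX_FAILED_ATTEMPTS = 5              # assumption: wrong guesses before rotation
CODE_LIFETIME = timedelta(hours=24)  # assumption: time the user has to read the email


def seconds_to_exhaust(digits: int = CODE_DIGITS, attempts_per_second: float = 1.0) -> float:
    """Worst-case time to try every code of the given length at a fixed rate;
    10**6 codes at one guess per second is about 11.6 days."""
    return 10 ** digits / attempts_per_second


class SecurityCodeCheck:
    """Issues one code at a time and tracks wrong guesses against it."""

    def __init__(self) -> None:
        self.code: Optional[str] = None
        self.issued_at: Optional[datetime] = None
        self.failed = 0      # wrong guesses against the current code
        self.rotations = 0   # how many codes have been issued in total

    def issue(self) -> str:
        """Generate a fresh code and reset the failure counter.  A real system
        would email the return value; the caller here stands in for the mailbox."""
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.issued_at = datetime.now()
        self.failed = 0
        self.rotations += 1
        return self.code

    def verify(self, attempt: str) -> bool:
        """Check a submitted code.  The code is single-use, expires after
        CODE_LIFETIME and is rotated after MAX_FAILED_ATTEMPTS wrong guesses."""
        if self.code is None or self.issued_at is None:
            return False
        if datetime.now() - self.issued_at > CODE_LIFETIME:
            self.code = None           # too old: the user must request a new one
            return False
        # Constant-time comparison so the check leaks nothing about matching digits.
        if hmac.compare_digest(attempt.encode(), self.code.encode()):
            self.code = None           # accepted once, then gone
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.issue()               # new code goes out by email, old one is dead
        return False


if __name__ == "__main__":
    check = SecurityCodeCheck()
    code = check.issue()
    wrong = "000000" if code != "000000" else "000001"
    print("wrong guess accepted:", check.verify(wrong))
    print("correct code accepted:", check.verify(code))
    print("days to exhaust 6 digits at 1/s:", seconds_to_exhaust() / 86400)
```

Because the failure counter belongs to the code and not to the client, a stranger who wants to annoy the legitimate user still has to submit `MAX_FAILED_ATTEMPTS` wrong guesses before the emailed code stops working, and the rotation then sends a new code to the same mailbox rather than leaving the user stuck; meanwhile a guesser gets only a handful of tries per code instead of the million the post calculates.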

After entering the correct security code I can log in as usual. Facebook needs to put my current IP address on a whitelist; I don't want to be asked for my birthday again the next time I use the same location.

I have to say that I really appreciate these efforts to increase users' privacy. Other websites should undertake similar improvements. It is a step in the right direction and should do its job very well. But I also have doubts. This security check requires the collection of many IP addresses. This data can fall into the wrong hands if someone gains access to Facebook's database. I don't like it very much if someone keeps track of all my virtual identifications. The question is how much data they really need for this security gain. I would at least appreciate an opt-out option in my privacy settings for disabling this kind of IP tracking.

November 6, 2009