Facebook ramps up security to beat Tunisian government hacking

Although most Facebook users rarely get to see a CAPTCHA security screen once their account details have been verified, usually by adding a mobile phone number to their account, Infosecurity notes that casual users of the service can often see a CAPTCHA challenge screen if the system detects users carrying out unusual or repetitive actions.

According to security forum reports, it seems that Facebook has triggered CAPTCHA screens for all actions on Tunisian accounts, in order to help prevent the government there from annexing accounts it has reportedly hijacked.

Reporting on this interesting turn of events, Softpedia says that, after YouTube and other video-sharing sites were blocked by the Tunisian internet agency – which controls the country's externally facing connections – activists moved to Facebook.

The social networking site, says Lucian Constantin of the IT security wire, "quickly became the primary place for sharing videos of the protests, posting calls to action and relaying the latest news from the streets."

But the Tunisian government, he says, launched a massive Facebook hijacking exercise.

"People were systematically redirected to phishing sites, HTTPS connections were blocked, and password-stealing code was injected into the login pages of major websites," he said.

Then, he added, after Tunisian bloggers began being arrested, the Electronic Frontier Foundation asked Facebook, Google and Yahoo to help keep Tunisian accounts secure.

Softpedia quotes Joe Sullivan, Facebook's CSO, as saying: "In this case, we were confronted by ISPs that were doing something unprecedented in that they were being very active in their attempts to intercept user information."

To counter the problem, Facebook's security team then started rerouting all requests from Tunisian IP addresses to the HTTPS version of the site, forcing users to use encrypted connections.

"In addition, all Tunisian users were asked to verify their account when logging back in after a known attack. The process involved solving so-called social CAPTCHAs, where people have to identify their friends in photographs," noted Constantin.
