
Every Habr reader can guess, has heard about, or has come across how and why attackers hijack VKontakte user accounts. On the evening of June 10 I faced this for the first time. The attacker gets access to my significant other's mailbox, seizes her VKontakte account and, apparently, changes the mailbox attached to the account. We try to recover the password in the simplest way possible. The emails with a new password do not reach us. But…
It is good that the prudent administration of VKontakte created the Security group in the technical support section, with a quite convenient and competent Assistant, which allowed us to find out that a form for restoring access to the page exists and to make sure that we need to use it. Now we fill in the form and they will quickly help us. But here we cannot do without a small "but."
The dear administration does not miss the opportunity to get you to link your mobile phone number to your account here, too.
We have a sin to confess: we did not link our numbers to our accounts. And the name specified in the profile does not match 100% the name that is indicated in the passport. And do you have everything written correctly? Is your number linked?
Okay, but there are a lot of other parameters by which you can identify the owner of the page, right?
So, what do we have in the application?
* Link to the stolen page
* Login
* Available e-mail
* e-mail, which will be used as a login in the future
* A commentary in which we amply tell our sad story
* Telephone number
From here it gets more interesting.
* Specify the country and city where you actually were when you registered on the site, as well as the year and month when it happened. (Each of us noted this date in a special black book, which is kept in a safe, right?)
And photos are needed as well. Thank you that they can be in clothes and without a sign in your hands.
We fill in the questionnaire, attach a photo of the girl next to the monitor and a photo of her university pass.
We receive by email a link to the submitted application and start to wait.
On June 15, I can't stand it any longer and write a personal message to the tech support employee whose name is listed first in the Security section.
Good evening!
I apologize for writing a personal message, but I never managed to find the “ask a question” button in the technical support section.
Last week my friend's account became unavailable because the attacker got hold of the vulnerable password to the mailbox, took possession of the mailbox, and then of my friend's VKontakte account. We managed to quickly cut off the villains' access to the mailbox, but failed to recover the password to the VK account, because emails from VK do not arrive in the mailbox. We completed all the actions proposed by the Assistant and arrived at the Access Recovery form. Back on Thursday, everything was filled in and sent, but we still have not received a reply.
Tell me please, how long does the administrator usually take to review an application? Is there hope that access will be restored?
Thanks in advance for your reply.
P.S. Permalink to the request: vkontakte.ru/restore.php?act=view&id=itd Thanks again.
The next morning I see that my message has been read, and my girlfriend receives the answer in her mailbox.
Hello,
Unfortunately, your request to restore access to your page on VKontakte.ru website was rejected.
The reason for this is the inability to identify you as its owner based on the available data.
Good luck!
Respectfully,
Administration VKontakte.ru
Could it be that the respected employees really do not have enough data?
Well, what data is still missing?
We write a new personal message to the VKontakte technical support employee:
Good day! Thank you for your attention. The application was considered ... and rejected. The reason is vague: “the inability to identify you as its owner based on the available data.” The applicant filled in all the fields requested in the recovery form. If you need additional information, please let us know what it is.
I draw your attention to the fact that in the contact information field you can find the mobile phone number with which you can identify the user. Also, you can see the photos of Xenia, in which she is perfectly visible.
If the photo plays no role for you, then why request it?
Please reconsider the application.
The message has been read, but there is no answer.
What do we have to do? Create another application.
We start all over again, but this time, in the comment field, we explain at length to the respected technical support employee that the phone is not linked to the account, but its number is given in the information field. We draw attention to the fact that one of the attached photos shows the student card of the university that is listed in the information on the user's page. This time we take a photo of the girl next to a large LCD TV, which shows the completed application page even better.
After a couple of days, we again see the letter:
Hello,
Unfortunately, your request to restore access to your page on VKontakte.ru website was rejected.
The reason for this is the inability to identify you as its owner based on the available data.
Good luck!
Respectfully,
Administration VKontakte.ru
After that, I again go to the page of a tech support employee.
On that day, the god of technical support was displaying a very pleasant status:
"They say that if you write to me several times, I will definitely answer." (Text is approximate, status has already been deleted)
Oh my God! Did I get the wrong page? For a moment there is a feeling that I am on the page of the President of the Russian Federation. But it passes quickly.
A small tête-à-tête with another (apparently) colleague takes place on the wall:
1:
They also say that if instead of a single application, you issue three, they will be considered faster.
2:
Nonsense, I agree. Especially considering that applications are considered mainly on the principle of "first in, first out".
1:
Of course it's nonsense. Just today I was sorting through the tech support requests that had piled up over a week. The same people there were writing almost every day.
All sent to the camps.
An unpleasant picture for the eyes of the user who sincerely hopes for support.
My last email to a tech support employee:
Good day! Our repeated application is rejected.
vkontakte.ru/restore.php?act=view&id=itd
I ask you again to tell us which data you are missing for identification. If you continue to ignore us, further communication will have to move to a popular blog (Habrahabr), where all attempts to communicate with you will be published.
I would never have thought that such a large and progressive company could have such disgusting support.
At the moment, the stolen account is sending invitations to a group advertising a paid horoscope.
Thanks to tech support and Babichev personally.
UPD
A short summary of the identification method that VKontakte technical support uses.
We check whether the name in the document and the name on the page match, and make a decision. Apparently, this is exactly how everything happens.
UPD2
Of course, many of my words were caused by an emotional outburst and did not correspond to reality.
I admit that the information on the page did not correspond to reality. Contrary to the rules of the service, a fictitious name was indicated.
An employee of the company told me that (quote):
“Recovery is possible when several parameters match. That is the name, the photo, and other data. If at least one does not match, then the page is not restored.”
From the moment our problem was resolved and the page was restored, I no longer consider tech support disgusting. Technical support is not open to dialogue, but not disgusting.
After writing the latest update, I re-read the message of the company employee again. The algorithm is not clear. If the respected technical support staff agreed to talk with me on this topic, we could write together a true and accessible article about the identification algorithms. Thank you very much for your attention.
Thanks to tech support and Maxim Babichev personally (now sincerely)