QQ account stolen in 22 years, friends help verify but appeal is invalid: the confusion behind Tencent's authentication system

Recently, user Mr. Wang revealed to a reporter from Blue Whale TMT that his QQ account, which he had used for 22 years, was recently stolen. Even though several friends who had been friends with him for more than 15 years testified and helped in the appeal, the result given by Tencent QQ was still that it was unable to prove that he was the owner of the QQ account.

According to Mr. Wang, losing this QQ number not only means losing contact with some of his friends, but may even involve personal property safety issues, because his personal WeChat account is also bound to this QQ number, and there is still some balance in WeChat payment.

"Now all kinds of consumption are paid through WeChat. I have bound all my personal information to WeChat, but I can't prove that the QQ number used to open the account and bind the account is mine." Mr. Wang said that this shows that there are loopholes in Tencent's authentication system, and at present he has no choice but to continue to appeal.

A user's QQ account was stolen after 22 years of use, and the appeal was invalid after more than five friends helped verify it

According to Mr. Wang, his personal QQ number has been used for about 22 years. It is an old 7-digit QQ number. Several apps including WeChat are registered with this QQ number. Since QQ is bound to WeChat, which is used more frequently, Mr. Wang's number of logins to QQ has decreased, but this has unexpectedly planted a security risk.

"I often use QQ mailbox, which is logged in through QQ. There are a lot of important information on it. QQ mailbox is bound to WeChat. Usually, when I receive emails, I can directly view and reply through WeChat." Mr. Wang said, "This time there was an attachment that required me to log in to the PC version of the mailbox to view it, but I found that I could not log in."

Mr. Wang immediately chose to retrieve his password, but found that the mobile phone number bound to his QQ had been changed and his account was suspected to have been stolen.

In this case, Mr. Wang can only fill in the real and detailed account information to file an account appeal to prove that he is the owner of the account. The account information includes the real name, ID number, mobile phone number, bound email address, used password and friend information. The friend information includes the friend's name, QQ number and mobile phone number.

It is worth mentioning that the complaint webpage prompts "In order to prevent others from impersonating, identity verification can only be passed if the information you provide is complete and true enough." The completeness of the information is reflected by the number of used passwords filled in and the time when the friends invited for friend verification assistance were added.

To this end, Mr. Wang found five or six QQ friends he had known for more than 15 years to verify. After filling in all the information and verifying the friends, he received a text message from Tencent Technology saying that "the appeal was not approved due to insufficient evidence."

"After logging into QQ, my classmate found that on the day I filed my complaint, the QQ account that once belonged to me was frantically deleting friends and causing people to quit various student groups," said Mr. Wang.

There are two key elements in QQ account appeals. The first is the account password that has been used, and the second is friend verification. Mr. Wang believes that the hacker not only changed the mobile phone number bound to his account, but also deleted a large number of friends. These unconventional actions resulted in insufficient evidence for his account appeal.

It is understood that users only need to fill in as much early information as possible when applying for the QQ number when filing an appeal, such as the password used earlier, the earlier login location, etc., and invite friends added earlier to assist in friend verification. Tencent will use the most complete information provided by the user as the judgment standard.

In other words, the earlier the information submitted for the appeal corresponds to, and the earlier the friend who invited the friend verification is added, the greater the chance of a successful appeal. However, if these early contents are forgotten because they are too old, it will be difficult for the user to prove that "I am who I am".

"I linked a lot of information to Tencent through Tencent products, but unfortunately I still can't prove that I am who I am." Mr. Wang said helplessly, "The key is that a 20-year-old user like me who has a close relationship with QQ is actually invalid, which proves that Tencent's authentication system has loopholes."

QQ's complaint authentication system is accused of having loopholes, and WeChat's deep binding cannot prove the user's identity

Mr. Wang said that as a 22-year old user, he has been using his mobile phone number with QQ for 16 years. "I applied for WeChat directly through QQ, and WeChat is still bound to this QQ number. In recent years, I have also paid for various purchases through WeChat. How can it be said that this QQ number is not mine?"

Mr. Wang questioned, "The QQ complaint system is too fragile to rely solely on identity verification information. Given the current deep binding between WeChat and QQ, can it be proven by checking the credit (credibility, etc.) of the WeChat ID bound to QQ?"

QQ was launched in 1999 and has a history of 22 years. With the rise of WeChat, WeChat and QQ have established Tencent's position as the dominant social network. Tencent's 2020 third quarter report shows that the monthly active accounts of WeChat and Wechat are 1.2128 billion, a year-on-year increase of 5.4%, and the number of monthly active accounts of QQ smart terminals is 617 million, a year-on-year decrease of 5.5%.

Judging from Mr. Wang's experience, as one of the earliest users of QQ, once the account is stolen and the information is modified, the existing appeal process is unlikely to succeed, and the user experience will undoubtedly be greatly reduced. Mr. Wang feels very sorry that his QQ space still has photos of the football team's fourth anniversary party many years ago, "but these photos will probably be deleted in a few days."

The reporter searched online using the keyword "stolen QQ number" and found many similar cases. On public platforms such as Heimao Complaint, there are also many users whose QQ numbers have been stolen but have difficulty getting their appeals approved.

As a national application, QQ accounts are likely to be deeply associated with users, including rechargeable Q coins, various VIP diamond memberships, game equipment, and various other applications and personal information bound to the account. Once a QQ account is stolen, users may not only face information leakage and affected contacts with QQ friends, but may also face financial losses for themselves and their friends.

In fact, this has long been a case. On July 29, 2018, the first case of using Tencent QQ to appeal for theft of good numbers was sentenced. The court found that from March to April 2017, the suspects Gu and Liu obtained other people's QQ numbers' current passwords, bound ID numbers and other information by purchasing or hiring people to inquire, and then used QQ appeals to gain control of other people's numbers, and then sold other people's QQ numbers for profit.

In November 2018, Tencent QQ released the "Announcement on the Upgrade of Account Password Change, Password Retrieval, and Replacement of Security Phone Services and the Disconnection of Appeal Services", stating that due to the upgrade of security features, the current account retrieval/password change/change of security phone services have been fully upgraded to use the "Data Identity Verification" function. After successful verification, the QQ password can be changed and the security tool can be reset, so a separate "Account Appeal" entrance will no longer be provided.

Some analysts believe that the account complaint function of QQ was previously used by criminals to steal accounts, and Tencent's closure of the account complaint entrance is largely to raise the threshold for complaints and protect user accounts. But now it seems that for normal users, the problem of how to prove "I am myself" after a QQ account is stolen is still difficult to solve.

In this regard, Li Min, a senior partner at Shanghai Han Sheng Law Firm, believes that we cannot infer that Tencent has data compliance issues based solely on such cases. Because the Cybersecurity Law stipulates that users must undergo real-name authentication, institutions that provide instant messaging services such as Tencent QQ also need to conduct corresponding personal authentication of users. If an account is stolen due to objective reasons or factors, such as forgetting a password, the user needs to provide more relevant evidence.

"I personally think that this behavior is equivalent to verifying the authenticity of the user's personal identity. Compared with personal real-name authentication, such as binding a mobile phone number or ID number, there may be higher requirements. This is entirely based on some internal regulations of Tencent." He pointed out, "I personally suggest that users should submit relevant evidence according to Tencent's internal complaint process, because our country currently has no specific laws and regulations on personal authentication, no specific requirements or specific methods and processes. So far, each platform has been managing based on its own system construction."

Li Min added, "Unless it can be proved that Tencent has not fulfilled its obligation of personal real-name authentication, or has violated the user's personal privacy and network data. As for the details, further clarifying the specific methods and processes of personal verification may require different platforms to judge, some platforms have high requirements, and some platforms have low requirements."