Is Facebook Security an Oxymoron?

It's time for Facebook and Facebook users to finally get serious about security, or risk the consequences.


Posted October 19, 2010

Mike Elgan

(Page 1 of 2)

Facebook announced recently a new list of security features. One of these features makes a lot of sense and is likely to generally improve security.

The new feature shows a list of all the computers that have logged in to your account recently and that remain logged in. The idea is that if someone else is accessing your account, you can identify that breach and shut them down. This feature is already enabled for all users.

To use the feature, choose Account Settings from the Account menu in the upper right corner. On the Settings tab, find Account Security and click "change." The page shows you recently active connections and specifies the location of the person logging in, the time and date, and even the web browser used.

You can log out of the sessions by clicking "end activity." Nice!

Another feature may do more harm than good. By texting 32665 on your cell phone, you get a temporary Facebook password that can be used only within the next 20 minutes. It doesn't change your regular password. It just creates a second password. This feature will gradually become available to users over the coming weeks.

The purpose is to enable you to use an insecure PC, say in an airport terminal or cyber café, and be given a temporary password that even if retained on the insecure system will be unusable later.

Unfortunately, the feature also enables anyone with access to your phone to gain access to your Facebook account and lock you out. Once they log in as you with the new password, they can change the permanent password. They can then harvest information about you and your friends.

Another way to exploit this feature is that if someone with ill intent ever gains access to your Facebook account, he can add his own phone number to the obscure list of numbers (which most users never check). Once this is accomplished, he can always log into your account using a temporary password, no matter how often you change your real password.

And because the intruder never changes the main password, you'll never know when he logs in.
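To make that failure mode concrete, here is an added Python model of the temporary-password scheme as the article describes it (illustrative code, not Facebook's). The phone numbers are constructed, and the `keep_phones` review step in `change_password` is an assumed hardening, not something the article says Facebook does.

```python
import secrets
import string

TEMP_PASSWORD_TTL = 20 * 60  # the article's 20-minute validity window, in seconds

class Account:
    def __init__(self, password, phones):
        self.password = password
        self.phones = set(phones)   # numbers allowed to text for a temp password
        self.temp_passwords = {}    # temp password -> (requesting phone, expiry)
        self.sessions = []          # (login method, phone or None, time)

    def request_temp_password(self, phone, now):
        # A second, short-lived password; the permanent one is left untouched.
        if phone not in self.phones:
            return None
        alphabet = string.ascii_letters + string.digits
        pw = "".join(secrets.choice(alphabet) for _ in range(8))
        self.temp_passwords[pw] = (phone, now + TEMP_PASSWORD_TTL)
        return pw

    def login(self, candidate, now):
        if candidate == self.password:
            self.sessions.append(("password", None, now))
            return True
        entry = self.temp_passwords.pop(candidate, None)  # single use
        if entry is not None and now <= entry[1]:
            self.sessions.append(("temp_password", entry[0], now))
            return True
        return False

    def change_password(self, new_password, keep_phones=None):
        # keep_phones=None reproduces the weak behaviour the article describes:
        # registered numbers and pending temp passwords survive the change.
        # Passing the numbers the owner recognises (assumed hardening) revokes
        # pending temp passwords and drops every number the owner did not confirm.
        self.password = new_password
        if keep_phones is not None:
            self.temp_passwords.clear()
            self.phones = set(keep_phones)

def intruder_persists_after_password_change(hardened, delay=60):
    # Article scenario: an intruder who once had access added his own number,
    # then the owner changed the permanent password. True if he still gets in
    # `delay` seconds after texting for a temporary password.
    acct = Account("hunter2", phones={"+1-555-0100"})  # constructed sample data
    acct.phones.add("+1-555-0199")                    # number the intruder added
    acct.change_password("new-pass", keep_phones={"+1-555-0100"} if hardened else None)
    pw = acct.request_temp_password("+1-555-0199", now=1_000_000)
    return pw is not None and acct.login(pw, now=1_000_000 + delay)
```

With the weak policy the intruder's number keeps working after the password change; with the review step his number is dropped, and in either case a temporary password older than 20 minutes is refused.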

The other problem with this feature is that it only works if your cell phone number is registered on Facebook. Anyone who wants to use the feature must post a working phone number on Facebook. Once posted, the default is that this phone number is now available to all of your friends.

Don't believe me? Click on this link and you'll see the phone numbers of your friends on Facebook.

If someone looking for your private phone number can't hack your Facebook account, all they have to do is gain access to the account of any of your friends. (You can prevent friends from being able to see your phone number in the Privacy Settings area.)

The problem with Facebook's new security measures is that they're hidden, buried and optional. As such, they're likely to be used only by a tiny minority of already security-conscious users. The vast majority will ignore these and other common sense security measures.

Of course, the evildoers will know all about them.

For example, I would guess that the temporary password feature will be used by more people for unauthorized access than for securely logging in to public terminals.

As always, the gullible trust and naïveté of users is the weakest link.

A recent survey by a company called Webroot found that nearly half of all Facebook users use their Facebook password as the password on other sites, and 62% of Facebook users never change their password.
