Is Facebook Security an Oxymoron?

Tuesday Oct 19th 2010 by Mike Elgan

It's time for Facebook and Facebook users to finally get serious about security -- or risk the consequences.

Facebook announced recently a new list of security features. One of these features makes a lot of sense and is likely to generally improve security.

The new feature shows a list of all the computers that have logged in to your account recently and that remain logged in. The idea is that if someone else is accessing your account, you can identify that breach and shut them down. This feature is already enabled for all users.

To use the feature, choose Account Settings from the Account menu in the upper right corner. On the Settings tab, find Account Security and click "change." The page shows you recently active connections and specifies the location of the person logging in, the time and date, and even the web browser used.

You can log out of the sessions by clicking "end activity." Nice!

Another feature may do more harm than good. By texting 32665 on your cell phone, you get a temporary Facebook password that can be used only within the next 20 minutes. It doesn't change your regular password. It just creates a second password. This feature will gradually become available to users over the coming weeks.

The purpose is to enable you to use an insecure PC, say in an airport terminal or cyber café, and be given a temporary password that even if retained on the insecure system will be unusable later.

Unfortunately, the feature also enables anyone with access to your phone to gain access to your Facebook account and lock you out. Once they log in as you with the new password, they can change the permanent password. They can then harvest information about you and your friends.

The feature can also be exploited for persistent access: if someone with ill intent ever gains access to your Facebook account, he can add his own phone number to the obscure list of numbers (which most users never check). Once this is accomplished, he can always log into your account using a temporary password, no matter how often you change your real password.

And because the intruder never changes the main password, you'll never know when he logs in.

The other problem with this feature is that it only works if your cell phone number is registered on Facebook. Anyone who wants to use the feature must post a working phone number on Facebook. Once posted, the default is that this phone number is now available to all of your friends.

Don't believe me? Click on this link and you'll see the phone numbers of your friends on Facebook.

If someone looking for your private phone number can't hack your Facebook account, all they have to do is gain access to the account of any of your friends. (You can prevent friends from being able to see your phone number in the Privacy Settings area.)

The problem with Facebook's new security measures is that they're hidden, buried and optional. As such, they're likely to be used only by a tiny minority of already security-conscious users. The vast majority will ignore these and other common sense security measures.

Of course, the evil doers will know all about them.

For example, I would guess that the temporary password feature will be used by more people for unauthorized access than for securely logging in to public terminals.

As always, the gullible trust and naïveté of users is the weakest link.

A recent survey by a company called Webroot found that nearly half of all Facebook users use their Facebook password as the password on other sites, and 62% of Facebook users never change their password.

Also: most Facebook users probably don't know that after you delete a photo, it's still available to anyone on Facebook for up to 30 months. All they need is the URL of the photo, which never changes.

The biggest threat to privacy and security on Facebook remains the oldest: falsifying accounts. Anyone can set up a Facebook account using a false name. That name can be somebody else's real name, or they could just make one up. Strangers can pretend to be your real friends on Facebook.

Once that friendship connection is made, they have access to all the information they need for first-rate identity theft. It's also great for real theft because if you post that you're going on vacation, they can burglarize your house.

If you think the solution is to simply not have a Facebook account, think again. Anyone who signs up for a new account on Facebook can demonstrate this. When you first sign up, Facebook presents a list of people who are probably your friends — this happens before you even invite others to become friends on Facebook. And the list is usually pretty accurate.

Stated another way, by not having a Facebook account, you leave yourself open for this particular scam. I hear my fellow tech pundits and columnists brag in writing online that they don't have Facebook accounts. Once a crook knows this, he can establish an account in your name. Facebook will provide him with a list of many of your real friends.

He can establish those Facebook friendships, then reap a harvest of personal data about you that enables all kinds of mischief.

The bottom line of all of this disturbing security news is that if anyone wants to steal your information, pretend to be you, burglarize your house, or stalk you, well, if your account is not properly protected, Facebook is one-stop shopping for all of that.

Facebook's security measures fail to impress. They don't solve the real problems and, in some cases, even create new risks.

Users don't care enough about security. And Facebook doesn't care enough about security.

It's time for Facebook -- and Facebook users -- to finally get serious.

Copyright 2017 © QuinStreet Inc. All Rights Reserved