
Facebook beefs up security

By Kathryn McConnachie, Digital Media Editor at ITWeb.
Johannesburg, 31 Oct 2011

Facebook has announced new security features, but in so doing has created a stir by releasing a statistic that up to 600 000 user logins per day are potentially compromised.

In an infographic accompanying the blog post announcing the security updates, it is stated: “Facebook will roadblock 250 000 to 600 000 Facebook accounts per day.”

It is further explained that accounts are roadblocked if they are “temporarily compromised” by malicious software. While blocked, Facebook says it runs its own security software on the profile until it is certified clean.

Security firm Sophos says the statistic translates to 0.06% of the more than a billion logins per day being compromised - which is also one every 140 milliseconds.

After some confusion emerged following the release of the infographic and numbers, Facebook has moved to clarify that although about 600 000 logins are blocked per day, not all of them are compromised or “hacked”.

ZDNet quotes a Facebook spokesperson as saying: “There may be compromised accounts that appear on Facebook, but more often than not they are compromised off of Facebook - they use the same password for e-mail as Facebook, they get phished, etc.”

Facebook goes on to explain that accounts are “compromised” in the sense that the site is not confident that the account's true owner is accessing the account, and as a result access is either pre-emptively or retroactively blocked. Accounts are also blocked if the owner is accessing the account from a computer infected with malware.

“We are being preventative and helping make sure people secure their account even if they aren't actually compromised on Facebook.”

Facebook could not provide a breakdown of pre- and post-blocks or the number of accounts that are actually compromised when roadblocked.

New measures

For those users whose accounts do get hijacked, however, Facebook has released a “Trusted Friends” feature, which allows users to pre-emptively nominate three to five friends to help them regain access to their account.

Hijackers on social networking sites usually reset the users' passwords. The legitimate user then has to go through a process of verifying their identity and account ownership in order to regain access. The new feature from Facebook now allows one's “trusted friends” to assist.

“It's sort of similar to giving a house key to your friends when you go on vacation - pick the friends you most trust in case you need their help,” says Facebook.

Each friend alone will not have enough information to access an account, but will be sent a special code that, when entered together with the other codes sent to the other trusted friends, will give a user access to their account again.

“If you forgot your password and need to login, but can't access your e-mail account, you can rely on your friends to help you get back in,” says Facebook. “We will send codes to the friends you have selected and they can pass along that information to you.”

App Passwords

Another new feature due to be tested in the coming weeks is App Passwords. According to Facebook, while there are many applications that can be used by logging in with one's Facebook credentials, in some cases one may want a unique password.

“This is especially helpful if you have opted into Login Approvals, for which security codes don't always work when using third party applications.”

App passwords can be set by going to account settings, the security tab and then to the “App Passwords” section.

“It's certainly a good idea not to use your Facebook password with anybody other than Facebook - so it's good to hear that Facebook will be offering this new privacy option,” said Sophos senior technology consultant Graham Cluley.

“However, it's not hard to predict that the only people who might use such a feature might be those who are already very aware of privacy issues, rather than the great unwashed majority on Facebook.”

User control

Other security updates from Facebook this year have included a two-factor authentication feature called Login Approvals, for when users log in from an unrecognised device. The site also moved to reduce the proliferation of malicious links, generating warnings when a link looks suspicious.

The recent Facebook updates, such as Timeline and frictionless sharing through the new social apps, have raised some privacy concerns.

Junaid Loonat, senior security analyst at SensePost, says that from past events, it's clear that most changes to Facebook have attempted to push more personal information into the public realm.

“Regardless, it is still possible for users to control the extent to which their lives are recorded online.

“Users should regard all information provided to social media Web sites as information that may (eventually) be exposed to the public,” says Loonat.

User naivety

A recent security study by a team at the University of British Columbia found that by preying on user naivety, Facebook's security measures could be bypassed to harvest information.

They reportedly created a number of fake Facebook profiles, or Socialbots, and added unsuspecting users as friends. One in five users who received friend requests from these unknown profiles accepted them as friends. This figure rose to 60% when the Socialbots befriended “friends of friends” already on the network.

The 102 Socialbots made 3 000 friends in a matter of weeks and the researchers were able to harvest tens of thousands of e-mail addresses and private information, without human input.

The New Scientist quotes lead researcher, Yazan Boshmaf, warning: “Such basic information is often sufficient to launch an identity theft attack or launch a 'phishing' attack to pilfer somebody's bank details.”
