Friday, June 3, 2011
Facebook Security 1 - Account Settings
FB accounts are being steadily hijacked this year. At this rate FB will soon be like MySpace: hijacked or fake accounts run by computer programs ("bots") sending crap ("spam") to each other with no human users left on board. For years Facebook was the cleaner, safer alternative, but now it is going downhill too. The main line of defense for your account is your password, but clearly that is no longer nearly good enough. A friend whose account I helped recover this week had a Hebrew password and some bot either guessed or stole it. The bots are either stealing our passwords from somewhere, guessing them somehow, or forcing entry by some back door.
To save itself, and especially to encourage people to trust it as a marketplace (do not do this - never ever ever give Facebook your credit card), Facebook should immediately make several changes to the way it handles your account. Instead, FB has chosen to leave accounts vulnerable by default and let you choose ("opt in to") more secure settings.
In the upper-righthand corner, go to Account, then Account Settings.
Scroll down to Account Security and click it.
Here we will turn on three security settings that will make it much harder to hijack our accounts or steal our information.
1. Secure Browsing (https)
Activate this to tell FB to use HTTPS rather than HTTP whenever possible. This encrypts the data travelling between your computer and Facebook's servers, so anyone sitting on the same network can no longer read or tamper with it. The core FB experience of pictures, statuses, wall posts and messages will not be affected but will be much more secure. Certain FB Apps (all those games and third-party features) won't work over HTTPS and will ask you to switch to unsecured HTTP to use them. I recommend you stop using those (tomorrow we will talk about disabling them completely), but if you do switch, at least you'll be protected some of the time.
This is especially important if you go online on public wifi networks, for example at a coffee shop, library or school.
2. Login Notifications
Selecting either "Send me an email" or "Send me a text message" will cause Facebook to notify you whenever a new computer logs into your account. If you did the logging in yourself, you will of course ignore the message. If you didn't, you'll know your account has been violated. Once you've signed in from every computer you use Facebook on, you should stop getting notifications. If you're a student who frequently logs in from public computers, this might get annoying.
3. Login Approvals
This is part of the new "Two-Factor Authentication" trend that is taking hold now that passwords alone provide insufficient security. You'll need to give FB your cellphone number, which I did not like doing, and from now on, when a new computer logs into your account, the person logging in (hopefully you) will have to enter, in addition to the password, a code that FB sends to your phone by text message. Just as the password requirement is no longer a sufficient lock on your account, knowing the password will no longer be a sufficient key. This sounds more complicated than it is in practice, because you only have to set it up once per computer. I've been using it for weeks and it doesn't change my daily experience at all.
I really don't like giving FB my phone number, and I hope they'll give an option to use email instead soon. But Two-Factor Authentication is absolutely key to making sure that some guy in Russia or some kid in Ontario can't get into your account even if they steal your password (which sooner or later they will).
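As an added illustration (not from the original post and not Facebook's own code), here is a small Python model of the Login Approvals flow just described: the password is the first factor, an unrecognised computer must also present a code texted to the phone, the code expires and is single-use with a small guess budget, and a computer that passes once is remembered. The class name, the device identifiers and the list standing in for the SMS gateway are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a texted code is only good for a few minutes
CODE_ATTEMPTS = 3        # guessing a 6-digit code must not be free


class LoginApprovals:
    """Constructed model of 'Login Approvals': the password alone is only
    accepted from a computer that has already passed a texted code."""

    def __init__(self, password, phone):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.phone = phone
        self.trusted_devices = set()   # computers that have passed once
        self.pending = {}              # device_id -> [code, expiry, attempts_left]
        self.sent_messages = []        # stands in for the SMS gateway

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _send_code(self, device_id):
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[device_id] = [code, time.time() + CODE_TTL_SECONDS, CODE_ATTEMPTS]
        self.sent_messages.append((self.phone, code))

    def login(self, password, device_id, code=None):
        # First factor: something you know. A stolen password still stops here
        # unless the computer is already trusted.
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"                       # set up once per computer
        if code is None:
            self._send_code(device_id)
            return "code_required"            # second factor: the phone
        entry = self.pending.get(device_id)
        if entry is None or time.time() > entry[1] or entry[2] <= 0:
            self.pending.pop(device_id, None)
            return "code_expired"             # must request a fresh code
        entry[2] -= 1
        if not hmac.compare_digest(code, entry[0]):
            return "denied"
        del self.pending[device_id]           # a code is single-use
        self.trusted_devices.add(device_id)
        return "ok"
```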