Friday, June 3, 2011

Facebook Security 1 - Account Settings

FB accounts are being steadily hijacked this year. At this rate FB will soon be like MySpace: hijacked or false accounts run by computer programs ("bots") sending crap ("spam") to each other with no human users left on board. For years Facebook was the cleaner, safer alternative, but now it is going downhill too. The main line of defense for your account is your password, but clearly that is no longer nearly good enough. A friend whose account I helped recover this week had a Hebrew password, and some bot either guessed or stole it. The bots are either stealing our passwords from somewhere, guessing them somehow, or forcing entry by some back door.

To save itself, and especially to encourage people to trust it as a marketplace (do not do this - never ever ever give Facebook your credit card), Facebook should immediately make several changes to the way it handles your account. Instead, FB has chosen to leave accounts vulnerable by default and let you choose ("opt in to") more secure settings.

In the upper-righthand corner, go to Account, then Account Settings.

Scroll down to Account Security and click it.

Here we will activate three security settings that will make it much harder to hijack our accounts or steal our information.

1. Secure Browsing (HTTPS)

Activate this to tell FB to use HTTPS rather than HTTP whenever possible. This encrypts data being transferred between your computer and Facebook's server and makes it much harder for anyone on the network to read or tamper with it. The core FB experience of pictures and statuses and wall posts and messages will not be affected but will be much more secure. Certain FB Apps (all those games and third-party features) won't work over HTTPS and will ask you to switch to unsecured HTTP to use them. I recommend you stop using those (tomorrow we will talk about disabling them completely), but if you do switch, at least you'll be protected some of the time.

This is especially important if you go online on public wifi networks, for example at a coffee shop, library or school.

2. Login Notifications

Selecting either "Send me an email" or "Send me a text message" will cause Facebook to notify you when a new computer logs into your account. If you've done the logging in, of course, you will ignore the message. If you haven't, you'll know your account has been violated. Once you've signed in once from every computer you use Facebook on, you should stop getting notifications. If you're a student who frequently logs in from public computers, this might get annoying.

3. Login Approvals

This is part of the new "Two-Factor Authentication" trend that is taking hold now that passwords provide insufficient security. You'll need to give FB your cellphone number, which I did not like doing, and from now on, when a new computer is logged into your account, the person logging in (hopefully you) will have to enter a code that FB sends to your phone via text message as well as the password. Just as the password requirement is no longer a sufficient lock on your account, knowing the password will no longer be a sufficient key. This sounds more complicated than it is in practice, because you only have to set it up once per computer. I've been using it for weeks and it doesn't change my daily experience at all.

I really don't like giving FB my phone number, and I hope they'll give an option to use email instead soon. But two-factor authentication is absolutely key to making sure that some guy in Russia or some kid in Ontario can't get into your account even if they steal your password (which sooner or later they will).
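To show how settings 2 and 3 fit together, here is an added toy model of the login flow they produce (my own Python sketch for this post, not Facebook's code): a new computer triggers a notification and must present a one-time code from the phone in addition to the password, after which that computer is trusted. The account store, device ids and the SENT_SMS list standing in for your phone are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SENT_SMS = []  # stands in for the user's phone (constructed for the demo)

def _hash(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    phone: str
    trusted_devices: set = field(default_factory=set)  # computers approved once
    notifications: list = field(default_factory=list)  # "new computer" alerts
    pending_code: Optional[str] = None

def make_account(password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt), phone)

def login(acct: Account, password: str, device_id: str,
          sms_code: Optional[str] = None) -> str:
    """Return 'ok', 'bad-password', 'code-required' or 'bad-code'."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "bad-password"
    if device_id in acct.trusted_devices:
        return "ok"  # known computer: the password alone is enough
    if sms_code is None:
        # New computer: alert the owner (Login Notifications) and demand a
        # one-time code delivered to the phone (Login Approvals).
        acct.notifications.append(f"login attempt from new computer: {device_id}")
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        SENT_SMS.append((acct.phone, acct.pending_code))
        return "code-required"
    expected, acct.pending_code = acct.pending_code, None  # codes are single-use
    if expected is None or not hmac.compare_digest(sms_code, expected):
        return "bad-code"  # a wrong guess burns the code; a fresh one is needed
    acct.trusted_devices.add(device_id)  # approval happens once per computer
    return "ok"
```

A stolen password alone only ever reaches "code-required", and the owner is notified the moment a strange computer tries.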


  1. Thanks! I had changed my settings to https a while ago and yet they had been changed back. I just followed the rest of your advice. Now what should I do? ;)

  2. Well I for one really like cookies.

    One of the ways in which FB shows its commitment to insecurity is by having Promiscuous as everyone's default setting, and then resetting us back there every time they change the setup, even if we've chosen Prude.

    My next post will be about disabling Platforms on FB which will make an account much much much more secure but will also disable all third-party apps including games. Many people will choose not to do this because the apps are useful or fun. But they leak like sieves and probably provide the weak points the nogoodniks are using to hijack accounts. This one, therefore, will be a trade-off. Security or Farmville? The stuff I covered today EVERYONE should do!

  3. I don't necessarily see how a Hebrew password is more secure than any other password (assuming that your italics is implying such). So many passwords are stolen via phishing that I don't think you can talk about password security without going even more basic than account settings. Since it's your blog, I'll just recommend that you talk about what happens when you click on a link with the status "OMG look at this!! Your gonna freak!!1?"

  4. That's the point. A non-English (or other strong password with numbers and capitals and unique spellings) password will only protect you from someone trying to guess your password; important, and in the past mainly sufficient, but no longer nearly enough due to phishing and interception of data over unsecured transfers (http, etc) and insecure third-party apps.

    Nowadays passwords aren't safe and coming up with an unguessable password only helps to a very limited degree. If you rely on a password, any password, as your only line of defense then sooner or later it will be compromised.

    And yes, don't click on links that are obviously fraudulent. Also, have an antivirus program (but only one) and keep your computer updated, don't talk to strangers, watch your parking meters and don't stroll through bad parts of town at night flashing your iPhones and diamond rings. I was dealing with a specific topic in this post and trying to keep it simple and direct.

  5. Ok! I didn't know you were one of those snippy bloggers! I have been shocked at the number of people who fall for phishing, that's all. And especially after reading the articles about the Gmail phishing scams aimed at US gov't officials, I suppose it's just on my mind. But since the point is that passwords are not good enough no matter what, then I suppose it is rather irrelevant. Look forward to your next posts!

  6. I'm always snippy about everything. I guess I probably should do a post about general safe surfing habits. I'll actually have to research that one. But this was meant to be a very focused and clear post about a specific problem and remedy.