
Saturday, June 4, 2011

Facebook Security 2 - Privacy Settings

Today I will write about Facebook's Platform for third party apps (applications made for Facebook but not by Facebook), why they're a major vulnerability for your account, and how and why to turn the Platform off and secure your account. While the Account Settings adjustments I recommended yesterday should all be easy calls (and I think FB should make them mandatory instead of opt-in), this involves a genuine trade-off: massively improved security and reduced risk of hijacking, but also the loss of those third party apps.

The Problem
Third party apps are dangerous for three main reasons that I am aware of:
1. You're trusting your account's safety to more people. Every app you authorize is given its own access to your account, so you now depend on FB (already unreliable) and on whoever wrote the app, about whom you know nothing, to protect that access. 
2. Yesterday I begged you to enable Secure Browsing (HTTPS) for Facebook, and you did it! But most apps don't support Secure Browsing and make you switch back to plain HTTP to use them, which exposes your session on that connection. This is like using a condom with your partner but sleeping around without protection. 
3. With Platform enabled (as it is by default) you can pile up applications without realizing it. A couple of people I've helped regain control of their accounts have had piles of apps enabled that they didn't recognize and never used. Every one of those is a vulnerability, I'd wager especially those that are sneaky about getting themselves attached to your account.

The Solution (if you can live without Mafia Wars)

1. In the upper right-hand corner select Account.
2. From the drop-down menu select Privacy Settings.
3. In the lower left-hand corner pick Apps and Websites: Edit your settings.
4. Apps you use lists the applications that have permission to access your account, and therefore could hand that access to hijackers and identity thieves. Any there you don't recognize? That's what I'm talking about.
5. Deactivate them individually. (Even if you want to keep some, deactivate the ones you don't use.)
6. Click "Turn off all platform apps."


Ta-da! Your FB profile is now much more secure, and the inability to access Farmville might also make a more productive citizen of you. I've had the Platform turned off for a couple of days now and since I didn't really use the apps nothing has changed. The core FB experience (statuses, pictures, wall postings, groups) remains the same.

Tomorrow I'll write about securing Gmail. If you use a different email service, I strongly suggest looking up its security settings, because every email service is under attack.

Friday, June 3, 2011

Facebook Security 1 - Account Settings

Problem
FB accounts are being steadily hijacked this year. At this rate soon FB will be like MySpace: hijacked or false accounts run by computer programs ("bots") sending crap ("spam") to each other with no human users left on board. For years Facebook was the cleaner, safer alternative but now it is going downhill too. The main line of defense for your account is your password, but clearly that is no longer nearly good enough. A friend whose account I helped recover this week had a Hebrew password and some bot either guessed or stole it. Wherever the bots get their passwords, the usual routes are well known: phishing pages that imitate the login form, malware on the victim's computer that records what is typed, and reuse of a password that was already exposed in a breach at some other site.


To save itself, and especially to encourage people to trust it as a marketplace (do not do this - never ever ever give Facebook your credit card), Facebook should immediately make several changes to the way it handles your account. Instead, FB has chosen to leave accounts vulnerable by default and let you opt in to more secure settings.

Solution

In the upper-righthand corner, go to Account, then Account Settings.

Scroll down to Account Security and click it. 

Here we will activate three security settings that will make it much harder to hijack our accounts or steal our information.


1. Secure Browsing (HTTPS)

Activate this to tell FB to use HTTPS rather than HTTP whenever possible. HTTPS encrypts everything sent between your computer and Facebook's servers, so someone sharing your network can no longer read your traffic or copy the cookie that identifies your logged-in session and use it to act as you. The core FB experience of pictures and statuses and wall posts and messages will not be affected but will be much more secure. Certain FB Apps (all those games and third-party features) won't work on HTTPS and will ask you to switch to unsecured HTTP to use them. I recommend you stop using those (tomorrow we will talk about disabling them completely), but if you do switch at least you'll be protected some of the time. 

This is especially important on public wifi networks, for example at a coffee shop, library or school, where anyone nearby can listen in on unencrypted traffic.


2. Login Notifications

Selecting either "Send me an email" or "Send me a text message" will cause Facebook to notify you when your account is logged into from a computer it hasn't seen before. If you did the logging in, ignore the message. If you didn't, you know your account has been compromised: change your password right away. Once you've signed in once from every computer you use Facebook on, the notifications stop. If you're a student who frequently logs in from public computers this might get annoying.



3. Login Approvals

This is Facebook's version of two-factor authentication, which is spreading now that passwords on their own provide insufficient security. You'll need to give FB your cellphone number, which I did not like doing, and from now on whenever your account is logged into from a new computer the person logging in (hopefully you) will have to enter a code that FB sends to your phone by text message, in addition to the password. Just as the password requirement is no longer a sufficient lock on your account, knowing it will no longer be a sufficient key. This sounds more complicated than it is in practice because you only have to do it once per computer. I've been using it for weeks and it doesn't change my daily experience at all.

I really don't like giving FB my phone number and I hope they'll give an option to use email instead soon. But two-factor authentication is absolutely key to making sure that some guy in Russia or some kid in Ontario can't get into your account even if they steal your password (which sooner or later they will).
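To make concrete what Login Notifications and Login Approvals actually buy you, here is a small Python model of the two settings as described above. It is an added example written for this post, not Facebook's code or anything from the original; the account, the device names, the phone number, the five-minute code lifetime and the three-guess limit are all constructed for illustration. It walks through the scenario in the text: the owner signs in from a new laptop, then an attacker who has the stolen password but not the phone tries the same.

```python
"""Toy model of Login Notifications and Login Approvals (added example, not Facebook's code).
Accounts, device ids, phone numbers and the code lifetime are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: an approval code is good for five minutes
MAX_CODE_ATTEMPTS = 3    # assumed: wrong guesses allowed before the code is discarded
PBKDF2_ROUNDS = 20_000   # kept low so the demo runs quickly; use far more in production


class Account:
    """One account with both settings available."""

    def __init__(self, password, phone, login_approvals=True):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.phone = phone
        self.login_approvals = login_approvals
        self.known_devices = set()   # devices that have completed a login before
        self.pending = {}            # device_id -> [code, expires_at, wrong_attempts]
        self.notifications = []      # what "Login Notifications" would deliver to the owner
        self.sent_sms = []           # (phone, code): the texts "Login Approvals" sends

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def trust(self, device_id, now):
        # A device becomes known only after a complete login; that is also the
        # moment the owner is told a "new computer" signed in.
        self.known_devices.add(device_id)
        self.notifications.append(f"New login from {device_id} at t={now:.0f}")


def login(acct, device_id, password, code=None, now=None):
    """One login attempt. Returns 'bad_password', 'ok', 'code_required',
    'bad_code' or 'code_expired'."""
    now = time.time() if now is None else now
    if not acct.check_password(password):
        return "bad_password"
    if device_id in acct.known_devices:
        return "ok"                        # password alone suffices on a known device
    if not acct.login_approvals:
        acct.trust(device_id, now)         # notification only; nothing stops the login
        return "ok"
    if code is None:
        # Unknown device with approvals on: issue a fresh code and hold the login.
        new_code = f"{secrets.randbelow(10**6):06d}"
        acct.pending[device_id] = [new_code, now + CODE_TTL_SECONDS, 0]
        acct.sent_sms.append((acct.phone, new_code))
        return "code_required"
    entry = acct.pending.get(device_id)
    if entry is None:
        return "bad_code"                  # no code outstanding for this device
    expected, expires_at, attempts = entry
    if now > expires_at:
        del acct.pending[device_id]
        return "code_expired"
    if not hmac.compare_digest(code, expected):
        entry[2] = attempts + 1
        if entry[2] >= MAX_CODE_ATTEMPTS:
            del acct.pending[device_id]    # force a new code (and a new text to the owner)
        return "bad_code"
    del acct.pending[device_id]            # a code is single use
    acct.trust(device_id, now)
    return "ok"


def demo():
    """Owner on a new laptop, then an attacker holding the stolen password only."""
    pw = "correct horse battery staple"
    acct = Account(pw, phone="+1-555-0100")
    t0 = 1_000_000.0
    r = {}
    r["owner_first"] = login(acct, "owner-laptop", pw, now=t0)              # challenged
    code = acct.sent_sms[-1][1]                                             # read off the phone
    r["owner_with_code"] = login(acct, "owner-laptop", pw, code=code, now=t0 + 30)
    r["owner_again"] = login(acct, "owner-laptop", pw, now=t0 + 60)         # known device now
    r["attacker_replay"] = login(acct, "attacker-box", pw, code=code, now=t0 + 90)
    r["attacker_challenge"] = login(acct, "attacker-box", pw, now=t0 + 100)
    real = acct.sent_sms[-1][1]
    wrong = f"{(int(real) + 1) % 10**6:06d}"                                 # deterministic wrong guess
    r["attacker_guess"] = login(acct, "attacker-box", pw, code=wrong, now=t0 + 110)
    r["attacker_late"] = login(acct, "attacker-box", pw, code=real, now=t0 + 100 + CODE_TTL_SECONDS + 1)
    r["owner_notifications"] = len(acct.notifications)                      # only the laptop
    r["texts_sent"] = len(acct.sent_sms)                                    # the 2nd text is the warning sign
    # Same attacker against an account with only Login Notifications turned on.
    weak = Account(pw, phone="+1-555-0100", login_approvals=False)
    r["without_approvals"] = login(weak, "attacker-box", pw, now=t0)        # gets in; owner merely told
    r["weak_notifications"] = len(weak.notifications)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The two accounts at the end of `demo()` are the whole argument of this post in miniature: with only Login Notifications, the attacker's stolen password gets them in and you find out afterwards; with Login Approvals, the same password earns them nothing but a text message to your phone, and that unexpected text is itself the tip-off that someone has your password.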