FAQ: Security and Facebook's new messages system

Filed Under: Data loss, Facebook, Malware, Privacy, Social networks, Spam

Update 11 February, 2011: Facebook has announced that it is rolling out the new messages system to all users.

What follows is the article we wrote in November 2010, explaining the security implications of Facebook's new messages system - with particular regard to malware and spam.

Earlier today Facebook announced its new messages system. Although widely anticipated to be a Gmail-killer (some even dubbed it "FMail"), it turned out to be somewhat different.

Here's a quick FAQ of what we think you may want to know about it, and the implications for security.

What's changed?
Facebook is bringing together traditional email, Facebook messages, instant messaging chat and SMS messages all into one place. They say this solves the problem of remembering that your Grandma isn't on Facebook and prefers to receive an email, and that cousin Henry's computer is broken so he'd prefer to get text messages.

Rather than remember how each person likes to be communicated with, now you will just message them via the Facebook service, and it will work out how to get the communication to them.

Will I get an @facebook.com email address?
If you're on Facebook and you want one, then yes, you'll be able to get one. It will take a few months for Facebook to roll out the service for all its users, however.

So, it's just another form of email?
Not really. It's actually more like sending a text or an instant message. The messages won't have any subject lines, for instance. Furthermore, Facebook says it will store a complete history of all of your communications with one person in one place.

Can I choose my own email address?
You may be too late. If you already chose a public username on Facebook (for instance, facebook.com/publicusername) then that will be your email address too (publicusername@facebook.com).

Choosing a Facebook email address

But if my public username is public, doesn't that mean anyone can find out my Facebook email address too?
Yes. Anyone will be able to work out your Facebook email address and send you a message. You will need to change your default privacy settings to block messages from unknown addresses.

Choose the "Friends Only" setting to ensure that only your Facebook friends can message you.

The 'Other' folder
How will Facebook sort through the messages?
Email from friends and their friends goes directly to your main messages folder, and everything else goes to the "Other" folder. Facebook says that spam and bulk email will automatically go to the "Other" folder, but it remains to be seen how effective that will be.

Also, they don't say how they will deal with spam and malware sent from accounts belonging to your Facebook friends - which has become a significant problem in the last year.

What if I'm Facebook friends with someone and they try to email me from a non-Facebook address?
Facebook says that if a message comes from an email address that they can't confirm as belonging to one of your friends they will block it - if you have selected the "Friends Only" setting.

Could I receive spam and malware via the new system?
Yes. The new features do increase the attack surface of the Facebook platform, and make the accounts of users all the more alluring for cybercriminals to break into.

Facebook accounts will now be linked with many more people in your social circle - opening up new opportunities for identity fraudsters to launch attacks. Furthermore, because Facebook will be storing a complete archive of all of your communications with one person - there will be concerns as to how such data could be misused if it fell into the wrong hands.

It will be critical for Facebook to implement more effective filtering mechanisms to prevent fraudsters from manipulating Facebook users into falling victim to new spams, scams and phishing attacks.

For instance, the new messaging system allows users to send not just links, photos, and videos to each other - but also external files such as documents and spreadsheets. These could be malware-infected or carry spam messages. It's unclear at the moment whether Facebook will put any restrictions on the types of files that can be attached to messages.

Attaching a file

Meanwhile, users will need to take greater care of the security of their Facebook account then ever before. Keeping security up-to-date on computers, policing which applications link with their Facebook profile, and choosing sensible, unique, hard-to-crack passwords will be essential.

Facebook users mustn't fool themselves into believing that they are safe as long as they only trust the messages sent to them by their Facebook friends, as those accounts can still be compromised by malicious hackers.

I don't have to use Facebook if I don't want to, right?
Right. But if you go around telling everyone your Facebook email address that's going to make it a whole lot more difficult to quit Facebook in the future. This, no doubt, is part of Facebook's strategy.

Next steps?
You can learn more about Facebook's new messages system in the FAQ they have published on their site.

If you want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

, , , ,

You might like

8 Responses to FAQ: Security and Facebook's new messages system

  1. another way to get viruses via facebook. at least you get to choose if you want it or not. in the future, do you think they are going to force it on people?

  2. Ingrid S. · 1701 days ago

    Exactly how do I know for sure that my security is kept confidential? I have ALL my security & Privacy settings to "Friends Only" - Is that sufficient?

  3. Oh joyous, yet another spam point. Worse is that any cybercrook can farm likely addresses with nearly no effort. The crooks should all click the like button on this, their work just got easier it seems.

  4. Noah Longer FBbait · 1700 days ago

    Yo, Graham.

    Did not see an option under privacy settings for this. And, if this is not one giant back door for what we discussed for Ides of March, then I don't get it at all. The mobile implications of this are enormous.

  5. franklink · 1700 days ago

    Will FB store your communications from a FB account even if you don't use FB messaging yourself? In other words, if you receive a FB message at your regular email address?

  6. guigui · 1667 days ago

    et si nous ne voulons pas de sela, que nos discution instantaner ne soit enregistrer dans nos message, peut on annuler cette fonction, option?

  7. Aj1 · 1604 days ago

    Some of messages on facebook are coming up as being sent from me and another person even my profile picture is halved to show the other person who I am not even friends with. I have secured my account, changed my password and blocked the person
    nothing worked so I have deactivated my account can someone please advise.

  8. niharika anshu · 864 days ago

    hey some body tell me how to switch "who can send me messages" to friends in facebooks new form...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley