Facebook scares users with account protection status warning

28 Dec 2010
Tags: Data loss, Facebook, Privacy, Social networks

by Graham Cluley

Over the last few weeks we have been contacted by a number of members of the Sophos Facebook page, concerned by a message they saw on Facebook, warning them that their account protection was “very low”.

Your account protection status: Very low (Increase protection)

With fake anti-virus (also known as scareware) attacks becoming an ever-growing problem (they attempt to trick you into believing your computer has a security problem when it doesn’t), some security-conscious Facebook users might worry that this is a similarly-styled assault, designed to scare you into taking perhaps unwise actions.

Certainly the warning message gives you the impression that there’s something seriously wrong with how you have defended your Facebook account. I must admit I was surprised to see the message appear on my own Facebook account as I have been quite fastidious in my security settings on the social network, following Sophos’s guidelines for better privacy on Facebook.

So, I was curious to find out just why Facebook believed that my account protection status was “very low”, and what they thought I should do to fix that.

If you do click on the link, the first thing you are asked to do is enter an additional email address. Facebook’s thinking is that if you lose control of the, say, Hotmail or Gmail account that you normally log into the site with, you’ll be able to regain access to your Facebook account by giving them an alternative email address. They could then use this, for instance, to communicate with you.

Facebook requests an alternative email address

That’s reasonable enough, of course, if you feel comfortable giving Facebook another email address for yourself. And there is a genuine problem of users having the same password on their Facebook and email accounts – meaning that you could potentially lose control of both at the same time, making commandeering back control of your Facebook presence tricky.

But, there’s no indication of what else Facebook might do with this alternative email address of yours. Not only would you be right to be concerned about whether you are increasing the potential for data loss by sharing alternative email addresses with online companies, but is it possible that Facebook might also use this secondary email address to further interconnect you with possible contacts? There is, after all, no indication on the page that they are not going to use your secondary email address in any other way.

I feel pretty comfortable that nobody else is going to be able to seize the primary email address I use on Facebook (which, by the way, I do not make visible to others) away from me, so I don’t agree that adding a second email address is going to improve my “account protection”.

It is quickly becoming apparent that what Facebook really means by “account protection status” is the methods by which it can give you back control of your account, should it be compromised. Maybe fewer people would have been scared by the warning if Facebook had been upfront about that, rather than using scare tactics.

Pressing the small question mark on the dialog box reveals exactly what Facebook believes I have to do to improve my account protection.

Facebook account protection status

No mention of using more secure, hard-to-crack, non-dictionary passwords. No mention of revoking access to rogue applications that may be able to post to my profile’s wall. No mention of reviewing my privacy settings to make sure I’m not sharing my personal information with strangers or search engines.

No, to improve how well my account is protected I need to give Facebook more of my personal information: an alternative email address, a mobile phone number, and answer a “secret” question.

Facebook requests mobile phone number

You see, I’ve already chosen not to give Facebook my mobile phone number. And now they’re asking for it again.

One of the reasons that they want your mobile phone number is because of their “one-time password” feature. That feature, announced in October 2010, allows a temporary Facebook password to be texted to you should you lose access to your account.

All very fine and dandy – but what happens if you lose your mobile phone, or someone else briefly swipes it from your jacket pocket? Then an unauthorised individual (whether they be a potential identity thief or a jealous partner) could potentially access your account via the system.

There is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result. And Facebook’s one-time password scheme does provide some protection against that.

But that doesn’t mean that the one-time password system guarantees 100% security, and indeed – under some circumstances – it could be exploited by people who want to hack into your account.

On balance, I’m nervous about giving my mobile phone number to Facebook. So, I’m not going to do that.

Finally, Facebook asks me to give the “secret” answer to a question. You may have seen something similar to this on your webmail accounts – meaning that if you are having difficulty logging into your account you can answer the question, and prove your identity.

Facebook security question

Hmm... but just how many of these questions are just the kind of thing that people often post to their Facebook profiles, or may be known to your close friends, family and acquaintances? Wouldn’t that make it easy for them to break into your account too?

Where’s the advice from Facebook that you shouldn’t answer these questions honestly? (“The name of my first pet was Boutrous Boutrous Artichoke Ghali”)

Where’s the option to write your own question? (“What important role did Boutrous Boutrous Artichoke Ghali play in my life?” “He was my pet hamster”).

At first glance, a fair proportion of people seem to be worried that Facebook’s push for more information looks suspicious and uses similar scaremongering tactics to the fake anti-virus and phishing attacks that we are all too familiar with.

There’s nothing necessarily wrong with Facebook giving its millions of users a way of verifying their identity should they lose access to their account, but clearly it should have been presented better and more thought should have gone into how this system was implemented. The suggestion that users’ accounts currently have a protection status of “very low” is entirely misleading and stinks of scare tactics.

As one of the members of the Sophos Facebook community put it, a better way to have phrased the message would have been: “We can help you recover your account if it gets hacked, want to know more?”

I’m not going to tell you not to give Facebook the information they’re requesting in this “account protection” push, but I would suggest that you think carefully before doing so.

If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.

29 comments on “Facebook scares users with account protection status warning”

  1. Dawn says:
    December 28, 2010 at 11:23 am

    I agree. I am not comfortable giving facebook any additional personal information. How do I keep the Facebook warning from popping up every time I sign on? Thanks.

    Reply
  2. Tipi says:
    December 28, 2010 at 11:46 am

    Absolutely agree – I took one look at it & thought 'bugger that!' My security is as good as you can get.

    Reply
  3. Novella says:
    December 28, 2010 at 12:47 pm

    Agreed. There's just no way I'm going to give Facebook or anyone else my cell number, etc. Simply not going to happen.

    With their billions, I would have thought they'd have had a basic clue as to the best way to approach security.

    Reply
    • Mrs W. says:
      December 28, 2010 at 8:54 pm

      Facebook doesn't need to care about security because it doesn't seem to hurt their bottom line when they have incidents. And they have had many.

      Until people wise up and start leaving over it, or strong legislation is passed that begins to cost them, expect the same.

      Reply
  4. Robert Slinn says:
    December 28, 2010 at 12:54 pm

    I got to the mobile number step, sent a text twice to 32665 but never received a reply.

    * Text the letter F to 32665 (FBOOK)
    * When you receive a confirmation code, enter it here:
    * Facebook does not charge for this service. Standard messaging rates apply.

    Add this phone number to my profile

    Reply
  5. Alice says:
    December 28, 2010 at 2:20 pm

    Facebook appears to remember the connection between an email address and an emailed friend request and generate a fresh FB friend request (as if it's a fresh request within FB) if the email address is added to an FB profile, regardless of whether the 2 people concerned have been friends in between… I blogged about it happening to me a couple of months ago.
    http://alicejaneinnewcastle.blogspot.com/2010/10/…

    Reply
    • Graham Cluley says:
      December 28, 2010 at 2:25 pm

      Yep, that's one of my concerns about giving them an additional email address. More opportunities for Facebook to inter-connect users without my express permission to use the data for that purpose.

      That's not to say that I know they will do that on this occasion, but past experience means that I wouldn't be surprised.

      Reply
    • Rob says:
      December 28, 2010 at 2:37 pm

      Yes, I had this. Somebody I knew slightly a couple of years ago and sent a friend request to when I was new to FB, but at the time wasn't a FB member. They subsequently joined earlier this year, and were immediately made my friend. In the intervening period, I had decided not to continue any friendship with them, so was most alarmed to get a notification email! Luckily I was online at the time and managed to delete them within a couple of minutes.

      Surely such requests should be time-limited, or there should be a way to rescind them.

      Reply
    • zein says:
      February 19, 2013 at 12:04 pm

      ya ya give them another email 😛

      Reply
  6. peter pan says:
    December 28, 2010 at 2:44 pm

    Hey, I don't care who hacks into my FB account... it's under a false name... heh heh...

    Reply
    • Banquo says:
      October 20, 2012 at 10:30 pm

      But what about all your contacts? Are they using fake names also? A hacker could exploit your contacts just as easily as they could exploit you if you used your real name.

      Reply
  7. Corrine says:
    December 28, 2010 at 2:46 pm

    There's a bit more to this so-called "Account Protection". As I wrote in http://securitygarden.blogspot.com/2010/12/facebo…

    — Any added e-mail address is given the default setting of "Friends Only".

    — If you elect to add your mobile number, there is a pre-checked option to add the number to your Facebook profile.

    Personally, I do not share my e-mail address with anyone on Facebook and have not provided my mobile number. I use the "only me" setting for e-mail, address, phone, etc. Anyone who would need my e-mail address or mobile number already has that information.

    If you have forgotten how to check your Privacy Settings in Facebook, instructions are in the above article.

    Reply
    • Only Way to Only Me says:
      December 28, 2010 at 9:03 pm

      The only way to secure your information on Facebook is to not use Facebook, or to never provide any piece of information that you don't want to be fully public.

      If you think otherwise, enjoy your KoolAid.

      Reply
  8. Marisa says:
    December 29, 2010 at 12:36 am

    Thanks for this walkthrough. I was curious about this as well. Instead of clicking on that link, I personally just mentally prepared myself for the impending doom. I encourage people to ask themselves what bad things will really happen when their account is stolen. I am vaguely worried about an attacker using my account to gain the confidence of another user, but since I don't really use FB in that way I'm hoping that a random plea for help from me would draw red flags.

    Reply
    • Richard says:
      January 12, 2011 at 12:34 pm

      Marisa, sorry but your post read ambiguously to me the more I look at it. The terms “what will really happen…” and “vaguely worry…” seem to imply that you feel that there is little to be truly concerned about from a page hijack. I would not be so casual about underplaying the risks, there are a whole host of identity theft issues that could occur depending upon what information you put on Facebook should your account be stolen as well as the general problems associated with spam and phishing. In addition, should a local burglar manage to gain access to both your phone number and address, you may find that you have a considerable amount to lose. Should a malicious intruder choose to make your information public to everyone, then this might just be the start of many other issues and problems. I would not underplay the potential hazards of openly shared information myself – it only takes a few minutes to think of a multitude of unwanted and potentially very serious consequences. What amazes me is that people openly display all of their information voluntarily, and sign up to a service that also informs anyone who visits their page that they are currently away from home at the time of posting.

      Reply
  9. andyjohnston says:
    December 29, 2010 at 1:38 am

    This is so typical of Facebook, all it seeks to do is gain more and more user information for its benefit. I've quit Facebook in disgust at the lack of privacy and am currently trying out sites such as Diaspora which is said to be more secure and am also waiting for the release of Mycube which provides complete control over user content.

    Reply
  10. broden slater says:
    December 29, 2010 at 11:49 am

    I lost my phone and the person who found it hacked my account and changed my password and is writing shit on my account. How do I contact Facebook to get my account back? Not happy.

    Reply
    • Mrs. W says:
      December 29, 2010 at 10:05 pm

      If your account has been compromised,
      http://www.facebook.com/help/?page=1011

      This is available under the Help Menu on Facebook.

      Reply
  11. Shawn says:
    December 29, 2010 at 3:41 pm

    Get a free Google Voice Number and you won’t have to worry too much about losing your actual mobile phone and it works just like a mobile phone number (SMS). By that same token, get a free Gmail account with no contacts and use that for alternate contact email with the added bonus you can use it to sign up for websites that require an email address and turn around and spam you!

    Reply
  12. shirley yoder says:
    January 2, 2011 at 12:18 am

    I keep getting a low protection on my account, add an alternate email address. I am not feeling safe to give that information. I type my Facebook password each time I want to enter Facebook.

    Reply
  13. Dez says:
    January 5, 2011 at 3:05 am

    There was this survey on the facebook page asking how many friends I have, my sex, and age range then it said to pick a gift. Such as a $1000 gift card to Target and two other places. I did part of the survey but I didn’t click on the free prize. Then I went to www.facebook.com instead of just writing facebook and now when I log into my account on my mobile I don’t get the HOME PROFILE FRIENDS INBOX on top when I try leaving comments. Oh and I don’t have one of those smart phones.

    Reply
  14. eve says:
    February 23, 2011 at 11:19 pm

    So if you enter a second email, then it asks for a mobile number... what if you have a Tracfone and there is no texting available? How do you answer the next question???

    Reply
  15. Pat Wood says:
    March 29, 2011 at 10:46 pm

    Well I feel dumb (can I use being older as an excuse? too trusting?) because I DID give my second email address (one that I never use) and my mobile phone number to call. The phone was on vibrate and I didn't hear it when they called to give me a PIN number that I have no idea what to do with. Then, as I returned to my Home page after posting albums on FB, there was that second email address!!! I was furious, attempted to call the number they called me from (no luck), and then x'd it out. I am hoping it doesn't appear again. How can I get in touch with FB?

    Reply
  16. MelOnWheels says:
    November 23, 2011 at 9:54 pm

    All this makes sense, unless you DO get hacked, like I did on November 2... I hadn't given any alternate email addresses or my phone number and my FB account remained lost to me as did my Gmail... the hackers had phished for $$$ with a "help, I am in Madrid and I was robbed" scheme...

    I had no way to get back my FB or Gmail accounts other than filing electronic forms and waiting and waiting and waiting for nothing... it took 8 days for Gmail to respond and my account folders had been wiped clean of all emails... it took 9 days for FB to respond and by then, I had created a new account by texting contacts I had on my phone that I had been hacked...

    Damned if you do and damned if you don't, says a recently hacked FB'er.

    Reply
  17. @pworlton says:
    April 3, 2012 at 5:31 pm

    I have a major problem with any security question(s) that have answers which are a matter of public record. Of all the questions shown, only the name of your dog and first person you kissed are questions that can't be answered through a public records search.

    I understand that web admins are wary of subjective questions, since it can change over time, but give your users some credit! If I answer that "slate gray" is my favorite color, and my favorite color changes, that doesn't mean I'm going to forget that "slate gray" was once my favorite.

    Reply
  18. Donna Jones says:
    April 15, 2012 at 8:51 pm

    Part two

    I was pretty upset because, now they had all of my information and I was locked out. Today, I got an email from someone at Facebook who wanted to be "friends?" When I clicked on her name in the email I was of course right back where I left off several days ago. Only this time, I did not put in any spaces in the phone number. It came back with a different choice this time, to get a call back, which I was happy to do. But when Facebook called my house just now, they left no message at all. No one was there. I am just sick of the whole thing. This is why I waited so long to join. I did not trust them before, now I know why!

    Reply
  19. Donna Jones says:
    April 15, 2012 at 9:47 pm

    I signed up for my first Facebook account several days ago and entered all of the information I thought to be reasonable. I went back and forth into my account several times during the day, no problems. Then later that same day, I wanted to put a link from Facebook to my Google blog page and did all of the requested steps as found on several sites. When I got all finished, I hit save, then got a page that said type in the letters in the box as a security step. But there were no letters in the box. Only another box that asked for my phone number as an alternative for the security check. So, then with no other choice, I reluctantly put in my home phone number as requested. Then a message came up saying that I would be sent a text and when I got it to come back and enter it into the box to get clearance. Problem is, I have no cell phone, we live way out in the country, so no reception. So there is no way I would ever get a text message. I gave up and left, then I found out that this has happened to many other people lately.

    Reply
  20. Osho Sukhmani says:
    July 2, 2013 at 1:35 pm

    After adding alternative numbers and emails, I have actually been locked out without any information from FB to even INFORM me that I’ve been ousted from my account, much less any explanations, proceedings and whatever. FB never means what it says and this is all the more reason to distrust it

    Reply
  21. banana recipe says:
    July 15, 2013 at 10:10 am

    Wow what is it with old men and guns. This happened in Simsbury a couple of years ago when an old man shot and killed a mother bear as she was going back into the woods to her cubs. He was upset that she ate some of his bird seed. Poor bears. Stupid people.

    Reply
