Over the last few weeks we have been contacted by a number of members of the Sophos Facebook page, concerned by a message they saw on Facebook, warning them that their account protection was “very low”.
Your account protection status: Very low
With fake anti-virus (also known as scareware) attacks becoming an ever-growing problem (they attempt to trick you into believing your computer has a security problem when it doesn’t), some security-conscious Facebook users might worry that this is a similarly-styled assault, designed to scare you into taking perhaps unwise actions.
Certainly the warning message gives you the impression that there’s something seriously wrong with how you have defended your Facebook account. I must admit I was surprised to see the message appear on my own Facebook account as I have been quite fastidious in my security settings on the social network, following Sophos’s guidelines for better privacy on Facebook.
So, I was curious to find out just why Facebook believed that my account protection status was “very low”, and what they thought I should do to fix that.
If you do click on the link, the first thing you are asked to do is enter an additional email address. Facebook’s thinking is that if you lose control of the, say, Hotmail or Gmail account that you normally log into the site with, you’ll be able to regain access to your Facebook account by giving them an alternative email address. They could then use this, for instance, to communicate with you.
That’s reasonable enough, of course, if you feel comfortable giving Facebook another email address for yourself. And there is a genuine problem of users having the same password on their Facebook and email accounts – meaning that you could potentially lose control of both at the same time, making comandeering back control of your Facebook presence tricky.
But, there’s no indication of what else Facebook might do with this alternative email address of yours. Not only would you be right to be concerned about whether you are increasing the potential for data loss by sharing alternative email addresses with online companies, but is it possible that Facebook might also use this secondary email address to further interconnect you with possible contacts? There is, after all, no indication on the page that they are not going to use your secondary email address in any other way.
I feel pretty comfortable that nobody else is going to be able to seize the primary email address I use on Facebook (which, by the way, I do not make visible to others) away from me, so I don’t agree that adding a second email address is going to improve my “account protection”.
It is quickly becoming apparent that what Facebook really means by “account protection status” is the methods by which it can give you back control of your account, should it be compromised. Maybe less people would have been scared by the warning if they had been upfront about that, rather than using scare tactics.
Pressing the small question mark on the dialog box reveals exactly what Facebook believes I have to do to improve my account protection.
No mention of using more secure, hard-to-crack, non-dictionary passwords. No mention of revoking access to rogue applications that may be able to post to my profile’s wall. No mention of reviewing my privacy settings to make sure I’m not sharing my personal information with strangers or search engines.
No, to improve how well my account is protected I need to give Facebook more of my personal information: an alternative email address, a mobile phone number, and answer a “secret” question.
You see, I’ve already chosen not to give Facebook my mobile phone number. And now they’re asking for it again.
One of the reasons that they want your mobile phone number is because of their “one-time password” feature. That feature, announced in October 2010, allows a temporary Facebook password to be texted to you should you lose access to your account.
All very fine and dandy – but what happens if you lose your mobile phone, or someone else briefly swipes it from your jacket pocket? Then an unauthorised individual (whether they be a potential identity thief or a jealous partner) could potentially access your account via the system.
There is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result. And Facebook’s one-time password scheme does provide some protection against that.
But that doesn’t mean that the one-time password system guarantees 100% security, and indeed – under some circumstances – it could be exploited by people who want to hack into your account.
On balance, I’m nervous about giving my mobile phone number to Facebook. So, I’m not going to do that.
Finally, Facebook asks me to give the “secret” answer to a question. You may have seen something similar to this on your webmail accounts – meaning that if you are having difficulty logging into your account you can answer the question, and prove your identity.
Hmm.. but just how many of these questions are just the kind of thing that people often post to their Facebook profiles, or may be known to your close friends, family and acquaintances? Wouldn’t that make it easy for them to break into your account too?
Where’s the advice from Facebook that you shouldn’t answer these questions honestly? (“The name of my first pet was Boutrous Boutrous Artichoke Ghali”)
Where’s the option to write your own question? (“What important role did Boutrous Boutrous Artichoke Ghali play in my life?” “He was my pet hamster”).
At first glance, a fair proportion of people seem to be worried that Facebook’s push for more information looks suspicious and uses similar scaremongering tactics to the fake anti-virus and phishing attacks that we are all too familiar with.
There’s nothing necessarily wrong with Facebook giving its millions of users a way of verifying their identity should they lose access to their account, but clearly it should have been presented better and more thought should have gone into how this system was implemented. The suggestion that users’ accounts currently have a protection status of “very low” is entirely misleading and stinks of scare tactics.
As one of the members of the Sophos Facebook community put it, a better way to have phrased the message would have been: “We can help you recover your account if it gets hacked, want to know more?”
I’m not going to tell you not to give Facebook the information they’re requesting in this “account protection” push, but I would suggest that you think carefully before doing so.
If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.