Over the last few weeks we have been contacted by a number of members of the Sophos Facebook page, concerned by a message they saw on Facebook, warning them that their account protection was “very low”.
Your account protection status: Very low
Increase protection
With fake anti-virus (also known as scareware) attacks becoming an ever-growing problem (they attempt to trick you into believing your computer has a security problem when it doesn’t), some security-conscious Facebook users might worry that this is a similarly-styled assault, designed to scare you into taking perhaps unwise actions.
Certainly the warning message gives you the impression that there’s something seriously wrong with how you have defended your Facebook account. I must admit I was surprised to see the message appear on my own Facebook account as I have been quite fastidious in my security settings on the social network, following Sophos’s guidelines for better privacy on Facebook.
So, I was curious to find out just why Facebook believed that my account protection status was “very low”, and what they thought I should do to fix that.
If you do click on the link, the first thing you are asked to do is enter an additional email address. Facebook’s thinking is that if you lose control of the, say, Hotmail or Gmail account that you normally log into the site with, you’ll be able to regain access to your Facebook account by giving them an alternative email address. They could then use this, for instance, to communicate with you.
That’s reasonable enough, of course, if you feel comfortable giving Facebook another email address for yourself. And there is a genuine problem of users having the same password on their Facebook and email accounts – meaning that you could potentially lose control of both at the same time, making commandeering back control of your Facebook presence tricky.
But there’s no indication of what else Facebook might do with this alternative email address of yours. You would be right to be concerned about whether sharing alternative email addresses with online companies increases the potential for data loss, but there is a further question: might Facebook also use this secondary email address to further interconnect you with possible contacts? There is, after all, no indication on the page that they are not going to use your secondary email address in any other way.
I feel pretty comfortable that nobody else is going to be able to seize the primary email address I use on Facebook (which, by the way, I do not make visible to others) away from me, so I don’t agree that adding a second email address is going to improve my “account protection”.
It is quickly becoming apparent that what Facebook really means by “account protection status” is the methods by which it can give you back control of your account, should it be compromised. Maybe fewer people would have been scared by the warning if they had been upfront about that, rather than using scare tactics.
Pressing the small question mark on the dialog box reveals exactly what Facebook believes I have to do to improve my account protection.
No mention of using more secure, hard-to-crack, non-dictionary passwords. No mention of revoking access to rogue applications that may be able to post to my profile’s wall. No mention of reviewing my privacy settings to make sure I’m not sharing my personal information with strangers or search engines.
No, to improve how well my account is protected I need to give Facebook more of my personal information: an alternative email address, a mobile phone number, and answer a “secret” question.
You see, I’ve already chosen not to give Facebook my mobile phone number. And now they’re asking for it again.
One of the reasons that they want your mobile phone number is because of their “one-time password” feature. That feature, announced in October 2010, allows a temporary Facebook password to be texted to you should you lose access to your account.
All very fine and dandy – but what happens if you lose your mobile phone, or someone else briefly swipes it from your jacket pocket? Then an unauthorised individual (whether they be a potential identity thief or a jealous partner) could potentially access your account via the system.
There is a very real problem with Facebook users accessing their accounts from insecure computers, and having their credentials stolen as a result. And Facebook’s one-time password scheme does provide some protection against that.
But that doesn’t mean that the one-time password system guarantees 100% security, and indeed – under some circumstances – it could be exploited by people who want to hack into your account.
On balance, I’m nervous about giving my mobile phone number to Facebook. So, I’m not going to do that.
Finally, Facebook asks me to give the “secret” answer to a question. You may have seen something similar to this on your webmail accounts – meaning that if you are having difficulty logging into your account you can answer the question, and prove your identity.
Hmm… but just how many of these questions are just the kind of thing that people often post to their Facebook profiles, or may be known to your close friends, family and acquaintances? Wouldn’t that make it easy for them to break into your account too?
Where’s the advice from Facebook that you shouldn’t answer these questions honestly? (“The name of my first pet was Boutrous Boutrous Artichoke Ghali”)
Where’s the option to write your own question? (“What important role did Boutrous Boutrous Artichoke Ghali play in my life?” “He was my pet hamster”).
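The advice above amounts to: treat a recovery answer as a second password, unrelated to anything on your profile. This added example (mine, not Facebook’s or Sophos’s code) generates random multi-word answers and checks that a proposed answer does not match a published profile fact; the word list and profile facts are constructed for illustration, and a real setup would use a large diceware-style list and store the answers in a password manager.

```python
import math
import secrets

# Constructed word list; a real list (e.g. diceware) has thousands of
# entries so each word contributes far more entropy than the ~3.6 bits here.
WORDS = ["artichoke", "hamster", "boutros", "granite", "kettle", "violet",
         "saddle", "lantern", "pepper", "meadow", "copper", "tundra"]

# Constructed profile facts of the kind people publish on a social network,
# keyed by the recovery question they would answer truthfully.
PROFILE_FACTS = {
    "name of first pet": "Rex",
    "mother's maiden name": "Smith",
    "home town": "Reading",
    "favourite colour": "blue",
}


def is_guessable(answer: str, facts: dict) -> bool:
    """True if the answer matches any published profile fact (case-insensitive)."""
    return answer.strip().lower() in {v.lower() for v in facts.values()}


def random_answer(n_words: int = 4, words=WORDS) -> str:
    """Build an answer from randomly chosen words, unrelated to the question."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, words=WORDS) -> float:
    """Guess-space of a random answer in bits: n_words * log2(list size)."""
    return n_words * math.log2(len(words))


def build_recovery_answers(questions, facts=PROFILE_FACTS, n_words=4) -> dict:
    """Return {question: answer}, refusing any answer that equals a profile fact."""
    answers = {}
    for q in questions:
        a = random_answer(n_words)
        while is_guessable(a, facts):  # practically never, but keep the guarantee
            a = random_answer(n_words)
        answers[q] = a
    return answers


if __name__ == "__main__":
    for q, a in build_recovery_answers(PROFILE_FACTS.keys()).items():
        print(f"{q}: {a!r} ({entropy_bits(4):.1f} bits)")
```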
At first glance, a fair proportion of people seem to be worried that Facebook’s push for more information looks suspicious and uses similar scaremongering tactics to the fake anti-virus and phishing attacks that we are all too familiar with.
There’s nothing necessarily wrong with Facebook giving its millions of users a way of verifying their identity should they lose access to their account, but clearly it should have been presented better and more thought should have gone into how this system was implemented. The suggestion that users’ accounts currently have a protection status of “very low” is entirely misleading and stinks of scare tactics.
As one of the members of the Sophos Facebook community put it, a better way to have phrased the message would have been: “We can help you recover your account if it gets hacked, want to know more?”
I’m not going to tell you not to give Facebook the information they’re requesting in this “account protection” push, but I would suggest that you think carefully before doing so.
If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.
I agree. I am not comfortable giving facebook any additional personal information. How do I keep the Facebook warning from popping up every time I sign on? Thanks.
Absolutely agree – I took one look at it & thought 'bugger that!' My security is as good as you can get.
Agreed. There's just no way I'm going to give Facebook or anyone else my cell number, etc. Simply not going to happen.
With their billions, I would have thought they'd have had a basic clue as to the best way to approach security.
Facebook doesn't need to care about security because it doesn't seem to hurt their bottom line when they have incidents. And they have had many.
Until people wise up and start leaving over it, or strong legislation is passed that begins to cost them, expect the same.
I got to the mobile number step, sent a text twice to 32665 but never received a reply
* Text the letter F to 32665 (FBOOK)
* When you receive a confirmation code, enter it here:
* Facebook does not charge for this service. Standard messaging rates apply.
Add this phone number to my profile
Facebook appears to remember the connection between an email address and an emailed friend request and generate a fresh FB friend request (as if it's a fresh request within FB) if the email address is added to an FB profile, regardless of whether the 2 people concerned have been friends in between… I blogged about it happening to me a couple of months ago.
http://alicejaneinnewcastle.blogspot.com/2010/10/…
Yep, that's one of my concerns about giving them an additional email address. More opportunities for Facebook to inter-connect users without my express permission to use the data for that purpose.
That's not to say that I know they will do that on this occasion, but past experience means that I wouldn't be surprised.
Yes, I had this. Somebody I knew slightly a couple of years ago and sent a friend request to when I was new to FB, but at the time wasn't a FB member. They subsequently joined earlier this year, and were immediately made my friend. In the intervening period, I had decided not to continue any friendship with them, so was most alarmed to get a notification email! Luckily I was online at the time and managed to delete them within a couple of minutes.
Surely such requests should be time-limited, or there should be a way to rescind them.
ya ya give them another email 😛
Hey i dont care who hacks into my FB account.. its under a false name.. heh heh…
But what about all your contacts? Are they using fake names also? A hacker could exploit your contacts just as easily as they could exploit you if you used your real name.
There's a bit more to this so-called "Account Protection". As I wrote in http://securitygarden.blogspot.com/2010/12/facebo…
— Any added e-mail address is given the default setting of "Friends Only".
— If you elect to add your mobile number, there is a pre-checked option to add the number to your Facebook profile.
Personally, I do not share my e-mail address with anyone on Facebook and have not provided my mobile number. I use the "only me" setting for e-mail, address, phone, etc. Anyone who would need my e-mail address or mobile number already has that information.
If you have forgotten how to check your Privacy Settings in Facebook, instructions are in the above article.
The only way to secure your information on Facebook is to not use Facebook, or to never provide any piece of information that you don't want to be fully public.
If you think otherwise, enjoy your KoolAid.
Thanks for this walkthrough. I was curious about this as well. Instead of clicking on that link, I personally just mentally prepared myself for the impending doom. I encourage people to ask themselves what bad things will really happen when their account is stolen. I am vaguely worried about an attacker using my account to gain the confidence of another user, but since I don't really use FB in that way I'm hoping that a random plea for help from me would draw red flags.
Marisa, sorry but your post read ambiguously to me the more I look at it. The terms “what will really happen…” and “vaguely worry…” seem to imply that you feel that there is little to be truly concerned about from a page hijack. I would not be so casual about underplaying the risks, there are a whole host of identity theft issues that could occur depending upon what information you put on Facebook should your account be stolen as well as the general problems associated with spam and phishing. In addition, should a local burglar manage to gain access to both your phone number and address, you may find that you have a considerable amount to lose. Should a malicious intruder choose to make your information public to everyone, then this might just be the start of many other issues and problems. I would not underplay the potential hazards of openly shared information myself – it only takes a few minutes to think of a multitude of unwanted and potentially very serious consequences.
What amazes me is that people openly display all of their information voluntarily, and sign up to a service that also informs anyone who visits their page that they are currently away from home at the time of posting.
This is so typical of Facebook, all it seeks to do is gain more and more user information for its benefit. I've quit Facebook in disgust at the lack of privacy and am currently trying out sites such as Diaspora which is said to be more secure and am also waiting for the release of Mycube which provides complete control over user content.
i lost my phone and the person who found it hacked my account and changed my password and is writing shit on my account how do i contact facebook to get my account back not happy
If your account has been compromised,
http://www.facebook.com/help/?page=1011
This is available under the Help Menu on Facebook.
Get a free Google Voice Number and you won’t have to worry too much about losing your actual mobile phone and it works just like a mobile phone number (SMS). By that same token, get a free Gmail account with no contacts and use that for alternate contact email with the added bonus you can use it to sign up for websites that require an email address and turn around and spam you!
I keep getting a low protection on my account, add an alternate email address. I am not feeling safe to give that information. I type my facebook password each time I want to enter Facebook.
There was this survey on the facebook page asking how many friends I have, my sex, and age range then it said to pick a gift. Such as a $1000 gift card to Target and two other places. I did part of the survey but I didn’t click on the free prize. Then I went to www.facebook.com instead of just writing facebook and now when I log into my account on my mobile I don’t get the HOME PROFILE FRIENDS INBOX on top when I try leaving comments. Oh and I don’t have one of those smart phones.
so if you enter a second email, then it asks for a mobile number…what if you have a trac phone and there is no texting available. how do you answer the next question???
Well I feel dumb (can I use being older as an excuse? too trusting?) because I DID give my second email address (one that I never use) and my mobile phone number to call. The phone was on vibrate and I didn't hear it when they called to give me a PIN number that I have no idea what to do with. Then, as I returned to my Home page after posting albums on FB, there was that second email address!!! I was furious, attempted to call the number they called me from (no luck), and then x'd it out. I am hoping it doesn't appear again. How can I get in touch with FB?
all this makes sense, unless you DO get hacked, like I did on November 2… I hadn't given any alternate email addy's or my phone number and my FB account remained lost to me as did my gmail… the hackers had phished for $$$ with a "help, I am in Madrid and I was robbed" scheme…
I had no way to get back my FB or gmail accounts other than filing electronic forms and waiting and waiting and waiting for nothing… it took 8 days for gmail to respond and my account folders had been wiped clean of all emails… it took 9 days for FB to respond and by then, I had created a new account by texting contacts I had on my phone that I had been hacked…
damned if you do and damned if you don't, says a recently hacked FB'er
I have a major problem with any security question(s) that have answers which are a matter of public record. Of all the questions shown, only the name of your dog and first person you kissed are questions that can't be answered through a public records search.
I understand that web admins are wary of subjective questions, since it can change over time, but give your users some credit! If I answer that "slate gray" is my favorite color, and my favorite color changes, that doesn't mean I'm going to forget that "slate gray" was once my favorite.
Part two
I was pretty upset because, now they had all of my information and I was locked out.
Today, I got an email from someone at facebook who wanted to be "friends?"
When I clicked on her name in the email I was of course right back where I left off several days ago.
Only this time, I did not put in any spaces in the phone number.
It came back with a different choice this time, to get a call back, which I was happy to do.
But when Facebook called my house just now, they left no message at all.
No one was there.
I am just sick of the whole thing.
This is why I waited so long to join.
I did not trust them before, now I know why!
I signed up for my first facebook account several days ago and entered all of the information I thought to be reasonable.
I went back and forth into my account several times during the day, no problems.
Then later that same day, I wanted to put a link from facebook to my Google blog page and did all of the requested steps as found on several sites.
When I got all finished, I hit save, then got a page that said type in the letters in the box as a security step.
But there were no letters in the box.
Only another box that asked for my phone number as an alternative for the security check.
So, then with no other choice, I reluctantly put in my home phone number as requested.
Then a message came up saying that I would be sent a text and when I got it to come back and enter it into the box to get clearance.
Problem is, I have no cell phone, we live way out in the country, so no reception.
So there is no way I would ever get a text message.
I gave up and left, then I found out that this has happened to many other people lately.
After adding alternative numbers and emails, I have actually been locked out without any information from FB to even INFORM me that I’ve been ousted from my account, much less any explanations, proceedings and whatever. FB never means what it says and this is all the more reason to distrust it
Wow what is it with old men and guns. This happened in Simsbury a couple of years ago when an old man shot and killed a mother bear as she was going back into the woods to her cubs. He was upset that she ate some of his bird seed. Poor bears. Stupid people.