Facebook steps up security, but it's opt-in?

Filed Under: Facebook, Phishing, Privacy, Social networks

Facebook's Alex Rice, a security engineer, posted a message to the company's corporate blog today announcing several initiatives it is implementing to enhance user security.

This is a very welcome announcement, and it consists of two initiatives. The first, which Facebook says it is starting to roll out today, is the option to use HTTPS throughout your Facebook session to protect your account and your privacy.

In standard Facebook fashion this option is of course opt-out, ahem, opt-in? Yes. Facebook has decided that when it comes to protecting your privacy you must choose to opt-out of sharing, but when it comes to enhancing your privacy you must opt-in.

Aside from this minor quibble, it is great news for anyone concerned about tools like Firesheep hijacking their sessions while they use unencrypted WiFi. Firesheep is a Firefox extension, released in October 2010, that passively reads the authentication cookies other users on the same unencrypted WiFi network send over plain HTTP; whoever holds such a cookie can act as that user without ever learning the password.

Facebook is just one of the services that can be compromised with the tool. Enabling HTTPS in your account settings protects you against this type of attack, with one caveat a practitioner would insist on: the protection only holds while the session cookie travels exclusively over HTTPS. If a page or link drops you back to plain HTTP and the browser sends the cookie again in the clear, it is just as exposed as before.
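To make the Firesheep risk concrete, here is an added example; it is not code from the original post and has nothing to do with Facebook's own implementation. It uses Python's standard http.cookiejar to show what a passive sniffer on open WiFi can read from plaintext requests, and why a session cookie carrying the Secure attribute stays off the wire as long as the user remains on HTTPS. The hostname, the cookie names and values, the login responses and the captured request are all constructed for the demonstration; no network traffic is sent.

```python
"""Added example (not from the original post): why HTTPS stops Firesheep.

A Firesheep-style sniffer reads session cookies out of plaintext HTTP
requests on a shared, unencrypted WiFi network.  A cookie carrying the
Secure attribute is only attached to https:// requests, so as long as the
user stays on HTTPS the cookie never appears on the wire in the clear.
The hostname, cookie names/values and the captured request below are all
constructed for the demonstration; nothing is sent over the network.
"""
import http.client
import http.cookiejar
import urllib.request

SITE = "www.facebook.com"  # hostname only; an assumption for the demo

# Constructed login responses.  Only the second one marks the session cookie
# Secure; "locale" stands in for a harmless preference cookie.
WEAK_LOGIN = ["sessionid=abc123; Path=/; HttpOnly"]
HARDENED_LOGIN = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "locale=en_US; Path=/",
]

# Constructed plaintext requests, as a passive sniffer on open WiFi sees them.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: www.facebook.com\r\n"
    b"Cookie: sessionid=abc123\r\nUser-Agent: demo\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: static.example.invalid\r\n\r\n",
]


class _FakeResponse:
    """Stand-in for a urllib response: CookieJar only ever calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = http.client.HTTPMessage()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # __setitem__ appends, keeps both

    def info(self):
        return self._headers


def login_over_https(set_cookie_headers):
    """Store the cookies a login response received over HTTPS would set."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{SITE}/login")
    jar.extract_cookies(_FakeResponse(set_cookie_headers), login)
    return jar


def cookie_names_sent_to(jar, url):
    """Sorted names of the cookies the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # the cookie policy enforces the Secure rule here
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def sniff_session_cookies(raw_requests):
    """Extract (host, Cookie header) from every plaintext HTTP request.

    This is the whole trick behind Firesheep: no decryption, just reading
    headers that were never encrypted in the first place.
    """
    found = []
    for raw in raw_requests:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        host = cookie = None
        for line in head.split("\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
            elif name.strip().lower() == "cookie":
                cookie = value.strip()
        if host and cookie:
            found.append((host, cookie))
    return found


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        jar = login_over_https(headers)
        over_https = cookie_names_sent_to(jar, f"https://{SITE}/home")
        over_http = cookie_names_sent_to(jar, f"http://{SITE}/home")
        print(f"{label:9} over https: {over_https}  over plain http: {over_http}")
    print("sniffer sees:", sniff_session_cookies(CAPTURED_REQUESTS))
```

Run it and the weak login hands sessionid to the plain-HTTP request, which is exactly the header the sniffer function pulls out of the captured traffic; the hardened login sends only the preference cookie over HTTP. It also explains why the fall-back-to-HTTP behaviour some commenters report matters: a Secure cookie is simply not sent to an http:// URL, so a site that keeps bouncing users to plain HTTP must either drop the session there or mark the cookie non-Secure and expose it.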

In Alex's post he suggests enabling this feature only if you frequently access Facebook from insecure locations. To a degree that is reasonable, but I would not want to rely on remembering to change my settings every time I am out and about on my iPad, netbook, laptop or smart phone.

The safe thing to do is to turn it on and leave it on. Hopefully, once Facebook has enabled this feature for all of its users, it will consider making it the default, as Google did for Gmail.

The second announcement describes a new form of reverse Turing test, better known as a CAPTCHA, which Facebook is calling "Social Authentication".

If Facebook believes your account may have been compromised, or it is exhibiting suspicious activity, it may prompt you for additional information after you have entered the correct username and password. When deployed, the new system will show you photos of your friends and ask you to identify who is in each picture.
Facebook screenshot of Social Authentication
This is a clever approach to a difficult problem and will hopefully be a significant speed bump for the phishers and scammers who have been targeting Facebook users. Until Facebook begins using the technique it is difficult to say how well it will work, but it is easier and more intuitive than traditional CAPTCHA solutions.

Social Authentication appears to be there only to thwart bots and strangers, not your angry girlfriend (or birds, for that matter): anyone who already knows your friends can pass it. It is another good reason not to expose your photos, friends and relationship status on your public Facebook profile.

If you're a Facebook user who wants to stay on top of the latest security threats, why not join our Facebook page?


28 Responses to Facebook steps up security, but it's opt-in?

  1. I like that photo authentication; it sounds like a good alternative for people trying to get back into their accounts, as the hacker is probably someone who doesn't know you very well and so couldn't identify those people.

    The HTTPS thing should be given to everyone like the new profile pages, most people don't understand the importance of it and will choose not to opt in.

    • Jay in Green Bay · 1618 days ago

      I understand it, but I opt out anyway. It's too much of a pain, because IE keeps asking if I want to see everything on the page, or only what is secure. I know I can use other browsers, and I've used Firefox and Opera in the past. But I tend to stick with IE because I do some simple website development and that's what all my clients use.

  2. dclaar · 1681 days ago

    If Facebook presents photos to you, will they all be previously labeled, or will they throw in one that isn't to increase the number of photos where they have verification of who's in them? :-)

  3. I got to use the photo authentication a week or so ago when I had trouble logging into Facebook on my phone. It works well, and as it required me to identify 5 friends, random guessing was not going to work; actually a really good idea.
    I was however surprised when it came up, seeing as they hadn't announced its implementation back then.
    I too am disappointed that the HTTPS option is hidden away behind several layers of menus. I've suggested to the Facebook security page that they should have a SECURE button alongside the HOME, PROFILE & ACCOUNT buttons at the top of the page; that would show they took security seriously. Not holding my breath, however.

  4. Thu Win · 1681 days ago

    But the problem is that https on a mobile browser keeps redirecting to the non-secure site after log in. Plus, the problem is that the friend verification is a hindrance even for the users themselves, especially gamers! That is because the games urge you to befriend unknown people in order to unlock specific stuff.

  5. Thu Win · 1681 days ago

    Plus many of us leave our childhood Facebook friends connected, but as everyone knows, features change, and who knows what they would look like in 10 years when Facebook decided to lock my account for any reason.

    Plus heavy makeup can obscure pictures. Also some people post game screenshots or animation pictures and tag themselves. Then when my account got locked due to me moving places and thus a different IP address, I was close to ripping my head off as Facebook asked me to identify who's tagged in that pic/screenshot/animation! Grrr!

  6. Eric · 1680 days ago

    The identify-the-person-in-the-photo form of authentication has been around for a while. I've run into it twice over the past six months, probably because the network at my office identifies its location as a city about 1,000 kilometers from where I live and work. The problem with it is that about half of my Facebook "friends" are people I have never met, so it took me several failures (after which I had to wait several hours before trying again) before I could get into my account. And if I, a person with only about 60 Facebook "friends," found it a pain, what about those with hundreds?

  7. Blockader · 1680 days ago

    Great, now I have to delete all the photos I have with people I don't know in them? Those tagged by friends and friends of friends? Is this how I am rewarded for allowing my pictures to be shared in the first place.

  8. accessibility · 1680 days ago

    The facial recognition security feature is a very bad idea.

    I've had to use this new feature twice and had to make wild guesses. Most of my FB friends are people I've never met in person and whose photo albums I almost never access. Some of the photos were them as children - or one woman's rear end way at the back of the photo as she was cleaning out her garage. I guess my profile is going to be VERY secure because even I will have trouble getting into it.

    I have no idea what someone with poor or no eyesight is going to do.

  9. It would be helpful if you told us WHERE to turn on HTTPS!!

  10. John · 1680 days ago

    Couple of quick points:

    The photo CAPTCHA thing has been live for at least six months.

    There are very good reasons for the HTTPS being opt-in - firstly it slows down the user experience, and secondly (and more problematically) it currently breaks lots of third party apps.

    Obviously, it's better to omit that last fact to allow room for Sophos's WILL FACEBOOK "INSECURITY" GIVE YOU CANCER? house style than it is to be sensible about it.

    • WithRespect · 1680 days ago

      If you find https too slow, you could always turn it off later. Or Facebook could read up on Google's site how they turned it on in gmail without users finding it too slow. Or Facebook could invest in some new servers to do security properly.

      As for breaking third party apps, you could always turn off https later if you want to keep using third party apps which don't care about security. Oh, you say it breaks lots of apps. Name them so people know which apps to avoid.

      As for putting insecurity in "quote marks", why?

      As for SHOUTING, kindly don't.

      As for bringing getting cancer into a discussion on social networks, kindly don't.

      Being sensible about security means doing it, not finding excuses why not to do it.

    • Mrs. W · 1680 days ago

      I think an important question your comment raises is this: which master does Facebook serve -- the users, or the app developers?

      I think we all know the unfortunate answer to that one. . .

    • spookie · 1678 days ago

      Considering its importance, opt-out makes more sense. I use https: for everything it's available for and have not noticed significant slowing, but I admit YMMV. If you DO observe problematic slowing or it breaks apps you consider important you can opt out, but expecting something this important to be opt-in is stupid.

  11. tina · 1680 days ago

    Agree. Why do people bother to post so-called important security info without providing the complete info to protect oneself???? HTTPS????

    • Chester Wisniewski · 1679 days ago

      Facebook has not enabled it for any of our research accounts yet. There are instructions in Facebook's blog entry, which is the first link in my post. Once it is available to my account I will post more details.


    • spookie · 1678 days ago

      Maybe they think you can Google for yourself--using encrypted Google, of course! A huge part of security is being responsible for oneself.

  12. Problem is that chat DOES NOT WORK in https! Plus, if you visit ANY OTHER links in facebook, not restricted to "profile" etc you are redirected to the http link again.

  13. Agreed – what is the benefit of not opting in? I work for Symantec, and we commend Facebook for making this huge move for online security. SSL encryption is important and it will help everyone, but only if we turn it on.

  14. فرشاد · 1679 days ago

    In my opinion, Facebook does not care about its users when it comes to privacy.
    Not enabling https has left user accounts permanently at risk.

  15. spookie · 1678 days ago

    I'd like to see https: as the default for virtually everything. I use it for everything I can, in addition to avoiding all unencrypted wifi. I carry a 3G hotspot so I can use it rather than public wifi.

  16. jane · 1675 days ago

    When will we know we can select HTTPS? Or, do we have to keep checking ourselves...don't mind but it would be nice to know.

  17. James M. Keane · 1120 days ago

    Facebook keeps demanding a cell phone number when I sign in, and it says it will send the phone a text - IMPOSSIBLE ON MY PHONE - with a key code. I put down my daughter's number; it sent her the code but it is the wrong code. This happens over and over. Is there a way to opt out of that cell phone nonsense? Or can I get the system to work so it will give me a code that is good? Or can I make them stop going around in circles, where every time I try to put in the phone number the system resets and I have to log back in? If FB is going to demand a cell phone number, the least it should do is WORK!

    AND I AM LOGGED IN! Post the damned message!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.