Facebook to warn you of targeted attacks – check this security setting anyway

20 Oct 2015 11 Facebook, Google, Malware, Privacy, Security threats, Social networks

by John Zorabedian

Facebook Login Approval

Facebook has announced that it will notify users it suspects are being targeted by nation states and urge them to take extra security precautions.

Alex Stamos, Facebook’s chief security officer, explained the new notifications in a 16 October blog post, saying users will only receive the warnings if Facebook has strong evidence suggesting they are being targeted by nation-state sponsored attackers.

If the social network believes you are under attack from state-sponsored hackers, it will show a pop-up message in your feed explaining that you may have been targeted.

The message asks, but does not require, those users to turn on an extra layer of protection for their account called Login Approvals.

Stamos said Facebook “will have always taken steps to secure accounts that we believe to have been compromised,” but will show the warning to users because these attacks may be “more advanced and dangerous” than others.

This is how the message looks in the desktop version of Facebook:

Facebook notification

Jay, we believe your Facebook account and other online accounts may be the target of attacks from state-sponsored actors. Turning on Login Approvals will help keep others from logging into your Facebook account. Whenever your account is accessed from a new device or browser, we'll send a security code to your phone so that only you can log in. We recommend you also take steps to secure the accounts you use on other services.

Because of the persistence of state-sponsored attackers, anyone whose Facebook account is under attack by a nation state is probably also being targeted on other services, so Facebook encourages securing those accounts as well.

Google began sending similar warnings to Gmail users back in 2012.

Just like Google, Facebook says it can’t reveal how or why it suspects state-sponsored attacks, for fear of giving away useful information to attackers about security methods.

Nation states may target individuals for political or national security reasons, but also attack individuals to gain access to their employers’ intellectual property or customer data, for example.

Countries like North Korea and China have been suspected of sponsoring attacks on private companies.

Hackers affiliated with the Chinese military were indicted by the US two years ago for allegedly hacking into several US steel companies.

The US claims the Chinese hackers used phishing emails and malware to gain access to email accounts of company officials, in order to steal information that would benefit Chinese state-run steel companies in trade disputes.

Targeted or not, extra security is always a good idea

Even if nation states aren’t likely to target you personally, it would be a shame to fall into the trap of thinking “no one’s interested in little old me.”

As Naked Security expert Paul Ducklin pointed out in a post describing all the bad excuses we make for neglecting our security, we are all on cybercriminals’ radars:

We're all in the sights of cybercrooks somewhere, and we owe it to ourselves and to everyone else to do the best we can to thwart them.

Today’s cybercriminals are typically in the business of making money, and to do that they want to compromise as many users and devices as possible.

One method for attackers to gain access to your accounts is to implant malware on your computer that can steal passwords.

Malware of this sort can get onto your computer in various ways, such as through booby-trapped email attachments, or by visiting a malicious website that pushes malware to your machine automatically (a so-called drive-by download).

Malware can also spread via Facebook.

We recently learned of a hacker using a type of malware called a “Facebook Spreader” to compromise Facebook accounts via malicious links in Facebook chat messages.

In August, a US-based hacker named Eric Crocker pleaded guilty to spreading Facebook malware to hijack thousands of accounts in order to send spam.

Just like Facebook recommends, we think it’s a good idea to add extra layers of security to your accounts, such as login verification or two-factor authentication.

Even if you’re not likely to be a target of a nation state, that’s no reason to become easy prey for common cybercriminals.

How to turn on Facebook Login Approvals

When you turn on Facebook Login Approvals, you’ll need to enter a special one-time code whenever you log into Facebook from an unrecognized device or browser.

You’ll receive the codes on your phone as a text message, so Facebook needs your mobile phone number to send Login Approval alerts.

Login Approvals are similar to, but more secure than, Login Notifications, which alert you when your account is accessed from a new device or browser but do not require a code.

To turn on Login Approvals:

  1. Click the down arrow at the top right of any Facebook page
  2. Go to Settings > Security
  3. Click on Login Approvals
  4. Check the box and click Save Changes

Finally, once you’ve set that up, make sure you change this setting so you can’t be searched for by phone number.


Image of man logging into Facebook courtesy of Twin Design / Shutterstock.com.
11 comments on “Facebook to warn you of targeted attacks – check this security setting anyway”

  1. Anonymous says:
    October 20, 2015 at 2:05 pm

    If a nation state is really interested in getting into your Facebook account, I don’t think a code sent to your phone is going to keep them out.
  2. KEN says:
    October 20, 2015 at 2:21 pm

    Seemed like an OK idea until I got to the part about text messages. Believe it or not, everybody in the world does not have texting… it is an option you know.
    • Anonymous says:
      October 20, 2015 at 5:48 pm

      Right, and not everyone has a cell phone either. (I for one)
    • Melvin says:
      October 20, 2015 at 6:10 pm

      Contrary to the implication in the article, I’m not certain that text message is the only way to get the one-time code. I believe that I’ve seen the code pop up in the facebook application in my phone, and you have the option to print out a list of one-time-use codes that you can use without a smart phone.
    • Anonymous says:
      October 20, 2015 at 7:51 pm

      Good point. I’ve got a landline phone and a desktop and *no* form of mobile communication (I’m retired and rarely away from home), and I feel the biggest failing of 2FA these days is its reliance on the assumption that everyone in the universe has access to SMS or equivalent texting.
    • Myles says:
      October 21, 2015 at 10:31 am

      It’s annoying to say the least that you can’t use an external authentication like Google’s Authentication app, and that you have to hand over credentials like a telephone number for “security”. Same with Twitter.
      I trust the authenticator app a lot more than I trust receiving a text message, and don’t trust the companies enough not to abuse the fact they have my contact number.
  3. Anonymous says:
    October 20, 2015 at 5:43 pm

    Seems to me that if they can get your passwords and such they can also get your phone number and send you a login code that they have set up themselves.
  4. Anonymous says:
    October 20, 2015 at 11:03 pm

    Just another way to get my phone number, I would rather delete my account.
  5. Mf says:
    October 21, 2015 at 12:08 pm

    Eh no way I’m giving Facebook my mobile number…they have enough of my personal info I think…
  6. Anonymous says:
    October 21, 2015 at 1:34 pm

    Just another con to get your mobile number, which will be passed on to a third party.
  7. H4CK3R says:
    October 22, 2015 at 7:35 am

    just make a fake facebook account. you are safe, lol.