Facebook Tightens Security with New Tools

In the wake of rising scam reports, the company has launched new protective measures and released statistics on attacks.

Oct 27, 2011

Facebook is countering reports about scams affecting its users—and a rising user perception of insecurity—with new security tweaks and the release of statistics suggesting that most of its 800 million active users experience few problems.


The company is also announcing two new features. One generates passwords for your Facebook apps to protect your main account; another deals with a side effect of security—the lockdown of compromised accounts—by enabling your Facebook friends to help you recover an account.

While Facebook employs some of the highest-tech tools in the business, it is also one of the Web’s most attractive targets by dint of its size.

“I feel pretty strongly that Facebook is the safest place for users to have their information on the Internet, without question,” Tao Stein, Facebook’s software engineer for site integrity, said in an interview.

The first feature the social network is announcing today is app passwords, which provides a separate layer of password security for Facebook apps. In part this is meant to improve an existing login security feature called two-factor authentication, which sends a text message to your mobile phone bearing a unique code that must be entered to complete the login.

While this can effectively block hackers who’ve gotten hold of your password, it also has a downside: if you use the feature, you have to repeat the process each time you want to use an app.

The second feature, called “trusted friends,” will make it easier to recover your account if it is shut down or if you lose your password. If you can’t access your e-mail account to retrieve a new password, Facebook will send codes to a preselected group of friends so that they can pass the codes to you.
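A model of the “trusted friends” recovery flow described above, written here as an added illustration rather than Facebook’s own implementation: the server issues one short-lived code per preselected friend, delivers each code only to that friend, and unlocks the account once the owner submits enough valid codes. The k-of-n threshold, the 24-hour lifetime and the attempt limit are assumptions, not details from the article.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 24 * 3600  # assumed lifetime of a recovery code, in seconds
MAX_ATTEMPTS = 5      # assumed limit on redemption attempts per recovery


def _digest(code: str) -> str:
    """Store only a hash so a leaked table of pending codes is useless."""
    return hashlib.sha256(code.encode()).hexdigest()


class TrustedFriendsRecovery:
    """Hypothetical server-side state for one locked-out account."""

    def __init__(self, trusted_friends, threshold, now=time.time):
        if not 1 <= threshold <= len(trusted_friends):
            raise ValueError("threshold must be between 1 and the number of friends")
        self.friends = list(trusted_friends)
        self.threshold = threshold   # how many friends' codes must be presented
        self.now = now               # injectable clock, for testing expiry
        self.pending = None          # friend -> (code hash, expiry time)
        self.attempts = 0

    def start(self):
        """Generate one random 8-digit code per friend; return what to send each."""
        issued = self.now()
        codes = {f: f"{secrets.randbelow(10**8):08d}" for f in self.friends}
        self.pending = {f: (_digest(c), issued + CODE_TTL) for f, c in codes.items()}
        self.attempts = 0
        return codes  # sent out-of-band to each friend, never to the account owner

    def redeem(self, submitted):
        """submitted maps friend -> code relayed to the owner. True on success."""
        if self.pending is None:
            return False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            self.pending = None  # too many guesses: force a fresh recovery
            return False
        valid = 0
        for friend, code in submitted.items():
            entry = self.pending.get(friend)
            if entry is None:
                continue
            code_hash, expiry = entry
            if self.now() > expiry:
                continue
            if hmac.compare_digest(code_hash, _digest(code)):
                valid += 1
        if valid >= self.threshold:
            self.pending = None  # codes are single use
            return True
        return False
```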

“Facebook seems to be introducing some sensible new controls; time will tell whether they are effective and strike the right balance,” says Maxim Weinstein, director of Stopbadware, a nonprofit antimalware organization in Cambridge, Massachusetts, that helps legitimate websites rid themselves of malware infections, among other things.

Facebook also released a detailed graphic with statistics on security problems. The company said 4 percent of links shared on Facebook are spam; only one in 200 users experiences spam on any given day; and 0.06 percent of a billion daily logins are compromised. “We wanted to show the immense scale at which we operate and the immense challenge to secure three quarters of a billion users and to be smart about how we do it,” says Jake Brill, product manager for site integrity at Facebook.

However, all this comes amid a drumbeat of reports about scams on the network. And Facebook’s own data suggest that large numbers of people are exposed to some scams over time—and that the site does experience 600,000 compromised logins daily. Each compromised login can mean a hacker or criminal is sending attacks to a user’s contacts under his or her name.

These messages could be phishing schemes that try to trick people into revealing passwords for bank accounts or other services. Others could contain links that try to defraud users by flashing phony warnings of infection and prompting them to pay for phony antivirus software. These messages may also include links to malicious sites that attempt to download viruses to steal data or hijack the computer for cyber-attacks.

In the past year or two, Facebook and other websites have seen a rising number of malicious Web addresses that lead to attacks like these. So over the past year Facebook has enlisted two outside firms—Web of Trust and Websense—to help the site block known malicious links. The targets are gathered from security companies, law enforcement, and even actual users who report suspicious links.

The problem with this method is that there’s a time lag before many such links are detected. Often, they are further hidden by link-shortening services such as Bit.ly. Earlier this year, the Web security firm Symantec reported that in 2010, malicious links made up two-thirds of all such short links on social networks. The company added that almost 90 percent of them had been clicked by users at least once.

Users are perceiving rising problems. In July, for example, the security firm Sophos reported that 81 percent of survey respondents saw Facebook as the “biggest risk” online—up from 60 percent in 2010.

In addition to the tweaks announced today, a remarkable real-time fight is escalating. Facebook actively looks for patterns of viral propagation and other behavior that seems malicious. Machine-learning algorithms update every 30 minutes to find and squelch the source of such attacks, says Stein.

“One of the most important things that Facebook can be doing is looking for new threats in real time,” Weinstein says. “You can stay ahead of that by detecting new patterns of malicious activity and stopping them before you’ve determined malware is present.”

A crucial security feature that Facebook has not yet fully implemented, Weinstein points out, is default encryption (as denoted by Web addresses starting with “https” rather than “http”). The latter, older system leaves someone logging in via Wi-Fi at a Starbucks, for example, at much greater risk of having his or her unencrypted information intercepted.

Last year Gmail moved to https as the default setting. But Facebook currently offers it only as an option. This is problematic, says Weinstein, because “the people who are most likely to need the feature are the least likely to know they need to turn it on.”

In an e-mail statement, Facebook said it is “making progress daily” toward default encryption. “We continue to work towards making this setting a default feature as soon as possible,” the statement said, but it noted that this requires ironing out site stability and speed issues. Facebook is also working with app developers so that encryption works across the site.

But Bruce Schneier, a cryptologist and security expert with BT Counterpane, points out that Facebook’s ultimate product is your data, which it uses to sell advertisements. “I think the biggest danger of putting things on Facebook is Facebook,” he says. “Facebook knows all of your stuff, and they sell it. It’s like handing your money to a thief who says ‘Nobody else will get your money.’ If you want Facebook security, don’t be on Facebook.”