Facebook has unveiled new measures to keep members secure when they log into its site.
One is a temporary password; another is letting people sign out of Facebook remotely. Finally, it will also now regularly prompt members to update their security information.
“Our new features are aimed at protecting people who log in from devices they don’t own as well as helping people who lose access to an account get it back quickly,” Facebook spokesperson Simon Axten told TechNewsWorld.
How the Temp Password Works
Facebook members must have first listed a mobile phone number in their account information if they want to use the temporary password feature, wrote Jake Brill, a Facebook product manager.
Then, if they’re unsure about the security of the computer they’re using — at an airport, Internet cafe or hotel, for example — they just have to text the string “otp” to the number 32665 from their mobile phones.
Facebook will ping back a password that can be used only once. This password expires in 20 minutes. It can be used instead of the member’s regular password.
Facebook is rolling out this feature gradually, and it will be available to all its members in the next few weeks, Brill wrote.
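A minimal server-side model of the behaviour described above (a password that works once and expires after 20 minutes), added here as an illustration. It is not Facebook's code; the class name, password format, hashing scheme and failed-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60   # from the article: the password expires in 20 minutes
MAX_FAILED_ATTEMPTS = 5     # assumption: guess limit, not stated in the article


class OneTimePasswordStore:
    """Hypothetical store holding at most one pending temporary password per account."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable clock so expiry can be exercised in tests
        self._pending = {}      # account_id -> salt, digest, expires_at, failures

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def issue(self, account_id):
        """Generate the password to send by SMS; any earlier pending one is replaced."""
        password = secrets.token_urlsafe(6)   # 8 characters; the format is an assumption
        salt = secrets.token_bytes(16)
        self._pending[account_id] = {
            "salt": salt,
            "digest": self._digest(salt, password),   # the plaintext is never stored
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "failures": 0,
        }
        return password

    def verify(self, account_id, candidate):
        """Return True at most once per issued password, and only before it expires."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() >= entry["expires_at"]:
            del self._pending[account_id]
            return False
        expected = entry["digest"]
        if not hmac.compare_digest(expected, self._digest(entry["salt"], candidate)):
            entry["failures"] += 1
            if entry["failures"] >= MAX_FAILED_ATTEMPTS:
                del self._pending[account_id]   # stop online guessing
            return False
        del self._pending[account_id]   # consume: a captured password cannot be replayed
        return True
```

Deleting the entry on first successful use is what makes a password recorded on a shared PC useless afterwards.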
Looking at Temp Password Protection
Students who use library computers or PCs in a computer room in school, and travelers who use PCs at cyber cafes and at hotels, are likely to need the temporary password protection, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
The temporary password will protect users against key-logging malware that’s common on PCs that are for public use, Enderle pointed out. “Key-logging malware captures IDs and passwords, and using temporary passwords means the password captured won’t work for the thief,” he explained.
“The biggest risk when logging into Facebook, or any site for that matter, with a computer that isn’t yours, such as a hotel or Internet cafe computer, is that a key-logger or Trojan may have been pre-installed on that computer, and that will let someone steal your user name and password,” Patrik Runald, senior manager for security research at Websense, told TechNewsWorld.
Problems With Temp Passwords
“Facebook is hoping that by providing a temporary password, it doesn’t matter if the password gets stolen by spyware, but I have other problems with the approach,” said Graham Cluley, a senior technology consultant at Sophos. He pointed TechNewsWorld to his blog, where he outlined these issues.
One problem is that users who lose their mobile phones are still at risk. If someone else can get access to that lost phone and the owner hasn’t locked the device with a password to prevent SMS texts being sent, the finder might be able to access the phone owner’s Facebook account, Cluley wrote.
Another problem is that hackers may be able to change mobile phone numbers on their victims’ accounts to phone numbers they have access to, Cluley wrote. This will let them access those accounts readily.
Further, temporary passwords only prevent cybercriminals using keylogging spyware from recording victims’ real passwords, Cluley wrote. However, they don’t prevent them from using malware to spy on their victims’ online activities and seeing what’s happening on their PC screens.
The temporary password won’t protect Facebook members from exposure to malicious links, Websense’s Runald pointed out.
Websense claims that about 40 percent of Facebook posts contain links, and about 10 percent of those posts are either spam or contain malware. The greatest danger comes from corporate and celebrity Facebook pages that are accessed by large numbers of users.
“The Websense data isn’t consistent with what we’ve seen, and likely only accounts for public comments made on large group sites and pages,” Facebook’s Axten pointed out. “There’s an important difference between these comments and the comments made through actual person-to-person communication channels such as the Facebook Inbox, Status Page and Wall. The latter have a higher signal and are where we focus many of our efforts,” Axten said.
Public comments made on large groups’ pages and sites are “more fleeting and have a lower signal since they often come from non-friends,” Axten said. “We provide group and Page admins with tools to delete any posts they don’t like.”
"The temporary password won’t protect Facebook members from exposure to malicious links, Websense’s Runald pointed out."
No, it won’t. But it may protect their information if those malicious links lead to phishing sites, if the temporary passwords are required anytime one signs in away from their home computer (which would be a great security step). Take it from VeriSign (where I work): Facebook still needs extended validation SSL to cut down on phishing in a bad way — there’s really no better solution to showing users the difference between Facebook and FAKEbooks. Good to know that they’re taking security more seriously, though.