If you were wary of a message from Facebook about your profile security levels being low, you’re not alone.

Considering the recent rash of profile hack-ins and password breaches, many Facebook users are thinking before clicking these days.

And with good reason: hackers have been able to access thousands of profiles this year either due to user error or other sites’ negligence (see: Gawker’s massive password snafu from two weeks ago).

But this message, appearing on profiles everywhere, is actually from Facebook, even though it resembles the fake anti-virus and phishing pop-ups users have learned to distrust.

According to the social networking site, many (if not all) profiles have low or “very low” account protection statuses -- even the profiles run by very tech-savvy users.

Facebook’s apparent solution to this problem is what leaves some Internet security experts scratching their heads. Is it making your password harder to guess? Or disabling rogue applications?

Nope. It’s giving Facebook more of your personal information.

Once the note’s “increase protection” link is clicked, Facebook asks for an additional email address, one different from the address used to create the profile.

“Facebook's thinking is that if you lose control of the, say, Hotmail or Gmail account that you normally log into the site with, you'll be able to regain access to your Facebook account by giving them an alternative email address. They could then use this, for instance, to communicate with you,” said Graham Cluley, senior technology consultant at Sophos.com.

Which is all well and good, but Cluley wonders whether Facebook’s intentions are purely security-related.

Where does it go?

Along with the obvious problem of people who use the same password for their email accounts and their Facebook profile (don’t, by the way), Cluley points out that Facebook makes no mention of what else, exactly, it plans to do with users’ alternate email addresses.

“Not only would you be right to be concerned about whether you are increasing the potential for data loss by sharing alternative email addresses with online companies, but is it possible that Facebook might also use this secondary email address to further interconnect you with possible contacts?” said Cluley.

While Cluley points out that Facebook has good intentions, collecting data from users so it can help them regain control of compromised profiles, the company is going about it in a curious way. It also wants your phone number.

Along with another email address, Facebook claims your profile security will be beefed up if you provide your cell phone number (for those users who haven’t already done so).

Facebook is possibly asking for this so users will be able to use the “one-time password” feature it announced plans for in October 2010.

Users whose profiles have been compromised can receive a one-time temporary password by text message and use it to get back into their account -- but only if Facebook already has their mobile phone number on file, of course.
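The article does not describe how Facebook’s one-time password feature works internally. As an added illustration, not Facebook’s code, the following shows the properties a temporary text-message code should have to be worth anything: randomly generated, stored only as a hash, bound to one account, expiring after a short window, discarded after a handful of wrong guesses, and usable exactly once. The code length, the 20-minute window, the attempt limit and the in-memory store are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 8              # digits in the temporary code (assumed value)
CODE_TTL_SECONDS = 20 * 60   # validity window (assumed value)
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is discarded (assumed value)

# Pending codes keyed by account id. A real service would keep this in a
# server-side database; a module-level dict is a stand-in for the example.
_pending = {}


def _digest(account, code):
    """Hash the code together with the account id, so a digest issued for one
    account can never be matched by a code submitted for another."""
    return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()


def issue_code(account, now=None):
    """Create a single-use temporary code for `account` and return it; the caller
    would text it to the phone number on file. Only the hash is retained, so a
    leak of the store does not expose live codes. Issuing a new code replaces
    any earlier one for the same account."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    _pending[account] = {
        "digest": _digest(account, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def redeem_code(account, submitted, now=None):
    """Return True if `submitted` is the live code for `account`, consuming it.
    Expired codes and codes that have absorbed too many wrong guesses are
    deleted rather than left around for later attempts."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None:
        return False
    if now >= entry["expires"]:
        del _pending[account]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[account]
        return False
    # Constant-time comparison so response timing does not leak matching prefixes.
    if hmac.compare_digest(entry["digest"], _digest(account, submitted)):
        del _pending[account]   # single use: the same code can never be replayed
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: issue, one wrong guess, one correct redemption, one replay.
    acct = "user@example.com"   # constructed account id
    code = issue_code(acct)
    print("texted code:", code)
    print("wrong guess accepted?", redeem_code(acct, "0" * CODE_LENGTH if code != "0" * CODE_LENGTH else "1" * CODE_LENGTH))
    print("correct code accepted?", redeem_code(acct, code))
    print("replay accepted?", redeem_code(acct, code))
```

Note what the mechanism does not protect against, which is exactly Cluley’s point later in the article: whoever holds the phone receives the code, so expiry and single use limit the damage from an intercepted or leaked code but do nothing against a stolen handset.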

Unanswered questions

Again, all well and good, but Cluley brings up some real-life problems with this “security fix.”

“What happens if you lose your mobile phone, or someone else briefly swipes it from your jacket pocket? Then an unauthorized individual -- whether they be a potential identity thief or a jealous partner -- could potentially access your account via the system,” he said.

Plus, if Facebook has your cell phone number on hand, what else are they planning to do with it?

Lastly, Facebook wants you to pick one of its “security questions” and provide an answer only you would know. This would also act like a password in a pinch. But again, Cluley points out the flaw in Facebook’s plan.

The questions, including “In what city or town was your mother born?” and “What was the first name of the first boy or girl you ever kissed?” are ones whose answers could, relatively easily, be guessed based on… wait for it… information culled from people’s profiles.

“Where's the advice from Facebook that you shouldn't answer these questions honestly? Where's the option to write your own question?” wonders Cluley.
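Since a security-question answer stands in for a password, it deserves to be handled like one on both sides. As an added example that is not Facebook’s code and makes no claim about how Facebook stores answers, the block below shows the two halves of that: on the user side, a made-up random answer that cannot be looked up on a profile (the advice Cluley is asking for), and on the service side, normalising the answer so harmless differences in case and spacing still match, then keeping only a salted, slow hash and comparing in constant time. The iteration count and answer length are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ITERATIONS = 200_000   # assumed value; tune to the service's latency budget


def random_answer(nbytes=12):
    """User side: a random answer unrelated to your life, to be kept in a password
    manager. Neither "mother's birthplace" nor "first kiss" can be guessed from a
    profile when the stored answer is just random text."""
    return secrets.token_urlsafe(nbytes)


def normalize_answer(answer):
    """Canonicalise so 'Springfield ', 'springfield' and 'SPRING  FIELD' are treated
    consistently: Unicode NFKC, case folding, whitespace collapsed."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def store_answer(answer):
    """Service side: retain only a salted PBKDF2 digest of the normalised answer,
    encoded as 'saltHex$digestHex', never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt.hex() + "$" + digest.hex()


def verify_answer(stored, answer):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode(),
        bytes.fromhex(salt_hex),
        PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed walk-through with a generated answer instead of a truthful one.
    answer = random_answer()
    record = store_answer(answer)
    print("answer to keep in your password manager:", answer)
    print("what the service keeps:", record)
    print("matches with different case/spacing?", verify_answer(record, "  " + answer.upper() + " "))
```

The normalisation is deliberately modest: it absorbs typing differences without collapsing the answer space the way stripping all punctuation or digits would, and it is applied identically at enrolment and at verification so the hash never sees two different forms of the same answer.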

While Facebook appears concerned about profile security, many users are unhappy with the way, intentional or not, they’re presenting the issue.

“The suggestion that users' accounts currently have a protection status of ‘very low’ is entirely misleading and stinks of scare tactics,” said Cluley.

Simple fixes

For users who don’t want to provide additional information to Facebook, but are still concerned about keeping their profiles safe, there are some simple fixes:

  • Choose a Facebook password that is completely different from all your other passwords. Mixing upper- and lower-case letters along with a few numbers is always a safe bet. If you’re worried about forgetting it, write it down and keep it in a safe place.
  • Log out of your account every time you’re finished with it. Even if you think you’re the only one using that computer or handheld device.
  • Don’t use the word “password.” Seriously.