Facebook Unveils New Security Measures

Facebook today has unveiled new measures in order to keep its members more secure when they log into its site.

A number of new features are being introduced as part of these new measures. Firstly members will be required to update their security details on a regular basis, this will be given as a reminder to users by means of a prompt when they log on. Secondly they will be able to remotely log themselves out of another location if they have forgotten to do so already. Finally and most importantly is the introduction of temporary passwords. Such passwords on request by the user will allow them to log on without using their normally registered password. This password is issued on a single use basis and will expire after a period of 20 minutes after which they can request another password. Their registered password will still continue to work during this time.

Spokesperson for Facebook Simon Axten said:

“Our new features are aimed at protecting people who log in from devices the don’t own as well as helping people who lose access to an account get it back quickly”

How does this Temp Password Work?

“Facebook members must have first listed a mobile phone number in their account information if they want to use the temporary password feature”, wrote Jake Brill, a Facebook product manager.

“Then, if they’re unsure about the security of the computer they’re using — at an airport, Internet cafe or hotel, for example — they just have to text the string “otp” to the number 32665 from their mobile phones.

Facebook will ping back a password that can be used only once. This password expires in 20 minutes. It can be used instead of the member’s regular password.

Facebook is rolling out this feature gradually, and it will be available to all its members in the next few weeks”, Brill wrote.

Looking at the password protection

“Students who use library computers or PCs in a computer room in school, and travelers who use PCs at cyber cafes and at hotels, are likely to need the temporary password protection, wrote Rob Enderle, principal analyst at the Enderle Group

The temporary password will protect users against key-logging malware that’s common on PCs that are for public use, Enderle pointed out. “Key-logging malware captures IDs and passwords, and using temporary passwords means the password captured won’t work for the thief,” he explained.”

“The biggest risk when logging into Facebook, or any site for that matter, with a computer that isn’t yours, such as a hotel or Internet cafe computer, is that a key-logger or Trojan may have been pre-installed on that computer, and that will let someone steal your user name and password,” Patrik Runald, senior manager for security research at Websense.”

Problems with temp passwords

“Facebook is hoping that by providing a temporary password, it doesn’t matter if the password gets stolen by spyware, but I have other problems with the approach,” said Graham Cluley, a senior technology consultant at Sophos.

“One problem is that users who lose their mobile phones are still at risk. If someone else can get access to that lost phone and the owner hasn’t locked the device with a password to prevent SMS texts being sent, the finder might be able to access the phone owner’s Facebook account”, Cluley wrote.

Another problem is that hackers may be able to change mobile phone numbers on their victims’ accounts to phone numbers they have access to, Cluley wrote. This will let them access to those accounts readily.

Further, temporary passwords only prevent cybercriminals using keylogging spyware from recording victims’ real passwords, Cluley wrote. However, it doesn’t prevent them from using malware to spy on their victims’ online activities and seeing what’s happening on their PC screens.

The temporary password won’t protect Facebook members from exposure to malicious links, Websense’s Runald pointed out.

Websense claims that about 40 percent of Facebook posts contain links, and about 10 percent of those posts are either spam or contain malware. The greatest danger comes from corporate and celebrity Facebook pages that are accessed by large numbers of users.

“The Websense data isn’t consistent with what we’ve seen, and likely only accounts for public comments made on large group sites and pages,” Facebook’s Axten pointed out. There’s an important difference between these comments and the comments made through actual person-to-person communication channels such as the Facebook Inbox, Status Page and Wall. The latter have a higher signal and are where we focus many of our efforts,” Axten said.

Public comments made on large groups’ pages and sites are “more fleeting and have a lower signal since they often come from non-friends,” Axten said. “We provide group and Page admins with tools to delete any posts they don’t like.”