Facebook Adds Security Features to Stop Spam and Scams

By Fahmida Y. Rashid  |  Posted 2011-05-13

Facebook Adds Security Features to Stop Spam and Scams

Facebook rolled out three new security measures to try to prove that it cares about user privacy.

The social networking site now features two-factor authentication to secure the login process, a secondary step to thwart clickjacking scams and a new surfing tool to rate the safety of links, Clement Genzmer, a Facebook security engineer, wrote on the Facebook Security blog that appeared May 12. Clickjacking refers to tricking users into clicking on links that post on the Wall to get more people to click and is one of the most common sources of spam on Facebook.

"Facebook is committed to bringing you a safe experience on the Internet," Genzmer wrote.

The latest announcement is a "welcome" sign, since the features prevent, or actively discourage, users from doing certain things while on Facebook, Paul Ducklin, head of security at Sophos, wrote on the Naked Security blog.

"In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic. Let's hope that everyone at Facebook has accepted that reduced traffic from safer users will almost certainly give the company higher value in the long term," Ducklin wrote.

Login Approvals, the two-factor authentication feature, is an optional feature for all Facebook users, Andrew Song, an engineering intern, wrote on the Facebook Engineering blog. The company hinted at this feature back in April. Users who turn on Login Approvals will receive a numeric code via text message on their cell phones whenever they try to log in to the site from a new or unrecognized device, according to Facebook's Genzmer. The user would have to enter that code before gaining access to the account. The challenge will request the code sent to the phone for every login attempt made from a device the user hasn't designated as "safe."

"While someone may have known your login credentials, he or she was unable to access your account or cause any harm," said Genzmer.

If the user loses the mobile device, the user will have to log in from a saved device to reset the phone number and prevent account lockout, according to Song.

Developers had to balance security and usability when building Login Approvals, according to Song. Similar schemes on other Websites require you to download authentication apps or purchase physical tokens to act as the token-id generator.

While the approach works and Facebook is considering them for future implementation, the site wanted to have the "biggest impact" and decided to use SMS messages as the best option for the second factor in the authentication process, Song said.

New Defenses Aim to Block Clickjacking


The Login Approvals feature can be turned on by going to the Account Security section of the Facebook account settings page, the company said.

It's a "pity" Facebook won't let the security-conscious user require two-factor authentication on every login, Ducklin said. It would be "even nicer" if Facebook added a token-based option, and Ducklin said it would be reasonable to charge for it, as well. The token would allow users to enjoy the benefits of two-factor authentication without sharing their mobile phone number.

Many users remain leery of giving up their numbers after Facebook said it will let app developers get user addresses and phone numbers in February. After an uproar, the site "temporarily" suspended the program.

As for the spam links spreading virally, Facebook said it had "built defenses" in the Facebook Like button to detect clickjacking and block links to known malicious sites. When users are posting a suspicious link to their profiles or friends' News Feeds, they will be prompted with a CAPTCHA window. The additional prompt ensures that the user really wants to post that link.

The new "Self-XSS Protection" feature also prevents users from inadvertently being part of a cross-site scripting attack. Spammers ask people to copy and paste malicious code into their Web browser's address bar, which results in the browser doing some user tasks, such as posting phony links or spamming friends, Genzmer said. When the site detects that the user has pasted malicious code into the address bar, it will display a challenge window with information as to why it's a bad idea and to ask the user to confirm the user meant to do this, according to the blog post.

"We are also working with the major browser companies to fix the underlying issue that allows spammers to do this," said Genzmer. Internet Explorer 9 has already put some protections in place, according to the blog post.

And finally, the company has partnered with Web of Trust to analyze links posted on Facebook. Web of Trust relies on ratings supplied by other community members. While Facebook already has a system that automatically scans the millions of links posted on the site to determine whether they are "spammy or contain malware," Web of Trust will provide Facebook with a larger list of known malicious sites, Genzmer said.

Facebook users will be able to help categorize links by using the Web of Trust add-on to leave their own rankings.

Rocket Fuel