Facebook Adds Security Features to Stop Spam and Scams

Facebook added two factor authentications, anti-cross-site scripting detection, CAPTCHA prompts to stop clickjacking and safe Web link surfing to protect user accounts.

Facebook rolled out three new security measures to try to prove that it cares about user privacy.

The social networking site now features two-factor authentication to secure the login process, a secondary step to thwart clickjacking scams and a new surfing tool to rate the safety of links, Clement Genzmer, a Facebook security engineer, wrote on the Facebook Security blog that appeared May 12. Clickjacking refers to tricking users into clicking on links that post on the Wall to get more people to click and is one of the most common sources of spam on Facebook.

"Facebook is committed to bringing you a safe experience on the Internet," Genzmer wrote.

The latest announcement is a "welcome" sign, since the features prevent, or actively discourage, users from doing certain things while on Facebook, Paul Ducklin, head of security at Sophos, wrote on the Naked Security blog.

"In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic. Let's hope that everyone at Facebook has accepted that reduced traffic from safer users will almost certainly give the company higher value in the long term," Ducklin wrote.

Login Approvals, the two-factor authentication feature, is an optional feature for all Facebook users, Andrew Song, an engineering intern, wrote on the Facebook Engineering blog. The company hinted at this feature back in April. Users who turn on Login Approvals will receive a numeric code via text message on their cell phones whenever they try to log in to the site from a new or unrecognized device, according to Facebook's Genzmer. The user would have to enter that code before gaining access to the account. The challenge will request the code sent to the phone for every login attempt made from a device the user hasn't designated as "safe."

"While someone may have known your login credentials, he or she was unable to access your account or cause any harm," said Genzmer.

If the user loses the mobile device, the user will have to log in from a saved device to reset the phone number and prevent account lockout, according to Song.

Developers had to balance security and usability when building Login Approvals, according to Song. Similar schemes on other Websites require you to download authentication apps or purchase physical tokens to act as the token-id generator.

While the approach works and Facebook is considering them for future implementation, the site wanted to have the "biggest impact" and decided to use SMS messages as the best option for the second factor in the authentication process, Song said.