Facebook is testing out two new security features to help users protect their accounts from being compromised by malicious third-party apps or hackers.
In an Oct. 26 blog post, the social networking giant unveiled the “trusted friends” feature to help users regain control of their account and application passwords to prevent malicious third-party apps from accessing account data. The features will be rolled out to users over the “coming weeks,” according to the Facebook security team.
Facebook has rolled out a number of security tools recently, including Login Approvals, Login Notifications and One-Time Passwords. It’s also developed back-end systems to block spam from user accounts, malicious links from being posted on the Wall and stop potential cross-site scripting attacks, according to an infographic the team posted on the blog. Even with the measures in place, over 600,000 accounts are compromised each day, according to the infographic.
In the grand scheme of things, that’s not a lot, as Facebook has more than 1 billion logins per day, and 600,000 is less than 1 percent, or .06 percent.
The first new feature, trusted friends, is for account logins. When a user is unable to log in to the account, for whatever reason, Facebook sends the unlock code to designated “trusted friends” that can be forwarded to the user to log back in. In Facebook’s words, if the user is locked out of the house, the user can now go to a friend who has the spare key. Users can designate three to five friends as trusted. The “Forgot your password?” process will continue to allow users who’ve lost their password to reset and log back in.
Facebook said the new system would help users when the account has been hijacked and they can’t get into email.
Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog that users would have to keep an eye on “trusted” friends to ensure they aren’t prone to playing practical jokes. While the system is set up so that each friend is sent only a single code, it was possible they could still band together to access the account, Cluley said. Users should also “be pretty confident” the friends take computer security seriously, as well.
Even if the friends are trustworthy, it seemed like a logical first step for an attacker to change the trusted friends setting as soon as the account has been hacked.
“If a bad guy has taken over your Facebook and email account, isn’t it likely that he will also change who your trusted friends are at the same time? Wouldn’t that make the whole security measure kinda pointless?” Cluley told eWEEK.
The other feature, App Passwords, provides a higher level of security for logging in to third-party applications. Many Web applications and services, such as Spotify music service and Skype messaging service, allow people to log in using Facebook credentials. With this option enabled, Facebook can generate unique passwords that can be used as part of the login process, as opposed to using the normal credentials. Since it’s “certainly a good idea” not to use Facebook credentials with anyone other than Facbook, this is a good privacy option for the site to offer, Cluley said.
If the user ever decides to stop using the app, it’s just a matter of deleting the password from within Facebook. Once the password has been deleted, the app can’t access account data.
The security benefits may be limited, as “it’s not hard to predict that the only people who might use such a feature might be those who are already very aware of privacy issues, rather than the great unwashed majority on Facebook,” Cluley said.