Security expert warns Facebook’s new password feature may not be safe


13 Oct 2010

Facebook’s new one-time password feature could result in further security concerns for users, according to security firm Sophos.

Earlier, Facebook unveiled a new feature that allows users to protect their accounts with one-time passwords when they log in from public computers.

The user can have a different password, which expires within 20 minutes, sent to their phone to access their profile.

Graham Cluley, senior technology consultant at Sophos, said users shouldn’t see this as a safe way to browse Facebook on untrusted computers.

“If you believe a computer might not be secure in the first place, why would you use it to access personal accounts, such as Facebook?” said Cluley.

“A temporary password may stop keylogging spyware giving cyber criminals a permanent back door into your account, but it doesn’t stop malware from spying on your activities online, and seeing what’s happening on your screen.”

Need to be wary of passwords sent to mobile

He also noted that sending passwords to a mobile phone may not be a particularly safe security measure.

“If you’re anything like me, it’s likely that you’ve mislaid your mobile phone from time to time.

“If someone else can gain access to your phone and send a text message, your Facebook account will be unlocked,” he said.

Cluley urges users not to visit sites with sensitive information on PCs they don’t trust, regardless of having a one-time password.

“Never visit websites like Facebook from computers that may not be running adequate anti-virus software or security patches,” Cluley said.

“Instead, wait until you have access to a trusted PC, rather than risking sharing your personal information with unknown others.

“There’s a real danger that the one-time-password system will be viewed as a green light by Facebook users to access their accounts from unsafe PCs,” he said.