Facebook reveals major security overhaul measures

13 May 2011

Facebook has unveiled a number of new initiatives to protect user security and privacy including a device authentication tool and a new ratings tool to protect users from spammers and clickjammers.

The company has introduced a new feature called Login Approvals that requires users to authenticate any new device before they are able log into Facebook from it.

Facebook will send you a one-time verification code as a text message to your mobile phone number. It is a step that in recent months began to manifest on Google’s network, especially for Gmail users.

The move is aimed at preventing hackers from stealing your password. The new Login Approval feature is optional and can be accessed via the Account Security section of users’ Facebook accounts.

“This is a two factor authentication system that we first announced last month,” Clement Genzmer, security engineer at Facebook said.

“If you choose to use it, whenever you log in to Facebook from a new or unrecognized device, we’ll require that you also enter a code we send to your mobile phone via text message.”

Web of Trust

Facebook has also formed a partnership with Web of Trust, a free web surfing tool that tells you which websites you can trust based on the ratings supplied by other Web of Trust community members.

Facebook already has a system that automatically scans links to determine whether the websites associated with those links are spammy or contain malware.

“This partnership will help us improve our system by providing additional bad links, and in the coming months, we expect to massively increase our coverage even more by working with other industry leaders,” Genzmer said.

“You can become a part of this community too by using the Web of Trust add-on, and leaving your own ratings.

“Spammers sometimes take advantage of a vulnerability in the web browser to try to trick people into clicking on links they might not want to click on. This is called clickjacking, and it’s done by overlaying the link with something more enticing, like a phony offer.

“We have built defenses to detect clickjacking of the Facebook Like button and to block links to known clickjacking pages. Recently, we improved our systems to also alert people if we think they’re being tricked. Now, when we detect something suspicious, we’ll ask you to confirm your like before posting a story to your profile and your friends’ News Feeds,” Genzmer said.

Self-XSS Protection

Facebook has also moved to protect users against hackers placing malicious code into their address bar.

“Spammers take advantage of another browser weakness by asking people to copy and paste malicious code into their address bar, which then causes the browser to take actions on those people’s behalf, including posting status updates with phony links and sending spam messages to all friends.

“We have been working hard to improve our systems that detect and block these types of attacks, as well as to educate people on what is causing their accounts to send spam. Now, when  our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it’s a bad idea,” Genzmer said.

Facebook approval

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com