"Secure" and "Facebook" in the same headline. Please allow me to regain my composure. To elaborate, I measure security by three metrics: Confidentiality, Integrity, and Availability. Facebook has been fighting Confidentiality tooth and nail since its inception. Therefore, I say Facebook wholly fails the security test.
If you want confidentiality, you have to be certain to share only that which you are comfortable being made totally public. This goes for information written or spoken pretty much anywhere. Long gone are the days of ephemeral communication.
For what it's worth, Facebook's Availability (uptime) is pretty good, and these measures have the potential to improve Integrity, but only if implemented and used properly both by Facebook and the end users.
Putting aside one's opinion on Facebook's stance around privacy, I think Facebook is one of the sites with the best measures to insure integrity of the site, at least for a consumer site.
A few times, I was warned that someone tried to accessed my account from a different computer, and went through a multi-step process to prove that I was indeed me. And, though it was multiple steps, it wasn't too much of a hassle actually.
Another time, one of my friends' account was compromised by a scammer and I got the account shut down in a couple of hours.
Recent activity and global logout is pretty useful. I imagine Facebook will offer a two-factor authentication at some point down the road.
A nonsensical comment. Software security is one of the many things that can be purchased using money. Facebook has a lot of money, and they have used it to buy serious software security talent. I trust Facebook with my data more than I trust WePay. And I like WePay.
Trust them to do what, precisely? Give it away for free, when they change your security settings to "public" by default, while doing a good job at preventing people from hacking in to get almost identical information?
That was mostly my point to begin with. At best, these new "security" controls prevent attackers from stealing my account and defacing my data. Facebook loses the confidentiality battle and thus the war.
So, we're not allowed to reason about the security of Facebook's actual software, because you disagree with their business practices? Sorry, it simply does not follow that because they don't revere your privacy as much as you do that their service must be insecure.
You're allowed to reason about the security of Facebook's software. I simply posit that the security of their software makes little difference when they've already taken a compromising stance with their business practices. Also, I don't disagree with their business practices. It's their place. They can run it however they like just as pg runs this place however he likes. I respect that, and I compensate by being cautious (and wish more people would do the same.)
Notice that throughout the entirety of this, I've stated my opinion. No more, no less. I even lauded this move as a way to potentially increase Integrity assuming proper implementation and use, yet I get buried.
Doesn't this mean that if someone steals your phone, they can easily log into your facebook and take over the account (change your real password and e-mail)?
That's a good point, unfortunately not mentioned in the post. One could assume/hope that this one-time password doesn't give you access to that kind of functions.
If anything though, it makes it easier for your friends to log into your account and prank you: "Do you mind if I borrow your phone for a minute?" And then log in on their laptop.
You need your existing (real) password to change your password; e-mail is still possible to change. Probable attack vector is to do "lost password" link and then change it, but the same is applicable to anyone with a smartphone too (it just now applies to anyone with any phone hooked up to FB).
It wouldn't even have to be stolen. All someone would need is access to the phone for less than a minute, which is harder to detect than if it was stolen outright. Though smartphones already have other privacy risks and are therefore protected, people with regular mobile phones weren't previously at risk, and probably have no idea that letting someone borrow their phone for a minute (or leaving it unattended) now means giving full access to their Facebook account, continuing even after the phone is returned.
I was very pleasantly surprised to see the Activity in my account a few days ago. I know Gmail got there first a long time ago but it's very nice to have.
Now if I ever use it... It is hard to get to. I find that I peek at my Gmail activity more with the link on the bottom.
Chances are you wouldn't even know your phone has gone missing.
The perpetrator 'borrows' your phone .. sends a one shot password request .. logs in to your account and deletes the message. You find your phone where you left it and are non-the-wiser.
otp is great stuff, but it's a long way from becoming mainstream if it's kept hidden and difficult to use. first hurdle is getting people to understand why they would want to use it.
on an unrelated note, is anyone tackling comment spam by ignorant humans that's not relevant to the article? just look at the comments on the blog post to see what i mean.
This is not two factor authentication, this is merely trading one factor (your password) for another factor (your telephone). In proper two-factor authentication, you should be required to enter your real password into your phone and THEN get a one-time password back out (your telephone is a trusted device).
My teenage friends trade phones all the time and they constantly nab them out of pockets, backs, purses, etc. for a few seconds. This change makes it trivially easy to steal someone's credentials.
Since they didn't call it two-factor authentication, it's not fair to whack them for not implementing two-factor authentication. It's "I'm at someone else's computer" authentication, and it's a fine idea.
Within the next 2 years, most everyone's phone will already be logged in to Facebook, as smartphones become as cheap as iPods, mooting the latter concern. Regardless, if you can't safely use the feature, you'd be well advised not to use it.
I remember claims that, by now a couple years ago, cell phones would cost $10 and the batteries would last for weeks.
My phone dies in 3 days if I have bluetooth on, and it cost $60 for the one-step-above-dirt phone after a 2 year contract got me a discount.
Also, how many people do you think are "well advised" of safely using security features? Even simple ones? Who don't see Facebook as one gigantic privacy / security geyser? ie, non-security-aware-geek-types? This is a minor, arguable security improvement and a major feel-good for people who don't know any better, and not much else.
You say that most people don't understand security, and unfortunately, you're exactly right. So why do those who know better intentionally choose to make things /less/ secure but market it as /increasing/ security?
I don't see how perpetuating the problem (every phone device is going to be insecurely logged in within the next 2 years) moots the concern. "Everyone does it!" is no excuse for a poor security model.
---
Simply text "otp" to 32665 on your mobile phone, [...]. We're rolling this out gradually, and it should be available to everyone in the coming weeks.
---
To everyone in what countries? I guess US users only?
25 comments
[ 219 ms ] story [ 181 ms ] threadIf you want confidentiality, you have to be certain to share only that which you are comfortable being made totally public. This goes for information written or spoken pretty much anywhere. Long gone are the days of ephemeral communication.
For what it's worth, Facebook's Availability (uptime) is pretty good, and these measures have the potential to improve Integrity, but only if implemented and used properly both by Facebook and the end users.
A few times, I was warned that someone tried to accessed my account from a different computer, and went through a multi-step process to prove that I was indeed me. And, though it was multiple steps, it wasn't too much of a hassle actually.
Another time, one of my friends' account was compromised by a scammer and I got the account shut down in a couple of hours.
Recent activity and global logout is pretty useful. I imagine Facebook will offer a two-factor authentication at some point down the road.
Notice that throughout the entirety of this, I've stated my opinion. No more, no less. I even lauded this move as a way to potentially increase Integrity assuming proper implementation and use, yet I get buried.
If anything though, it makes it easier for your friends to log into your account and prank you: "Do you mind if I borrow your phone for a minute?" And then log in on their laptop.
Now if I ever use it... It is hard to get to. I find that I peek at my Gmail activity more with the link on the bottom.
When someone steals your phone, you can suspend your mobile service. You can also disassociate the number from Facebook.
The perpetrator 'borrows' your phone .. sends a one shot password request .. logs in to your account and deletes the message. You find your phone where you left it and are non-the-wiser.
on an unrelated note, is anyone tackling comment spam by ignorant humans that's not relevant to the article? just look at the comments on the blog post to see what i mean.
My teenage friends trade phones all the time and they constantly nab them out of pockets, backs, purses, etc. for a few seconds. This change makes it trivially easy to steal someone's credentials.
Within the next 2 years, most everyone's phone will already be logged in to Facebook, as smartphones become as cheap as iPods, mooting the latter concern. Regardless, if you can't safely use the feature, you'd be well advised not to use it.
My phone dies in 3 days if I have bluetooth on, and it cost $60 for the one-step-above-dirt phone after a 2 year contract got me a discount.
Also, how many people do you think are "well advised" of safely using security features? Even simple ones? Who don't see Facebook as one gigantic privacy / security geyser? ie, non-security-aware-geek-types? This is a minor, arguable security improvement and a major feel-good for people who don't know any better, and not much else.
To everyone in what countries? I guess US users only?