Facebook's user base of 2.13 billion poses for the social media giant both a challenge and an opportunity to secure a massive number of accounts while also educating users on best security practices.
Other social media platforms, including LinkedIn, Twitter, and Instagram, also have the chance to enforce and foster strong security among users. But are they capitalizing on that opportunity?
"Getting people to care about their online privacy and security is always a challenge," says Paul Bischoff, privacy advocate with Comparitech. "Users are responsible for meeting Facebook halfway, but adjusting security and privacy settings is usually an afterthought that most of us put off for far too long."
It's an area where most social media companies could stand to improve, says Nick Hayes, senior analyst serving security and risk professionals at Forrester.
"There's a lot more social networks can be doing for security to help users improve their overall security posture," he explains. "Looking at the main social networks, there are different aspects of security we should be breaking into."
Facebook has a broad reach and its two billion users provide insight on how their ongoing security strategy is working. Hayes notes Facebook has done interesting and helpful things to boost user security, such as its early adoption of two-factor authentication.
"The one thing that we've definitely learned at the scale of two-billion-plus users is that there's really no one-size-fits-all approach," says Scott Dickens, product manager with the Facebook Account Integrity team, who led the redesign of Facebook's Security Settings page last year.
Redesign with Security in Mind
"There's a design focus on making sure users can easily identify and find the most important security tools," Dickens explains. Its facelift included a top-level menu for security and login, and stronger focus on frequently used features.
"Change password," the most common security function among users, is prioritized at the top so users can more easily access the option to set a cookie to remember their credentials. Most would prefer to access their accounts by tapping a photo of themselves, says Dickens, rather than entering their password every time they log in.
"We try to work on making security settings super easy to understand," he continues. "We wanted to take away as much jargon as possible and make it accessible to all of our users, not just the security experts."
For example, he says, Facebook used to use "login approvals" as the term to access multi-factor authentication settings. The team later learned people were searching for those settings by entering "two-factor authentication," and adjusted its terminology to match user behavior.
"We actually didn't get that right," Dickens admits. "It was one of those cases where, in trying to make it accessible, we may not have make it accessible to the audience who wanted to find two-factor authentication."
Login security continues to be a focus. Last year Facebook acquired Confirm.io, an identity verification startup specializing in tech that confirms user identities using photos of driver's licenses or other forms of ID. Facebook has so far had little to say about its plans for Confirm and how the new company will fit into its strategy going forward.
"Confirm.io's technology will most likely be used to improve and expand upon Facebook's two-factor authentication function," Bischoff predicts. It could improve security when logging in from unfamiliar devices and recovering accounts when someone loses credentials. "A biometric verification, such as a fingerprint or face scan, could serve as a more secure alternative."
Facebook's security initiatives include a new tool, also added in December, which helps verify phishing emails. You can view "recent emails about security and login" from the Security Settings page, where Facebook publishes security-related emails it sends to users. The idea is to prevent people from clicking fake login pages and entering credentials on malicious websites.
"It's a way to better understand which emails Facebook sent you, versus which mails might look like they're from Facebook but are not," says Dickens. This was an area where Facebook noticed other online services taking action, and added the feature to match the rest of the industry.
Balancing Business with Security
Hayes says while these recent security features are key steps, there is more Facebook could do to protect its audience. For example, its emails about account notifications don't contain much context, a move intended to get people to log into their accounts so they can view new messages. However, if emails had more context, it would be harder for attackers to replicate them.
The goal is to get people back on Facebook's platform, Hayes continues, pointing to a tricky problem: while the company needs to protect users, it's also a business that relies on consumer data to profit. The more people on Facebook, the more data and revenue it generates.
Identity and access management is an area where platforms could focus more on protecting users' connections with followers, social media accounts for brands, and the users interacting with company social accounts, which could put them at risk if compromised, he adds.
"They could be doing a lot more to help people understand where users and followers, and the connections they have with others, are legitimate," Hayes explains.
A recently added Facebook feature called "Protect," located in the app's navigation menu on iOS, redirects users to a download page for VPN service Onavo Protect, which Facebook acquired in 2013. According to the App Store page, Protect warns users when they visit potentially harmful sites. However, it also lets Facebook track users' activity.
"Like most VPNs, Onavo encrypts all the Internet traffic traveling to or from a device and routes it through an intermediary server in a remote location," says Bischoff. This does harden security, particularly on public WiFi, and can prevent Internet service providers (ISPs) from monitoring users' activity.
However, most VPN providers don't monitor or record users' traffic. Onavo's description says it's used to "improve Facebook products and services, gain insights into the protects and service people value, and build better experiences," he continues. Instead of ISPs tracking your activity, Facebook will do it instead.
Going forward, Hayes says there is an opportunity for Facebook to be more transparent in identifying security issues, and partner up with security companies to offer additional protection for users who want it. Not everyone has the same risk profile and the same risk tolerance, and people who want tighter security should be able to add it.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.