Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:10 PM
Connect Directly

Facebook Aims to Make Security More Social

Facebook's massive user base creates an opportunity to educate billions on security.

Facebook's user base of 2.13 billion poses for the social media giant both a challenge and an opportunity to secure a massive number of accounts while also educating users on best security practices. 

Other social media platforms, including LinkedIn, Twitter, and Instagram, also have the chance to enforce and foster strong security among users. But are they capitalizing on that opportunity?

"Getting people to care about their online privacy and security is always a challenge," says Paul Bischoff, privacy advocate with Comparitech. "Users are responsible for meeting Facebook halfway, but adjusting security and privacy settings is usually an afterthought that most of us put off for far too long."

It's an area where most social media companies could stand to improve, says Nick Hayes, senior analyst serving security and risk professionals at Forrester.

"There's a lot more social networks can be doing for security to help users improve their overall security posture," he explains. "Looking at the main social networks, there are different aspects of security we should be breaking into."

Facebook has a broad reach and its two billion users provide insight on how their ongoing security strategy is working. Hayes notes Facebook has done interesting and helpful things to boost user security, such as its early adoption of two-factor authentication.

"The one thing that we've definitely learned at the scale of two-billion-plus users is that there's really no one-size-fits-all approach," says Scott Dickens, product manager with the Facebook Account Integrity team, who led the redesign of Facebook's Security Settings page last year.

Redesign with Security in Mind

"There's a design focus on making sure users can easily identify and find the most important security tools," Dickens explains. Its facelift included a top-level menu for security and login, and stronger focus on frequently used features.

"Change password," the most common security function among users, is prioritized at the top so users can more easily access the option to set a cookie to remember their credentials. Most would prefer to access their accounts by tapping a photo of themselves, says Dickens, rather than entering their password every time they log in.

"We try to work on making security settings super easy to understand," he continues. "We wanted to take away as much jargon as possible and make it accessible to all of our users, not just the security experts."

For example, he says, Facebook used to use "login approvals" as the term to access multi-factor authentication settings. The team later learned people were searching for those settings by entering "two-factor authentication," and adjusted its terminology to match user behavior.

"We actually didn't get that right," Dickens admits. "It was one of those cases where, in trying to make it accessible, we may not have make it accessible to the audience who wanted to find two-factor authentication."

Login security continues to be a focus. Last year Facebook acquired Confirm.io, an identity verification startup specializing in tech that confirms user identities using photos of driver's licenses or other forms of ID. Facebook has so far had little to say about its plans for Confirm and how the new company will fit into its strategy going forward.

"Confirm.io's technology will most likely be used to improve and expand upon Facebook's two-factor authentication function," Bischoff predicts. It could improve security when logging in from unfamiliar devices and recovering accounts when someone loses credentials. "A biometric verification, such as a fingerprint or face scan, could serve as a more secure alternative."

Facebook's security initiatives include a new tool, also added in December, which helps verify phishing emails. You can view "recent emails about security and login" from the Security Settings page, where Facebook publishes security-related emails it sends to users. The idea is to prevent people from clicking fake login pages and entering credentials on malicious websites.

"It's a way to better understand which emails Facebook sent you, versus which mails might look like they're from Facebook but are not," says Dickens. This was an area where Facebook noticed other online services taking action, and added the feature to match the rest of the industry.

Balancing Business with Security

Hayes says while these recent security features are key steps, there is more Facebook could do to protect its audience. For example, its emails about account notifications don't contain much context, a move intended to get people to log into their accounts so they can view new messages. However, if emails had more context, it would be harder for attackers to replicate them.

The goal is to get people back on Facebook's platform, Hayes continues, pointing to a tricky problem: while the company needs to protect users, it's also a business that relies on consumer data to profit. The more people on Facebook, the more data and revenue it generates.

Identity and access management is an area where platforms could focus more on protecting users' connections with followers, social media accounts for brands, and the users interacting with company social accounts, which could put them at risk if compromised, he adds.

"They could be doing a lot more to help people understand where users and followers, and the connections they have with others, are legitimate," Hayes explains.

A recently added Facebook feature called "Protect," located in the app's navigation menu on iOS, redirects users to a download page for VPN service Onavo Protect, which Facebook acquired in 2013. According to the App Store page, Protect warns users when they visit potentially harmful sites. However, it also lets Facebook track users' activity.

"Like most VPNs, Onavo encrypts all the Internet traffic traveling to or from a device and routes it through an intermediary server in a remote location," says Bischoff. This does harden security, particularly on public WiFi, and can prevent Internet service providers (ISPs) from monitoring users' activity.

However, most VPN providers don't monitor or record users' traffic. Onavo's description says it's used to "improve Facebook products and services, gain insights into the protects and service people value, and build better experiences," he continues. Instead of ISPs tracking your activity, Facebook will do it instead.

Going forward, Hayes says there is an opportunity for Facebook to be more transparent in identifying security issues, and partner up with security companies to offer additional protection for users who want it. Not everyone has the same risk profile and the same risk tolerance, and people who want tighter security should be able to add it.

Related Content:




Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
2/21/2018 | 6:18:15 AM
FB security
Facebook has been having troubles for so long. Not sure when they will actually be able to resolve these issues.
User Rank: Strategist
2/20/2018 | 7:54:37 PM
Don't use Facebook's VPN
Eck. People are better off using ExpressVPN.
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.