03:10 PM
Connect Directly

Facebook Aims to Make Security More Social

Facebook's massive user base creates an opportunity to educate billions on security.

Facebook's user base of 2.13 billion poses for the social media giant both a challenge and an opportunity to secure a massive number of accounts while also educating users on best security practices. 

Other social media platforms, including LinkedIn, Twitter, and Instagram, also have the chance to enforce and foster strong security among users. But are they capitalizing on that opportunity?

"Getting people to care about their online privacy and security is always a challenge," says Paul Bischoff, privacy advocate with Comparitech. "Users are responsible for meeting Facebook halfway, but adjusting security and privacy settings is usually an afterthought that most of us put off for far too long."

It's an area where most social media companies could stand to improve, says Nick Hayes, senior analyst serving security and risk professionals at Forrester.

"There's a lot more social networks can be doing for security to help users improve their overall security posture," he explains. "Looking at the main social networks, there are different aspects of security we should be breaking into."

Facebook has a broad reach and its two billion users provide insight on how their ongoing security strategy is working. Hayes notes Facebook has done interesting and helpful things to boost user security, such as its early adoption of two-factor authentication.

"The one thing that we've definitely learned at the scale of two-billion-plus users is that there's really no one-size-fits-all approach," says Scott Dickens, product manager with the Facebook Account Integrity team, who led the redesign of Facebook's Security Settings page last year.

Redesign with Security in Mind

"There's a design focus on making sure users can easily identify and find the most important security tools," Dickens explains. Its facelift included a top-level menu for security and login, and stronger focus on frequently used features.

"Change password," the most common security function among users, is prioritized at the top so users can more easily access the option to set a cookie to remember their credentials. Most would prefer to access their accounts by tapping a photo of themselves, says Dickens, rather than entering their password every time they log in.

"We try to work on making security settings super easy to understand," he continues. "We wanted to take away as much jargon as possible and make it accessible to all of our users, not just the security experts."

For example, he says, Facebook used to use "login approvals" as the term to access multi-factor authentication settings. The team later learned people were searching for those settings by entering "two-factor authentication," and adjusted its terminology to match user behavior.

"We actually didn't get that right," Dickens admits. "It was one of those cases where, in trying to make it accessible, we may not have make it accessible to the audience who wanted to find two-factor authentication."

Login security continues to be a focus. Last year Facebook acquired Confirm.io, an identity verification startup specializing in tech that confirms user identities using photos of driver's licenses or other forms of ID. Facebook has so far had little to say about its plans for Confirm and how the new company will fit into its strategy going forward.

"Confirm.io's technology will most likely be used to improve and expand upon Facebook's two-factor authentication function," Bischoff predicts. It could improve security when logging in from unfamiliar devices and recovering accounts when someone loses credentials. "A biometric verification, such as a fingerprint or face scan, could serve as a more secure alternative."

Facebook's security initiatives include a new tool, also added in December, which helps verify phishing emails. You can view "recent emails about security and login" from the Security Settings page, where Facebook publishes security-related emails it sends to users. The idea is to prevent people from clicking fake login pages and entering credentials on malicious websites.

"It's a way to better understand which emails Facebook sent you, versus which mails might look like they're from Facebook but are not," says Dickens. This was an area where Facebook noticed other online services taking action, and added the feature to match the rest of the industry.

Balancing Business with Security

Hayes says while these recent security features are key steps, there is more Facebook could do to protect its audience. For example, its emails about account notifications don't contain much context, a move intended to get people to log into their accounts so they can view new messages. However, if emails had more context, it would be harder for attackers to replicate them.

The goal is to get people back on Facebook's platform, Hayes continues, pointing to a tricky problem: while the company needs to protect users, it's also a business that relies on consumer data to profit. The more people on Facebook, the more data and revenue it generates.

Identity and access management is an area where platforms could focus more on protecting users' connections with followers, social media accounts for brands, and the users interacting with company social accounts, which could put them at risk if compromised, he adds.

"They could be doing a lot more to help people understand where users and followers, and the connections they have with others, are legitimate," Hayes explains.

A recently added Facebook feature called "Protect," located in the app's navigation menu on iOS, redirects users to a download page for VPN service Onavo Protect, which Facebook acquired in 2013. According to the App Store page, Protect warns users when they visit potentially harmful sites. However, it also lets Facebook track users' activity.

"Like most VPNs, Onavo encrypts all the Internet traffic traveling to or from a device and routes it through an intermediary server in a remote location," says Bischoff. This does harden security, particularly on public WiFi, and can prevent Internet service providers (ISPs) from monitoring users' activity.

However, most VPN providers don't monitor or record users' traffic. Onavo's description says it's used to "improve Facebook products and services, gain insights into the protects and service people value, and build better experiences," he continues. Instead of ISPs tracking your activity, Facebook will do it instead.

Going forward, Hayes says there is an opportunity for Facebook to be more transparent in identifying security issues, and partner up with security companies to offer additional protection for users who want it. Not everyone has the same risk profile and the same risk tolerance, and people who want tighter security should be able to add it.

Related Content:




Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
2/20/2018 | 7:54:37 PM
Don't use Facebook's VPN
Eck. People are better off using ExpressVPN.
User Rank: Apprentice
2/21/2018 | 6:18:15 AM
FB security
Facebook has been having troubles for so long. Not sure when they will actually be able to resolve these issues.
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
Microsoft Report Details Different Forms of Cryptominers
Kelly Sheridan, Staff Editor, Dark Reading,  3/13/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.