Security Insights

Facebook One-Time Password: Gold Or Pyrite?

Facebook is rolling out a new security feature that allows users to get a one-time password to log in. The site claims doing so will make it "safer to use public computers." Is it really a security gold nugget, as they are saying, or is it just a lump of fool's gold?

Honestly, when I read the announcement I thought it was a nice idea, but there are some flaws in the plan, as Graham Cluley pointed out in his blog post. His primary concerns are mislaid mobile phones; whether you would notice if someone changed your mobile number on Facebook; and, if you believe a computer is insecure, why you are accessing Facebook from it in the first place.

I definitely agree on his mobile phone points. While I seem to be surgically attached to my phones, many of my friends are not. They leave them lying around in the open, or simply lose them. Of course, a black hat could then request a one-time password, but since many smartphones have a Facebook application installed, it's simply easier to attack the account directly. Why make extra work, right? As a bonus, they can send SMS text messages, post bogus messages to your wall, and, if it's set up on the phone, read your email.

Also, how often do you really check the information you put in your profile? If you're like most people, then it's only when and if you need to change anything. Many users would never know if anything had been changed in there, including the mobile number, simply because they don't ever think to check.

If you are going to a public machine, then a keylogger can be the least of your worries. There are many ways to spy on you, and keyloggers aren't the only way to capture information. Some malware is able to capture what's in the window via screenshots or following mouse clicks. Yes, I know Facebook credentials have been captured by keylogging malware, but many malware authors simply aren't that bothered. The social engineering scams are doing a much better job of capturing login details than a keylogger.

But the main thought I had was that while this is all well and good on Facebook's part, it isn't taking the security far enough. Why not require strong passwords? What about security questions on login? Those could even have the option (as many sites do) to not ask again on a machine you trust, so you can opt out. This opt-in approach seems more like a concession being thrown out there than a true commitment to user security and privacy.

Beth Jones is a Senior Threat Researcher in SophosLabs North America. She manages the day-to-day research and analysis activities of incoming suspicious malware threats and potentially unwanted applications that arrive in the Lab via Sophos customers, partners, and prospects.
