Is Facebook finally taking security seriously?
Late last week, I logged into my Facebook account and saw a small banner and link at the top of the newsfeed that claimed to take me to a page with security tips. I’ll be honest: I didn’t click on the link because I’m wary about things like that. I wanted to see what my trusted security sources were saying about the link first, and if it was cool, then I’d check out the link on a return trip to Facebook.
Well, the link appears to be legitimate, but oddly enough, I haven’t seen the link again on my newsfeed. So I had to depend on outside articles to explain the security tips. (I tried searching through my account settings, but the tips were nowhere to be found on a quick check.) The tips were pretty straightforward: advice on how to spot a scam, password security and adding your mobile phone number for an extra layer of security.
(As a side note, I’m kind of shocked at the adverse reaction to asking for the cell phone number. It’s not that I necessarily agree with the tactic, but Facebook is hardly the first site to ask for that information as a security measure.)
The password and scam tips are all things that any smart computer user would know and practice, but the timing couldn’t be better. Password security has entered a lot of casual conversations lately, thanks to the recent LinkedIn and eHarmony breaches. Perhaps those breaches were the wake-up call we needed on the importance of having strong passwords and different passwords for your different sites, especially sites loaded with personally identifiable information.
It’s also a reminder that Facebook scams are an ongoing problem. In fact, on Friday, I got an email from someone at ESET with Facebook in the subject line. I thought at first it was commentary on the Facebook security tips; instead it was a warning about the latest Facebook scam — an update of the “you must verify your account now or lose it” scam. Security researcher Cameron Camp explained on the ESET blog:
Notice how target-word-rich this example is; there is scary-sounding language about the SOPA ACT (and a few misspelled words and syntax errors, a tip that the author probably doesn’t speak English as a first language). The call to action is in RED, apparently for added effect. The second thing to note is that the website is definitely NOT facebook.com, but some other domain name, which clearly wouldn’t be a host of an official notification with the ability to suspend your account.
Also, check out the timing, the scam coming right along with these other major breaches and with the call to check out Facebook’s security tips.
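Camp’s “definitely NOT facebook.com” check is the one most users get wrong, because a lookalike host such as facebook.com.something.example passes a casual glance. The following is an added example (not from the ESET post or from Facebook) that classifies where a link really points; the sample links are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# The one domain an official notification would come from.
LEGIT_DOMAIN = "facebook.com"


def link_host(url: str) -> Optional[str]:
    """Return the lowercase hostname a link actually resolves to, or None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname drops any "user@" prefix and port and lowercases the name,
    # so "http://www.facebook.com@203.0.113.9/" yields "203.0.113.9".
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_official_host(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only for the legit domain or a real subdomain of it.

    The check is on a label boundary, so "notfacebook.com" and
    "facebook.com.verify.example" both fail.
    """
    return host == legit or host.endswith("." + legit)


def classify_link(url: str) -> str:
    """Classify a link as official, lookalike, deceptive-userinfo, foreign or unparseable."""
    host = link_host(url)
    if host is None:
        return "unparseable"
    if "@" in urlsplit(url.strip()).netloc:
        # The visible part before "@" is userinfo, not the destination.
        return "deceptive-userinfo"
    if is_official_host(host):
        return "official"
    if "facebook" in host:
        return "lookalike"
    return "foreign"


# Constructed sample links, modelled on the "verify your account" lure.
SAMPLE_LINKS = [
    "https://www.facebook.com/security",
    "http://facebook.com.account-verify.example/sopa",
    "http://www.facebook.com@203.0.113.9/verify",
    "http://notfacebook.com/",
    "https://example.org/",
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to its classification."""
    return {url: classify_link(url) for url in links}
```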
Camp went on to say this:
It seems that tapping into the vast pool of over 900 million Facebook users is a favorite strategy among scammers these days, and this is no exception. But as my friend Randy Abrams has pointed out for some time, much of the nastiness could be averted simply by educating/imploring users not to click on suspicious-looking emails. The same is true of apps these days. The problem, he opines, is that the average user doesn’t really have a clear sense of what a suspicious-looking email/app is, and how to tell the difference between legitimate ones and scams.
Anyone who works in IT or security should recommend that employees check out Facebook’s security tips — and that includes actually going to the page that explains all of the different scams and techniques the bad guys use — and then begin a conversation on how protecting oneself on Facebook and social media sites extends to everything you do on the network.