Staying Safe on Facebook by InfoSec Institute
Our friend, Patrick Lambert from InfoSec Institute wrote this very informative article on how to stay safe on Facebook, in response to our previous post, "Social Media: A Staple or A Recipe for Disaster?"....
With around a billion users, Facebook is definitively the most popular social network in the world. It offers all kinds of features, from your own personal wall, to games, messaging, email and more.
As such, it’s no surprise that Facebook accounts are something hackers target on a regular basis. In fact, these accounts are compromised so often that on underground Russian hacker forums, they are sold at a rate of $2 per account. That’s how much your Facebook account, your past life on the social network, and all your connections, would be worth to a bad guy on the other side of the world. There are many trivial ways for these crooks to compromise a Facebook account, and that’s why you need to take some steps to make sure they won’t get yours.
Some of the ways hackers use to take over Facebook accounts include phishing emails, trying to trick you to log in through a fake Facebook portal, and malware. There are dozens of viruses spreading throughout the net on a constant basis that do nothing but look for unpatched computers, and then take over the social media accounts you log into. This could mean your own account, but for many professionals, it’s often more than one.
If you run your own business, or handle the corporate accounts of the place you work at, you may well be logging into more than one account, and if your computer gets compromised, then all of the accounts could be in danger. Worse, Facebook makes it fairly tricky to gain access back. The way this site works is that if you try to gain access to a compromised account, it will ask you to identify some of your friends. If you have just a few dozens close friends, that may not be too hard. But the truth for many of us is that we often befriend people we don’t know that well, and being shown their current profile picture may not be all that helpful in recognizing their name. So it’s best if you can avoid having to go through account recovery altogether.
Thankfully, Facebook offers some features that can be useful to make sure your account is safe. First, the site has geo-ip monitoring software. This means that if you try to log in from a remote location, like say Eastern Europe, the site will detect it and ask additional questions, sometimes even sending you an email. This brings us to a key security feature everyone should know for both Facebook and all other online accounts.
In almost every case, the one most vulnerable part of the whole account login process is the email you use. Everything is tied to that one email address, including what you type in when you log in, and what is used if you try to reset your password or to recover your account. But for most people, their email address is well known. So the first thing to do is sign up with a second, hidden email. Use an address that no one knows about to log into these services, or associate it as a hidden email in the Facebook settings, something you can easily do. That way, if someone tries to log in as you, they will need to know what that secret address is.
Another feature few people know about is two-factor authentication. Facebook offers a second authentication feature called Login Approvals which is the same thing as Google’s authenticator or PayPal’s token. You can enable it in the security options, and then use the Facebook mobile app on an Android or iOS device to generate a code every time you log in from a new computer.
By using these two tricks, you can greatly reduce the chance that your Facebook account will be compromised. With Facebook’s popularity continuing to rise, more and more hackers will be looking for ways to break into and exploit user’s sensitive information. It is more important now, than ever before, to take premeditated action against these attacks to keep your accounts safe.
Patrick Lambert is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people.