Endpoint

2/20/2018
03:10 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Facebook Aims to Make Security More Social

Facebook's massive user base creates an opportunity to educate billions on security.

Facebook's user base of 2.13 billion poses for the social media giant both a challenge and an opportunity to secure a massive number of accounts while also educating users on best security practices. 

Other social media platforms, including LinkedIn, Twitter, and Instagram, also have the chance to enforce and foster strong security among users. But are they capitalizing on that opportunity?

"Getting people to care about their online privacy and security is always a challenge," says Paul Bischoff, privacy advocate with Comparitech. "Users are responsible for meeting Facebook halfway, but adjusting security and privacy settings is usually an afterthought that most of us put off for far too long."

It's an area where most social media companies could stand to improve, says Nick Hayes, senior analyst serving security and risk professionals at Forrester.

"There's a lot more social networks can be doing for security to help users improve their overall security posture," he explains. "Looking at the main social networks, there are different aspects of security we should be breaking into."

Facebook has a broad reach and its two billion users provide insight on how their ongoing security strategy is working. Hayes notes Facebook has done interesting and helpful things to boost user security, such as its early adoption of two-factor authentication.

"The one thing that we've definitely learned at the scale of two-billion-plus users is that there's really no one-size-fits-all approach," says Scott Dickens, product manager with the Facebook Account Integrity team, who led the redesign of Facebook's Security Settings page last year.

Redesign with Security in Mind

"There's a design focus on making sure users can easily identify and find the most important security tools," Dickens explains. Its facelift included a top-level menu for security and login, and stronger focus on frequently used features.

"Change password," the most common security function among users, is prioritized at the top so users can more easily access the option to set a cookie to remember their credentials. Most would prefer to access their accounts by tapping a photo of themselves, says Dickens, rather than entering their password every time they log in.

"We try to work on making security settings super easy to understand," he continues. "We wanted to take away as much jargon as possible and make it accessible to all of our users, not just the security experts."

For example, he says, Facebook used to use "login approvals" as the term to access multi-factor authentication settings. The team later learned people were searching for those settings by entering "two-factor authentication," and adjusted its terminology to match user behavior.

"We actually didn't get that right," Dickens admits. "It was one of those cases where, in trying to make it accessible, we may not have make it accessible to the audience who wanted to find two-factor authentication."

Login security continues to be a focus. Last year Facebook acquired Confirm.io, an identity verification startup specializing in tech that confirms user identities using photos of driver's licenses or other forms of ID. Facebook has so far had little to say about its plans for Confirm and how the new company will fit into its strategy going forward.

"Confirm.io's technology will most likely be used to improve and expand upon Facebook's two-factor authentication function," Bischoff predicts. It could improve security when logging in from unfamiliar devices and recovering accounts when someone loses credentials. "A biometric verification, such as a fingerprint or face scan, could serve as a more secure alternative."

Facebook's security initiatives include a new tool, also added in December, which helps verify phishing emails. You can view "recent emails about security and login" from the Security Settings page, where Facebook publishes security-related emails it sends to users. The idea is to prevent people from clicking fake login pages and entering credentials on malicious websites.

"It's a way to better understand which emails Facebook sent you, versus which mails might look like they're from Facebook but are not," says Dickens. This was an area where Facebook noticed other online services taking action, and added the feature to match the rest of the industry.

Balancing Business with Security

Hayes says while these recent security features are key steps, there is more Facebook could do to protect its audience. For example, its emails about account notifications don't contain much context, a move intended to get people to log into their accounts so they can view new messages. However, if emails had more context, it would be harder for attackers to replicate them.

The goal is to get people back on Facebook's platform, Hayes continues, pointing to a tricky problem: while the company needs to protect users, it's also a business that relies on consumer data to profit. The more people on Facebook, the more data and revenue it generates.

Identity and access management is an area where platforms could focus more on protecting users' connections with followers, social media accounts for brands, and the users interacting with company social accounts, which could put them at risk if compromised, he adds.

"They could be doing a lot more to help people understand where users and followers, and the connections they have with others, are legitimate," Hayes explains.

A recently added Facebook feature called "Protect," located in the app's navigation menu on iOS, redirects users to a download page for VPN service Onavo Protect, which Facebook acquired in 2013. According to the App Store page, Protect warns users when they visit potentially harmful sites. However, it also lets Facebook track users' activity.

"Like most VPNs, Onavo encrypts all the Internet traffic traveling to or from a device and routes it through an intermediary server in a remote location," says Bischoff. This does harden security, particularly on public WiFi, and can prevent Internet service providers (ISPs) from monitoring users' activity.

However, most VPN providers don't monitor or record users' traffic. Onavo's description says it's used to "improve Facebook products and services, gain insights into the protects and service people value, and build better experiences," he continues. Instead of ISPs tracking your activity, Facebook will do it instead.

Going forward, Hayes says there is an opportunity for Facebook to be more transparent in identifying security issues, and partner up with security companies to offer additional protection for users who want it. Not everyone has the same risk profile and the same risk tolerance, and people who want tighter security should be able to add it.

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AppySpot
50%
50%
AppySpot,
User Rank: Strategist
2/21/2018 | 6:18:15 AM
FB security
Facebook has been having troubles for so long. Not sure when they will actually be able to resolve these issues.
Mtony
50%
50%
Mtony,
User Rank: Apprentice
2/20/2018 | 7:54:37 PM
Don't use Facebook's VPN
Eck. People are better off using ExpressVPN.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17534
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
CVE-2018-17980
PUBLISHED: 2018-10-15
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is execute...
CVE-2018-18259
PUBLISHED: 2018-10-15
Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.
CVE-2018-18260
PUBLISHED: 2018-10-15
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false.
CVE-2018-17532
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.