Facebook is countering reports about scams affecting its users and a rising user perception of insecurity with new security tweaks and the release of statistics suggesting that most of its 800 million active users experience few problems. The company is also announcing two new features. One generates passwords for your Facebook apps to protect your main account; another deals with a side effect of security—the lockdown of compromised accounts—by enabling your Facebook friends to help you recover an account.
While Facebook employs some of the highest-tech tools in the business, it is also one of the Web's most attractive targets by dint of its size. The first feature the social network is announcing is app passwords, which provides a separate layer of password security for Facebook apps. In part this is meant to improve an existing login security feature called two-factor authentication, which sends a text message to your mobile phone bearing a unique code that must be entered to complete the login.
While this can effectively block hackers who've gotten hold of your password, it also has a downside: if you use the feature, you have to repeat the process each time you want to use an app. The second feature, called "trusted friends," will make it easier to recover your account if it is shut down or if you lose your password. If you can't access your e-mail account to retrieve a new password, Facebook will send codes to a preselected group of friends so that they can pass the codes to you.
"Facebook seems to be introducing some sensible new controls; time will tell whether they are effective and strike the right balance, that helps legitimate websites rid themselves of Malware infections, among other things.
The company said 4 % of links shared on Facebook are spam; only one in 200 users experience spam on any given day; and .06 % of a billion daily logins each day are compromised. "We wanted to show the immense scale at which we operate and the immense challenge to secure three quarters of a billion users and to be smart about how we do it. However, all this comes amid a drumbeat of reports about scams on the network. And Facebook's own data suggest that large numbers of people are exposed to some scams over time—and that the site does experience 600,000 compromised logins daily. Each compromised login can mean a hacker or criminal might be sending attacks to a user's contacts under his or her name.
These messages could be phishing schemes that try to trick people into revealing passwords for bank accounts or other services. Others could contain links that try to defraud users by flashing phony warnings of infection and prompting them to pay for phony anti-virus software. These messages may include links to malicious sites that make attempts to download viruses to steal data or hijack the computer for Cyber-Attacks.
In the past year or two, Facebook and other websites have seen a rising number of malicious Web addresses that lead to attacks like these. So over the past year Facebook has enlisted two outside firms—Web of Trust and Websense—to help the site block known malicious links. The targets are gathered from security companies, law enforcement, and even actual users who report suspicious links.
The problem with this method is that there's a time lag before many such links are detected. Often, they are further hidden by link-shortening services such as Bit.ly. Earlier this year, the Web security firm Symantec reported that in 2010, malicious links made up two-thirds of all such short links on social networks. The company added that almost 90 % of them had been clicked by users at least once.
In addition to the tweaks announced, a remarkable real-time fight is escalating. Facebook actively looks for patterns of viral propagation and other behavior that seems malicious. Machine-learning algorithms update every 30 minutes to find and squelch the source of such attacks. "One of the most important things that Facebook can be doing is looking for new threats in real time.
A crucial security feature that Facebook has not yet fully implemented, is default encryption (as denoted by Web addresses starting with "https" rather than "http"). The latter, older system leaves someone logging in via Wi-Fi at a Starbucks, for example, at much greater risk of having his or her unencrypted information intercepted.
Last year Gmail moved to https as the default setting. But Facebook currently offers it only as an option. This is problematic, because "the people who are most likely to need the feature are the least likely to know they need to turn it on."
In a statement, Facebook said it is "making progress daily" toward default encryption. "We continue to work towards making this setting a default feature as soon as possible," the statement said, but it noted that this requires ironing out site stability and speed issues. Facebook is also working with app developers so that encryption works across the site.