Indeed, over the last few years Facebook has taken steps to improve the security of its platform in several ways.
For example, last year Facebook introduced a system that lets users request a one-time password to log in from a public terminal that might have keystroke-logging spy software installed. Users send an SMS text message containing the letters “otp” to 32665 (“FBOOK”) from a registered cell phone, and Facebook’s servers send back a password that can be used just once to log into the user’s account. The theory is that it doesn’t matter if a hacker is running a password sniffer, since the password won’t work a second time.
Another innovation is the way that Facebook allows users to monitor the various Web browsers and devices from which they log into Facebook. By clicking on the “Account Settings” pull-down menu and selecting the “Account Security” section, Facebook users are able to see all of the devices currently authenticated, any of which can be remotely logged out—useful if you happen to leave yourself logged in on your parents’ computer. You can also have Facebook send an SMS notification to your cell phone whenever a new device accesses your Facebook account. Of course, if you see a connection from a machine that you don’t recognize, it’s time to change your password.
Unfortunately, Facebook still has two important vulnerabilities that makes its website significantly less secure than those of most U.S. banks: its reliance on a single user name and password to gain access to an account, and its use of an unencrypted cookie for tracking which web browsers are logged in.
The user name and password combo provide a point of weakness. Facebook accounts can be compromised by an attacker who might steal this information from another site—or guess it by trying many combinations in succession (a so-called brute-force attack).
“We’ve built systems to protect against these types of brute-force attacks,” says Simon Axten, a spokesperson for Facebook. “For example, if we detect a number of suspicious login attempts for a given account, we will require a CAPTCHA, and we may even temporarily suspend access to the account.”
Facebook monitors a number of “signals,” including location and device, Axten says, to determine when an account is being subjected to a sustained attack. “Once we’ve flagged an attempt—even if the correct login credentials have been entered—we’ll require the person logging in to provide additional authentication by, for example, answering a security question, entering a code sent via SMS, or identifying friends tagged in photos to which the account owner has access.”
Nonetheless, there are ways to gain access to a person’s Facebook account even without knowing the password. That’s because Facebook uses something called an authentication cookie to keep track of a Web browser when it’s logged in. Unlike Facebook passwords, which are encrypted when they’re sent over the Internet, the cookies are sent to Facebook’s non-encrypted Web servers every time a computer communicates with the site. This isn’t much of a risk if you are using a hard-wired Internet connection or an encrypted wireless connection at work or at home. But if you are using Facebook over an unencrypted wireless access point at a coffee shop or airport, someone running a packet sniffer on a laptop could steal your authentication cookie out of the air and then log into Facebook as you.
Such sniffing became easier than ever to perpetrate last fall, when Eric Butler, a freelance Web application and software developer in Seattle, released a Firefox plug-in called Firesheep that automates the process. With Firesheep running inside Firefox, you get a list of every authentication cookie that’s been sniffed: just click on the account name and—voilà—you are accessing the user’s account without even having to log in.
Right now the only way to protect yourself against cookie sniffing is by accessing Facebook using the encrypted connection at https://ssl.facebook.com/. According to Axten, the server is still undergoing testing and will be more widely promoted as an option “in the coming months.” He adds, “As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”
Axten says, “Facebook faces a security challenge that few, if any, other companies, or even governments, have faced—protecting more than 500 million people on a service that is under constant attack. The fact that less than one percent of Facebook users have ever encountered a security issue on the site is a significant achievement of which we are very proud.”