Bill Pringle - [email protected]

|  Home  |  News  |  Downloads  |  LDS  |  Talks  |  Famly History  |  Facebook  |  Games  |  Mobile  |  About Me  |

Facebook security issues

Bare Minimum:


Facebook is a very popular social networking site, but there are a number of security issues with the site that can put you at serious risk if you aren't careful. The number of facebook account hackings seem to be on the increase (at least I've been getting more bogus messages recently), and this page is in response to a friend who asked what to do after her account got hacked.

While any online account is in danger of being hacked, Facebook has unique features that make this danger even more likely. For one thing, it is very common to post personal information which can be used to steal your identity. But the significant danger is because it is so easy to run malicious programs that can hack your account. In particular, be very careful using any application that asks to access your profile.

Keep in mind that if your account is compromised, not only is your personal information exposed, but the personal information of all your friends as well. So, even if you don't have anything sensitive in your profile information, your friends might. Every time you take one of those quizzes on facebook, you are risking your information and that of your friends.

Prevention Techniques

It is much easier to prevent having your account hacked than to recover from a hacked account. Here are some good security practices that you should keep in mind not only for Facebook, but for any other web site account you might have.

Don't use Internet Explorer
There are a lot of security problems with IE. I recommend that you use Firefox or Chrome instead. Other possible browsers are Safari and Opera.
One of the nice things about Firefox and Chrome is all of the add-ons you can get. Some of the add-ons that I consider essential are:
  • Adblock Plus — you don't see any ads
  • NoScript — won't allow a web site to run Javascript unless you give it permission
Since ads are suppressed, you are less likely to see dangerous links. By blocking Javascript on all but the web sites you trust, you are less likely to see dangerous links. Firefox will prevent cross-site linking, which is a practice that hackers use to insert dangerous code within regular looking links.
Never click on a link
Never click on a link contained in any e-mail message or IM. Also, never type a URL directly into the address bar of your browser.
When you get an e-mail with a link, don't click on it. Hover your mouse over the link and right-click the mouse, and select "Copy Link Location" in Firefox. Next, paste the link into Google and click on search. You should see at the very top of the search results the page you expected. If, however, you see comments about phishing, malware, etc. then you know not to go there.
If somebody tells you a URL to type into your browser, ignore them. Instead, type the URL into the Google search bar and hit ENTER. As above, you should see the page you were expecting. If not, then either you made a typo, the person giving the URL was wrong, or the site is dangerous.
The more a message encourages you to click on a link, the more you should not click on it. If you see something like "OMG!!! YOU MUST SEE THIS" that is a pretty good sign that the link is bogus. The same goes to "Girl killed herself after her father posted this on facebook" or any similar message. And, of course, "Who is viewing your profile, click here to see" is a great link to avoid.
It is a common practice by malware writers to purchase domain names similar to valid sites, especially commonly mispelled names. They then set up a web site that looks the same as the real site. When you click on any link on the bogus site, you run the risk of downloading malware. These sites will also try to get the user to enter passwords or personal information.
Use a strong password
Find a balance between a password that is easy for you to remember and one that is hard to guess. It should have at least 6-8 characters, and should include letters and digits or possibly symbols. You should never use any word that would appear in a dictionary, the names of your pets, spouse, kids, friends, etc. There are several techniques you can use to do this:
One trick is to make up a saying or phrase and then use the first letter of each word, or possibly a symbol to represent the word. For example, let's use the phrase "This is my secret password for facebook." We could make that "t=msp4fb". We could emphasize certain words to make the password even stronger: "THIS is my SECRET password for FACEbook" can become "T=mSp4Fb"
You can make up your own symbols for words, such as "=" for is or equals, "<" for less than, before, left, etc. and ">" for greater than, after, right, etc. There is a special language call leet that might give you some more ideas for symbols. If you use leet, you might want to type short words in leet rather than just the first letter. Be careful using uncommon symbols, some systems might have problems with strange characters in the password field.
Don't use the same (or similar) password for more than one site. At a minimum, make sure your Facebook password is completely different than your password for any other site.
There are times when using the same password isn't so bad. There are lots of web sites where you don't store personal information, credit cards, etc. Basically, you don't care if somebody hacks into those kinds of web accounts. If you have a lot of these kinds of web sites, then you might be able to get away by using the same password for all those kinds of web sites. Remember, however, if somebody hacks one of those sites, they can get into any of the others.
Don't Give Out Your Password
Of course, having a strong password doesn't help if you give your password to others. Although you hopefully would not give your password to a stranger, there are many ways in which malicious users can trick you into revealing your password. A common way is to create web sites that look like legitemate web sites, and when the victim attempts to login, their user name and password are saved and used later to hack into their account.
Facebook offers a very sneaky way of getting you to enter your user name and password: by offering to help you find your friends on facebook. Facebook asks you for your email address and password, and then uses this information to access your address book / list of contacts. They then search facebook for any matches. The problem, of course, is that your email address and password are now stored inside a facebook database. And, since facebook doesn't have a history of keeping your private information very private, you should be very concerned about that. If you want to find friends on facebook, search for them using their email address.
If you have already given out your email address and password, change your password immediately. If, in the future, you need to enter that information, I would recommend that you login to your email account, change the password to something simple (like "secret") and then submit that password. Once you have done what you needed to do, go back into your email account and change your password to something strong.
Always logout when you are done
I recall using a public terminal, and going to LinkedIn, and was surprised to find myself logged in as someone else. If you don't logout when you are done, you risk having somebody else do things with your account or download key loggers, malware, etc.
Some web sites use cookies to remember who you are so that you don't have to sign in each time. While this might be convenient when using your desktop at home, it can be disasterous on your laptop, cell phone, or PDA. When you logout, that usually destroys the cookies so that you will have to login the next time.
Change your password fairly often
If you change your password too often, it makes it hard to remember, and you might start writing it down, which would be very dangerous. The idea is to change your password often enough so that by the time somebody figures out your password, you have changed it.
Make sure you don't have a pattern between different passwords. If your password is secret1, then secret2 isn't a good password. (Of course, secret1 is a lousy password to begin with.)
Don't let others use your computer, phone, PDA, etc.
I realize that some of your friends might think you are strange if you don't let them use your computer to check their e-mail, but remember that they might accidentally download some malicious program, or actually post or send something under your name. How many times have you seen a friend status message something like: "I am a douche bag", followed by an explanation that the message was from somebody else. Usually these messages are funny or embarassing, but you haven't any control.
Of course, if you have logged out from all of your applications, your friend won't be able to access your accounts, but they can still download malware to your computer, and possibly change your default settings to something strange.
Run Anti-virus and anti-spyware software
Not only should you run anti-virus software, but make sure you get updates on a regular basis. I usually run an update every morning, followed by a scan of my computer. Most computers come with anti-virus, but if you need a free program, try AVG Free.
Most people know about anti-virus, but not as many are aware of anti-spyware software. This works similar to anti-virus, but it is looking for programs that do things like track your web browsing. Here are some free anti-spyware software that I have used:

Facebook Dangers

Personal Information

Facebook has some additional features that make it easier to expose your information. For one thing, you are more likely to include personal information on the web site. Be very careful because this can be used for identify theft. You can also help burglars know when you are going to be away from home for long periods of time ("I'm leaving tomorrow to XXXX for a whole three weeks!"). I have heard (but not confirmed) that someone had their place broken into after they mentioned going away for a long weekend on facebook.

Depending on how much information you put into your profiles, you might be at risk for identity theft. All that is needed to identify a person is their birthday, their sex, and their zip code. If you have your birthday, address, and phone number, you are making it easy for somebody to steal your identity. With that information, people can search various on-line databases to uniquely identify a person. Since most people on facebook use their actual names, that makes identity theft even easier. Don't display your birth year. Just put the city name instead of your actual address; if you live near a large city, then enter that name instead of your actual town. And be careful what you post on your wall. I've seen people put their actual address, their cell phone number, when they were going to be away, etc. on their wall, which is very dangerous.

One thing that many people don't know is that some digital cameras encode information about the picture within the image. By posting a picture you took with your fancy new digital camera, you might be exposing much more information than you think. Of course, having a picture of you standing in front of your large flat screen gives burglars an incentive to see when you are going to be out of town.

Friends List

Some people accept any friend request they get, whether they know the person or not. This is a serious problem, since whoever you accept will be able to see all your personal information. They can also see personal information about your friends. So, even if you only accept friends from people you know, if you have a friend that accepts anybody's request, your personal information might be exposed. Make sure your personal settings are restricted to "friends only", not "friends of friends."

I had a friend that got a friend request from somebody she was already friends with. She asked about it, and the person said they couldn't remember their password so had to set up a new account. As time went on, she realized that this wasn't her friend. It was somebody impersonating her friend. He basically store her friend's identity.

Debt collectors have been known to find people who are behind in their debts, send them a friend request, and then start to bother them. If they can't connect to the person of interest, they try to friend their friends. In one case, they friended the person's mother and told them that failure to pay might end up in jail time. A few clever collectors have their profile picture set to a cute young woman in order to get men to accept their requests. (read more details)

Most employers will search facebook, myspace, etc. to find out more about people applying for a job. So having those embarassing pictures open to the public might prevent you from landing your next job. Do you want your future employer reading your smart aleck comments on your wall?

You can create several different friends lists, and then assign different permissions to each list. This will allow you to accept a friend request and still restrict what they can see. With this arrangement, your close friends can see everything you have on Facebook, but your business or casual friends will only see some basic information. You can read more about managing friends lists.


Another serious danger on facebook are all of the applications. Any application that asks to access your profile information puts your information at risk. What's worse, if any of your friends use those applications, they also put your information at risk, even if you never run an application. Supposedly, these applications only use this feature to put the results and some cute picture on your home page, or help you remember events, birthdays, etc. However, facebook doesn't bother to check any of these applications. There is no rating system, so that you have no idea if the application is safe or malicious.

The ACLU has highlighted these dangers recently by creating their own quiz, which displays all the information that is available to the quiz. It is important to realize that quizzes aren't created by facebook, but by facebook users - any facebook user can create a quiz. Why would you trust an anonymous programmer that you know nothing about with not only your own personal information, but information about all your friends? When you run a quiz, you give the application permission to access anything in your profile, including your friends' profiles. A quiz can do anything you can do on facebook; actually, even more. And no virus or malware scan will even see any of this, let alone prevent it.

It is important to realize that applications aren't affected by what browser you run or what anti-virus or anti-malware software you run. The damage isn't done on your machine, it is done on the facebook servers. As soon as you run an application, you have given it permission to do anything it wants to any and all of your information, and any information you can see about your friends. And remember, the people who write applications aren't hired by facebook, they are anyone who wants to write an application.

What kind of problems can applications raise?

Photo of the Day
There was one application called Photo of the Day that actually sent your personal information to the author. This was built as part of a research project, and became quite popular, without people knowing that their information was being compromised.
The Danger of Facebook Quizzes
Many people seem to enjoy taking lots of quizzes on facebook. There are several problems with quizzes:
  • Accuracy - does anyone actually believe those quizzes?
  • Exposure - the authors have access to all your answers and your personal information
  • Control - you are giving the application permission to do things in your name
For example, the article The Danger of Facebook Quizzes gives examples of how quizzes have been used to sell personal information to drug and marketing companies, based on your answers. So if you mention you have trouble sleeping, you might start getting e-mail, junk mail, or even phone calls trying to sell you sleep products.
One quiz asked the names of your pets, kids, spouse, etc. These are what many people use for their passwords. Even if you don't use them for passwords, the information you provide might be used by a malicious person to construct a message using social engineering that looks genuine, but isn't. For example, someone could send something to your friend and mention your brother John, or your dog fluffy, which can cause your friend to think they are talking to one of your friends.
Facebook Fan Check (or Stalker Check)
There are rumors going around that the Fan Check (which used to be known as stalkercheck) is a virus.
I would like to remind people that any application that asks permission to access your profile puts your facebook account at risk (and the facebook accounts of all your friends as well.)
However, what is going on might be something different. It might be a fake virus alert to trick you into infecting your computer.
Here is how these kinds of things work:
  • Somebody starts a rumor that something is actually a virus.
  • They include a link to some site that supposedly "fixes" the virus.
  • The link actually contains malware that will infect your computer.
At this point, there is no proof that Fan Check / stalker check is a virus. I know of two friends who have used it, and neither have reported any problem. Of course, that might just mean that somebody hasn't set up a bogus web site yet.
Remember, be *very careful* before installing anything on your computer. This shows how people can be tricked into downloading something to "fix" a problem they think they have, when they are actually infecting their computer with malware.

Any time something asks permission to access your profile, I recommend you say "no". Granted, you won't be able to take the lame quizzes, or stick silly pictures on your page, but at the same time, you are less likely to have your identity stolen or your account hacked. The choice is yours.

Recovering After Being Hacked

Most people know they should close the barn door after the horse got out, but what should you do if your account has been hacked? For starters, you should change your password. That may or may not prevent future problems, but it can't hurt. If you used the same password (or a similar password) for any other accounts, make sure you change those as well.

The next thing you want to do it try to figure out how your account got hacked. If you have run a new application, maybe you want to block it. Of course, clever authors of malicious software won't do anything at first, and wait a while before doing anything bad. That makes it more difficult to identify the source of the problem. If you don't really need some application, get rid of it. Better safe than sorry.

Notify your friends. If your account has been hacked, your friends are in danger of being hacked as well. If you know the cause, warn them not to click on the application, message, etc.

Check your account settings, especially all of your security settings. Malicious software often tries to spread as much as possible. By letting all people view your information, it will increase the chances that somebody else might get infected with whatever trashed your account.

Facebook News and Articles

To keep track of news articles dealing with Facebook, see my News Page, which contains articles about Facebook, security, privacy, and other technical topics.

Protecting of Your Privacy

One of the most common source of data leaks happens when people get their laptops stolen. If it is a personal laptop, the user might lose critical data, and private information (such as login information for banks, credit cards, etc.) If, however, it is a corporate or government laptop, then sensitive information of many people can be exposed. In addition to stealing computer equipment, dishonest people can break into online systems and steal information from files and databases.

The sad thing is that there is a simple way to prevent such leaks by using encryption packages. An encrypion package will scramble the data so that if you display the contents, you won't be able to understand what it says, unless you provide the correct encryption key.

The nice thing about encryption packages is that it is very easy to use and transparent to the user. When you first boot up your laptop, you will have to enter an encryption code. Once you enter the correct code, the laptop continues to boot up and runs essentially the same as if it were not encrypted at all. The only change is supplying the encryption code at start-up.

As long as you remember to shut down your laptop (or console PC), an unauthorized person would not be able to obtain any of your personal data (assuming you pick a reasonable encryption key).

Another good use of encryption is with databases. By encrypting sensitive (or all) fields, the data in those fields will be encrypted, using the specified encryption key.

Valid XHTML 1.0 Transitional Valid CSS!

© 1999-2014 Bill Pringle.      Hosting courtesy of CHCS Consulting.      This site best viewed with FireFox. Get Firefox!