Recently we blogged here about some new Facebook privacy controls.
I decided to check and see if the new controls were rolled out. The first thing I noticed was that Facebook noticed I was not logging in from my normal location and wanted to ask me a few “security questions”. Hmmm, ok. The first security question was not really a question at all. I had to enter a captcha. I found it ironic that I was asked to type in the words “eviler and”. Given that Facebook founder Mark Zuckerberg thinks that anyone who trusts him with confidential information is stupid (to put it much more politely than Mark actually said it), perhaps eviler was an appropriate captcha word for the site. As for the word “and”, it was like Facebook's improved privacy settings… we’re left hanging, there is no “and” at this time.
After the captcha I was asked for my date of birth. I don’t regard public information as a sound basis for a security question; I doubt it is too difficult to find my date of birth. Finally, Facebook prompted me to choose a name for my computer and register it so that I would not be prompted with security questions each time I log in. Facebook uses a cookie to keep track of the computer name. While a bit of a convenience for me, this is not much security: the cookie only tells Facebook that a browser has been seen before, it does not prove anything that the password has not already proved. To mimic an attacker trying to access my account, I logged out, deleted the cookies, and logged back in. I was asked to give the computer a name again, so I used a different name than the last one I had used. Instantly I was logged into my account again. An attacker who knows the password is never challenged by anything else, so my choice of a good password is a far more robust defense against account hijacking than a cookie with a computer name.
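To make the point concrete, here is an added example (my own illustrative model, not Facebook's code; every function and name in it is invented for the illustration) of the "register this computer" flow in two forms. The weak form reproduces what the post observed: the cookie is just a name, and an unknown device is simply asked for a new name before being let in. The hardened form treats an unrecognised device as a reason for a step-up check, a one-time code delivered out of band, and only then issues a random device token whose hash the server remembers.

```python
# Added example (not Facebook's code): a model of the "register this computer"
# login flow described in the post, in the weak form observed (the cookie is
# only a name and an unknown device is simply asked for a new name) and in a
# hardened form (an unknown device must pass an out-of-band one-time code
# before the server issues a random device token). All names are illustrative.
import hashlib
import hmac
import secrets


def _fingerprint(token):
    """Store only a hash of the device token, so a leaked device table does not yield usable cookies."""
    return hashlib.sha256(token).hexdigest()


class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.devices = {}   # fingerprint of device token -> friendly computer name
        self.pending = {}   # challenge id -> one-time code awaiting the user

    def check_password(self, candidate):
        h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, 200_000)
        return hmac.compare_digest(h, self.pw_hash)


# --- Weak flow, as the post describes it ---------------------------------
def weak_login(account, password, cookie, chosen_name):
    """Cookie carries just a computer name. No cookie -> ask for a name -> let the user in.
    Nothing here distinguishes the owner from an attacker who knows the password."""
    if not account.check_password(password):
        return "denied", cookie
    if cookie is None:
        cookie = {"computer_name": chosen_name}
    return "logged_in", cookie


# --- Hardened flow ---------------------------------------------------------
def begin_login(account, password, cookie):
    """Password first; then recognise the device by its server-registered token.
    An unrecognised device gets a step-up challenge instead of a name prompt."""
    if not account.check_password(password):
        return {"status": "denied"}
    if cookie is not None and _fingerprint(cookie) in account.devices:
        return {"status": "logged_in", "cookie": cookie}
    code = f"{secrets.randbelow(10**6):06d}"
    challenge = secrets.token_urlsafe(16)
    account.pending[challenge] = code
    # A real system delivers the code by SMS, e-mail or an authenticator app;
    # the demo hands it back under an underscore key only to simulate that channel.
    return {"status": "step_up_required", "challenge": challenge, "_delivered_code": code}


def complete_login(account, challenge, code, device_name):
    """Consume the challenge on first use (right or wrong) so codes cannot be brute-forced,
    then mint a 256-bit random token; the cookie value is the token, not the name."""
    expected = account.pending.pop(challenge, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return {"status": "denied"}
    token = secrets.token_bytes(32)
    account.devices[_fingerprint(token)] = device_name
    return {"status": "logged_in", "cookie": token}


def replay_the_experiment():
    """Re-run the post's test (log in, delete the cookie, log in again) against both flows."""
    results = {}
    pw = "correct horse battery staple"   # constructed sample password
    acct = Account(pw)

    # Weak flow: deleting the cookie costs the attacker nothing but typing a new name.
    weak_login(acct, pw, None, "home-pc")
    status_after_delete, _ = weak_login(acct, pw, None, "some-other-name")
    results["weak_after_cookie_deleted"] = status_after_delete

    # Hardened flow: the same steps now stop at the step-up challenge.
    first = begin_login(acct, pw, None)
    results["hardened_without_cookie"] = first["status"]
    wrong = "000000" if first["_delivered_code"] != "000000" else "000001"
    results["hardened_wrong_code"] = complete_login(acct, first["challenge"], wrong, "home-pc")["status"]
    second = begin_login(acct, pw, None)   # the failed attempt burned the first challenge
    done = complete_login(acct, second["challenge"], second["_delivered_code"], "home-pc")
    results["hardened_right_code"] = done["status"]
    # The issued token is recognised on the next login; a forged cookie is not.
    results["hardened_with_issued_cookie"] = begin_login(acct, pw, done["cookie"])["status"]
    results["hardened_with_forged_cookie"] = begin_login(acct, pw, secrets.token_bytes(32))["status"]
    return results


if __name__ == "__main__":
    for name, outcome in replay_the_experiment().items():
        print(f"{name}: {outcome}")
```

The two design choices worth noticing: the server stores only a hash of each device token, so a database leak does not hand out working cookies, and a step-up challenge is discarded after one attempt, right or wrong, so a six-digit code cannot simply be guessed. The weak flow fails the post's experiment exactly as described; the hardened one turns "delete the cookie and log in" into a request for something the attacker does not have.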
Facebook is also talking about adding location capabilities so you can let your friends know exactly where you are and when. There are serious privacy and security implications to broadcasting your location. Hopefully Facebook will have comprehensible and functional privacy features rolled out before it adds the location features. When Facebook does roll out the location features, I recommend that you make sure your privacy settings are appropriate. Personally, I won’t be using the location features.
It is better that Facebook gets the improvements right than rolls them out on a specific date. Still, do you trust a company to honor the privacy settings when the CEO thinks you’re a “dumbf*ck” to trust him?
Director of Technical Education
Author ESET Research, ESET