The difference is that there have been reported sightings of Bigfoot.
The keynote address at the Virus Bulletin conference today was given by Nick Bilogorskiy, a member of the security team at Facebook. To start with, I have known Nick for several years and I can tell you that he is very intelligent and a terrific person. That said, I do take exception to some of what Nick presented. Nick claimed that security is the top priority at Facebook. If you go to http://www.facebook.com (while not logged in) you arrive at the Facebook homepage. Do you know how many times the word “security” appears there? Zero. There are absolutely no links to anything about security. On Facebook’s home page, security is non-existent and there have been no reported sightings. If your account has been compromised and you cannot log onto it, don’t look to www.facebook.com for anything resembling help. There is a help link on the Facebook homepage and it does take you to a page with a security link, and on that page there is a category for “my account has been compromised,” but in the case that you can’t log into your account it is very, very difficult to figure out what to do, if possible at all.
Nick also mentioned a feature called “Account Activity”. The idea is that you can see if you are logged in from other devices. For example, you logged in using a friend’s phone or computer and forgot to log off. The Account Activity feature will let you see all the places you are logged in from. The problem is that it is difficult to find this feature. If you search “Account Activity” in the Facebook search field you will get results for Delta Skymiles, eBay, and the Securities Exchange Commission (SEC), but not for Facebook.
If Facebook wants people to believe that security is anything more than their last priority, they need to make security visible to users. There needs to be a link to security-related topics right on the login page. The link should include both reporting mechanisms and, get this, it is a novel idea, educational resources so a user can learn about being secure on Facebook before they even sign up! Imagine that, proactive security. Once logged in, there should be a link to security resources on each user’s homepage.
There have been numerous reports of sightings of Bigfoot, the Abominable Snowman, and even the Loch Ness Monster, but no reported sightings of Facebook security. It is long past time for this to be changed.
Director of Technical Education
Author ESET Research, ESET