Facebook has recently updated their security settings. In this How-to we highlight some of the updates and the security nuances to help you stay on top of your account security settings. Paul Laudanski blogged about the subject a while back, if you want to reference that security primer.
When you log in to your account, you may now be greeted by an offer to take a tour of the new features, so let's get started:
The first option is to tag who I happen to be with. In this way you can share with friends on Facebook what you’re up to at the time, and which friends or colleagues you have with you.
This is handy for making your profile more relevant, but it’s also a perfect profiling tool for scammers, identity thieves and other targeted attacks like spearphishing. If a scammer, for example, sees you spending much more time with certain individuals on your friend list, an increased weight can be assigned to those contacts, signifying their importance. They say you’ll become like an average of your five closest friends within five years (test that in your own life), which means the algorithms can start to predict with increasing accuracy what that picture will look like. This creates a weighted profile of yourself, so scammers will know much more accurately how to target you. It’s true that you’re known by the company you keep – now it’s more true than ever.
I opted out of the feature, not just because I have no friends, or ones that want to be seen with me. I think my friends deserve not to be snooped on by scammers, and if scammers know they’re with me at the time, there’s a lot that can be inferred about their preferences from that information, not just what bad restaurant we’ve chosen. The scammers would, for example, know that they aren’t likely at home, and so physical property scams would be more likely at the friend’s house, all without their knowledge. That can’t be what friends are for.
Here you can opt to display where you are located when you update your status:
Notice that “Add Location” was checked by default. It seems like a handy feature: after all, you can keep up with your friends a little better this way, and they can keep up with you, find out where you are, what you’re doing, etc. Keep in mind that a scammer might want to know the same things. If you took a picture of the beach two minutes ago, and you live hundreds of miles from any beach, it’s safe to say you’re not home. This type of information opens the door to physical threats against your home; after all, you won’t be home for a couple of hours at least.
I clicked “Don’t Add Location”. I’ll just have to let my friends know where I am the old-fashioned way – call them.
Here you can determine the audience for your status updates:
You have these choices:
It’s nice that they distinguish Public from Everyone. Public makes it clear that pretty much anyone can see content that’s Public, not just everyone who’s your friend. To quote Facebook, “The setting still means that anyone on the internet can view this content, and any of your past Everyone posts are still visible to the same audience.” Facebook calls this the “inline audience selector.”
I clicked on the link at the bottom of the dialog box that says “Learn more about what’s new” and it takes me to a page with a nice overview:
Now let’s head over to account settings and look around. Here it tells you the last time you changed your password:
If it really is never, you can change that here.
Now let's look at the Security Settings section. Here you can change various settings, so we'll examine some of them and see what they do:
Let’s start by enabling Secure browsing, so your traffic to Facebook will be encrypted over https while you’re logged in. This makes it more difficult for prying eyes on the network to intercept your communication with Facebook and do nasty things with it. It’s simple and it’ll give you a nice little boost in security, so why not?
It’s not enabled by default, but you can enable it like this:
When you do enable https, Facebook should automatically redirect you to the https:// version of the site, instead of the regular http://. The next time you log in, it should do the same.
Next, we enable Login Notifications. This will send you an email when someone logs in from a new device. Typically, you use just a few devices to access Facebook, so if a scammer logs in from somewhere on the other side of the world, now you will know. It’s a good idea to play it safe, so we enable this as well.
Here you can choose to specifically allow or deny a login from a computer the system hasn’t seen before. If you only access Facebook from a single device (or a couple), this might make sense. If you work on the road from a variety of platforms, the extra steps might become a burden. Your level of paranoia is also a factor. If you think you need this feature, enable it. In this example, we leave it disabled.
Third party apps appear to the main Facebook site as a third party attempting to access your information. If you had Login Approvals enabled, you’d get a notification each time the app tried to access information, which could be a big pain. With this feature, you generate separate login information for the app, and the app then uses it to access your information instead of your main account login.
So if you turned on Login Approvals, you might like this too, unless you want a lot of notifications, or don’t use third party apps.
This is a list of the devices that are approved to be used to log in to your Facebook account, if you enabled the Login Notifications above. There should be a list of devices, which you will be prompted to provide names for. If a device not on the list tries to log in, Facebook will challenge whoever is attempting the login.
Here, you can see who’s currently logged in, and kick anyone out who shouldn’t be there. It will also try (with varying degrees of success) to tell you what type of OS and browser they use.
Facebook has seen meteoric growth in the past few years, and has been busily trying to keep its security stance up with that growth, no small task. Expect them to continue to roll out changes, and expect to need to keep on top of your security settings to stay protected. In the future we may do another blog as new changes are rolled out.
Author Cameron Camp, ESET