As expected, Facebook’s recent introduction of new security measures was met with quite a lot of interest by the social media crowd. In this context, the prospect of setting up a list of Trusted Friends to help you in case of a hijack looks like a friendlier way of recovering an account, but it also poses some problems…at least to me.
Many hair-splitting voices ponder the question of securing the security measures themselves, i.e. protecting the Trusted Friends list so that it cannot be illicitly modified. At the moment, users whose accounts have the Trusted Friends option are asked to enter their Facebook password in order to change the names on the list.
How do you find out which names are on the list? Deduction, I’d say…and not too much of it. It is very likely that a user’s trusted friends are the same people tagged as Close Friends. Even if the Close Friends list holds more than three people, the candidate pool is already far smaller. Say somebody has 400 friends: the Family and Close Friends lists will save a scammer precious time sifting through the crowd for the “Circle of Guardian Angels”.
Here’s one more problem: if control over the account was obtained by phishing, the phisher already knows the password, which is exactly the credential that protects the list. Nothing stops them from swapping the trusted friends for accounts they control. What happens then?
Next, once you have obtained the names of a person’s top three trusted friends, will it not be easier for you, as a master spammer and phisher, to craft customized messages aimed at those very people? For instance, you could deploy one of those Facebook chat robots with the gift of the gab and set it loose to extract sensitive information from an unsuspecting interlocutor, or to send him or her to a malware-laden page.
Your guardian angels are supposed to receive a set of codes that will allow you to log back in to your account. The codes are apparently sent via e-mail or via the Facebook web page. Considering the flurry of spam e-mails claiming to come from the Facebook security department and asking users to enter various data in order to reclaim their accounts, how will the trusted friends be able to tell genuine Facebook messages from fake ones? Once the news is out that account rescue messages must contain a code, and once the structure of those codes becomes public, who’s to say spammers will refrain from using this information to trick victims into handing over their data? After all, everybody now knows that IT’S OK to receive, and that you should EXPECT, Facebook security notifications asking you to help a friend in trouble. Come to think of it, this “friend in trouble” aura might even spare scammers some social engineering effort, because the frame of mind is already set: Facebook is asking you to HELP your friends.
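The article does not describe how Facebook’s codes are generated or checked, so the following is an added, hypothetical sketch (not Facebook’s code, not Bitdefender’s) of the properties a trusted-contacts recovery scheme would need for a code handed to a scammer to be as useless as possible: codes are minted only for a pending recovery request, each one is tied to a single friend, the server stores hashes rather than the codes, codes expire, the request is single use, and a threshold of distinct friends (three of five here, an assumed figure) must be met. The `RecoveryService` class, its method names and the friend names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time


class RecoveryService:
    """Hypothetical trusted-contacts recovery flow (constructed example, not
    Facebook's implementation). Codes exist only for a pending request, are
    bound to one friend, are stored hashed, expire, and are single use."""

    def __init__(self, threshold=3, ttl_seconds=3600, now=time.time):
        self.threshold = threshold   # distinct friends needed (assumed: 3 of 5)
        self.ttl = ttl_seconds       # how long a recovery request stays valid
        self.now = now               # injectable clock so expiry is testable
        self.trusted = {}            # account -> [friend, ...]
        self.requests = {}           # request_id -> pending request record

    def set_trusted_contacts(self, account, password_ok, friends):
        # As the article notes, editing the list only requires the account
        # password, so a phisher who already holds it passes this check too.
        if not password_ok:
            raise PermissionError("password required to edit trusted contacts")
        friends = list(dict.fromkeys(friends))   # drop duplicates, keep order
        if len(friends) < self.threshold:
            raise ValueError("need at least %d trusted contacts" % self.threshold)
        self.trusted[account] = friends

    def start_recovery(self, account):
        """Mint one fresh random code per trusted friend for a new request.
        Returns (request_id, {friend: code}); in a real system each code would
        go out of band to its friend, and the server keeps only the hashes."""
        request_id = secrets.token_hex(8)
        codes = {friend: secrets.token_urlsafe(9) for friend in self.trusted[account]}
        self.requests[request_id] = {
            "account": account,
            "issued_at": self.now(),
            "hashes": {f: hashlib.sha256(c.encode()).hexdigest() for f, c in codes.items()},
            "closed": False,
        }
        return request_id, codes

    def redeem(self, request_id, submitted):
        """submitted: {friend: code}. True only if at least `threshold` distinct
        trusted friends' codes verify against this open, unexpired request."""
        rec = self.requests.get(request_id)
        if rec is None or rec["closed"]:
            return False
        if self.now() - rec["issued_at"] > self.ttl:
            rec["closed"] = True          # a stale request can never complete
            return False
        good = 0
        for friend, code in submitted.items():
            expected = rec["hashes"].get(friend)
            if expected is None:
                continue                  # not a trusted friend of this account
            got = hashlib.sha256(code.encode()).hexdigest()
            if hmac.compare_digest(got, expected):
                good += 1                 # a code only counts for its own friend
        if good < self.threshold:
            return False
        rec["closed"] = True              # single use: codes die after success
        return True
```

With these properties, a scammer who talks one or two friends out of their codes still cannot log in, a code that was phished for an earlier request is dead once that request closes or expires, and a code presented under the wrong friend’s name does not count. None of this helps against the scenario in the article where the attacker already holds the password and rewrites the list itself.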
Finally, as we’ve all come to understand, scams spread through viral mechanisms. In other words, once a malicious app is installed in your account, it will probably use its ability to generate automated messages that appear to come from you and pull your friends into the vicious circle as well. Who can you trust then? And when? Isn’t that going to seriously reduce the chances of success of a security method built on the idea of TRUST? This is not a philosophical meditation, but a very useful lesson we’d all rather not learn the hard way.
What to do then? Stay on the safe side and don’t put all your eggs in one basket. Translation: combine the Trusted Friends measure with the Login Notifications option, so that you are told when your account is accessed from an unfamiliar device. That way you’ll notice abnormal activity faster.
This article is based on the technical information provided courtesy of George Petre, Bitdefender Senior Social Media Researcher.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.