Showing posts with label Facebook. Show all posts

Wednesday, May 25, 2011

Stay Safe on Facebook Part 2: Enhanced Security Features


Blog moved. I have a new home now at www.rakeshmukundan.in. Do update your bookmarks :)
      
Facebook has been steadily improving its security features to protect its users: it has added SSL, login notifications, recent activity logs and so on. Recently it added a two-factor authentication mechanism to improve security further. It is an opt-in feature which, when enabled, asks for a password sent to the registered mobile number whenever you try to log in from a new computer. To enable this feature, go to Facebook Account Settings -> Account Security and enable Login Approvals.

You can read the official blog post about Login Approvals here. For Login Approvals to work, you need to provide your mobile number, and you have to make sure that you don't lose your phone. Whenever a login attempt happens from an unknown computer (a system where you have never used Facebook before), an SMS with an authorization code, which is needed to log in, will be sent to your mobile number.

If you ever lose your mobile phone, you can change your number and/or disable Login Approvals from a system already recognized by Facebook.

If somebody gets hold of your password somehow and tries to log in to your account, you will get an SMS with an authorization code as well as an FB notification.

If the login was not made by you, you can reject it and change your account password. Facebook also seems to provide the location of the login attempt (probably based on the IP address).



You can read a few more posts related to Facebook security here, here and here.

Monday, April 4, 2011

Can Facebook use my name and profile picture in ads?


There has been much speculation about Facebook using users' profile pictures and social data in its own advertisements. If you are concerned about your privacy, please read the how-to blog post from F-Secure on turning off this feature.
If you are a Facebook member and like a Facebook page and/or mention a Facebook page in a wall update, Facebook can use your name and possibly your picture in ads that are shown to your friends.
In fact, your name might be appearing in a Facebook ad now saying that you like a certain brand. Facebook opts everyone into Facebook Ads. And you probably know that because you’ve read Facebook’s Statement of Rights and Responsibilities so carefully.
You can opt out of letting Facebook use your name or profile picture in ads served to your friends by going to Account.
You can read the full version of the blog here.

Saturday, February 26, 2011

Secure Your Facebook Account With SSL and Login Alerts


Facebook has recently rolled out a few new features that let users use their Facebook accounts with a better sense of security. The newly introduced Secure Browsing feature allows users to always use a secure connection (https) for Facebook. While Facebook was already using a secure connection for login, regular user activity was not protected.

Enabling Secure Browsing ensures that your data can't be seen by ISPs, your company admins or other users. This is especially important when you are using Facebook from public computers or while surfing on an unencrypted wireless network.

To enable Secure Browsing in your account, go to Account -> Account Settings -> Account Security.
Check the option "Browse Facebook on a secure connection (https) whenever possible". From now on, all your Facebook conversations will be over https (you can verify this from the https:// prefix in the address bar).

 
There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.
Two more useful features are also available now: Login alerts and Activity viewer.
Login alerts send login notifications to your email or phone (if you have added a mobile device to your account) when a login occurs from an unknown computer. This acts as an early warning in case somebody tries to access your account.
Activity monitor lets you check the recent activity in your account: how many logins happened in the recent past and how many sessions are still open. If you find that there is any unauthorised activity in your account, there is also an option to end that particular session.

You can read the Facebook blog post about the new features here.

Thursday, September 9, 2010

FACEBOOK "Like" SCAMS


If you are a regular user of FB, there is a high chance that you have seen something like this in your News Feed.
The title creates such curiosity that you feel compelled to click on it. On clicking the link, you are taken to a website with a "Like" button and text asking you to click the Like button to proceed.
If you click the Like button, the page is added to your likes and interests [as per the FB documentation, a page you Like is able to publish content to your News Feed whenever it pleases, until you manually remove it]. Once you have Liked the page, it then asks you to share it with your friends as Step 2 to view the "Amazing Content".

If you click the Share button, a popup window comes up asking you to share the content with your friends. If you try to skip it, an alert window appears saying that unless you share this, you won't be able to see the content.
Driven by curiosity and unaware of the consequences, many people will actually share it!!, leading to further propagation of the scam. The result of all these so-called "Steps" is that you are presented with a page asking you to perform "Human Verification" by completing a survey!! Each time someone completes a survey, the scammer gets money!! and free publicity, what an amazing marketing strategy!!
How is it done?

By checking the source code of the page, it can be seen that the scammers are exploiting FB's own social plugin APIs!!
They have added some JavaScript of their own to detect the user pressing the 'Like' button, and to raise an alert if the person refuses to publish it to friends.

In this particular case, FB's own APIs are being used, and no password-stealing or malware-download code was found. But since a 'liked' page is able to push content to the user, it is very much possible to spread worms/Trojans using similar tactics.
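The page-source check described above can be turned into a quick heuristic. This is an added example, not code from the scam page or from Facebook; the marker list, weights and both sample pages are constructed assumptions.

```javascript
// Added example: heuristic scan of a page's HTML source for the like-gating
// pattern described above. The marker list and weights are assumptions.
const INDICATORS = [
  { id: 'like-plugin', weight: 1, re: /<fb:like\b|facebook\.com\/plugins\/like\.php/i },
  { id: 'like-event-hook', weight: 2, re: /FB\.Event\.subscribe\s*\(/ },
  { id: 'skip-blocking-alert', weight: 2, re: /alert\([^)]*\b(share|publish)\b[^)]*\)/i },
  { id: 'survey-gate', weight: 2, re: /human verification|complete (a|the) survey/i },
];

function scanForLikeGating(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  // A Like button alone is normal; flag only when it is combined with
  // script that reacts to the click or blocks the user from skipping.
  const gated = hits.some(
    (h) => h.id === 'like-event-hook' || h.id === 'skip-blocking-alert'
  );
  return { score, suspicious: score >= 4 && gated, indicators: hits.map((h) => h.id) };
}

// Constructed samples (not taken from the page discussed in the post).
const gatedSample = `
<fb:like href="https://example.invalid/amazing"></fb:like>
<script>
  FB.Event.subscribe('edge.create', function () { showStep2(); });
  function onSkip() { alert('You must share this to see the content'); }
</script>
<p>Step 3: Human Verification, complete a survey to continue</p>`;

const benignSample = `
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.invalid"></iframe>
<p>Thanks for reading.</p>`;

console.log(scanForLikeGating(gatedSample));
console.log(scanForLikeGating(benignSample));
```

A page that only embeds the Like plugin scores 1 and is not flagged; the combination of plugin, click hook, blocking alert and survey wording is what raises the score.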
Digging deeper into the code reveals the final destination to which the user is taken after Liking and Publishing.
If you visit this page directly, you are presented with a page asking you to complete the survey. If you act fast enough to hit the 'Escape' key as the page is loading, to stop the advertisement from loading, you will be able to see the "Actual Amazing Content".

This is just one of the hundreds, if not thousands, of scams being propagated over FB, and most of them use the same tactics. If you have already fallen for one, go to Likes and Interests in your profile and remove the particular page. If you haven't, be careful not to become a victim. Happy Facebooking!! :)

Sunday, May 30, 2010

Stay safe on Facebook


There has been so much talk about FB privacy recently, so I thought of putting together my thoughts and tricks found on the net to stay as safe as possible on FB while connecting with friends [the safest thing would be not to have an account, so you can live without any fear of leaking your personal data ;) But since FB has now become part of life for most of us, that is not entirely possible].

Still not convinced of the need to lock down your account!!! Visit http://youropenbook.org/. It's a website that lets people search through the content posted by other people who didn't bother to keep their updates private!! A quick look at the recent searches will give you a glimpse of the real danger!!

So I hope that site will make you understand the need for privacy [:P]. But unfortunately the privacy settings in FB are not that simple; even if you master them today, they will definitely have changed in a few days!! To add to the complexity, FB follows an "opt-out" policy rather than "opt-in", which makes the profile public by default and gives you an option to opt out!! It should have been the other way around!

Anyway, there are a few apps/sites that will let you check the privacy level of your FB profile.
Privacy Check App

This is an FB application that lets you rate your profile privacy out of 21. It seems it's impossible to hit a score of 21. I have found that a score of 15 will ensure you a profile with enough privacy. Mine was 14 before I changed the settings.
As a footnote, you can in fact lock down your account 100%, but then there won't be any point in having such an account. So have a look at your score and decide for yourself what to expose and what not to.
Another good tool is Reclaim Privacy, but it was not working at the time of writing this post; hopefully it will soon be back in action.

What made FB so popular is the huge collection of apps it has. That has now become the most serious threat to users, because once you let an application access your profile, by default it will have access to all your personal information until you manually revoke it!!! So far I haven't found any easy way to tell which applications are harmful and which are not!! The best thing to do now, if you are serious about privacy, is to go to Application Settings by clicking the Account tab at the top right and remove all applications that you are not using. You may have to check this list often to make sure that no apps have sneaked in.

Wednesday, May 5, 2010

Facebook SCAMS


As Facebook grows in popularity, it is increasingly becoming a target for various kinds of malicious attacks. I spotted one such scam a couple of days back, which tricks people into copy-pasting JavaScript code into their browser's address bar. The code in the scam I spotted did nothing but invite all FB friends to view this particular scam page by sending out suggestions. Though it seems a harmless (if irritating) trick, one could add some malicious intent (say, fetching the contacts' personal details or the session cookie) to it.
It started with the suggestion I received from a friend that I should become a fan of the page "WORST STATUS UPDATE ON THIS PLANET". Clicking this particular invitation brings you to a page like this.

According to this page, it is a two-step process(!!) to reveal the WORST STATUS UPDATE EVER, the first of which is to click the [LIKE] button.

Once you click the button, it redirects you to another page, which asks you to copy-paste the given code into the browser's address bar and wait for the content to load.
While you wait, the code running in the background sends out suggestions to your FB friends to become fans of this page (which explains the suggestion I got). This page is no longer accessible now (thankfully); it might have been taken down by FB.

Googling parts of the JavaScript code showed that it's a readily available piece of code to invite all your friends, which shows this is not the only attempt made (Google revealed the same tricks have been used by scammers for a long time, but still 2000+ people fell for this!!!). It's really disturbing to see that people blindly believe everything they see on social networking sites (especially if it's supported/suggested by a friend). We really need to realize that not everything we see needs to be true. So the best practice, from my point of view, is to think before you do something online.
Always remember, "NEVER COPY PASTE ANYTHING INTO THE ADDRESS BAR, NO MATTER WHAT IT CLAIMS TO DO"
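The rule above can be checked mechanically before pasted text reaches the address bar. This is an added example, not code from the original post; the function names and sample strings are assumptions. It follows the URL-parsing rule that leading control characters and embedded tabs or newlines are ignored before the scheme is read, so a disguised `javascript:` prefix is still recognised.

```javascript
// Added example: classify text a user is about to paste into the address bar.
// Function names and the sample inputs in the usage lines are hypothetical.
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript']);

function schemeOfPastedText(text) {
  // URL parsers strip leading/trailing C0 control characters and spaces and
  // drop ASCII tab/newline anywhere in the input before reading the scheme,
  // so "  JaVa\tScRiPt:" is treated the same as "javascript:".
  const cleaned = text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function checkPaste(text) {
  const scheme = schemeOfPastedText(text);
  if (scheme !== null && SCRIPT_SCHEMES.has(scheme)) {
    return {
      allow: false,
      scheme,
      reason: 'pasted text would run as script in the context of the open page',
    };
  }
  return { allow: true, scheme, reason: null };
}

// Constructed inputs: harmless payloads, used only to exercise the check.
console.log(checkPaste('javascript:void(0)'));
console.log(checkPaste('  JaVa\tScRiPt:void(0)'));
console.log(checkPaste('https://www.facebook.com/'));
console.log(checkPaste('worst status update'));
```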