Facebook admits 1 in 4 chance your account will be compromised this year
Facebook compiles masses of private data in user accounts; 600K of them are hacked or corrupted every day
By this time no one really expects a lot of security from Facebook.
The Internet's most popular black hole of personal data has improved login security quite a lot this year – especially after founder Mark Zuckerberg's personal account was hacked in January.
Facebook added an optional encrypted HTTPS connection and a form of behavioral analysis called "social authentication" that flags the accounts of people who appear to be logging in from places too far apart geographically to be the same person.
It also maintains a simplistic how-not-to-be-hacked security tips page and offers free six-month demos of McAfee security to users worried about having their accounts cracked.
Facebook leads market in methods to violate users' trust and privacy
Critics warn that the real security risk is from Facebook itself, which keeps a record as much as 800 pages long of data on users, including such extranea as every person who has ever Poked you and every conversation you've ever had.
Even after you delete the data – even after you delete your whole profile – Facebook keeps that data, with your name and all the other personal information associated with it.
Even when faced with fines for violating specific privacy laws of some countries, Facebook refuses to delete or turn over all a user's personal data, in order to protect its trade secrets. Those secrets presumably include how much data it actually keeps after pretending to delete it and how it packages and sells your personal data to third parties.
It will sometimes even block efforts of users to copy or migrate that data to other services or back it up onto their own storage media, almost as if it views your personal data as its corporate property.
Oh, and Facebook also installs persistent cookies that remain active on your system for up to a month after you log in to the service. They automatically log you (or whoever is using your computer) in to Facebook when you visit, or when you click a Like button on other sites, thereby tracking your activity outside the Facebook network.
It may be prosecuted under U.S. federal wiretapping laws for that one. No federal charges have been filed, though there are plenty of lawsuits being filed by customers annoyed at being spied on and specifically angry that Facebook twice denied doing it and twice claimed to have stopped.
That should be the big privacy concern about Facebook, according to security and privacy experts who compare the breadth of information it collects, and its refusal to admit to it, to the secret police of some authoritarian countries.
That may be a little extreme in that we don't know of anyone Facebook has actually executed.
It's still a lot of private information and a lot of power for an online service to hold over millions of consumers who might prefer their private conversations not be made public or sold to commercial interests that, like Facebook, clearly don't have the customer's best interests in mind.
When security is a problem, add ways to avoid passwords!
So, on how many levels is it disturbing that as a "security" measure, Facebook has created the social-network version of the neighbor to whom you give a house key in case you're ever caught away from home and have to call to ask if they'll go over to water the plants, the dog or the children?
The Trusted Friends and Apps Password features let users pick three trusted friends who can vouch for them in case they ever forget their password and can't pass any of the tests Facebook supplies to create a new one.
The Apps Password portion of that service offers to generate a secure password for another online service, which Facebook will keep for you so you never have to log in to other services again.
In addition to keeping all your social networking information in one convenient place, Facebook will keep all your other passwords, too.
Very reassuring, no?
Not really. Hacking an ex- or current-partner's Facebook account has become the snooping method of choice among the digital set, replacing the reading of diaries, searching private email, sifting through text messages on unguarded cell phones and what I'm sure are a host of other methods of cyberstalking unknown to those who are not either obsessive, possessive exes or the victims thereof.
Facebook's two-pronged effort to become Top Privacy Risk
An infographic Facebook posted, mostly to show the range of and interconnections among its security measures, also shows that of the 1 billion Facebook logins every day, only 0.06 percent are compromised. Not all of those are cracked by someone else; the figure also includes account problems that make Friends disappear, leave users unable to get to their own data, and other glitches. Still, 600,000 Facebook logins are compromised every 24 hours.
"... or, if you really like to make your mind melt, [that's one account compromised] one every 140 milliseconds. (By comparison, a blink of the eye takes 300-400 milliseconds)," according to the NakedSecurity blog at security vendor Sophos.
"Friend" means something very different on Facebook than in real life, NakedSecurity reminds us, just before pointing out that if yours is one of the 600K accounts compromised every day, it's likely whoever took it over would also change who your trusted friends are, potentially blocking you from re-acquiring the account, or making your friends vulnerable to serial attacks.
Multiply those 600,000 login fails by 365 days and Facebook is admitting that 219 million end-user accounts are compromised every year. That's 29 percent of the 750 million accounts Facebook lists as active.
Estimate just half of those are hacks rather than login problems and you have 14.5 percent of all Facebook members at risk of data theft every year. That's 109 million accounts.
And remember, those aren't just pages of sarcastic comments and a few random friend pictures. They're accounts on which Facebook maintains as much as 800 pages of detailed information, fills with data it refuses to let users delete and data on customers' behavior the customers never authorized anyone to collect.
There's no guarantee that even an effective cracker could cut through the data profile to the 800 pages of metadata. Just having access to the data users enter on purpose is problematic enough, especially as Facebook adds features like Apps Password that would give a bad guy who took over one account access to a range of others as well.
And a login failure rate of 29 percent? A hacking rate of half that? How many security specialists would be able to keep their jobs with that high a risk that user data would be compromised?
That may not be a concern at Facebook which – judging from its consistent policy of vacuuming up every bit of private data it can find while providing security for users about as effective as a damp paper safe – would probably regret data breaches only because each one represents the exposure of private data for which it had not been paid.
If the hacked data or compromised login is yours, though, your opinion might be a bit more harsh.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.