Categories
facebook social media

Facebook Security: Watching Over Your Facebook Account Activity

Monitoring your Facebook account for unusual activity is one of the best methods available to prevent attackers, spammers, and malicious people from taking over your account and causing trouble for you and your Facebook friends. Attackers want to get access to your Facebook account for several reasons. If you are a public person, then you may have people that oppose your views. Sending messages from Facebook contrary to your stated position on an issue may confuse your followers and lead to personal difficulties and unnecessary confrontation. Attackers and spammers want to use your account to get to your Facebook friends. Specifically, they want to send messages to your Facebook Friends pretending to be you. Your Facebook Friends are more likely to trust posts and messages from your account. Attackers use your account to spread malicious software and links to your Facebook Friends. Spammers use your account to send unsolicited commercial messages or links to surveys. Regardless of what they send, you will have a difficult time explaining the messages sent from your account and assisting in the cleanup. Leaving your Facebook account logged in and abandoned is an opportunity for someone to mess around with your Facebook account settings, your profile, and send unflattering messages in your name.

If you access Facebook from multiple devices like your home computer, your laptop, your tablet, your phone, a work computer, a friend’s computer, the library computer, the school computer, then you should be aware that you need to monitor your account for unusual activity. It’s quite easy to forget to log out of Facebook. Some less scrupulous individuals may have access to your account and can make life miserable for you. Remember, just closing the tab in the browser or even exiting from the browser software will not log you out of Facebook. You have to select “Log Out” from the triangular drop down menu in the top right portion of the Facebook page.

A button to allow websites to use the Facebook authentication system

Using Facebook Apps allows the developers and owners of those applications to access your account and some of your private information and Facebook Friends. The same is true for using “Login with Facebook” (sometimes called “Connect with Facebook”) on another web site. You have to allow those web sites and applications explicit access to your Facebook account and information. Facebook identifies which information they need to access so you can make a decision about the access prior to approving it. But over time, you may no longer use those applications or web sites. In some cases Facebook applications have been intentionally malicious or at least “noisy” in that they post status messages and annoy you and your Facebook Friends. Canceling the access of old, unused and malicious web sites and Facebook applications is prudent.

Monitoring your Facebook account activity is very important to maintain the security of your account and to prevent unwanted access by others. Some of the methods to maintain your account security involve enabling Facebook security features, reviewing your Facebook account status, and reviewing the applications you have previously approved access to your account.

Facebook account Login Notifications provide an easy way to monitor your account and the devices used to access it. Login Notifications are useful in that you are immediately informed if your account is accessed from a new device without your knowledge. You can also assign a unique name to each device used to access your Facebook account for later review. Enabling this feature will keep you better informed about unauthorized access to your Facebook account and provide you with an easy method to review the approved devices later. To learn how to enable Login Notification for your Facebook account, please see my previous post on Login Notifications.

Periodically you should review your list of approved devices, web sites, and applications. You may no longer have access to a particular device, borrowed someone’s device to access your account, or allowed access to a Facebook application then never used it again. There may be web sites that you signed into only once and never returned or no longer use. Facebook applications are easy to start using but are often forgotten. Reviewing your approved devices, web sites, and applications and canceling their access is available through the Security Settings page on Facebook.

Monitoring Account Activity and Canceling Access

Here is how to monitor your Facebook account and review the web sites, applications, and devices that have access to your account:

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge icon next to it. Click on it.
  4. If you have Login Notifications enabled, look for “Recognized Devices” and click on it. You will see a list of devices on which you have logged into your Facebook account. Review the list and click on the “Remove” link for each device for which you want to remove access. Click on “Save Changes”.
  5. To review from where your Facebook account has been accessed, select “Active Sessions”. A list of sessions will be presented. Review the list and click on the “End Activity” link to cancel access for a session. End any activity on sessions you don’t recognize.
  6. On the upper left portion of the Facebook page you will see a tab called “Apps”. Click on it. You will see a list of web sites and applications that you have authorized to access your Facebook account. For any web site or app that you are not familiar with or have not used in a while, you should remove it by clicking on the “X” icon to the right of the entry. You can also limit some of the access that the approved applications have by clicking on “Edit”. Some of the access that the application originally requested can be curtailed by selecting “Remove”. You should remove access to any action that you do not believe that the application needs.
The Facebook Account Settings for Facebook Apps

Monitoring and Controlling Account Activity Considerations

Using the Facebook-provided tools for monitoring and controlling access to your account can reduce the chances that someone can take over your Facebook account, but there are some things to remember when using these tools:

  1. The more computers you use, the longer your list of Active Sessions and Recognized Devices will be. Periodically, you should trim that list down to the specific systems that you use most often.
  2. Limiting the access a web site or application has may impact the usefulness of the application or web site. You can experiment and adjust the access as needed.
  3. If you remove access for a session or device that you were using, you will be asked to login to your Facebook account again when you use that device.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Categories
facebook security social media

Facebook Security: Use Login Notifications to Watch for Unauthorized Access

Sometimes you just need to borrow a computer to check Facebook. You may be in the school library or the computer lab. You may be at a friend’s house and want to show them a video or a post on Facebook. But can you trust the computer you are using? Does it have malware or a keystroke logger that can capture your username and password? How would you know? You may decide that the likelihood of this happening is pretty low. But what if you guessed wrong and some bad people have your account details? How would you know?

If an attacker were able to get your Facebook account details, they may want to use your account in ways that you wouldn’t expect. They may merely want your account to spread commercial messages (spam) to your Facebook Friends. They may have more malicious purposes and try to get your Friends to try out a malicious Facebook App. Since they have access to your account, they are pretending to be you. Your Facebook Friends might not be able to tell that it’s not you. Since these messages appear to come from you, you will have the burden of resolving any problems caused. It is simply better to protect your account from unauthorized access and avoid the unpleasant aftermath from losing control of your account.

Facebook provides two security tools that allow you to control access to your account from various devices. Login Approvals, which I covered in “Facebook Security: Using Login Approvals to keep bad guys out of your account”, sends a security code to you when your Facebook account logs in from a new computer or device. Login Notifications inform you when your Facebook account is used to login from a new, unrecognized device. Using these tools together, you can control your account access and be informed when a new device is used to access it.

Login Notifications inform you when your Facebook account is accessed by an unrecognized device. Whenever you log into your Facebook account from a new device, you will be asked to give it a name. Once you do, Facebook will send you a text message and/or an email message telling you that your account was accessed from a new computer or device. If you were the person accessing your account, then you can ignore the message. If, however, it is not you, then the email message contains a link that you can click to secure your account and prevent the other person from using your account. If you are logged into Facebook when an unrecognized device is used to access your account, you will see a notification on the page and a message in your Notification drop-down menu. The notifications will have links for you to review the login and cancel it, if needed.

Enabling Login Notifications

Setting up your Facebook Account to use the Login Notification system requires that you register your mobile phone with Facebook. To register your mobile phone, check out my article “Facebook Security: Register Your Mobile Phone to Use Advanced Security Features”. Once you have that configured, you can receive codes from Facebook when you need to log into a computer that you do not own.

Setting up your Facebook Account to use the Facebook Login Approval system requires that you register your mobile phone with Facebook. Once you have that configured, you can request one-time passwords from Facebook when you need to log into a computer that you do not own.

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge icon next to it. Click on it.
  4. A list of security settings is presented. Look for “Login Notifications” and click on it.
  5. Select the methods by which you will be notified when your account logs into Facebook (email and text message) and click the “Save Changes” button.
Facebook account settings for Login Notifications
When you enable Login Notifications you may see a new window that describes some issues that may occur with the current configuration of your web browser. Review that information. You may need to make changes to your web browser configuration in order for Login Notifications to work well. The message from Facebook might also include some instructions on logging out of your account before Login Notifications begin to work.

Login Notification Considerations

Using the Facebook-provided tools for controlling access to your account can reduce the chances that someone can take over your Facebook account, but there are some things to remember when using these tools:

  1. With Login Notifications enabled for Email, you receive an email every time an unrecognized device is used to log into your Facebook account. If you suspect that someone is using your account without your knowledge, you can click the link in the email message to Secure Your Account. This will step you through the process of locking down your account to prevent misuse by others. If you enable text message notification only, there is no link in the message. You will need to log into Facebook and review the Active Sessions and remotely terminate access there.
  2. Facebook uses cookies to aid in recognizing computers and devices. If your web browsing is configured to delete cookies every time you quit the web browser software, then Facebook will attempt to approve your device every time you log into Facebook. You can either configure the web browser to not delete cookies when exiting or approve the device every time.
  3. Private browsing (or “Incognito Mode”) is a web browser mode that does not save cookies, your browsing history, and other web privacy related information. Accessing Facebook using a private browsing mode will require you to approve your device every time you log into Facebook. You can either avoid using private browsing or approve the device every time.
  4. If you are already logged into your Facebook account through a web browser, you will see a notification when your account is accessed from another computer or mobile device. From the Notifications drop-down menu you can cancel access to that device.
Facebook Login Notification through the web browser.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Categories
facebook security social media

Facebook Security: Using Login Approvals to keep bad guys out of your account

UPDATE (November 28, 2012): Added a link to a recent post on Facebook Login Notifications.

If you want to stay in touch with your Facebook Friends throughout the day, sometimes you have to access your Facebook account using computers or mobile devices that you do not own. You may be a student and use the school’s computers. If you work in an office environment, your office computer might be the one you use. These devices can have malicious software that might capture your Facebook account username and password. Once an attacker, spammer, or malevolent person gets a hold of your Facebook account, they can make your life difficult by sending dangerous links or unsolicited commercial messages (spam) to your friends. Others may cause havoc for you personally by changing your status or profile, taunting and annoying your Facebook Friends, or sending obscene or hateful messages to other people. Since these messages appear to come from you, you will have the burden of resolving the problems caused. It is better to protect your account from unauthorized access and avoid the unpleasant aftermath from losing control of your account.

Facebook provides two security tools that allow you to control access to your account from various devices. Login Approvals are used when your Facebook account logs in from a different computer or device. A security code is sent to you via text message. Login Notifications, which I covered in “Facebook Security: Use Login Notifications to Watch for Unauthorized Access”, inform you when your Facebook account is used to login from a new, unrecognized device. Using these tools together, you can control your account access and be informed when a new device is used to access it.

Login Approvals work by sending a text message to your registered mobile phone when you log into your Facebook account from a different computer or mobile device or from a different web browser. After your Facebook username and password are entered, Facebook sends you to a page where you are asked to enter your security code. Simultaneously, a text message is sent to your mobile phone. The text message contains a six-digit security code that you must enter on the web page. Once the security code is entered correctly, you will be asked to create a name for the device. This allows you to assign a unique name that you can remember later when you review the devices you have previously approved. After that, you can use Facebook normally with the new computer or device. Someone with your Facebook account username and password will not be able to get your unique security code sent to your mobile phone, so they will not be able to access your Facebook account.

Enabling Login Approvals

Setting up your Facebook Account to use the Login Approval system requires that you register your mobile phone with Facebook. To register your mobile phone, check out my article “Facebook Security: Register Your Mobile Phone to Use Advanced Security Features”. Once you have that configured, you can receive codes from Facebook when you need to log into a computer that you do not own.

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge icon next to it. Click on it.
  4. A list of security settings is presented. Look for “Login Approvals” and click on it.
  5. Enable Login Approvals by selecting the checkbox. A window will open that describes Login Approvals and how it works. Click on the “Set Up Now” button to proceed.
  6. Facebook will send a text message to your mobile phone with a six-digit code. A window will open and ask you to enter the code you received. Enter the code and click “Submit”.
  7. Facebook will then ask you to name the computer you are using. This is your chance to choose a useful name that you can recognize later in a list of known devices. Choose a name for your computer, like “Home Computer” or “Work Laptop”, and click “Next”.
  8. Login Approvals are now enabled. A new window will open with some additional details and security warnings. These are important, so please read the information provided. Click “Next”.
  9. Another window will open and ask you to configure the Code Generator. I’ll cover the Code Generator in an upcoming article. For now, click “Not Now”.
Facebook Account Settings showing that Login Approvals are configured.

Logging into Facebook with Login Approvals

When you have Login Approvals configured, you will be asked to enter a code each time you log into your Facebook account from a computer or device you have not used previously. In Facebook terms, this is an “unrecognized” computer or device. When you use a different device, Facebook wants to make sure that it really is you. To do this, the code is sent to your mobile phone, which is the one piece of equipment that you are likely to have with you at all times.

Facebook Login requesting a Security Code

When you log into Facebook, enter your username and password as usual. If they are correct, you will receive a text message on your phone from Facebook. Enter that code on the “Enter Security Code” web page. Once you enter the correct code, you will be asked to choose a name for the device. Choose a unique name that will allow you to remember the device you are using.

If someone has been trying to log into your Facebook account but has not entered the correct code, Facebook will ask you to review those entries. This is your opportunity to see if your account is being targeted. In some cases, it might be you. You may have made a mistake while logging into your account. Review these attempts carefully though. It may mean that someone has your account password. While they didn’t get into your account, it might be a good time to change your password, just in case.

Login Approval Considerations

Using the Facebook extra security features like Login Approvals for controlling access to your account can reduce the chances that someone can take over your Facebook account, but there are some things to remember when using these tools:

  1. When you log into the Facebook mobile application, you will see a message indicating that a text message has been sent to your registered cell phone. Click “OK” and you will return to the login screen again. (You can exit the mobile application to retrieve the security code and then launch the mobile application again.) Enter the security code from the text message into the “Password” field. If entered correctly, you will be able to access Facebook through the mobile application. If you have Login Notifications enabled, you will also receive an email notifying you that your account was accessed on a mobile device.
  2. Facebook uses cookies to aid in recognizing computers and devices. If your web browsing is configured to delete cookies every time you quit the web browser software, then Facebook will attempt to approve your device every time you log into Facebook. You can either configure the web browser to not delete cookies when exiting or approve the device every time.
  3. Private browsing is a web browser mode that does not save cookies, your browsing history, and other privacy related information. Accessing Facebook using a private browsing mode will require you to approve your device every time you log into Facebook. You can either avoid using private browsing or approve the device every time.
  4. If you lose your cell phone, you cannot receive the security code to log into your Facebook account from new devices. If this happens, you need to log into your Facebook account from a previously approved device, disable Login Approvals, and remove your cell phone from Facebook.
  5. If you delete your registered cell phone from Facebook, Login Approvals will be disabled automatically. An email will be sent indicating that it was turned off. You cannot use Login Approvals without a cell phone to receive the security code.
  6. You may need to create Facebook App Passwords for applications that cannot use Login Approvals. I will cover those in an upcoming article.
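
The device-recognition flow that the Login Notifications and Login Approvals posts describe can be modelled in a few lines. This is an added example, not Facebook's code: the class, function and field names are hypothetical, and the account record and message lists are in-memory stand-ins.

```python
import hashlib
import hmac
import secrets


def _digest(value):
    # Only a hash of the device cookie is kept server-side (design assumption).
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class Account:
    """Hypothetical account record; every field name here is an assumption."""

    def __init__(self, login_approvals=True, login_notifications=True):
        self.login_approvals = login_approvals
        self.login_notifications = login_notifications
        self.recognized = {}        # sha256(device cookie) -> name the user chose
        self.notifications = []     # stand-in for outbound email / text messages
        self.failed_approvals = []  # wrong-code attempts, kept for later review
        self.pending_code = None    # code waiting to be entered, if any


def begin_login(account, device_cookie):
    """Call after the password check passed. Returns (state, sms_code)."""
    if device_cookie and _digest(device_cookie) in account.recognized:
        return "logged_in", None
    if account.login_approvals:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six-digit security code
        account.pending_code = code
        return "code_required", code   # would be sent by SMS, never in the page
    return "name_device", None


def finish_login(account, device_name, submitted_code=None):
    """Finish a login from an unrecognized device; returns the new cookie or None."""
    if account.login_approvals:
        expected, account.pending_code = account.pending_code, None
        supplied = (submitted_code or "").encode("utf-8")
        if expected is None or not hmac.compare_digest(expected.encode(), supplied):
            account.failed_approvals.append(device_name)
            return None
    cookie = secrets.token_urlsafe(32)
    account.recognized[_digest(cookie)] = device_name
    if account.login_notifications:
        account.notifications.append(f"New login from device: {device_name}")
    return cookie


def remove_device(account, device_name):
    """Equivalent of "Remove" under Recognized Devices; returns how many were removed."""
    stale = [d for d, name in account.recognized.items() if name == device_name]
    for d in stale:
        del account.recognized[d]
    return len(stale)
```

A browser that discards the cookie on exit, or a private browsing window, presents no cookie to `begin_login`, which is why the device has to be approved again each time.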

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Categories
facebook security social media

Facebook Security: Use One-Time Passwords to Keep Bad Guys Out

Some Facebook users access Facebook using a variety of computers, some of which they do not own. If you are at the library and want to ask a question of your teacher or fellow students, you can use a library computer to log into Facebook and ask your question. If you are visiting a friend’s house and want to share a photo you just took with your friends on Facebook, you can log into your Facebook account and upload the photo. You may just be hanging out at a cafe and want to check into Facebook to see what’s going on. You can use the cafe’s computer to check in at Facebook. But have you thought about that computer on which you are logging into Facebook?

Not every computer is safe to use. Personal computers are the targets of spammers and attackers and are often hosts to malicious software. Malware known as “keystroke loggers” can record every character you type on the keyboard, including all of the ones for your online account usernames and passwords. Once collected, those usernames and passwords can be used to access your online accounts without your permission, and perhaps without your knowledge. Keystroke loggers and other malicious software can be “installed” by deceiving the user or using vulnerabilities in software on the computer. Users can be tricked into installing software that appears to be legitimate but is not. Other types target and exploit weaknesses in the software of the web browser, an extension or plugin, or even the operating system itself.

One-time passwords are a way of authenticating yourself to a system through the use of a single-use secret that is specific to you and may have a limited time period of validity. In other words, you have two passwords. One that you know. One that is generated for you or sent to you. You have to have both passwords to log in. Some one-time password systems involve the creation of one-time passwords through a software tool, having a printed list of passwords that you carry with you, or a small hardware device that displays a new series of numbers every minute.

Facebook’s one-time password system uses your mobile phone and its text message capabilities. When you need to log into Facebook on a public computer or someone else’s, you send a text message to Facebook and within a minute or so you will receive a message back with a six-digit number, which is your one-time password. This password is valid for twenty minutes. In order to use the Facebook one-time password system, you will need to register and verify your mobile phone with Facebook first. This is necessary to prove that you are the owner of the phone number for your mobile phone.
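
The properties described above (a six-digit code, single use, a twenty-minute validity window) can be sketched from the service's side as follows. This is an added example, not Facebook's implementation: the class name, the in-memory store and the limit on wrong guesses are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6               # six-digit code, as described above
OTP_TTL_SECONDS = 20 * 60    # valid for twenty minutes, as described above
MAX_FAILED_ATTEMPTS = 5      # assumption: the page does not state a guess limit


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()


class OneTimePasswordStore:
    """Hypothetical in-memory store holding one pending code per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> [code digest, expiry time, failed attempts]

    def issue(self, account):
        """Create a fresh code; requesting a new one replaces any older one."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = [_digest(code), self._clock() + OTP_TTL_SECONDS, 0]
        return code   # in the scheme described, this travels by text message only

    def verify(self, account, submitted):
        """Return True once for the right code, inside the validity window."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account]       # expired: a new code must be requested
            return False
        if hmac.compare_digest(digest, _digest(submitted)):
            del self._pending[account]       # single use: a replay finds nothing
            return True
        entry[2] += 1
        if entry[2] >= MAX_FAILED_ATTEMPTS:  # six digits are guessable without a cap
            del self._pending[account]
        return False
```

A code captured by a keystroke logger on a borrowed computer has already been consumed by the time it is recorded, so replaying it fails.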

Facebook also added the ability to generate the one-time password using the Facebook Mobile App. I’ll cover that App in a future article.

Enabling One-time Passwords

Setting up your Facebook Account to use the Facebook One-time Password system requires that you have a registered mobile phone with Facebook. I cover registering your mobile phone in another article. Once you have that configured, you can request one-time passwords from Facebook when you need to log into a computer that you do not own.

Requesting a One-time Password

Here is how to request a one-time password to log into Facebook from a public computer or someone else’s computer:

  1. Use your registered mobile phone and send a text message with the message “otp” to 32665 (“FBOOK”), which is the SMS short code for Facebook. Within a minute or so, you should receive a text message in reply with a one-time password.

    The One-time Password you receive should be entered into the Password field instead of your password.
  2. Go to the Facebook login page. Enter your Facebook email account username and the 6-digit one-time password into the password field. If you entered everything correctly and within the twenty minute time period, you should be logged into Facebook.

One-time Passwords Considerations

One-time passwords reduce the likelihood that your Facebook password will be captured by spammers or attackers, but there are some things to keep in mind.

  1. Any computer can be untrustworthy, including your own. Your best defense is to make sure your computer has the latest software updates installed and that your anti-virus software is updating daily and scanning the system regularly. Always install the updates when prompted and enable auto-updates, if available. Does this mean that you should use one-time passwords on your own computer? The answer might be “yes” if you have not applied updates in a while or have no anti-virus software installed.
  2. Sometimes the Facebook One-time Password system may not send a response quickly after you request a one-time password. Be patient. They usually arrive within a minute.
  3. The one-time passwords that you receive from Facebook over SMS are valid for twenty minutes. If you request one and are not able to log in before the twenty minutes are up, just request another one.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Categories
facebook security social media

Facebook Security: Register Your Mobile Phone to Use Advanced Security Features

Facebook has added several security features to keep your account safe from attackers and spammers. Some of these features use your mobile phone to alert you about activity on your account and to request and receive security codes to log into your Facebook account. Facebook One-time Passwords allow you to request a unique code to log into your account from untrusted public or borrowed computers. This system protects your account because you need your account password and a code that is sent to your phone. Facebook Login Approvals send codes to your mobile phone when you log into your Facebook account from a computer that you have not used before. Facebook Login Notifications alert you when your account is accessed from a computer you have not used before. All of these advanced Facebook security features take advantage of a device that you are likely to be carrying nearly all of the time. Mobile phones are a quick way for Facebook to notify you about login activities on your account and to give you access to your account when you are using a different computer.

To use these features, you need to register your mobile phone with Facebook. By registering, you confirm that you are the owner of the phone. The registration process is designed to ensure that you have the phone in your possession. This is accomplished by having you send a brief message to Facebook’s text messaging number. Once you do, you will receive a reply text message with a code that you then enter into the mobile phone configuration on Facebook’s web site.

Registering Your Mobile Phone

Here is how to register your mobile phone with Facebook.

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Mobile” with a mobile phone icon next to it. Click on it.

    Facebook Mobile Settings configuration in Account Settings.
  4. If you have not added a phone before, there will be a green button that says “Add a Phone”. Click on it. (If you have registered your phone, you can see the details about your currently registered phone.)
  5. A small window will open. You need to select your country and mobile carrier. Once you have made your selections, choose “Next”.
  6. Pick up your mobile phone and send the letter “F” to 32665 (“FBOOK”), which is the SMS short code for Facebook. Within a minute or so you should receive a confirmation code in a text message reply.

    Facebook Mobile Settings configuration window to enter the confirmation code you receive.
  7. Go back to the Facebook web page and enter the confirmation code that you received. If all goes well, you have now confirmed that you are the owner of the phone.
  8. You can configure various settings associated with your phone from the “Mobile Settings” tab.

Mobile Phone Considerations

Registering your mobile phone with Facebook will help you to protect your Facebook account. There are some things to remember if you decide to use your mobile phone with Facebook for the advanced security features.

  1. You will be sending and receiving text messages with your mobile phone. Make sure that you are aware of the costs of these messages. If you have a large number of messages available per month or an unlimited plan, then you should have no issues.
  2. If someone borrows or steals your mobile phone, they can request a one-time password to gain access to your Facebook account. This assumes they know the email address you use to log into Facebook. Prevent someone from using your phone without permission by enabling a lock screen on your phone.
  3. If you lose your mobile phone, you should remove that phone from Facebook’s Mobile Settings configuration to prevent a thief from accessing your account with one-time passwords and accessing other Facebook services through text messaging.
  4. If you replace your mobile phone with a new one in the future, you will need to update your mobile phone settings in Facebook.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Categories
facebook security social media

Facebook Security: Use Secure Browsing to Keep your Facebook Session Safe

UPDATE (November 26, 2012): Facebook has started rolling out HTTPS by default for all users. More information was released in a November 14, 2012 Platform Update on the Developer Blog.

In October 2010, Eric Butler demonstrated a problem with open networks. It’s easy to capture network data and steal authentication credentials (a “cookie”) from other wireless users. It’s especially easy to do on open wireless networks. So easy, that Eric created a simple Mozilla Firefox plugin for everyone to try called Firesheep. Using this simple tool, anyone could grab the cookie that allowed an authenticated user to browse their private web pages from sites like Twitter and Facebook. Very easy.

In response, Facebook and many other sites provided a security feature to prevent Firesheep and similar tools from working. They now provide the option to encrypt your entire session over the Secure Sockets Layer or SSL. This is also referred to as “https”. When your session is encrypted, other network users cannot see the data you send and receive. You are also guaranteed to be communicating with a legitimate Facebook server because SSL provides server authentication as well. On Facebook, this advanced security feature is called “Secure Browsing”.
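As an added example (not code from the original post or from Facebook), here is a site-side check for the condition Firesheep relied on: a session cookie that can travel over plain http. The cookie name `session_id` and the sample header values are constructed assumptions.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, set of lowercase attribute names)."""
    first, *attrs = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    return name, {a.partition("=")[0].strip().lower() for a in attrs if a}


def exposed_session_cookies(scheme, set_cookie_values, session_names):
    """Return {cookie_name: reason} for session cookies an eavesdropper could read.

    scheme is the scheme of the response that set the cookies ("http" or "https").
    """
    exposed = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name not in session_names:
            continue  # preference cookies do not authenticate the user
        if scheme != "https":
            # The cookie itself crossed the network unencrypted.
            exposed[name] = "set over plain http, readable on the network"
        elif "secure" not in attrs:
            # Set safely, but the browser will attach it to any later http request.
            exposed[name] = "no Secure attribute, also sent on later http requests"
    return exposed


# Constructed sample values; the cookie names are hypothetical, not Facebook's.
SESSION_NAMES = {"session_id"}
HTTP_ONLY_SITE = ["session_id=abc123; Path=/", "locale=en_US; Path=/"]
MIXED_SITE = ["session_id=abc123; Path=/; HttpOnly", "locale=en_US; Path=/"]
FULL_HTTPS_SITE = ["session_id=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    cases = [
        ("everything over http", "http", HTTP_ONLY_SITE),
        ("https login, cookie not marked Secure", "https", MIXED_SITE),
        ("https everywhere, cookie marked Secure", "https", FULL_HTTPS_SITE),
    ]
    for label, scheme, cookies in cases:
        print(label, "->", exposed_session_cookies(scheme, cookies, SESSION_NAMES))
```

The middle case is the one that matters most here: logging in over https does not protect the session if the cookie is later sent over http, which is why the whole session has to be encrypted.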

Enabling Secure Browsing

It is a good idea to enable this feature. Here is how you do that:

  1. Click on the “triangle” drop-down menu in the upper right portion of the Facebook page.
  2. Select “Account Settings”. A new page will open.
  3. On the upper left portion of the Facebook page you will see a tab called “Security” with a gold badge next to it. Click on it.
  4. A list of security settings is presented. Look for “Secure Browsing” and click on it.
  5. The option to enable Secure Browsing will slide down. Select “Browse Facebook on a secure connection (https) when possible” and click the “Save Changes” button.
  6. Reload the Facebook pages you have open. You should now be able to verify in your web browser that the connection is encrypted to prevent eavesdropping.
Figure: The Facebook account settings page showing that Secure Browsing is enabled.

Once you have Secure Browsing enabled, you’ll notice that your web browser location bar will change. It will display a lock indicating that the site uses SSL.

Figure: Google Chrome location bar showing a lock symbol for Facebook.

Secure Browsing Considerations

There are many advantages to using Facebook Secure Browsing and no significant disadvantages. Once enabled, you no longer have to worry as much about your information being captured over the network or your account being compromised through session hijacking, and server authentication assures you that you are connected to a legitimate Facebook server. Facebook also now requires all third-party developers to provide SSL-enabled Apps through the Facebook platform. This means that the Facebook Apps you use are exchanging your information over an encrypted communications channel using SSL. One common complaint is that using SSL is slow. Most modern computers and laptops are so fast that there is literally no noticeable delay when using Secure Browsing. Facebook and other services also use very fast servers that can crunch through the cryptographic operations quickly too. You should see no delay that can be traced to Secure Browsing.

Just remember that you can be fooled. Periodically check your web browser location bar for the lock symbol. Some attackers create fake web sites (called “phishing” sites) to capture usernames and passwords by tricking users into thinking they are using the correct web site. If the lock is not present, then your information is not private and may have been compromised. If in doubt, return to the real Facebook URL.

Resources

Check our guide: Own Your Space, “A Guide to Facebook Security”

Facebook Extra Security Features

Categories
community outreach privacy safety security social media

Purdue 2012 National Cybersecurity Awareness Month

Purdue CISO David Shaw
Professor Eugene H. Spafford
Professor Lorraine Kisselburgh

On October 5th, 2012, Purdue held a local online security, privacy, and safety event on campus for the National Cybersecurity Awareness Month. The cybersecurity awareness event program included many local information security experts at Purdue and from the Greater Lafayette area. I had the honor and pleasure of working with Cherry Delaney of ITaP to put the program together and invite our distinguished speakers.

Morning Program

I was thrilled with our line-up of experts from the Purdue community in the morning program. Executive Director of CERIAS and Computer Science Professor Eugene H. Spafford (@TheRealSpaf) gave the keynote address. Purdue CISO David Shaw (@Info_Sec_Pro), as a new Purdue staff member, provided some insights into his vision for information security and outlined the next steps in advancing information security at Purdue. Next, we had a panel discussion on “The Promise and Peril of Social Media”. This was exciting for me because I came up with the topic and got to moderate the discussion. Professor Lorraine Kisselburgh (Brian Lamb School of Communication), Kyle Bowen (@kyledbowen, Director of Informatics), Professor Spafford, and Mr. Shaw were our panelists.

But don’t just take my word for it. Watch the recording. Note: I am the guy introducing Professor Spafford and moderating the panel.

Afternoon Program

In the afternoon, we split into two tracks. One on security awareness. The other focused on technical topics.

Technical Track

The technical track consisted of talks on intrusion detection, incident response, and auditing tools. These talks were geared for a more technical audience. Matt Jonkman, CTO at Emerging Threats Pro based in Lafayette, talked about Suricata. It is an open source, multi-threaded intrusion detection engine. Doug Couch and Nathan Heck, security engineers at ITaP, talked about the Purdue incident response process. George Bailey, security technical operations manager at Purdue Healthcare Advisors, and Josh Gillam, an IT auditor with Purdue Internal Audit, talked about using nmap, CIScat, and Metasploit to assess system and network security.

The technical track was recorded.

Awareness Track

The awareness track focused on a higher-level presentation of information that would be useful to a general audience. These talks were designed to inform people about risks as well as Purdue policies, Indiana state laws, and federal laws related to the protection of sensitive information. I did a presentation on social media security and privacy. I covered some risks associated with information sharing, social networking, and location-based services. Dr. Peter Dunn, the Associate VP for Research, talked about Purdue policies and federal laws on sensitive and restricted research. Joan Vaughan, the Purdue HIPAA Privacy Officer, talked about HIPAA-related rules for researchers using electronic patient health information (EPHI). Greg Barnes, an information security analyst at ITaP, talked about best practices for researchers that have control of sensitive research data. Finally, Mike Hill and Preston Wiley from the Center for Regulatory and Environmental Information Systems (CERIS) talked about mobile device security. They also demonstrated remote wipe for Apple iOS devices.

The awareness track was not recorded.

Resources

Panel discusses promise, peril of social networking, offers security tips by Andrea Thomas, ITaP News

Purdue 2012 National Cybersecurity Awareness Month program (morning video, afternoon video)