Following a series of high-profile security breaches, popular social-networking Web site Facebook has responded by adding security layers to its user log-in process.
According to a blog post by Lev Popov, who signed off as a software engineer on Facebook's site integrity team, the company has been "testing a new feature" that allows users to approve devices that they commonly use to access the site. If a device outside this pre-approved list logs in to a user's account, the user will be notified, he added.
"For example, you can save your home computer, your school or work computer, and your mobile phone. Once you've done this, whenever someone logs in to your account from a device not on this list, we'll ask the person to name the device," said Popov in the posting.
He also pointed out that Facebook had built a new system to "block suspicious log-ins before they happen".
This new system will require the person trying to access a user's account from an "unusual device" to answer an additional verification question to prove his or her identity as the real account owner, said the engineer. Popov also noted that these verification questions are designed to be easy for users to answer, but not for "a bad guy", and that the company has "already seen some great results".
Cybercrooks favoring Facebook
Popov's blog post comes days after a Facebook board member, Jim Breyer, got caught up in a phishing scam in which a Facebook event invitation was sent out to all 2,300 contacts listed on his account.
ZDNet Asia's sister site, CNET News, reported that the Accel Partners venture capitalist unwittingly forwarded the message, which read: "Would you like a Facebook phone number?", and anyone who responded had the same message sent to their own list of contacts.
"This was a phishing scam and Jim's account appears to have been compromised. The issue has since been resolved and we're actively trying to block this activity," the company was quoted as saying in the article.
Unfortunately for Facebook, Breyer's faux pas was not the only high-profile security breach the site had to endure over the past few weeks.
Last Thursday, CNET News reported on how a bug in the site's "Preview my profile" feature revealed some users' live chat messages and pending friend requests to their contacts. While Facebook did not disclose how many users' information was exposed and for how long, the article did state that the company's engineers had temporarily disabled Facebook Chat to fix the problem.
Earlier in April, ZDNet Asia also reported on a hacker peddling 1.5 million Facebook user accounts in an underground hacker forum.
The hacker was asking for US$25 to US$45 per 1,000 user accounts, or US$0.25 per account. When benchmarked against Symantec's Internet security threat report for April, which listed the estimated cost for e-mail IDs and passwords at between US$1 and US$20, the asking price of the hacker, "Kirllos", was considerably lower, the report stated.
The cybercrook had already sold 700,000 accounts at the time of the article's publication, according to VeriSign's iDefense group.
Kirllos was identified by Facebook on Thursday. According to a PC World report, the company's forensics team, working with other industry contacts, had figured out who Kirllos was, although Facebook declined to say much save that the hacker was based out of Russia.
A company spokesman, Simon Axten, was quoted as saying: "We have identified Kirllos' identity through IP addresses, online accounts and other information, and believe that he's very likely a low-level actor."