Facebook yesterday announced a new remote log-out security feature that allows users to see all of the active login sessions for their Facebook account. How does this work? First, a little background education.
Say that you're logged in at home but later want to log into Facebook with another computer (for example, your work computer). If you didn't have your work computer registered, you would have to register it and you would get an email saying a new device has used your account. The purpose is for you to be notified if someone other than you uses your account.
The last piece was implemented by Facebook in May, but with the latest announcement Facebook will now actually show users the logged-in sessions. Any Facebook user can now instantly end these sessions with a single mouse click. Based on the Facebook blog, account activity will show the time Facebook was accessed, the device name set, the location (based on IP information) and the device type (web browser or mobile device) using your account.
My first reaction is that it's a good additional step in the right direction. However, here are four things to think about:
Did you know you could receive email or SMS notifications when someone else uses your Facebook account? You probably didn't, as this setting is "off" by default. This feature was rolled out to all Facebook users earlier this year. I personally find it fascinating that Facebook's most controversial features with regard to privacy are "on" by default but new security controls are always "off."
Facebook traditionally does a poor job of advertising its own security controls. This announcement is no exception. Yet, the social network is quick to announce that it can scan your email address book and harvest your friends' email addresses to see if they are on Facebook. You see these announcements quite frequently when you first log into Facebook. Why not announce new security controls this way? Unless you get Facebook Security page updates in your stream, heard about it from one of your friends, or read this article, you likely wouldn't know this feature exists.
Adding a location to your account activity in this security control is especially interesting given the announcement of Facebook Places. This doesn't seem to be tied to the actual location that Facebook Places uses; rather, it determines your location through your IP address. You already know that a location can be spoofed through Facebook Places, but an IP address can be spoofed as well. Could attackers abuse this feature? Only time will tell.
I'm intrigued by the question posed by Facebook in the announcement: "Have you ever borrowed a friend's phone to use Facebook and then forgotten to log out before you handed it back?" Why do we think it's OK to see a Facebook login and enter our credentials (on a friend's phone, even)? This is why phishing for Facebook and other accounts still works extremely well. Here is a great example. Have you been to the Apple Store lately? Observe how many people use Facebook on computers they don't own and forget to log out. Do we simply not care about the security of credentials that have access to our personal information?
While these four points may seem negative towards this new control, Facebook is trying some new and innovative ways to add some additional layers of security. But will you use it and do you even care?
Tom Eston is a senior security consultant for SecureState. Tom is actively involved in the security community and focuses his research on the security of social media. He is the founder of SocialMediaSecurity.com, an online community dedicated to exposing the insecurities of social media. Tom is also a security blogger and co-host of the Security Justice and Social Media Security podcasts.