10 Tips to Secure Your Facebook Account
I created a Facebook account because I wanted to know its features, how it can be attacked and the other risks associated with it, for a few reasons:
1. My daughter and friends have Facebook.
2. I have a strong interest in making people aware of various security risks, especially in the virtual world.
3. I have been appointed as a technical adviser for a film about hacking, which includes a scene where a Facebook account is hacked.
After 2 weeks of playing with Facebook, I would like to share 10 tips on how to secure your Facebook account.
1. Do NOT login from http://www.facebook.com
The page itself is not encrypted. Your login information (email and password) is encrypted, but since the login form is embedded inside a frame, users cannot see whether it is encrypted or not. The following pictures show that there is no lock sign (https enabled) in the bottom right corner.
An attacker can use a fake Facebook web site to steal a user's password without giving the victim any clue of the attack.
2. Do login from https://login.facebook.com/login.php?login_attempt=1
When you are on http://www.facebook.com, just click the Login button without filling in the email and password.
You will be automatically redirected to the encrypted login page.
You can verify that the login session is encrypted by looking for the lock sign in the bottom right corner of your browser.
3. Do NOT continue the login process if there is any security warning / alert
If you click Yes, a malicious person might be attacking your encrypted traffic (https session). Press the Esc key on your keyboard to stop the login process.
4. Do NOT forget to logout
If you are not using your own computer, merely closing the browser leaves your login session available to other people. I have found this many times on public PCs.
5. Do NOT work with system administrator privileges
Surfing the Internet, opening email, images, documents and other normal activities must not be done from a user account with administrator privileges. It's VERY, VERY dangerous!!! Unfortunately, the majority of Windows users work with administrator privileges. I wrote an article about this in Indonesian. Here is the English version translated by Google.
6. Beware of malicious Facebook widgets
A widget (a third-party application) allows its author to access sensitive information or install spyware on the target computer. There are already two malicious Facebook applications, Secret Crush and Error Check System, attacking Facebook users.
7. Beware of insecure computers
An insecure computer is any computer that is not patched, has no updated anti-virus, or is infected by malware. A computer infected by the Koobface worm (koob = book), a keylogger or other malware steals users' passwords.
8. Beware of Wi-Fi Internet connections
Only the Facebook login process is encrypted using SSL/TLS (https). Your Facebook cookies can easily be captured from the air. Wi-Fi protected with WEP encryption can be broken in at most 10 minutes. A malicious person can set up a free Wi-Fi access point: he gives you free access, and you give him all your unencrypted information, including Facebook cookies. Don't keep private or sensitive information in your Facebook account.
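Tips 1 and 8 describe two things a user cannot see in the browser: whether the framed login form really posts over https, and whether the session cookies are marked so the browser never sends them in the clear. The following added example (mine, not from the original post or from Facebook) is a small offline audit of those two properties; the page HTML, host names and cookie headers are constructed samples, not Facebook's real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormFinder(HTMLParser):
    """Collect the action URL of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self._current = None
        self.password_forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.password_forms.append(self._current["action"])
            self._current = None

def audit_login_page(page_url, html, set_cookie_headers):
    """Return findings about what a passive eavesdropper on the network could read."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page served over http: no lock icon, a fake copy looks identical")
    finder = _FormFinder()
    finder.feed(html)
    for action in finder.password_forms:
        target = urljoin(page_url, action)  # relative actions inherit the page's scheme
        if urlparse(target).scheme != "https":
            findings.append(f"password form posts over http to {target}")
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure: sent in clear on http requests")
        if "httponly" not in flags:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings

# Constructed sample input (hypothetical hosts, not Facebook's real markup or cookies).
SAMPLE_HTML = ('<form method="post" action="https://login.example.test/login.php">'
               '<input type="text" name="email"><input type="password" name="pass"></form>')
SAMPLE_COOKIES = ["sess=abc123; Path=/", "pref=1; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print(*audit_login_page("http://www.example.test/", SAMPLE_HTML, SAMPLE_COOKIES), sep="\n")
```

With the sample input the form itself passes (it posts to https), but the plain http page and the `sess` cookie without the Secure flag are exactly the two exposures described above.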
9. Think security first before you click
Clicking any URL on a Facebook wall is a risk. Malicious people and malware (malicious software) such as Koobface spread their malicious code through wall postings. It is also easy to impersonate your friend or family on Facebook by creating another account with the same name.
10. Make your families and friends aware
The key to making yourself secure is to ensure that your family and friends are also aware of the various security risks. Sharing this article (via email, Facebook wall, etc.) will help me, you, our families and friends to survive in this (dangerous) virtual world. You're the key to security!
If you can read Indonesian, please join Komunitas Keamanan Informasi (Gildas).