Facebook Security for the Lazy
Every time you use Facebook, you probably have a nagging feeling in the back of your head that someone other than your friends is reading your posts. You should trust that feeling. At the same time, keep in mind that Facebook is a tool designed primarily for sharing personal information with large groups of people you barely know. Facebook is not your personal diary or a substitute for SMS. You just need to assume that everything you post on Facebook inevitably will end up in the hands of someone you don’t like very much. And then you proceed based on that assumption.
When I say “inevitably”, I mean there is nothing you can do to prevent your personal information from escaping. However, there are a few things you can do to delay and limit the damage. In January 2011 Facebook finally caught up with the rest of the twenty-first century and introduced HTTPS support. When you use HTTPS, everything you read or write on Facebook is encrypted before being sent over the network. This is a valuable feature to have if you are accessing Facebook from your employer’s network, as it makes it a lot harder for your boss to read your correspondence.
Enabling HTTPS for Facebook is easy. But keep in mind that there are a few Facebook apps that don’t yet have HTTPS support. You don’t want to use them anyway. So go to your Facebook Account Settings -> Account Security and check “Browse Facebook on a secure connection”, as the screenshot below illustrates.
Friends of Friends are Your Enemies
This “Friends of Friends” thing is the cornerstone of Facebook’s business model. The model in question is based on continuous growth of membership and member activity. The “Friends of Friends” feature is the big-block V8 driving this growth. On the other hand, logic dictates that these friends of your friends are mostly people you don’t know. Many of them you don’t want to know. And some of them you may want to punch in the face. Be careful when you choose to share details of your personal life with these shady characters.
The screenshot below shows the recommended minimum security requirements for sharing personal information on Facebook. First things first, make sure that “Everyone” can see nothing. I would encourage you to consider changing who can see your biography and the photos you are tagged in to “Friends Only”. To make the changes, go to your “Privacy Settings” -> Customize settings.
It is also a good idea to make sure that your phone number (if you are using Facebook Mobile) is only visible to you. Disable the “Include me in ‘People Here Now’” feature: you don’t want Facebook alerting the entire world that you are at a local strip bar. Also disable “Friends can check me in to Places”. Nobody has time to use this feature anyway, and if they do, they are up to no good.
Whenever you allow “Friends of Friends” to view your stuff on Facebook, you essentially delegate the job of managing your privacy to your online buddies. Doing so rarely works out for the best. Let’s say you have a hundred friends on Facebook and each of them has a hundred friends. This comes out to hundreds, perhaps thousands, of people, many of whom are roughly your age, living in the same area, working in the same field. They are not your friends – they are your competition. The last thing you want to give them is access to any kind of dirt on you.
Apps, Games, and Websites
Perhaps the biggest security threat on Facebook comes from apps and Web sites that can access your information. There are thousands of crooks who build up massive databases of user data under the cover of some innocuous-looking app or a silly online game. And the worst part is that you allowed them access to your personal information when you started using their software. Technically, they are not breaking any laws, but this does not mean that they won’t in the future.
Go to your “Apps, Games, and Websites” settings in your Facebook profile (see the screenshot above) and remove all but the most beloved and indispensable apps from the list. To help you make up your mind, Facebook tells you how long ago apps accessed your data. Definitely remove everything you haven’t used in the past month or two. Should you suddenly develop a need for one of these apps in the future, it is a simple matter of adding it back to the list.
While you are in the “Apps, Games, and Websites” settings, take a look at the “Game and app activity” section. By default, your “Friends” can see your apps and games activity. You may want to change this so that only you can view this information. In the same section, make sure that “Public search” and “Instant Personalization” are disabled. Today Facebook’s social engineers are stumbling around in search of new ways of integrating your personal life into their business master plan. They like a good challenge, so don’t make their jobs easier.
Your Stupid Password
Most Facebook accounts are compromised not with advanced computer hacking techniques but by using statistical analysis of popular passwords. In other words, these “hackers” are very good at guessing your passwords. Some years ago I was doing password quality analysis for a large company. This involved using a supercomputer to crack thousands of encrypted passwords, which were then analyzed using various statistical models. “Apple1” was the most common password. If password ageing was enabled and the “apple1” password expired, guess what computer users changed it to? That’s right, “apple2”. Once a requirement for an 8-character password was introduced, the fruit of choice changed to “apricot1”. People love fruits.
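The kind of password quality audit described above, as an added example (this is not the author’s analysis tooling, and the password rotations it works on are constructed sample data, not real cracked passwords): it counts the most common base word across a batch of passwords, flags “word plus digits” passwords, and flags expiry rotations that only bump the trailing number or change the case, which is exactly the apple1 -> apple2 pattern the post complains about.

```python
"""Password quality audit over a constructed sample of expiry rotations.

Added example, not code from the original post. Input is a list of
(user, old_password, new_password) triples such as an authorised audit
of a password-expiry cycle might produce; the sample below is made up.
"""
import re
from collections import Counter

# Constructed sample data (not real users or passwords).
SAMPLE_ROTATIONS = [
    ("alice", "apple1", "apple2"),
    ("bob", "apple1", "Apple1"),
    ("carol", "banana3", "banana4"),
    ("dave", "apple1", "xK9#vq2Lm!"),
    ("erin", "apricot1", "apricot2"),
    ("frank", "Apple1", "apricot1"),
]

# A dictionary word followed only by digits, e.g. "apple1", "Apricot12".
WORD_DIGITS = re.compile(r"^([A-Za-z]+)(\d+)$")


def split_word_digits(pw):
    """Return (base word lower-cased, trailing digits) or None if no match."""
    m = WORD_DIGITS.match(pw)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def base_word_frequency(passwords):
    """Count base words, case-folded and with trailing digits stripped,
    so apple1 / Apple1 / apple2 all count towards 'apple'."""
    counts = Counter()
    for pw in passwords:
        parts = split_word_digits(pw)
        counts[parts[0] if parts else pw.lower()] += 1
    return counts


def is_increment_rotation(old, new):
    """True when the new password is the old one with the trailing number
    raised by one (apple1 -> apple2, apple9 -> apple10)."""
    a, b = split_word_digits(old), split_word_digits(new)
    if a is None or b is None:
        return False
    return a[0] == b[0] and int(b[1]) == int(a[1]) + 1


def is_case_only_rotation(old, new):
    """True when the only change is letter case (apple1 -> Apple1)."""
    return old != new and old.lower() == new.lower()


def audit(rotations):
    """Summarise the weaknesses found in a list of (user, old, new) triples."""
    old_pws = [old for _, old, _ in rotations]
    return {
        "most_common_base_word": base_word_frequency(old_pws).most_common(1)[0],
        "word_digit_new_passwords": [
            u for u, _, new in rotations if split_word_digits(new)
        ],
        "increment_rotations": [
            u for u, old, new in rotations if is_increment_rotation(old, new)
        ],
        "case_only_rotations": [
            u for u, old, new in rotations if is_case_only_rotation(old, new)
        ],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROTATIONS).items():
        print(f"{key}: {value}")
```

The same checks work as a policy hook at password-change time: rejecting a new password for which `is_increment_rotation` or `is_case_only_rotation` returns true stops the apple1 -> apple2 reflex, and rejecting anything `split_word_digits` matches stops the fruit-plus-digit family altogether.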
Try to show some originality when selecting a password. Without question, your most important password is the one to your email account. Never ever use that same password for any other purpose. The first thing a hacker would do after unlocking your Facebook profile is to try to get into your email account with the same password. And once that happens, you may soon find yourself living in a cardboard box under a bridge. Having the same password for Facebook and email is like making a key that unlocks both your house and the safe inside it.