Every Time You Blink, Facebook Locks Out Two Potentially Hacked Accounts

Happy Halloween! So I'm running a bit behind today after getting a hysterical phone call from a spooked dude about his computer being haunted. The CD drive would eject on its own, the mouse was moving about as if possessed, web pages were opening in new tabs, and his mail was being opened in front of his eyes. This is someone whose wife can't understand why their computer keeps getting vicious and malicious infections, since (wink, wink) he swears he's not cruising porn. There was no ghost in his Windows machine, big shocker, I know, but I keep an imaged copy of his computer on hand since those malware-tainted phishing emails promising hot chicks if you click are apparently too much temptation. Just the same, you should keep an eye out for Halloween terror tricks, pranks and poisonous treats like the "virus of doom" or a haunted computer.

Now to something really scary - in the time it takes you to blink, at least two Facebook accounts have been hacked. To honor National Cybersecurity Awareness Month, Facebook, the huge intelligence spy machine, claimed that "security and safety are at the core" of the social network. According to a security infographic, "only" 0.06% of Facebook logins are compromised daily. While 0.06% each day looks like a tiny number, with more than 1 billion Facebook logins per day that small percentage of potentially hacked accounts actually works out to about 600,000 attempted breaches every 24 hours. However, to really boggle the brain, Sophos' Graham Cluley, who always keeps an eye on Facebook and alerts users to the newest scams, broke the Facebook figures down even further. "If you really like to make your mind melt," those 600,000 daily breaches mean there is "one every 140 milliseconds. (By comparison, a blink of the eye takes 300-400 milliseconds)," Cluley wrote.

In the Naked Security comments, a Facebook security team member seemed to take exception to their own terminology on the infographic and wanted to clarify: "600,000 times a day, we STOP a bad guy from getting access to an account even though he has guessed, phished, or stolen the login and password of an account." The security infographic states that Facebook 'roadblocks' "250 - 600,000 accounts on any given day to help protect the integrity of the site." Okay, then for every blink you make, Facebook security locks out at least two potentially hacked accounts. Wow, it still sounds like a favorite hangout playground for cybercrooks.

When Facebook tooted its horn about new security measures to protect users' privacy, it made me accidentally swallow my soda down my windpipe and then choke violently for a good minute. The company that still hasn't enabled privacy-by-design now allows users to choose "trusted friends" who can help prove your identity if you get locked out of your account. "It's sort of similar to giving a house key to your friends when you go on vacation--pick the friends you most trust in case you need their help." The blog post continued, "If you forgot your password and need to log in but can't access your email account, you can rely on your friends to help you get back in. We will send codes to the friends you have selected and they can pass along that information to you." It's better than nothing, but the logic seems flawed. For example, if your Facebook account is hijacked and the attacker wants to keep control, wouldn't the attacker simply change who is listed as your trusted "Guardian Angels"?

Despite the Facebook Immune System (FIS) that battles against spam, infections seem to spread like a person with a cold who sneezes on his hand and then, in the next second, holds out the germy thing to shake hands and thereby exploit a vulnerable friend who trusts him. Recent research showed that Facebook's 800 million users are vulnerable to socialbot attacks even if their profiles are protected by privacy settings. Because "the socialbots posed as friends, they were able to extract some 46,500 email addresses and 14,500 physical addresses from users' profiles, information that could be used to launch phishing attacks or aid in identity theft," reported New Scientist.

Facebook claims to "ban IPs, user accounts and apps that are reading public data too aggressively." Yet what about the aggressive tactics of Klout? Danny Brown wrote about how Klout was using our families on Facebook to violate our privacy. Brown gave the example of a child's private Facebook profile which had allowed no access to Klout, but was gobbled up and given a Klout social influence score based on one comment on his mom's public Facebook wall. Brown said to Klout, "If you're going to activate accounts for people who have their feeds set to private, and justify it by saying, 'But they spoke to someone who has a public account', that's crap. That's like saying, 'Well, we're going to telemarket call your son's private phone number because we overheard you asking for his new number on your public phone.'" Then Pam Moore, the Marketing Nut, lashed out at the social puppetry performed for Klout. It's "a dream come true for Facebook as we were feeding the puppet eating data monsters with every click!" Evidently Facebook does not regard Klout's scraping of data from profiles set to private as "aggressive" enough to block.

It is probably quite the cybersecurity nightmare to try to protect users, who are the weak link, from phony chat messages or "a friend needing help," from clickjacking and like-jacking, and from rogue apps promising features that don't even exist, like blocking profiles, appearing invisible, or seeing which creepers are checking you out. Then there are the survey scams at the end of games, and offers to get something such as Facebook credits, an iPad, or gift cards for free. Don't forget alleged breaking news or fake celebrity gossip with sexy, shocking, or extra sensational headlines. Not just on Halloween but every day, there are countless tempting treats on Facebook that users find out too late were instead tricks tainted with poison.
