Facebook might just make it that little bit easier for hackers to get into your account

If you use Facebook and you do not at the very least have a love-hate relationship with it, then you probably just aren’t thinking about what you do there. I find myself often thinking that it’s time to just close my Facebook account, but on the other hand, having moved to Australia, I have found that a fair number of Facebook groups have become the de facto forums of the Social media era. As such, even though I try to limit my time on my main page, and post very little, Facebook’s groups still have some value to me.

But before I get to the actual topic of this post, perhaps just some comments on Facebook in general. First, remember that there is no such thing as a free lunch. Facebook offers us this awesome tool for connecting with other people from all around the world, even, to quote Philo Farnsworth, people we would ordinarily never invite into our homes (yes, in the Facebook era, we may even have to redefine the word “friend”). And Facebook gives us all this for free. That’s right—spend as much time as you want, upload as many photos and videos as you like, all at no cost. No subscription fees, no data fees, nothing. Except… that’s not true. We pay, and oh, do we pay! We pay for the use of the site with our time, with our data, with our photos. We willing submit ourselves to manipulation and marketing, from which they make millions, in exchange for the service they give us. Of course, since it’s a trade, one may argue that the price we pay is fair for the service we get. I will not get drawn into a debate about that now, since that is not what I want to discuss. Let’s just assume that most of us are perhaps paying a bit too much and getting far too little.

Nonetheless, if you do find yourself getting sucked in to Facebook, here’s some help.

  1. Install Social Fixer, and spend a few (really only a few) minutes figuring out how to use it. And if you like the service, make a donation. This one thing along will start killing the Facebook time-suck, and will transform your use of the site. I would argue that no-one should be using Facebook without this tool, but that may be akin to saying that I think Facebook’s default interface is dysfunctional, or that I think no one should ever be using the Facebook app on their phones (for which statements I make no excuses).
  2. I use the RescueTime service to monitor my productivity on my pc. Using this, I can monitor how much time I am spending on distracting things like Facebook, and my target is less than 15 min per day.

But now, on to the reason for this post. Facebook, as anyone who reads any real (not fake) news (i.e., who does not read news brought to them by Facebook), will know, Facebook has a really spotty history on protecting your privacy. Not only are they harvesting your personal information and mining it for their own profit, but they have been repeatedly accused of creating such confusing and user-unfriendly privacy settings (we shall see an example of this shortly), that many people are totally unaware of how much of their data is on display for the whole world to see.

Privacy? What’s that?

Take a look at this privacy setting, as an example. It is so obtuse to get to, that just trying to find it proves how confusing Facebook has made things. Did you know that, if your privacy settings are not set right, then people whose friend requests you ignore (no indication is given of what length of time is defined by Facebook as “ignore”) or even delete will automatically be rerouted to start following you? That means if you allow followers, and delete someone’s friend request, they automatically become a follower (when did that become a good idea?). This Facebook help page explains the process.

Having your Facebook account hacked, 101

However, what I noticed recently, and what prompted this post, was that Facebook, in an attempt to make life easy for their users, has inadvertently opened up what is, to my mind, a huge security hole. So I want to describe it, and make some suggestions as to what you can do about it.

What I noticed is that I normally access Facebook from my personal pc, where I have the “remember me” login setting turned on—this stores a cookie on the pc, allowing me to be logged in automatically when I navigate to their page. However, last week I tried to log on from a different computer, and seeing as I had entered my password so long ago (because of the “remember me” setting), I momentarily forgot it and typed in the wrong password. Lo and behold, I received an e-mail in all three of my e-mail accounts allowing me to log in by simply clicking on the link in the e-mail. Without the password. I couldn’t believe it when I saw it, but I thought that I had to test it out, and it really did just log me into my Facebook account, no password required (see my comment about two-factor authentication below).

So how is that a danger? Well, imagine a hacker gets your e-mail password. Presumably, they won’t have the password without the e-mail address, so that means that they can log into your e-mail account. Now they go to www.facebook.com and try to log in with your e-mail address, and any password. Facebook helpfully sends this e-mail out, and the hacker, who has access to your e-mails, clicks the link, and is logged into Facebook. All they do then is permanently delete the aforementioned Facebook e-mail from your mailbox, and you will be none the wiser. This whole transaction can take only a matter of seconds, and if you were not also logged into your e-mail account and watching your inbox at precisely the same time, you would not even know it. But now your Facebook account has also been hacked, and, for example, they could go to the settings page and download all your Facebook data. Nice? Definitely not! Or they could change your Facebook password, and lock you out of your own account. And spam all of your Fakebook friends (sorry for the typo!).

I must add that this kind of hack is not new. Most websites have an “I forgot my password” feature that allows you to type in your e-mail address, get an e-mail with a special link, and then reset the password without knowing the existing password. Hackers have been able to exploit this in exactly the same way as I have described above. But at least that added a layer of complexity to the process, and that complexity makes it easier for you to discover that your accounts have been hacked. Facebook has just dispensed with that, and made it ultra-convenient for this hack. Sure, they could argue that your e-mail account being hacked is not their responsibility, but I don’t think leaving a back door for anyone to get into their service on the basis of a compromise elsewhere is justified. Imagine you had accounts with two different banks, and bank B had a function that allowed all your money to be withdrawn provided someone had your card and pin for bank A! “Ludicrous!” you would say, and I would agree. Which is precisely my point.

The second security setting to set on both your Facebook and e-mail accounts is to activate two-factor authentication, and not to use your e-mail address as your second authentication source (why this is a bad idea should be quite evident by now), but rather to use your cell phone number to receive an authentication code via SMS. Of course, this means surrendering yet another piece of your data to Facebook, but hey, relax, they are spying on—oops, not spying, monitoring you—so much, they probably have that data anyway. For example, Facebook is tracking your web browsing history).


In short, then, be savvy when you use Facebook. Accept that you are paying for the service you are using with your privacy, and decide whether that is an acceptable trade for you. If not, quit the site, delete your account, or at least start restricting your use of the site. There really is no other way. And make sure you have checked your privacy settings, and that you have a good password and two-factor authentication set up.