The modern Face(book) of security …

The rise of social networking sites like Facebook has created entirely new social spaces for humans to interact in. From that perspective, Facebook and others like it are a success, providing a fascinating new way for people to connect. But one aspect that seems to be missing in the discussion of Facebook and others is security.

In this age of identity theft, security experts have come out with guidelines to help protect us from identity theft using all manner of schemes, but one of the methods that is growing very fast these days is phishing. Explained as simply as possible, phishing involves sending email or web links that appear to be from a reputable source (like your own bank or email company for instance) but are in fact fake pages designed to collect passwords. The first suggestion security experts have to combat this trend involves users paying attention to where they enter their passwords. For example, the ONLY place to enter your bank password is on your bank’s web site … not in an email, not on someone else’s site that claims to link to your bank, ONLY on your bank’s site. For your email account, you only enter the password on your email’s website … never on any other site.

Which leads to a very disturbing aspect of social networking sites like Facebook. I recently signed up for a Facebook account, and one of the first things I was asked to do was enter my email name and email password on the Facebook site so they could search my address book for contacts. Now, I understand that they are trying to make the initial experience a bit more transparent for users, allowing a way to import your contacts and find them on Facebook, but this violates the first principle of anti-phishing behaviour … NEVER enter your passwords ANYWHERE but the specific site they are designed for. It strikes me that regardless of how many safeguards they put in place, the idea of giving my email password to ANYONE else for any reason is a serious breach of security protocol.

I am NOT trying to argue that Facebook is collecting email addresses and passwords, not at all. I expect Facebook is operating completely above-board, and when they say they don’t store your password, I have no reason to disbelieve them. But anti-phishing efforts, and efforts to combat identity theft in general, are issues of behaviour more than issues of technology … the sort of behaviour this “feature” of Facebook encourages is in direct violation of the advice of experts trying to help people avoid identity theft and phishing. It is a feature that I think needs to be re-thought.
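As an added illustration of the rule above (not part of the original post), here is a small Python origin check of the kind a password manager applies: a saved password is released only on an HTTPS page whose host is, or is a subdomain of, the host it was saved for, so a third-party sign-up page asking for your email password is refused. The hostnames and the policy table are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example: each password has exactly one "home" origin where it
# may be typed. The hostnames are made up for this illustration.
CREDENTIAL_HOME = {
    "bank": "https://www.example-bank.test",
    "email": "https://mail.example-mail.test",
}


def _scheme_and_host(url):
    """Return (scheme, hostname), lower-cased, trailing dot removed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme.lower(), host


def check_password_entry(credential, page_url):
    """Decide whether the password for `credential` may be entered on `page_url`.

    Returns (allowed, reason). The rule is the article's: a password is typed
    only on the site it belongs to, here an HTTPS page on the home host or a
    subdomain of it.
    """
    _, home_host = _scheme_and_host(CREDENTIAL_HOME[credential])
    page_scheme, page_host = _scheme_and_host(page_url)

    if page_scheme != "https":
        return False, "page is not served over https"
    if not page_host:
        return False, "page URL has no hostname"
    # Suffix match on a label boundary: "mail.example-mail.test.evil.test" does
    # not end with ".mail.example-mail.test", so lookalike hosts are refused.
    if page_host == home_host or page_host.endswith("." + home_host):
        return True, "host matches credential home " + home_host
    return False, "host %s is not %s or a subdomain of it" % (page_host, home_host)


if __name__ == "__main__":
    # Constructed sample prompts; the second is the "import your contacts" case.
    samples = [
        ("email", "https://mail.example-mail.test/login"),
        ("email", "https://social.example.test/signup/import-contacts"),
        ("email", "https://mail.example-mail.test.evil.test/login"),
        ("email", "https://mail.example-mail.test@evil.test/login"),
        ("bank", "http://www.example-bank.test/login"),
    ]
    for cred, url in samples:
        ok, why = check_password_entry(cred, url)
        print("%-5s %-55s %s (%s)" % (cred, url, "OK" if ok else "REFUSE", why))
```

The userinfo form `https://home-host@evil.test/` is refused because `urlsplit` reports the real hostname after the `@`, which is the same parsing a browser does.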


14 Responses

  1. I am really glad you think the same way I do. I just thought it funny first off that they would want MY password to MY personal email account. I mean sometimes I get personal emails with codes and names and numbers and dollar amounts etc. that are meant for me and no one else and I don’t like the idea of having that open to Facebook like that. I mean, what is the purpose of an email password anyway? That is just too weird for me. Hence the reason why I will not be getting a Facebook account! Thanks for your input!

  2. Absolutely. Facebook should not be asking for your email and password to that email. And you should definitely not give it to anyone.
    I gotta say, that seems really dodgy. There is no way any website should need or ask for your email password. No way. I wouldn’t give out my front door or mailbox key to a random person asking, and giving out your email password is like doing that. I would advise the same being cautious…
    You would think if it was legitimate, it would let you manually enter the email addresses of your friends, there is no way it should have free access to your email account.

    It doesn’t seem right to me…. But maybe I just love a good conspiracy!! ^_^ Check out the link below

  3. But then again, your page also collects stats when people come through it. So who is to judge about collecting info, ay?

    Editor’s Note:
    Well, I haven’t asked you for any of your existing passwords, and I won’t. Collecting info or running stats isn’t the issue … it’s the inherent security concerns with giving out any passwords to other people.

  4. I feel the same. I am a network engineer and the only thing I have in mind when I design networks is security. Most of my friends are part of the facebook and they keep sending me invitations to join them. But when I tried to register myself and saw that facebook is asking my full account information, including my password, I thought there is no way I am giving my password to ANYONE in this planet for any purpose. After all, what is the purpose of having a password?

    No, thanks Facebook, I won’t take it!

    Have a good one everyone.

  5. You don’t have to use the ‘login to your email’ facility… It’s there as a convenience. If you want to upload an email address list, or just type your ‘friends’ email addresses individually, then you can.

    I agree it’s another face (no pun intended) of the risks inherent in Internet use, but it’s not mandatory…


    Editor’s Note: True enough Craig, and that’s the feature I used. Thing is, that’s not an obvious choice, and the way they have the sign-up designed, it looks like a necessary step is entering your email address. I’d rather see them take that off the sign-up completely, and leave an obvious link to the function on your home page somewhere to use if you choose to. With it in the sign-up like that, new users are often confronted with what looks like a demand for an email password before they can continue, and it takes some knowledge to be able to see that you can skip over that part. I’d like to see them be more explicit about it being optional, and not include it as part of the sign-up. As I said in the article, I can understand the desire for that functionality … I just think the obvious phishing implications need to be discussed as well.

  6. I was absolutely shocked when I saw Facebook asking for my e-mail account password. It took me several minutes of clicking around to find out how to add friends without doing so. I never did find a way to just type in e-mail addresses, but at length I found an option to upload a Thunderbird contact list.

    I agree with you 100% – even if Facebook doesn’t store your password (and that’s an IF – we have no way of knowing), it’s a serious violation of good security practices to give your password to a third party.

  7. A fine article, you are so right about this. Let’s hope it will be fixed soon.

  8. I typically use a “junk” email account for online use. I create this account with the bare minimum details required with no identifying information. I keep my work email account for work matters, and my personal ISP email account for personal correspondence between my friends only.

    If Facebook wants to look at the spam in my junk account – go right ahead! But I do think that for the majority of the internet using population, who are somewhat lax about security, it could pose a risk signing up with your work email account and handing over your passwords.

  9. Crazy. Even if Facebook uses it in a responsible manner, how about the guy that worked there for 3 days and gets fired? He collected a lot of email addresses and passwords. I think people need to worry about credit receipts, shredding, etc., but also the employee who works at these companies and got your birthday, SSN and other details. For example, a company that does your paycheck has lots of personal info, or your HRMS department — they can do you in if they don’t like you.

  10. Facebook asks you for an e-mail (user name) and a password (it is easier to remember one that you already have). This is to send you updates and to create an account under that e-mail’s name. The password does not have to correspond with your e-mail’s password.

    Editor’s Note: There is a “feature” where Facebook asks for the password of your email account so they can mine your contact list for friends. It’s not required to sign up, but the fact it’s not required is not well advertised. Besides, regardless of the reason for asking, and the utility of the information, the first cardinal rule of combating phishing is NEVER enter a password on ANY site except the one the password is for.

  11. I heard that employers and colleges could look at your Facebook account. Is this true? My teenager says it isn’t.

    Editor’s Note: Employers and colleges routinely do background checks online, including on social networking sites like Facebook and MySpace … it’s worth paying attention to what you post when you are doing it under a real name, which is the case for most people on Facebook.

  12. Ran into this as well when I signed up for Facebook. It is a total phishing technique and there is no way in hell I’m putting my personal email account password in there for ANY reason ever, and I can see where many MANY people would be fooled into thinking they had to…

    Shame on you, Facebook.

  13. Is giving your name and birthdate also questionable, in terms of security matters?

  14. Is giving your name and birthdate also questionable, in terms of security matters?

    Yes, many sites use this data to verify authenticity in case a registered member forgot his password – e.g. the so called “secret questions”.
