
Facebook To Add Remote Logout

angry tapir writes "Facebook users will soon have a new way of knocking spammers out of legitimate accounts. The social-networking company is rolling out a new security feature that lets users see which computers and devices are logged into their Facebook accounts, and then remove the ones that they don't want to have access."

  • by piotru ( 124109 ) on Friday September 03, 2010 @02:41AM (#33461926) Homepage Journal

    Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

  • by Omniscientist ( 806841 ) <matt@nOspAm.badecho.com> on Friday September 03, 2010 @02:48AM (#33461952) Homepage

    While this may be a "neat" solution, if a spammer has your Facebook credentials, then they have access to this new system as well.

    I must admit I am not familiar with the nature of "Facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged-on devices.

    The spammer most certainly would be, and I'd imagine that they would just block the legitimate user's devices as they appeared.

    I'm sure getting back access to your account at that point would be a really fun experience.

  • by c0lo ( 1497653 ) on Friday September 03, 2010 @04:08AM (#33462262)

    Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

    Pseudo-code for the spambot enhancement:
    0. break into account as usual
    1. adjust the account email address to something of your choice. Potentially, follow this by a change of the password for that account.
    2. kick out any attempt of any (legitimate or not) entity trying to log in to the account.

    If the breaker is not a spambot but another human being, I don't think there is something that can be done without human intervention (i.e. the "kick-out" functionality looks to me like rather a cosmetic enhancement - like "Just don't say that I'm doing nothing at all").

  • by Anonymous Coward on Friday September 03, 2010 @04:20AM (#33462310)

    Yeah but if they are really THAT dumb, they somewhat deserve what they get.

    Besides, you could check for this when they sign up. Once they enter a password, and their email address, you try to log into their email account, and if it succeeds, you show a big flashing red message with a picture of the special olympics or al gore or something, and ask them to use a different password that isn't similar to their email password.

  • by Amlothi ( 207848 ) on Friday September 03, 2010 @05:44AM (#33462616)

    If they allow another, single-use password to be used - why don't they have a system allowing a single-use password when using a public computer? I have always wondered, and have often suggested (without response) that this be allowed.

    1. I have a main password that I use to access my account most of the time (from my home PC or other trusted PC)
    2. I have the option to set another, alt password, that I can set.
    3. Once the alt password is set, it cannot be viewed or changed when logging in with the main password.
    4. After logging in with the alt password one time, the alt password will no longer work. Following this, logging in with the main password allows the user to set another (different) alt password.

    I'd feel much more comfortable logging into an account using a public terminal if I knew that the password was disposable.
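
The four-step disposable-password scheme from the comment above, as an added example (not code from the thread or from Facebook). The `Account` class, its method names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _kdf(password: str, salt: bytes) -> bytes:
    # Store only salted, stretched hashes, so the alt password cannot be viewed later.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Hypothetical account with a main password and a one-time alt password."""

    def __init__(self, main_password: str):
        self._salt = os.urandom(16)
        self._main = _kdf(main_password, self._salt)
        self._alt = None       # hash of the pending alt password, if any
        self._spent = None     # hash of the last consumed alt password

    def login(self, password: str):
        """Return "main", "alt", or None when the password is rejected."""
        digest = _kdf(password, self._salt)
        if hmac.compare_digest(digest, self._main):
            return "main"
        if self._alt is not None and hmac.compare_digest(digest, self._alt):
            # Step 4: the alt password is burned by its first successful use.
            self._spent, self._alt = self._alt, None
            return "alt"
        return None

    def set_alt(self, main_password: str, new_alt: str) -> None:
        """Steps 2 and 3: only the main password may set an alt, and only if none is pending."""
        if not hmac.compare_digest(_kdf(main_password, self._salt), self._main):
            raise PermissionError("main password required")
        if self._alt is not None:
            raise PermissionError("an unused alt password is already set")
        digest = _kdf(new_alt, self._salt)
        reused = self._spent is not None and hmac.compare_digest(digest, self._spent)
        if reused or hmac.compare_digest(digest, self._main):
            raise ValueError("alt password must differ from the main and the last alt")
        self._alt = digest

if __name__ == "__main__":
    acct = Account("constructed-main-pw")          # constructed sample values
    acct.set_alt("constructed-main-pw", "kiosk-pw-1")
    print(acct.login("kiosk-pw-1"))                # first use on the public terminal
    print(acct.login("kiosk-pw-1"))                # a replayed alt password is rejected
```

A caller would use the value returned by `login` to decide what the session may do; what an "alt" session is allowed to change is not specified in the comment and is left out here.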

  • by jamesh ( 87723 ) on Friday September 03, 2010 @06:36AM (#33462820)

    Yes, I can't see any solution that isn't going to hurt at least a little bit. Maybe they could have some fun with it though. As soon as someone hits the "log other session out" button, the account is prevented from sending any messages (stop you doing a spam-and-run) and a 60 second timer starts and the other session is alerted that someone wants to kick them out. If they click the 'contest' button then a fight to the death begins to prove which is the real slim shady. Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user. If you don't know stuff about your Facebook friends then you deserve to lose the account anyway :)

    If you had a webcam you could take a photo of yourself holding today's newspaper or striking a specified pose or something and your friends could decide if that is really you and if the picture is really current (because bots don't know how to use photoshop :)

    My biggest concern is that it's going to be an arms race with Facebook vs the bots and that over time the bots are going to have to be written smarter and smarter and that they'll eventually become self-aware!

  • by TheLink ( 130905 ) on Friday September 03, 2010 @07:42AM (#33463064) Journal
    No it's a reasonably useful feature.

    This way users are more likely to realize they've been pwned.

    If they lose access to their accounts because some spammer is stupid[1] and changes the passwords, that's not always a minus to the rest of us.

    [1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.
  • But also... (Score:2, Interesting)

    by Lythrdskynrd ( 1823332 ) on Friday September 03, 2010 @09:33AM (#33463808)

    An interesting other thing they might be able to do is map the frequently banned IPs, track them and follow up with a great big lawyer-stick.
    You know ... RIAA style!

  • by croddy ( 659025 ) on Friday September 03, 2010 @12:12PM (#33465644)
    Are you saying that they've stopped asking you for your email address(es) and associated password(s) when you sign up for Facebook, so they can automatically add friends or whatever? I don't use the site, so forgive me if I am asking an obvious question about old news.
