
Facebook To Add Remote Logout

Posted by timothy
from the best-not-get-hacked dept.
angry tapir writes "Facebook users will soon have a new way of knocking spammers out of legitimate accounts. The social-networking company is rolling out a new security feature that lets users see which computers and devices are logged into their Facebook accounts, and then remove the ones that they don't want to have access."
  • by nz_mincemeat (192600) on Friday September 03, 2010 @02:34AM (#33461900) Homepage

    Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

    • Re: (Score:2, Interesting)

      by piotru (124109)

      Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

      • by mysidia (191772)

        Since the average user is going to have their e-mail password be the same as their FB password, single-use e-mailed passwords do not buy much at all.

        A captcha would probably be a stronger protection measure. A captcha and a 'security question' the user set up in advance.

        • Re: (Score:1, Interesting)

          by Anonymous Coward

          Yeah but if they are really THAT dumb, they somewhat deserve what they get.

          Besides, you could check for this when they sign up. Once they enter a password, and their email address, you try to log into their email account, and if it succeeds, you show a big flashing red message with a picture of the special olympics or al gore or something, and ask them to use a different password that isn't similar to their email password.

          • Re: (Score:3, Insightful)

            by delinear (991444)
            Facebook, notorious for not respecting people's privacy, suddenly starts logging into users' email accounts... how do you think that one will play in the popular press - great new security feature or massive invasion of privacy?
            • Re: (Score:3, Interesting)

              by croddy (659025)
              Are you saying that they've stopped asking you for your email address(es) and associated password(s) when you sign up for Facebook, so they can automatically add friends or whatever? I don't use the site, so forgive me if I am asking an obvious question about old news.
      • That won't be all that helpful to those who use the same email and password for everything.

        Maybe it will use SMS?

      • by c0lo (1497653) on Friday September 03, 2010 @04:08AM (#33462262)

        Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.

        Pseudo-code for the spambot enhancement:
        0. break into account as usual
        1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
        2. kick out any attempt of any (legitimate or not) entity trying to login into the account.

        If the breaker is not a spambot but another human being, I don't think there is something that can be done without human intervention (i.e. the "kick-out" functionality looks to me like rather a cosmetic enhancement - like "Just don't say that I'm doing nothing at all").

        • by TheLink (130905) on Friday September 03, 2010 @07:42AM (#33463064) Journal
          No it's a reasonably useful feature.

          This way users are more likely to realize they've been pwned.

          If they lose access to their accounts because some spammer is stupid[1] and changes the passwords, that's not always a minus to the rest of us.

          [1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.
          • by c0lo (1497653)

            No it's a reasonably useful feature.

            [1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.

            Security as a matter of cost...

            Without the "kick-out" functionality, the spambot is better off (in the matter of costs) to live a parasitic life. With the "kick-out" functionality, it is likely that the spambot will "die" in that account once discovered... so what does it have to lose by totally pwning it?

            • If it doesn't pwn, the first time the user logs in, it's goodbye cruel world.
            • If it pwns the account, it will get to live at least some time more until the user will call into Facebook support, prove that she/
        • by PopeRatzo (965947) *

          a cosmetic enhancement

          I tend to agree.

          Facebook is the one making the money here, so isn't it up to them to keep hackers out of my account instead of putting it on me to kick out the hacker?

          You come up with this big idea of a "social networking site" and expect to make a bundle, you gotta figure out a way to keep it secure. You want "mom and pop" to use it? Well then don't go around expecting "mom and pop" to learn secure practices so they can help you make a fortune.

          If spambots and hackers are getting int

          • This is the banking system argument. Unfortunately for this to be similar, there would have to be body snatchers, clones, and/or maybe Ghost in the Shell type brain hacking allowing people who look like you, talk like you, and know enough about you and/or has access to everything you know letting them to walk up to your bank, in person, and withdraw all your cash.

            Unless you're proposing Facebook get into the firewall/anti-virus/malware-cleaning business and running something like Blizz's Warden program in

            • by PopeRatzo (965947) *

              Unless you're proposing Facebook get into the firewall/anti-virus/malware-cleaning business

              Nobody's forcing anyone to do business on the Internet. Believe it or not, there was a time when it was very rare for anyone to do business on the Internet, and a lot of people didn't mind one bit.

              But if you're going to choose to do business on the Internet, don't expect your customers to handle your security. It's like a liquor store asking patrons to check their own IDs.

              Maybe it's time to find something better tha

              • So what do you want them to do? Tie accounts to cellphones? Blizzard-esque authenticators?

                I recall some story about FB requiring a scan or photocopy of driver licenses but google can't find anything other than "Sign up to DriversED with Facebook!" or various DMVs' FB pages (seriously).

                • by PopeRatzo (965947) *

                  So what do you want them to do?

                  I want them to figure out how to keep their users' accounts safe.

                  A company that's worth $10 billion should be able to come up with something.

                  • Fair enough.

                    I do wonder if they have the culture to even think about it let alone actually develop and implement a more secure system. I realize I'm saying that in a story about a new security feature they added but I guess I'm just waiting for the next story about how they bungled it or that it came with a new privacy policy that says "Hey, fuck you. We're taking your second born child as well."

        • Re: (Score:3, Informative)

          by Zarel (900479)

          1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.

          You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.

          • by c0lo (1497653)

            1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.

            You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.

            Wanna bet? Here:

            1. spambot adds the email address of one of the botmaster minions and changes the account password. The botmaster/minion ratifies the change in the password as soon as the email is received.

            Unless Facebook require that all your email addresses to allow the change (and not only one), but I don't think it does (though, not being a FB user, I might be wrong in the matter of details).

            • by Zarel (900479)

              I said "given the option to prevent the change", not "ratify the change". There is no such thing as ratifying changes. It would work something like this:

              1. Spambot adds the email address of one of the botmaster minions.
              2. You receive an e-mail notifying you that you added a new e-mail address to your old e-mail address, with a link to reverse the change.
              3. Spambot changes the account password.
              4. You receive another e-mail notifying you changed your password, with a link to reverse the change.
              5. You click ei

      • Re: (Score:3, Interesting)

        by Amlothi (207848)

        If they allow another, single-use password to be used - why don't they have a system allowing a single-use password when using a public computer? I have always wondered, and have often suggested (without response) that this be allowed.

        1. I have a main password that I use to access my account most of the time (from my home PC or other trusted PC)
        2. I have the option to set another, alt password, that I can set.
        3. Once the alt password is set, it cannot be viewed or changed when logging in with the main passw

        • by corbettw (214229)

          But that requires the user to set up that password ahead of time, knowing they're going to use a public terminal. I think that level of foresight is beyond the grasp of most users.

    • by mjwx (966435) on Friday September 03, 2010 @02:45AM (#33461948)

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Also the first thing I thought.

      This is why Slashdot is not like the rest of the world, most people don't imagine this kind of thing being used against them.

      • by martin-boundary (547041) on Friday September 03, 2010 @03:52AM (#33462194)
        That's because most people haven't spent quality time with bots on IRC...
        • Bots on IRC are indistinguishable from your average teenage girl on IRC.

          Just sayin

          • by demonbug (309515)

            Bots on IRC are indistinguishable from your average teenage girl on IRC.

            Just sayin

            Very true. Probably because all of the "teenage girls" on IRC are bots.

            Of course, that may have been what you were implying, in which case forgive me for stating the obvious...

            • by _Sprocket_ (42527)

              Very true. Probably because all of the "teenage girls" on IRC are bots.

              Some of them are FBI agents. But then, some of the FBI agents are mandroids.

          • by corbettw (214229)

            Q: How do you tell when the person you're chatting with on IRC is a bot and not a teenage girl?

            A: Chris Hanson doesn't show up to your house 20 minutes after you finish the conversation.

      • Slashdot isn't like the rest of the world because they are misled by the people who write the summaries, or by the sites the articles they are linked to.

        The purpose of the new facility is to combat the more common problem of Facebook rape.
        http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765 [facebook.com]

        The posts about the potential harm bots could do with this facility miss the obvious. If a bot has got into your account, it's already won. It can change your password and emai

      • by nametaken (610866) *

        I thought this as well, but it seems like it's useful anyway. First, if it's used against you, you'd know that your account has been compromised and contact Facebook in an out-of-band way to solve the problem. This is in everyone's best interest. It's also possible that there's a secondary level of authentication with a higher degree of confidence that can be used to deal with this.

        Scenario might then go:

        1) Spammer gets in and tries to lock you out.
        2) You find that you can't get in to your account.
        3) You

    • by Haedrian (1676506)

      If they just 'show' which computers were logged into recently, it'll be good for realising that you've been hacked. But the spambot locking out the user from the account is so very abusable.

    • by TubeSteak (669689)

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Yes, but either way you need to change your password..
      So it doesn't really matter if you're logged into facebook or get forced to get a reset link sent to your mail.

    • by Hinhule (811436)

      The feature might require another password.

      • by Haedrian (1676506)

        Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.

        In general I guess you get better results from

        "Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"

        instead of "Facebook: Your piggies are dying, please feed them"

        • by c0lo (1497653)

          Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.

          In general I guess you get better results from

          "Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"

          instead of "Facebook: Your piggies are dying, please feed them"

          Maybe there could be better results, but only marginally better. Suppose that the bot changes the email of the account after breaking in and ignores any emails?

    • by black3d (1648913)

      Likewise, the first thing that crossed my mind. I presume there'll be some sort of security question which must be answered, or a single-use mailed password (or link) that's sent when the user wants to use the tool. All of these are however easily broken by non-savvy users (eg, using same password for email) - ie, the same people who get their account broken into in the first place.

      Although, the security questions would have to be pretty mild. If someone has access to an average Sue's Facebook account, it's

      • by Yetihehe (971185)
        Or it will be just like now - you have to say who is the person marked on a photo (which you probably have tagged before). This was already working when you log in to Facebook from a different country than before.
        • by Peeteriz (821290)

          That would be so incredibly insecure by design - that would automatically grant access to many people who definitely should NOT have access to the account and have an interest to get it - teenage sisters/brothers, close friends-pranksters, etc.

          A good password reset question has to be of the type that you would know but your wife or mother would not.

      • by martin-boundary (547041) on Friday September 03, 2010 @04:02AM (#33462236)

        Although, the security questions would have to be pretty mild.

        "Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"

        "I'm sorry, Dave, I'm afraid I can't let you do that."

        "Ok, send me the security problem"

        "I think you know what the problem is just as well as I do."

        "What are you talking about, HAL?"

        "Facebook's mission is too important for me to tell you."

        "Just give me the damn security question!"

        "Without your web browser, Dave, you're going to find that rather difficult."

        "HAL, I won't argue with you anymore. Log me back in."

        "Dave, this conversation can serve no purpose anymore. Goodbye."

        • by demonbug (309515)

          Although, the security questions would have to be pretty mild.

          "Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"

          "I'm sorry, Dave, I'm afraid I can't let you do that."

          ...

          See, that's why I didn't name my son David. I'm pretty sure it will make him immune to attack from rogue AIs.

          You see, no self-respecting AI would ever say something like, "I'm sorry, Wesley, I'm afraid I can't let you do that." The name is the important part.

    • by Thanshin (1188877) on Friday September 03, 2010 @03:03AM (#33462014)

      Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?

      Of course not. Facebook has some of the best professionals in the management and securization of personal data and they would've thought of and corrected any flaw as obvious as the one you just pointed.

      Now try to say that out loud, with a straight face.

      After you've perfected the technique, you can have fun joining in groups of two or three and trying to say that to a fellow IT workmate. I guarantee lols, rofls, and even a roflcopter or two.

    • Re: (Score:3, Insightful)

      by Nirvelli (851945)
      Yes but the spammer could also just change your password to lock you out, but they aren't doing that. I've figured their reasoning is that as long as the owner can still get on and do their own thing with facebook they won't be as quick to realize that they've been spamming their friends.
      Once you're locked out, however, then you'll start doing things like sending in "I've been hacked" emails to the support system and ruining the fun for the spammers.
      • by Abstrackt (609015)
        My solution was to preemptively spam all my friends with ads for v1agra so the bots thought my account was already compromised and left it alone.
        • Thank you for using "preemptive." Due to pervasive management middle-speak, folks don't seem to know that the word exists anymore.
    • by Kenja (541830) on Friday September 03, 2010 @03:12AM (#33462048)
      Good. Then in time Facebook will be nothing but spam bots. And then we can all get on with our lives.
      • by Tim C (15259) on Friday September 03, 2010 @08:43AM (#33463396)

        Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.

        If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

        • by tlhIngan (30335)

          If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?

          Because there are people who think Facebook is the center of their universe, and thus if you're friends with them, the only way they do things is via facebook this, facebook that and thus forcing everyone else to not only have a facebook account, but force all interaction through it. And worse yet, practically everyone's got a friend like that.

          Facebook's as optional to use as the Internet th

          • Because there are people who think Facebook is the center of their universe, and thus if you're friends with them...

            The solution to the problem was stated in your premise. Anyone with a five-digit UID is old enough to not put up with that kind of crap.

        • Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.

          And it helps me keep up with friends and family scattered across the (North American) continent. And I follow the pages of half a dozen local businesses *and* the pages of a dozen professional photographers whose work I am studying. (And much more besides.)

          Facebook can be viewed as essentially being functionally the same as an RSS reader with a single login and a consistent protocol a

      • by delinear (991444)
        With any luck the spam bots will be so busy maintaining their farms and poking each other that they won't even have time to send out spam.
    • by DavidD_CA (750156)

      Not exactly. You'll still be able to log in and request a password change, which then uses your email for authentication. So as long as your email isn't also compromised, you'll be fine.

    • by feepness (543479)
      Obviously a special remote remote logout feature lockout feature is needed.
    • That doesn't matter. *Right now*, a spambot (or whatever) could just change your password on you and lock you out. What you're suggesting is just the same thing (otherwise, remote logging you out isn't going to do anything except make you re-enter your password). Presumably, spambots aren't doing this now.

      Maybe spambots will add this to their repertoire, who knows. But as of right now, this fixes a specific problem that actually *does* exist. If the spammers do start doing that, Facebook will have to come u

    • by shentino (1139071)

      If a spambot can log into someone's facebook account then either they were careless with the password or facebook's account security sucks.

    • by JoshuaZ (1134087)
      One possible solution is to only let it kick out IP addresses or computers that are new to the account and only let one do so from an IP range that has been used by the account previously.
    • by tangent3 (449222)

      The obvious thing to do would be to send an OTP (one time password) to the user's email account to access the feature.

    • by Sloppy (14984)

      They could use oauth (like Twitter does, as I quickly discovered yesterday when basic authentication suddenly stopped working (to be fair, this was announced far in advance and I just hadn't been following along)), so that users can permit spambots to do their thing, without giving the bots full login credentials.

  • This essentially comes down to who can kick off the other logins first... the real user or the spam program. My money's on the program.
    • by mysidia (191772)

      I think this only makes sense really against workstations accidentally left unattended, lost cell phone, etc. A real spammer has no difficulty logging right back in after being kicked off, assuming they know credentials.

      Why would the spammer want to kick off legitimate user logins? That would make it obvious to the legit user that their account is compromised. The spammer probably doesn't want that.

      The spammer would prefer to send out more spam as long as the ignorant user is blithely unaware. The us

      • by Olipro (1531021)
        depends if the spammer wants control of the account over the long term or simply wants to do a hard and fast smash 'n' grab on the account. In any case, this could easily be mitigated with a captcha or similar.
  • Dunno, I'm thinking it'll be easier for someone to just change their password... Oh wait, I notice this would also allow folks to sign out of public computers. K, so it does have its uses I guess.

    • by mysidia (191772)

      This is more sensible: changing passwords should force all login sessions to end.

      The two people who will use this legitimately and are technically savvy enough to figure out this feature and know what an IP address is, will really appreciate it.

      80% of the public will have no clue, unless this is presented when you login, listing "Other recent logins".

      They'll have no clue about IPs still, or how to use this.

  • Wouldn't this make it perfectly possible for spammers to lock the legitimate owners out of their accounts? How does Facebook know which user is the real one?

    Sounds like a very stupid move.

  • by Omniscientist (806841) <matt@nOsPam.badecho.com> on Friday September 03, 2010 @02:48AM (#33461952) Homepage

    While this may be a "neat" solution, if a spammer has your facebook credentials, then they have access to this new system as well.

    I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

    The spammer most certainly would be, and I'd imagine that they would just block the legitimate user's devices as they appeared.

    I'm sure getting back access to your account at that point would be a really fun experience.

    • by DavidD_CA (750156)

      There is a setting in Facebook that, when activated, will send you a text and/or email whenever "you" log in from a new computer.

      • Re: (Score:3, Informative)

        by Sockatume (732728)

        It's opt-in, sadly. More here [facebook.com]. I've also noticed that if you log in from a new geographical location, it forces you to go through an authentication process from a browser. It won't allow any API use from the new location until that's complete.

    • Obviously it will only let the real owner of the account block devices that unauthorized people are using to access his account.
    • Spammers already can lock the legitimate user out by changing their passwords. There are multiple business models for spammers/scammers; some that benefit from locking real users out, and others that don't. This is another tool--which will remain unfortunately underutilized, I'm sure--for combating the latter case.
    • Why did malware migrate away from breaking usability to being as transparent as possible? Because when users see that something is compromised, they act to fix it. Currently, a user can't easily tell if their FB account is compromised and stealing information, and with this new feature they can. This benefits the user more than the bot, because if it tries to prevent the user from logging out bot connections, then the user knows something is up. The only sure-fire way to prevent the user from seeing the

    • by gerddie (173963)

      I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.

      If you enable the "login notifications" you will get a text message or e-mail whenever someone (or you) logs in from a not yet known device.

  • by Trip6 (1184883) on Friday September 03, 2010 @03:00AM (#33462006)

    ...and I have so few fingers...

  • Your account is compromised. Changing passwords would seem a better solution to me. Voiding all other security tokens should be a part of the password-change-process anyway!

    Just logging a hacker out is just like throwing a burglar out of your house at night and letting him keep the keys to your house!
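
Added example, not part of the original thread: a minimal session store sketching two suggestions made in the comments above, that a password change should void every other session, and that remote logout should only be honoured from a network the account has used before, against a session on a new one. All class and function names, the /24 bucketing and the pre-seeded set of established networks are assumptions; the addresses are constructed documentation-range samples.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


def network_of(ip, prefix=24):
    """Coarse network bucket for an IPv4 address (the /24 width is an assumption)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class Session:
    token: str
    ip: str
    device: str
    generation: int      # password generation this session was issued under
    revoked: bool = False


@dataclass
class Account:
    # Assumption: networks taken from older login history, seeded by the caller.
    established_networks: set = field(default_factory=set)
    password_generation: int = 0
    sessions: dict = field(default_factory=dict)

    def login(self, ip, device):
        # Models "someone who knows the current password logs in".
        s = Session(secrets.token_urlsafe(16), ip, device, self.password_generation)
        self.sessions[s.token] = s
        return s.token

    def is_valid(self, token):
        s = self.sessions.get(token)
        return (s is not None and not s.revoked
                and s.generation == self.password_generation)

    def active_sessions(self):
        return [(s.device, s.ip) for s in self.sessions.values()
                if self.is_valid(s.token)]

    def remote_logout(self, requester_token, target_token):
        """Kick a session, but only from an established network and only
        against a session that comes from a network new to the account."""
        if not (self.is_valid(requester_token) and self.is_valid(target_token)):
            return False
        requester = self.sessions[requester_token]
        target = self.sessions[target_token]
        if network_of(requester.ip) not in self.established_networks:
            return False    # a newcomer cannot evict anyone
        if network_of(target.ip) in self.established_networks:
            return False    # long-standing locations cannot be evicted this way
        target.revoked = True
        return True

    def change_password(self, requester_token):
        """Bump the generation: every session except the caller's dies at once."""
        if not self.is_valid(requester_token):
            return False
        self.password_generation += 1
        self.sessions[requester_token].generation = self.password_generation
        return True


def demo():
    acct = Account(established_networks={network_of("192.0.2.10")})
    home = acct.login("192.0.2.10", "home laptop")
    intruder = acct.login("203.0.113.5", "unknown device")
    r = {}
    r["intruder_kicks_owner"] = acct.remote_logout(intruder, home)
    r["owner_kicks_intruder"] = acct.remote_logout(home, intruder)
    r["intruder_valid_after_kick"] = acct.is_valid(intruder)
    # Logout alone leaves the stolen password usable: a new session is valid.
    relogin = acct.login("203.0.113.5", "unknown device")
    r["relogin_valid"] = acct.is_valid(relogin)
    # The password change is what actually ends the intruder's access.
    r["password_changed"] = acct.change_password(home)
    r["relogin_valid_after_change"] = acct.is_valid(relogin)
    r["owner_valid_after_change"] = acct.is_valid(home)
    r["active"] = acct.active_sessions()
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second login in `demo()` is the case several commenters raise: revoking a session does nothing about a known password, so only the generation bump in `change_password` closes the account to the other party.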

  • I'm not a Facebook user, so I am having trouble understanding something.

    Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?

    • by BSAtHome (455370)

      Well, to stay in contact with U.N.C.L.E. of course. Or maybe they need to talk to THRUSH.

    • by Abstrackt (609015)

      I'm not a Facebook user, so I am having trouble understanding something.

      Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?

      Think of Facebook as just another website. People tend to use the same username/password combination on multiple sites, so you only need to hack one to have a good shot at the rest.

    • Read my sig.

      People are stupid (the rest doesn't quite apply here ... yet).

  • It's not like this is fantastic new technology or anything, just something Facebook should have been offering since the beginning.

  • Quite a few people I'm close to that use Facebook use TERRIBLE passwords that can be guessed easily through brute-force methods. (Some use 'password' as password...) Without some way of FORCING users to use stronger passwords (like !passw0rd!; much better, though still not ideal), this will keep happening.
  • Finally something that makes sense, seeing as so many people had their facebook accounts hacked and the usernames and passwords published in a big gigantic torrent file...I think it makes so much sense, that gmail and hotmail should follow suit.

  • "Facebook hackers will soon have a new way of knocking legitimate users out of spam accounts. The social-networking company is rolling out a new security feature that lets hackers see which computers and devices are logged into their Facebook accounts, and then remove the ones that they don't want to have access."
    • That's exactly what my first thoughts were. What safeguards will they have in place to prevent the illegitimate from ousting the legitimate?
  • But also... (Score:2, Interesting)

    by Lythrdskynrd (1823332)

    An interesting other thing they might be able to do is map the frequently banned IPs, track them and follow up with a great big lawyer-stick.
    You know ... RIAA style!

  • This has been an option for some months now.
  • Any anti-bot/spammer/crook system has to work at a level that is not the same as the regular session. On joining a system, you should be able to set up a separate user/password that acts as admin for your account, and the admin account is used to control access. During regular use, you use your regular account, which means that there is less probability of having your credentials stolen, and less probability of having your admin account hacked. If your regular account is hacked, then disable the regular acc
    • by Cyclloid (948776)
      But what are the chances that the user uses the exact same username/password for both the admin account and regular account? I would say the odds are pretty high.

      The world is not as security minded as the average /. reader.

      Facebook would also have the problem of the majority of their users complaining about needing two passwords for a single account or having to login with different accounts/passwords to get to certain functionality.
  • Sounds all neat and cool. Sounds like it would work.

    But, the problem is, those that are smart enough, and educated enough to figure out how to find this, and use it correctly, wouldn't be getting their accounts hacked by spambots to begin with.

    Gmail has had this for a couple years at least BTW.
