Facebook To Add Remote Logout
angry tapir writes "Facebook users will soon have a new way of knocking spammers out of legitimate accounts. The social-networking company is rolling out a new security feature that lets users see which computers and devices are logged into their Facebook accounts, and then remove the ones that they don't want to have access."
Stating the obvious... (Score:5, Insightful)
Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?
Re: (Score:2, Interesting)
Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.
Re: (Score:1)
Since the average user is going to have their e-mail password be the same as their FB password, single-use e-mailed passwords do not buy much at all.
A captcha would probably be a stronger protection measure. A captcha and a 'security question' the user setup in advance.
Re: (Score:1, Interesting)
Yeah but if they are really THAT dumb, they somewhat deserve what they get.
Besides, you could check for this when they sign up. Once they enter a password, and their email address, you try to log into their email account, and if it succeeds, you show a big flashing red message with a picture of the special olympics or al gore or something, and ask them to use a different password that isn't similar to their email password.
same email and password (Score:2)
That won't be all that helpful to those who use the same email and password for everything.
Maybe it will use SMS?
Re: (Score:2)
Maybe it uses a security question, and works like a password reset.
Re:Stating the obvious... (Score:5, Interesting)
Yes, unless there is another, single-use password specifically for this purpose, sent to the contact email address.
Pseudo-code for the spambot enhancement:
0. break into account as usual
1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
2. kick out any attempt of any (legitimate or not) entity trying to login into the account.
If the breaker is not a spambot but another human being, I don't think there is anything that can be done without human intervention (i.e. the "kick-out" functionality looks to me like rather a cosmetic enhancement - like "Just don't say that I'm doing nothing at all").
Re:Stating the obvious... (Score:4, Interesting)
This way users are more likely to realize they've been pwned.
If they lose access to their accounts because some spammer is stupid[1] and changes the passwords, that's not always a minus to the rest of us.
[1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.
Re: (Score:2)
No it's a reasonably useful feature.
[1] If you kick out the real user from his/her account you significantly raise the odds that someone is going to do something about/to you. Whereas previously the real user might not even notice his/her account is being used for spam, or not even care.
Security as a matter of cost...
Without the "kick-out" functionality, the spambot is better off (in the matter of costs) to live a parasitic life. With the "kick-out" functionality, it is likely that the spambot will "die" in that account once discovered... so what does it have to lose by totally pwning it?
Re: (Score:2)
I tend to agree.
Facebook is the one making the money here, so isn't it up to them to keep hackers out of my account instead of putting it on me to kick out the hacker?
You come up with this big idea of a "social networking site" and expect to make a bundle, you gotta figure out a way to keep it secure. You want "mom and pop" to use it? Well then don't go around expecting "mom and pop" to learn secure practices so they can help you make a fortune.
If spambots and hackers are getting int
Re: (Score:2)
This is the banking system argument. Unfortunately for this to be similar, there would have to be body snatchers, clones, and/or maybe Ghost in the Shell type brain hacking allowing people who look like you, talk like you, and know enough about you and/or have access to everything you know, letting them walk up to your bank, in person, and withdraw all your cash.
Unless you're proposing Facebook get into the firewall/anti-virus/malware-cleaning business and running something like Blizz's Warden program in
Re: (Score:2)
Nobody's forcing anyone to do business on the Internet. Believe it or not, there was a time when it was very rare for anyone to do business on the Internet, and a lot of people didn't mind one bit.
But if you're going to choose to do business on the Internet, don't expect your customers to handle your security. It's like a liquor store asking patrons to check their own IDs.
Maybe it's time to find something better tha
Re: (Score:2)
So what do you want them to do? Tie accounts to cellphones? Blizzard-esque authenticators?
I recall some story about FB requiring a scan or photocopy of driver licenses but google can't find anything other than "Sign up to DriversED with Facebook!" or various DMVs' FB pages (seriously).
Re: (Score:2)
I want them to figure out how to keep their users' accounts safe.
A company that's worth $10 billion should be able to come up with something.
Re: (Score:2)
Fair enough.
I do wonder if they have the culture to even think about it let alone actually develop and implement a more secure system. I realize I'm saying that in a story about a new security feature they added but I guess I'm just waiting for the next story about how they bungled it or that it came with a new privacy policy that says "Hey, fuck you. We're taking your second born child as well."
Re: (Score:2)
Why are banks able to provide a much higher level of security for online accounts without "checking my DNA"?
You want to say "Facebook can't be more secure" and I say "baloney". They're supposed to be big innovators, so innovate some security.
Re: (Score:3, Informative)
1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.
Re: (Score:2)
1. adjust the account email address to something at your choice. Potentially, follow this by a change of the password for that account.
You know, this can't actually result in an account takeover. Facebook implements a reasonably secure e-mail address change feature - all your existing e-mail addresses are notified and given the option to prevent the change.
Wanna bet? Here:
1. spambot adds the email address of one of the botmaster minions and changes the account password. The botmaster/minion ratifies the change in the password as soon as the email is received.
Unless Facebook requires all your email addresses to allow the change (and not only one), but I don't think it does (though, not being a FB user, I might be wrong in the matter of details).
Re: (Score:2)
I said "given the option to prevent the change", not "ratify the change". There is no such thing as ratifying changes. It would work something like this:
1. Spambot adds the email address of one of the botmaster minions.
2. You receive an e-mail notifying you that you added a new e-mail address to your old e-mail address, with a link to reverse the change.
3. Spambot changes the account password.
4. You receive another e-mail notifying you changed your password, with a link to reverse the change.
5. You click ei
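The revert-link flow described in the exchange above, as an added example in Python (not Facebook's code and not from anyone in this thread). It assumes a hypothetical in-memory account store: every address on file before a change is mailed a random revert token, the token restores the full pre-change state regardless of what the password is now, and a successful revert drops every other outstanding token for the account so a link mailed to the intruder's own address cannot undo the recovery. The addresses, passwords, the one-week TTL and the demo scenario are constructed.

```python
import hashlib
import secrets

TOKEN_TTL = 7 * 24 * 3600  # assumption: a revert link stays valid for one week


def hash_pw(password):
    # Stand-in only; a real service uses a slow, salted hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    def __init__(self, account_id, email, password):
        self.id = account_id
        self.emails = [email]            # every address currently on the account
        self.pw_hash = hash_pw(password)
        self.sessions = set()


class Service:
    """Hypothetical in-memory account service (constructed for this example)."""

    def __init__(self):
        self.accounts = {}   # account id -> Account
        self.pending = {}    # revert token -> {"account", "expires", "snapshot"}
        self.outbox = []     # (recipient address, token) pairs that would be e-mailed

    def create_account(self, account_id, email, password):
        acct = Account(account_id, email, password)
        self.accounts[account_id] = acct
        return acct

    def login(self, acct, password):
        if not secrets.compare_digest(hash_pw(password), acct.pw_hash):
            return None
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def _snapshot(self, acct):
        return {"emails": list(acct.emails), "pw_hash": acct.pw_hash}

    def _notify(self, acct, recipients, snapshot, now):
        """Store a revert point and mail its token to the addresses that predate the change."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = {"account": acct.id, "expires": now + TOKEN_TTL, "snapshot": snapshot}
        for addr in recipients:
            self.outbox.append((addr, token))
        return token

    def add_email(self, acct, new_email, now):
        before = self._snapshot(acct)
        acct.emails.append(new_email)
        self._notify(acct, before["emails"], before, now)   # the new address is not told

    def change_password(self, acct, new_password, now):
        before = self._snapshot(acct)
        acct.pw_hash = hash_pw(new_password)
        acct.sessions.clear()                     # a password change ends every session
        self._notify(acct, before["emails"], before, now)

    def revert(self, token, now):
        """Undo a change from its mailed link; authenticated by the old mailbox, not the password."""
        rec = self.pending.get(token)
        if rec is None or now > rec["expires"]:
            return None
        acct = self.accounts[rec["account"]]
        # Restore the whole pre-change state, so later changes by the intruder go with it.
        acct.emails = list(rec["snapshot"]["emails"])
        acct.pw_hash = rec["snapshot"]["pw_hash"]
        acct.sessions.clear()
        # Void every other outstanding revert token for this account; one of them was
        # mailed to the intruder's address and would otherwise undo this recovery.
        self.pending = {t: r for t, r in self.pending.items() if r["account"] != acct.id}
        return acct


def demo():
    """Constructed scenario from the thread: the intruder (holding the password) adds an
    address, then changes the password; the owner reverts from the original mailbox."""
    svc = Service()
    owner = svc.create_account("u1", "owner@example.org", "hunter2")
    svc.login(owner, "hunter2")
    svc.add_email(owner, "minion@example.net", now=1000)
    svc.change_password(owner, "pwned", now=1001)
    locked_out = svc.login(owner, "hunter2") is None
    recipient, first_token = svc.outbox[0]       # mailed to owner@ before minion@ existed
    reverted = svc.revert(first_token, now=2000) is owner
    minion_token = svc.outbox[-1][1]             # the password-change notice also went to minion@
    minion_retry = svc.revert(minion_token, now=2001)
    recovered = svc.login(owner, "hunter2") is not None
    return locked_out, recipient, reverted, list(owner.emails), minion_retry, recovered
```

The design choice worth noting is that the token is a random server-side key, not a signed blob carrying the old state, so nothing sensitive travels through the mail provider, and the snapshot restores everything, which is why clicking the earliest link is enough even after the intruder has changed the password.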
Re: (Score:3, Interesting)
If they allow another, single-use password to be used - why don't they have a system allowing a single-use password when using a public computer? I have always wondered, and have often suggested (without response) that this be allowed.
1. I have a main password that I use to access my account most of the time (from my home PC or other trusted PC)
2. I have the option to set another, alt password, that I can set.
3. Once the alt password is set, it cannot be viewed or changed when logging in with the main passw
Re: (Score:2)
But that requires the user to set up that password ahead of time, knowing they're going to use a public terminal. I think that level of foresight is beyond the grasp of most users.
Re:Stating the obvious... (Score:5, Interesting)
Yes I can't see any solution that isn't going to hurt at least a little bit. Maybe they could have some fun with it though. As soon as someone hits the "log other session out" button, the account is prevented from sending any messages (stop you doing a spam-and-run) and a 60 second timer starts and the other session is alerted that someone wants to kick them out. If they click the 'contest' button then a fight to the death begins to prove which is the real slim shady. Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user. If you don't know stuff about your facebook friends then you deserve to lose the account anyway :)
If you had a webcam you could take a photo of yourself holding today's newspaper or striking a specified pose or something and your friends could decide if that is really you and if the picture is really current (because bots don't know how to use photoshop :)
My biggest concern is that it's going to be an arms race with facebook vs the bots and that over time the bots are going to have to be written smarter and smarter and that they'll eventually become self-aware!
Re: (Score:2)
Honestly, I really like that idea (friends voting on who the real friend is). You reach a certain point where it just isn't worth the time and effort to write a better bot while the average Facebook user has time to make a hand-stitched devil costume, drive to Iowa and take a pic beside the road that says, "I'm the real Gary and I hate all of you."
Then again, I just like the idea of running users through ridiculous hoops when they create a password like, 'joanie372010' with a pic on the account that says, "Here
Re: (Score:2, Informative)
Each user is quizzed on facts about their friends that happen to be online (the account is locked to prevent you looking that stuff up) and whoever knows the least stuff about their friends gets kicked. The online friends judge which is the real user
Facebook already has something like this implemented if you log in from somewhere "unfamiliar". Not sure exactly how far you have to be from home, but when I went on vacation to another country and tried to log in I got prompted to identify 7 friends tagged in different photos. Any wrong answer would have kicked me out
Re: (Score:2)
I have had to go through that process as well, and it was incredibly frustrating. People get tagged in photos they aren't actually in all the time. So I had to pass the test by guessing which friend was tagged in a picture of a snowmobile or an infant.
I don't know if it's just my friends or if it's commonplace- either way, the system is broken.
-b
Re: (Score:2)
Whatever made you think in the first place, that the hackers ever cared to leave the legit user in possession of the account?
When push comes to shove, a lot of users are going to permanently lose accounts, and Captcha's not going to help; there hasn't been an effective Captcha developed yet.
And at that point, Facebook loses all value to its user base and becomes "Oh you still use Facebook? That's so yesterday!"
Re:Stating the obvious... (Score:5, Insightful)
Also the first thing I thought.
This is why Slashdot is not like the rest of the world, most people don't imagine this kind of thing being used against them.
Re: (Score:1)
Bots on IRC are indistinguishable from your average teenage girl on IRC.
Just sayin
Re: (Score:2)
Bots on IRC are indistinguishable from your average teenage girl on IRC.
Just sayin
Very true. Probably because all of the "teenage girls" on IRC are bots.
Of course, that may have been what you were implying, in which case forgive me for stating the obvious...
Re: (Score:2)
Very true. Probably because all of the "teenage girls" on IRC are bots.
Some of them are FBI agents. But then, some of the FBI agents are mandroids.
Re: (Score:2)
Q: How do you tell when the person you're chatting with on IRC is a bot and not a teenage girl?
A: Chris Hanson doesn't show up to your house 20 minutes after you finish the conversation.
Re: (Score:2)
Slashdot isn't like the rest of the world because they are misled by the people who write the summaries, or by the sites the articles are linked to.
The purpose of the new facility is to combat the more common problem of Facebook rape.
http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765 [facebook.com]
The posts about the potential harm bots could do with this facility miss the obvious. If a bot has got into your account, it's already won. It can change your password and emai
Re: (Score:2)
I thought this as well, but it seems like it's useful anyway. First, if it's used against you, you'd know that your account has been compromised and contact Facebook in an out-of-band way to solve the problem. This is in everyone's best interest. It's also possible that there's a secondary level of authentication with a higher degree of confidence that can be used to deal with this.
Scenario might then go:
1) Spammer gets in and tries to lock you out.
2) You find that you can't get in to your account.
3) You
Re: (Score:2)
If they just 'show' which computers were logged into recently, it'll be good for realising that you've been hacked. But the spambot locking out the user from the account is so very abusable.
Re: (Score:2)
Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?
Yes, but either way you need to change your password..
So it doesn't really matter if you're logged into facebook or get forced to get a reset link sent to your mail.
Re: (Score:2)
The feature might require another password.
Re: (Score:2)
Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.
In general I guess you get better results from
"Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"
instead of "Facebook: Your piggies are dying, please feed them"
Re: (Score:2)
Which can be phished for far easier - you just send them an 'urgent' sounding email, they click on the link and you get it.
In general I guess you get better results from
"Facebook: Account Acting Strangely... We think you may have been hacked, please visit [link] to see whether there are computers you didn't use"
instead of "Facebook: Your piggies are dying, please feed them"
Maybe there could be better results, but only marginally better. Suppose that the bot changes the email of the account after breaking in and ignores any emails?
Re: (Score:2)
Likewise, the first thing that crossed my mind. I presume there'll be some sort of security question which must be answered, or a single-use mailed password (or link) that's sent when the user wants to use the tool. All of these are however easily broken by non-savvy users (e.g., using the same password for email) - i.e., the same people who get their account broken into in the first place.
Although, the security questions would have to be pretty mild. If someone has access to an average Sue's Facebook account, it's
Re: (Score:2)
That would be so incredibly insecure by design - that would automatically grant access to many people who definitely should NOT have access to the account and have an interest to get it - teenage sisters/brothers, close friends-pranksters, etc.
A good password reset question has to be of the type that you would know but your wife or mother would not.
Re: (Score:2)
"What is your favorite kind of porn?"/"Who is your favorite porn star?"
Re:Stating the obvious... (Score:5, Funny)
"Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"
"I'm sorry, Dave, I'm afraid I can't let you do that."
"Ok, send me the security problem"
"I think you know what the problem is just as well as I do."
"What are you talking about, HAL?"
"Facebook's mission is too important for me to tell you."
"Just give me the damn security question!"
"Without your web browser, Dave, you're going to find that rather difficult."
"HAL, I won't argue with you anymore. Log me back in."
"Dave, this conversation can serve no purpose anymore. Goodbye."
Re: (Score:2)
"Hey, looks like I've been hacked. HAL, kick the hacker out of my FB account!"
"I'm sorry, Dave, I'm afraid I can't let you do that."
See, that's why I didn't name my son David. I'm pretty sure it will make him immune to attack from rogue AIs.
You see, no self-respecting AI would ever say something like, "I'm sorry, Wesley, I'm afraid I can't let you do that." The name is the important part.
Re:Stating the obvious... (Score:5, Funny)
Wouldn't that feature let the spambot do the same and deny the legitimate owner access to the account?
Of course not. Facebook has some of the best professionals in the management and securing of personal data and they would've thought of and corrected any flaw as obvious as the one you just pointed out.
Now try to say that out loud, with a straight face.
After you've perfected the technique, you can have fun joining in groups of two or three and trying to say that to a fellow IT workmate. I guarantee lols, rofls, and even a roflcopter or two.
Re: (Score:3, Insightful)
Once you're locked out, however, then you'll start doing things like sending in "I've been hacked" emails to the support system and ruining the fun for the spammers.
Re:Stating the obvious... (Score:5, Insightful)
Facebook helps me to get on with my life - I have some good friends that I would probably never have met without it.
If you don't like Facebook then fine, just ignore it. In what way is it preventing you from getting on with your life?
Re: (Score:2)
Because there are people who think Facebook is the center of their universe, and thus if you're friends with them, the only way they do things is via facebook this, facebook that and thus forcing everyone else to not only have a facebook account, but force all interaction through it. And worse yet, practically everyone's got a friend like that.
Facebook's as optional to use as the Internet th
Re: (Score:2)
The solution to the problem was stated in your premise. Anyone with a five-digit UID is old enough to not put up with that kind of crap.
Re: (Score:2)
And it helps me keep up with friends and family scattered across the (North American) continent. And I follow the pages of half a dozen local businesses *and* the pages of a dozen professional photographers whose work I am studying. (And much more besides.)
Facebook can be viewed as essentially being functionally the same as an RSS reader with a single login and a consistent protocol a
Re: (Score:2)
Not exactly. You'll still be able to log in and request a password change, which then uses your email for authentication. So as long as your email isn't also compromised, you'll be fine.
Re: (Score:2)
Changing the email address sends an email to every account you have with a link which you can click to cancel the change of address AFAIK.
Re: (Score:2)
Dunno. Are you suggesting we should send Mark Zuckerberg personally to each person's home for verification when someone wants to log in?
I agree that it's not perfect, and probably never will be.
But for those who use public computers and forget to log off, this is a great step forward to protecting them.
And for those who gave up their passwords in a phishing scam, Facebook has a feature to page you whenever "you" log in from a new computer. Again, far better than what most banks offer, let alone other soci
Completely missing the obvious... (Score:2)
That doesn't matter. *Right now*, a spambot (or whatever) could just change your password on you and lock you out. What you're suggesting is just the same thing (otherwise, remote logging you out isn't going to do anything except make you re-enter your password). Presumably, spambots aren't doing this now.
Maybe spambots will add this to their repertoire, who knows. But as of right now, this fixes a specific problem that actually *does* exist. If the spammers do start doing that, Facebook will have to come u
Re: (Score:2)
If a spambot can log into someone's facebook account then either they were careless with the password or facebook's account security sucks.
Re: (Score:2)
The obvious thing to do would be to send an OTP (one time password) to the user's email account to access the feature.
Re: (Score:2)
They could use oauth (like Twitter does, as I quickly discovered yesterday when basic authentication suddenly stopped working (to be fair, this was announced far in advance and I just hadn't been following along)), so that users can permit spambots to do their thing, without giving the bots full login credentials.
Oh wonderful (Score:1)
Re: (Score:1)
I think this only makes sense really against workstations accidentally left unattended, lost cell phone, etc. A real spammer has no difficulty logging right back in after being kicked off, assuming they know credentials.
Why would the spammer want to kick off legitimate user logins? That would make it obvious to the legit user that their account is compromised. The spammer probably doesn't want that.
The spammer would prefer to send out more spam as long as the ignorant user is blithely unaware. The us
Well, the info provided is kind of useful? (Score:2)
Dunno, I'm thinking it'll be easier for someone to just change their password... Oh wait, I notice this would also allow folks to sign out of public computers. OK, so it does have its uses I guess.
Re: (Score:1)
This is more sensible: changing passwords should force all login sessions to end.
The two people who will use this legitimately and are technically savvy enough to figure out this feature and know what an IP address is, will really appreciate it.
80% of the public will have no clue, unless this is presented when you login, listing "Other recent logins".
They'll have no clue about IPs still, or how to use this.
huh?? (Score:1)
Wouldn't this make it perfectly possible for spammers to lock the legitimate owners out of their accounts? How does Facebook know which user is the real one?
Sounds like a very stupid move.
Re: (Score:1)
Sounds like a very stupid move.
Not thought out very well. (Score:4, Interesting)
While this may be a "neat" solution, if a spammer has your facebook credentials, then they have access to this new system as well.
I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.
The spammer most certainly would be, and I'd imagine that they would just block the legitimate user's devices as they appeared.
I'm sure getting back access to your account at that point would be a really fun experience.
Re: (Score:2)
There is a setting in Facebook that, when activated, will send you a text and/or email whenever "you" log in from a new computer.
Re: (Score:3, Informative)
It's opt-in, sadly. More here [facebook.com]. I've also noticed that if you log in from a new geographical location, it forces you to go through an authentication process from a browser. It won't allow any API use from the new location until that's complete.
Just like XP zombies, there is value in stealth (Score:2)
Why did malware migrate away from breaking usability to being as transparent as possible? Because when users see that something is compromised, they act to fix it. Currently, a user can't easily tell if their FB account is compromised and stealing information, and with this new feature they can. This benefits the user more than the bot, because if it tries to prevent the user from logging out bot connections, then the user knows something is up. The only sure-fire way to prevent the user from seeing the
Re: (Score:2)
I must admit I am not familiar with the nature of "facebook spam", but I assume that it is possible that the user may not know his or her account has been compromised. He or she may have no inclination to be constantly monitoring the list of logged on devices.
If you enable the "login notifications" you will get a text message or e-mail whenever someone (or you) logs in from a not-yet-known device.
The Facebook dyke has so many holes... (Score:5, Funny)
...and I have so few fingers...
Re:The Facebook dyke has so many holes... (Score:4, Funny)
Call a friend to help finger the dyke!
Re: (Score:2)
dike, dyke,
Let's call the whole thing off!
Isn't that a bit too late? (Score:2)
Your account is compromised. Changing passwords would seem a better solution to me. Voiding all other security tokens should be a part of the password-change process anyway!
Just logging a hacker out is like throwing a burglar out of your house at night and letting him keep the keys to your house!
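Session inventory, remote logout and password-change invalidation, as an added example in Python (not Facebook's code and not from anyone in this thread). It assumes a hypothetical in-memory account store; the user names, device strings and IP addresses are constructed. Rather than hunting down each token on a password change, the account carries an epoch that every session records when it is issued; a password change bumps the epoch, so every previously issued session or token dies at once and the device that made the change gets a fresh session. Remote logout needs only a live session, while a password change also needs the old password, so someone who merely found a logged-in terminal cannot use it to lock the owner out.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def hash_pw(password):
    # Stand-in only; a real service uses a slow, salted hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Session:
    id: str
    device: str        # e.g. the user-agent string shown in the "logged-in devices" list
    ip: str
    last_seen: int
    epoch: int         # the account's epoch at the time this session was issued


@dataclass
class Account:
    pw_hash: str
    epoch: int = 0                          # bumped to void every outstanding session at once
    sessions: dict = field(default_factory=dict)


class Sessions:
    """Hypothetical in-memory session store (constructed for this example)."""

    def __init__(self):
        self.accounts = {}

    def create(self, user, password):
        self.accounts[user] = Account(hash_pw(password))

    def login(self, user, password, device, ip, now):
        acct = self.accounts[user]
        if not secrets.compare_digest(hash_pw(password), acct.pw_hash):
            return None
        sid = secrets.token_urlsafe(16)
        acct.sessions[sid] = Session(sid, device, ip, now, acct.epoch)
        return sid

    def resolve(self, user, sid):
        """Return the session if it is still live; stale ones are dropped lazily."""
        acct = self.accounts[user]
        s = acct.sessions.get(sid)
        if s is None:
            return None
        if s.epoch != acct.epoch:          # issued before the last password change
            del acct.sessions[sid]
            return None
        return s

    def active_sessions(self, user, sid):
        """The 'which devices are logged in' view, only for a caller holding a live session."""
        if self.resolve(user, sid) is None:
            return None
        acct = self.accounts[user]
        return [(s.id, s.device, s.ip, s.last_seen, s.id == sid)
                for s in acct.sessions.values() if s.epoch == acct.epoch]

    def end_session(self, user, caller_sid, target_sid):
        """Remote logout: any live session may end any other session on the same account."""
        if self.resolve(user, caller_sid) is None:
            return False
        return self.accounts[user].sessions.pop(target_sid, None) is not None

    def change_password(self, user, caller_sid, old, new, now):
        """Needs the old password; voids every existing session by bumping the epoch and
        re-issues one for the device making the change, so the owner is not logged out too."""
        acct = self.accounts[user]
        caller = self.resolve(user, caller_sid)
        if caller is None or not secrets.compare_digest(hash_pw(old), acct.pw_hash):
            return None
        acct.pw_hash = hash_pw(new)
        acct.epoch += 1
        new_sid = secrets.token_urlsafe(16)
        acct.sessions[new_sid] = Session(new_sid, caller.device, caller.ip, now, acct.epoch)
        return new_sid
```

The epoch check matters most for tokens the server cannot enumerate (a signed cookie or an API token handed to a mobile app): as long as the token carries the epoch it was minted under, one counter increment revokes all of them without a lookup table.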
What the ... ? (Score:2)
I'm not a Facebook user, so I am having trouble understanding something.
Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?
Re: (Score:2)
Well, to stay in contact with U.N.C.L.E. of course. Or maybe they need to talk to THRUSH.
Re: (Score:2)
I'm not a Facebook user, so I am having trouble understanding something.
Why would 'spammers' (whatever that means in this context) have someone's Facebook login details?
Think of Facebook as just another website. People tend to use the same username/password combination on multiple sites, so you only need to hack one to have a good shot at the rest.
Re: (Score:1)
Read my sig.
People are stupid (the rest doesn't quite apply here ... yet).
GMail has had this forever (Score:1)
It's not like this is fantastic new technology or anything, just something Facebook should have been offering since the beginning.
Advocating better passwords is better... (Score:2)
Finally, a feature worth... (Score:1)
Finally something that makes sense, seeing as so many people had their facebook accounts hacked and the usernames and passwords published in a big gigantic torrent file...I think it makes so much sense, that gmail and hotmail should follow suit.
Hacker's Version: (Score:1)
But also... (Score:2, Interesting)
An interesting other thing they might be able to do is map the frequently banned IPs, track them and follow up with a great big lawyer-stick. ... RIAA style!
You know
This isn't new (Score:1)
Better security: Give users an admin account too (Score:1)
Re: (Score:1)
The world is not as security minded as the average
Facebook would also have the problem of the majority of their users complaining about needing two passwords for a single account or having to login with different accounts/passwords to get to certain functionality.
Going about it all wrong. (Score:1)
Sounds all neat and cool. Sounds like it would work.
But, the problem is, those that are smart enough, and educated enough to figure out how to find this, and use it correctly, wouldn't be getting their accounts hacked by spambots to begin with.
Gmail has had this for a couple years at least BTW.