Facebook is a very popular social networking site, but there are a number of security issues with the site that can put you at serious risk if you aren't careful. The number of facebook account hackings seem to be on the increase (at least I've been getting more bogus messages recently), and this page is in response to a friend who asked what to do after her account got hacked.
While any online account is in danger of being hacked, Facebook has unique features that make this danger even more likely. For one thing, it is very common to post personal information which can be used to steal your identity. But the significant danger is because it is so easy to run malicious programs that can hack your account. In particular, be very careful using any application that asks to access your profile.
Keep in mind that if your account is compromised, not only is your personal information exposed, but the personal information of all your friends as well. So, even if you don't have anything sensitive in your profile information, your friends might. Every time you take one of those quizzes on facebook, you are risking your information and that of your friends.
It is much easier to prevent having your account hacked than to recover from a hacked account. Here are some good security practices that you should keep in mind not only for Facebook, but for any other web site account you might have.
- Don't use Internet Explorer
- There are a lot of security problems with IE. I recommend that you use Firefox instead. Other possible browsers are Safari and Opera, along with the new Chrome from Google.
- One of the nice things about Firefox is all of the add-ons you can get. Some of the add-ons that I consider essential are:
- Adblock Plus — you don't see any ads
- Never click on a link
- Never click on a link contained in any e-mail message or IM. Also, never type a URL directly into the address bar of your browser.
- When you get an e-mail with a link, don't click on it. Hover your mouse over the link and right-click the mouse, and select "Copy Link Location" in Firefox. Next, paste the link into Google and click on search. You should see at the very top of the search results the page you expected. If, however, you see comments about phishing, malware, etc. then you know not to go there.
- If somebody tells you a URL to type into your browser, ignore them. Instead, type the URL into the Google search bar and hit ENTER. As above, you should see the page you were expecting. If not, then either you made a typo, the person giving the URL was wrong, or the site is dangerous.
- It is a common practice by malware writers to purchase domain names similar to valid sites, especially commonly mispelled names. They then set up a web site that looks the same as the real site. When you click on any link on the bogus site, you run the risk of downloading malware. These sites will also try to get the user to enter passwords or personal information.
- Use a strong password
- Find a balance between a password that is easy for you to remember and one that is hard to guess. It should have at least 6-8 characters, and should include letters and digits or possibly symbols. You should never use any word that would appear in a dictionary, the names of your pets, spouse, kids, friends, etc. There are several techniques you can use to do this:
- One trick is to make up a saying or phrase and then use the first letter of each word, or possibly a symbol to represent the word. For example, let's use the phrase "This is my secret password for facebook." We could make that "t=msp4fb". We could emphasize certain words to make the password even stronger: "THIS is my SECRET password for FACEbook" can become "T=mSp4Fb"
- You can make up your own symbols for words, such as "=" for is or equals, "<" for less than, before, left, etc. and ">" for greater than, after, right, etc. There is a special language call leet that might give you some more ideas for symbols. If you use leet, you might want to type short words in leet rather than just the first letter. Be careful using uncommon symbols, some systems might have problems with strange characters in the password field.
- Don't use the same (or similar) password for more than one site. At a minimum, make sure your Facebook password is completely different than your password for any other site.
- Don't Give Out Your Password
- Of course, having a strong password doesn't help if you give your password to others. Although you hopefully would not give your password to a stranger, there are many ways in which malicious users can trick you into revealing your password. A common way is to create web sites that look like legitemate web sites, and when the victim attempts to login, their user name and password are saved and used later to hack into their account.
- Facebook offers a very sneaky way of getting you to enter your user name and password: by offering to help you find your friends on facebook. Facebook asks you for your email address and password, and then uses this information to access your address book / list of contacts. They then search facebook for any matches. The problem, of course, is that your email address and password are now stored inside a facebook database. And, since facebook doesn't have a history of keeping your private information very private, you should be very concerned about that. If you want to find friends on facebook, search for them using their email address.
- If you have already given out your email address and password, change your password immediately. If, in the future, you need to enter that information, I would recommend that you login to your email account, change the password to something simple (like "secret") and then submit that password. Once you have done what you needed to do, go back into your email account and change your password to something strong.
- Always logout when you are done
- I recall using a public terminal, and going to LinkedIn, and was surprised to find myself logged in as someone else. If you don't logout when you are done, you risk having somebody else do things with your account or download key loggers, malware, etc.
- Change your password fairly often
- If you change your password too often, it makes it hard to remember, and you might start writing it down, which would be very dangerous. The idea is to change your password often enough so that by the time somebody figures out your password, you have changed it.
- Make sure you don't have a pattern between different passwords. If your password is secret1, then secret2 isn't a good password. (Of course, secret1 is a lousy password to begin with.)
- Don't let others use your computer, phone, PDA, etc.
- I realize that some of your friends might think you are strange if you don't let them use your computer to check their e-mail, but remember that they might accidentally download some malicious program, or actually post or send something under your name. Usually these messages are funny or embarassing, but you haven't any control.
- Of course, if you have logged out from all of your applications, your friend won't be able to access your accounts, but they can still download malware to your computer.
- Run Anti-virus and anti-spyware software
- Not only should you run anti-virus software, but make sure you get updates on a regular basis. I usually run an update every morning, followed by a scan of my computer. Most computers come with anti-virus, but if you need a free program, try AVG Free.
- Most people know about anti-virus, but not as many are aware of anti-spyware software. This works similar to anti-virus, but it is looking for programs that do things like track your web browsing. Here are some free anti-spyware software that I have used: