Facebook: Security

More changes to Facebook and we have some interesting settings available.

Want to be sure that your account is secured? Well, this is a good starting place and should get you going. There are some pretty good options hidden away in the…
Accessing the Security settings
First of all, I’d advise doing this from a decent browser, not a mobile version or an app. Otherwise you may accidentally lock yourself out of the account.
I used Safari on my iPad.
I would also recommend that you log out of all your other connections, whether on your mobile or PC or Laptop, leaving only this connection active and signed in. Consider changing your password as well.
Log in as normal to the Facebook website.

If FB haven’t changed the layout again then you’ll need to access the ‘Account’ drop down menu at the top right.

From there select ‘Account Settings’.
The account settings screen now appears. Immediately select the ‘Security’ option on the left.

Yoiks! I’m completely open!
Secure Browsing
You’re probably all aware by now, but there are two main protocols used on the Web: HTTP and HTTPS. The former is the standard and default method by which information is sent to and from your computer.
The latter is the secured version. The communication is signed and encrypted using a certificate provided by the site but verified by a certificate authority. It means no one can snoop on your Facebook data as it passes across the network. It is a very good idea to enable this feature, especially if you use Facebook on a Laptop or mobile device.
Click ‘Edit’ next to ‘Secure Browsing’ and enable this feature.
Your browser will refresh the page, onto the new HTTPS connection.
Not all communications with Facebook can be sent over HTTPS and some Apps will attempt to disable this setting. Check every so often.
Login Notifications
Excellent feature this. With this enabled you will receive an email or SMS message informing you of any device that logs in to your account. This will give you notice of any breach and also, importantly, send you instructions on what to do if it wasn’t you who made that access.

For SMS notifications you will have had to preregister your mobile number with Facebook. When doing so ensure that it is not visible to ANYONE, not even friends. Trust me on this.
To enable, click ‘Edit’ next to ‘Login notifications’ and select the method(s) you wish and click ‘Save Changes’.
So now you get an email when a device tries to access your account.

Login Approvals
Here you can register all your devices, preventing anything else accessing your account without first entering an authorisation code that is sent to your mobile phone. This is an excellent way of limiting access to your account as it requires physical access to your mobile phone.

You’ll be asked to name the device after entering the code. Then your ‘Recognised Devices’ list will be updated.
Recognised Devices
As implied above, a list of all the devices authorised to access your account.

As you add devices the list gets longer…

…and longer…

…and longer…

Each will have had to go through the same process, including the SMS verification via your mobile phone.
Any device that you don’t recognise you can disable by clicking the ‘Remove’ option next to that item.
Active Sessions
Simple enough, a list of all places your account is currently active.

Obviously you can end any session that you don’t recognise.
Final Result:
The overall effect is to dramatically reduce the chance of your Facebook account being accessed without your permission. Of course if someone gains access to one of your authorised devices, these measures won’t help.

Now, that looks a lot better!
The caveats are important though.

  • FB regularly change how security and privacy work
  • Privacy will need to be investigated separately
  • Facebook Apps can, if you let them, disable some of these features
  • Every Browser or Application that accesses your Facebook account might be detected as a different device, even when installed on the same physical device
  • You should check these settings at least every month
  • If you change or lose your mobile number, change the setting here immediately
  • Any session already logged in will continue without having to make the Security Code verification

One last item then…
Deactivate Your Account
Curiously and ominously does exactly what it says on the tin.

Deactivating should not in any way be considered the same thing as deleting or removing. People will still be able to tag you or invite you to stuff and you can at any point request the account to be reactivated.
Also, it leaves all your shared stuff on Facebook.

Screenshots and notes:

  1. Friendly for iPad- a favourite of mine, login as normal

    Prompt for Security Code

  2. Flipboard for iPad, login as normal

    Prompt for Security Code (note that the mobile number is visible- tut, tut)

  3. Safari on iPhone

  4. Facebook for iPhone app, here you get prompted for a second password which is the code sent to your mobile

    Notice the light change in the notification message

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.

