Facebook Apps Leaking Your Information
A report was recently published claiming that nearly 100,000 Facebook apps have been leaking access codes belonging to millions of users’ profiles. Symantec released the report and said that an app security flaw may have given apps and other third parties access to users’ profiles. Facebook maintains that they have no evidence of this occurring.
In their report, Symantec wrote:
We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties.
These “access tokens” help apps interact with your profile.They are most often used to post updates from the application to your wall. When you add the applications to your profile you, as the Facebook user, is giving the apps access to your information by accepting their conditions. According to the investigation, these tokens were included in URLs sent to the application host and were then sent to advertisers and analytics platforms. If the recipient recognized the codes (meaning they have to be qualified to read and write HTML code), they could gain access to the user’s wall’s and profile.
Facebook Nigerian Scam Costs Victim $300,000+
At this point, we are all pretty used to the classic Nigerian Scam. Someone who is recently wealthy needs your help to gain access to the funds. They will let you keep $1 million if you will simply send them your bank account number so he can transfer $30 million to you. Its a dream come true to most!
What happens when that same scam is used on Facebook by one of your friends, by someone you trust? The results can be disastrous. One woman was scammed out of $366,000 because she felt sorry for the scammer’s sob story. The woman contacted the local authorities after realizing she had been conned by her Facebook “friend”. Police arrested six male suspects in Kepong, all allegedly connected to the Facebook scam: two Nigerians, two Bangladeshis, and two Malaysians. Investigators only managed to recover $5,000 in cash of the victim’s money, although they also seized 18 ATM cards, seven cell phones, and a laptop.
At least in this case the men were apprehended. In most scams of this nature there is no chance of finding the scammers and the money is long gone. Even when one of your Facebook friends asks you for something (money, help, information), your first reaction should be healthy skepticism. Verify that what they are saying is true (call them before sending money). Often times, a thief will take over a friend’s account or create a false account in order to gain your trust and eventually, your money.
How to Change Your Facebook Password
A close friend of mine just had his Facebook account taken over and used for pretty nasty things, so… this is just a quick reminder to change your Facebook password frequently for added security. If you have been a member for years, like most people, and have not ever changed your password, I recommend you do so right now (don’t wait, you’ll never do it later).
On a site like Facebook that houses so much of your personal reputation and information, it is good to keep passwords new and difficult to hack. We see people’s Facebook profiles get hacked every day from clicking on malware and phishing schemes – and once they have your Facebook password, they probably have the same password you use on other accounts. Changing your password frequently, as simple as it sounds, is an easy way to avoid some of the privacy problems posed by Facebook. Once you are logged in, visit your Account Settings Page. On the first page next to Password click change.
Now that you are in your Account Settings, spend a minute clicking around to explore some of your other settings. While changing your password doesn’t solve all of your security issues, it will help you feel a bit safer on the social networking giant!
Facebook Can Use Your Photos in Their Ads Without Permission
Did you know that Facebook can use photos you post on the site in advertisements targeted on the right (advertising) side of your contact’s profile?
Unless you customize your privacy settings, Facebook can share just about anything you post with just about everyone. Using your intellectual property for their financial gain is not a new Facebook issue, but one that should be revisited due to recent Facebook Privacy changes. Here’s the funny part: you gave Facebook the right to use any of your content in any way they see fit when you signed up for your account and didn’t read the user agreement. If you visit the Facebook Statement of Rights page you will see the following:
You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
- For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free,
worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.
Facebook Safety: New HTTPS Facebook Settings
Facebook has announced that they will be rolling out a new security feature that will add full HTTPS support to the site. The new secure site uses the same underlying technology that banks use to keep your communications out of the reach of potential hackers. While many people don’t have this feature yet and mine just showed up today, eventually all users should have the capability.
To enable HTTPS, log into your Facebook account and at the top right go into Account -> Account Settings.
Once there, scroll all the way to the bottom and click “change” next to Account Security.
The following screen should pop up. Check the box under Secure Browsing. You can also check “send me an email” (or a text message to your cell phone, which I don’t advise giving to Facebook) so that if someone tries to log into your account from a new computer, Facebook will immediately alert you. This is a good way to find out fast if your account has been hacked.
Facebook rolled out these secure settings to make Facebook seem safer, but like many of their security changes, they are turned off by default. You must go in and manually change the feature to gain the added security.
Facebook Boiling the Privacy Frog (You)
Facebook is preparing to give away your phone number and address to app developers and advertisers.
The frog is officially beginning to boil. Just check out all of the articles swirling around on the internet about Facebook’s latest attempt to release more of your information without your consent. This time they want to give out your phone number and address. They were pretty clear that the reason they want this information is to pass it on to developers of apps such as Farmville and advertisers that want to bolster their profile on you. They released the post late Friday afternoon – so late in fact that many news outlets didn’t pick it up until Monday. Many are accusing Facebook of trying to bury the news.
Here is what was posted:
User Address and Mobile Phone Number
We are now making a user’s address and mobile phone number accessible as part of the User Graph object. Because this is sensitive information, we have created the new user_address and user_mobile_phone permissions. These permissions must be explicitly granted to your application by the user via our standard permissions dialogs.
Although users currently have to give applications permission to access their information, there is a slight addition above to the type of information being shared. Look for “Access my contact information”, with the subtitle “Current Address and Mobile Phone Number” (see image above). If Facebook were actually interested in making their data sharing strategy noticeable, at least they could have bolded the warning rather than the hey-don’t-pay-attention-to-me-faded-gray they used.
WSJ Article Quotes Identity Theft Expert, John Sileo
How To Beat The Online Scammers
(A Wall Street Journal Excerpt by Jennifer Waters)
Your pet’s name is a fraudster’s best friend.
You may think you’re giving up precious little when you tell your Facebook friends that you’re dressing your pooch, Puddles, in your favorite color, red, for brunch at Grandma’s on Sunday. But you’ve actually just opened a Pandora’s box of risks.
The information consumers willingly, and oftentimes unwittingly, unleash on social-media websites sets off a feeding frenzy among fraudsters looking to steal everything from your flat-screen TV to your identity…
Too much information can hurt you in other ways. John Sileo, a Denver-based identify-theft expert, says your online chatter could equip an ex-spouse with ammunition for a court challenge. Future or current employers could have a problem with information about your personal life that they deem inappropriate for a member of their staff, he says. You also could be furnishing a would-be stalker with information about your whereabouts. Click Here to Continue Reading….
Sileo In the Media
Privacy Project Newsletter
Tools and tips for bulletproofing yourself against identity theft, data breach and corporate espionage. Subscribe to the newsletter and get John Sileo's 7 Survival Strategies for Starving Data Spies for FREE!
