If you're dumb enough to be on Facebook...
...then you deserve what you get.
A bank account-raiding worm has started spreading on Facebook, stealing login credentials as it creeps across the site, security researchers have revealed. Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms that the malware has already stolen 45,000 Facebook passwords and …
Why is it every time there is a news item that involves Facebook, the inevitable "If you're dumb enough to be on Facebook..."
Facebook is the perfect medium to keep in contact with the less than perfect technical savvy relatives.
Facebook is no different to the rest of the internet, only post whatever you're happy with the whole of the world seeing... forget privacy settings... assume they can be or are breached...
<quote>
Facebook is the perfect medium to keep in contact with the less than perfect technical savvy relatives.
</quote>
Oh, Really???
I manage to keep in touch with my "less than perfect technical savvy relatives" via such time-honored (but definitely un-whizzy) mechanisms as e-mail and that ol' stand-by, the telephone. Works...perfectly.
Being on Facebook? So now people are labelled dumb because of their hobby? (I know, I know; YHBT).
No, there is a real but different problem to address here; people who use their Facebook credentials to authorize themselves on other websites. That is what I'd describe as something to seriously reconsider.
Because while it may make it easier on you (one authorization to be used on dozens of websites) the risk factor also increases tremendously. Because if something ever goes awry with that single authorization you're not (temporarily?) losing access to one website, but many of them.
Not to mention that this aspect is most likely also what makes it so appealing to try and get into one's social media account. It's not only the social media content which is at risk here.
Yet I get a feeling that most people don't even realize this hidden risk. Heck; how many of them would actually change their passwords on a regular basis (and I don't mean changing "p4ssw0rD2" into "p4ssw0rD3")?
How do you get past a two-factor authorization? Simple. Wait until an action needing the second factor is given, then alter the details behind the scenes. The bank gets the request the malware wants and sends out the second factor request. Depending on the variant, either the user enters the second factor thinking it's for their action when it's really for the malware or a mobile extension of the malware (perhaps orchestrated by alterations made by the PC variant) snags the factor off your phone. Either way, the malware now has clearance to do its dirty work.
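Added example, not part of the comment above or of the article: a minimal model of why a second factor that is not tied to the transfer details approves an altered request, and how a code computed over the payee and amount makes the bank's check fail instead. The key, challenge, account names and the code scheme are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo secret shared by the bank and the user's token device.
KEY = b"constructed-demo-key"


def _mac(message: str) -> str:
    """Short confirmation code derived from the shared secret (hypothetical scheme)."""
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()[:8]


def unbound_code(challenge: str) -> str:
    """Second factor tied only to the bank's challenge, not to any transfer."""
    return _mac(challenge)


def bound_code(challenge: str, payee: str, amount_cents: int) -> str:
    """Second factor computed over the challenge AND the transfer details."""
    return _mac(f"{challenge}|{payee}|{amount_cents}")


def bank_verify(challenge, code, payee, amount_cents, bound):
    """Bank-side check against the request the bank actually received."""
    expected = (bound_code(challenge, payee, amount_cents) if bound
                else unbound_code(challenge))
    return hmac.compare_digest(code, expected)


def simulate(bound: bool) -> bool:
    """Return True if the bank approves a request that differs from what the user meant."""
    challenge = "c-1001"                       # constructed challenge value
    intended = ("LANDLORD", 50_000)            # what the user typed and sees
    received = ("OTHER-ACCOUNT", 950_000)      # what reached the bank after alteration
    # The user's token only ever sees the details the user intended.
    code = (bound_code(challenge, *intended) if bound
            else unbound_code(challenge))
    return bank_verify(challenge, code, *received, bound=bound)


if __name__ == "__main__":
    print("unbound code approves altered request:", simulate(bound=False))
    print("bound code approves altered request:  ", simulate(bound=True))
```

Binding only helps when the payee and amount are shown or entered on a device the malware does not control and the user actually checks them there.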
If Facebook were to convert all URLs posted on wall messages to ones that are first loaded and checked by Facebook then they would be able to intercept any that link to malware-infected sites.
Perhaps Facebook could team up with Google to share the processing and network load thereby doubling our security?