With concerns heightened about our data being safe online after the huge breach at eBay caused millions of people around the world to have their personal details exposed to hackers, we should rightly be asking ourselves about how seriously ever major website is taking security. EFTM sat down with Gregg Stefancik on of Facebook’s most senior security engineers to learn more.
As a user of Facebook you wouldn’t know what goes on behind the scenes to continually ensure the site is secure, your data is secure and at the same time ensure the site still performs quickly and responds as you would hope it would.
Rather than hoping things are secure, Facebook uses two very interesting techniques to double-check their defences. The first are “Red Team” exercises. The role of a “Red Team” is to try to gain unauthorised access to Facebook – They look for holes, explore risks and then they sit down with Facebook engineers to work out what can be learned from the exercise. Not entirely uncommon, and in some ways similar to the use of “Ethical Hackers” who are paid by companies to test security defences.
Perhaps more interesting is the $1.5million Facebook paid to “researchers” across the globe in 2013. These researchers have the incentive to report vulnerabilities directly to Facebook who are paying cold hard cash to “white hatters” in return for their efforts. It’s a solid shift from putting up brick walls and when people try to climb over calling the police. By embracing the discovery of vulnerabilities and rewarding their discovery Facebook ensures their protections are solid day-to-day. There have been 687 valid security reports made through the White Hat program, and $20,000 has been paid to researchers here in Australia.
What you probably don’t realise now is that everything you do on Facebook is transmitted security, using the encrypted “https” (which puts that little lock on your browser). Introducing https isn’t as easy as flicking a switch, it results in a reduction in performance so engineers needed to work through that and make the site more efficient at the same time. Encrypted transmission has been default for all users since last year on Facebook, and while you can opt out – you’d be mad to.
If you want to take things really seriously, Facebook has in place the option for “two factor authentication”. This is where you go to a site like Facebook, enter your password and then are required to enter a second unique code. This code might be sent via SMS or using an authentication app. By implementing this, you’re ensuring that even if your password is obtained by an unauthorised person, they can’t log into your account.
It can take a bit of getting used to because of the extra step, and hey, we’re all a bit lazy these days. But the fact is, it’s the best security you can put in place for your personal profile so well worth checking out.
What happens if your email is compromised, and perhaps a hacker uses your email to reset your Facebook password and block access for you to the account. Well that’s where Trusted Contacts comes into play. As Facebook’s Gregg Stefancik points out, it’s not uncommon to give a key to your house to your neighbour – it’s a bummer when you get locked out – so that can be a lifesaver. Imagine doing that on Facebook – pick a few trusted friends, if for some reason you can’t get access to your Facebook account, pick up the phone – call a friend – and have them get in and restore your access.
Because Facebook knows so much about you – love it or hate it – they can use that to help you. If you try to log into your account from a strange country – somewhere Facebook hasn’t got a record of you being before – you’ll be presented with what Facebook calls “Social authentication”. You are shown photos of your friends – and given a multiple choice answer as to who they are. This is the kind of authentication that only you could complete.
When I asked Gregg Stefancik about the eBay breach, and whether or not Facebook had methods of separating data so it was “not like you could just get a single database of all the user information”, for Greg, “Protecting Data is a top security priority”.
Even the Facebook data center’s which are connected to each other via a private network, are a key focus for the security team. They are looking to fully encrypt the links between each data centre. This will mean data is encrypted from the moment it leaves your computer to when it reaches Facebook and when it moves around Facebook.
All of this talks of the security your data is covered by, but none of that should be taken lightly. The information you share on Facebook is shared at your discretion. You choose what to write, you choose where to check in, you choose to share what songs you’re listening to or TV shows you’re watching.
Crucially, you get the choice to share things publicly of privately. When you go to update your status, remember, “Public” means public, anyone “could” see that status. “Friends” means just that, the people you choose to add as friends on Facebook will see it, and them alone – so use those privacy settings wisely.