And the evidence keeps mounting! The Daily Beast reported that Facebook was telling users they had to provide the passwords to their external e-mail account to validate their FB accounts and keep using them:
Once FB got caught (er, was asked about the practice), they responded as follows:
"In a statement emailed to The Daily Beast after this story published, Facebook reiterated its claim it doesn’t store the email passwords. But the company also announced it will end the practice altogether.
“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” Facebook wrote."
Please read the full article linked above to be reminded of just how egregiously FB has acted just in the recent past.
Hmmm, I wonder if FB has any CISSPs working for them?
If so, I wonder if working for FB constitutes a violation of the (ISC)2 ethical guidelines?
"Hmmm, I wonder if FB has any CISSPs working for them?"
Oh, yeah, they have; here's the proof:
Wow, I almost couldn't believe that until I read several news articles online.
It's like someone planning a heist, while already standing trial for burglary...
This was one of the articles. A closing statement from a Facebook spokesperson went like this: -
'That said, we understand the password verification option isn't the best way to go about this, so we are going to stop offering it.'
What they've conveniently refrained from saying is: -
'Those who have already provided passwords are strongly advised to change them, as Facebook won't accept responsibility for any compromise that may result directly or indirectly from this.'
Anyone who thought Facebook couldn't sink any lower has seriously underestimated them...
I almost couldn't believe this until I read the article. Over the past few years, I have had several conversations with the proverbial "family member of a friend" who was hacked through social engineering by being asked to confirm their email address, password, ssn, phone number, date of birth, astrology sign, blood type, credit card information, VIN of their car, mother's maiden name, etc. to confirm their FB identity. Of course, when I hear these stories, I sadly shake my head at the lack of security awareness that is available to the public. How does a busy mother of 3 who is trying to check in on Facebook ever realize that she is in danger? Who is going to tell her? Who is responsible?
To those of us in the security realm, we would recognize these requests immediately as phishing, and dismiss them. In this case though, FB seems to have taken a page from their scammers and is asking for information from their users that they have no right to ask for.
Aside from the obvious, that FB is one of the least secure ways to ever store or share information, how is the public to know? Whether or not FB tightens its security before its eventual demise remains to be seen, but in the meantime, perhaps there should be a FB Security Awareness community providing security outreach services to the public to inform them?
How does a busy mother of 3 who is trying to check in on Facebook ever realize that she is in danger? Who is going to tell her? Who is responsible?
There are multiple parties, each falling into a role with its own responsibility:
As a Service User, I'd want to ensure that I'm careful about what I avail of, since my primary concern is the impact this will have on me, and not the other parties.
Whether or not FB tightens their security before their eventual demise is yet to be seen, but in the meantime, perhaps there should be a FB Security Awareness community providing security outreach services to the public to inform them?
Awareness is obviously the key here, although imparting it can be challenging. A campaign shouldn't be focused on Facebook itself (else people might assume it's biased) but on IT security risks and their impacts, with references to Facebook.
Facebook was telling users they had to provide the passwords to their external e-mail account to validate their FB accounts and keep using them:
This incident reminds me of a situation about a decade ago involving a hosting provider. I had started using this provider about five years earlier. They were great, of course; then they ended up getting bought by a competitor who hadn't a clue, but had plenty of money. I forget the exact situation, but they had some sort of breach and ended up locking out all the accounts with "weak" passwords. So when I called them up, I asked, "Well, how do you know what my password is?" and the guy proceeded to tell me that he had a form in which he typed my username and it spat back my password. So, needless to say, they became my former hosting provider the next day.
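The "type the username, get the password back" form in the post above is only possible when the provider keeps the password itself (or something reversible to it) on file. The following is an added example, not code from the post or from any provider it mentions: it puts that plaintext pattern next to a store that keeps only a per-user salt and a slow PBKDF2-HMAC-SHA256 digest, so a support form can confirm a password the customer supplies but cannot hand it back. The user names, passwords and the two store classes are constructed for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the example; not real users.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


class PlaintextStore:
    """The pattern the post describes: the stored value *is* the password,
    so a support form can look it up and read it straight back."""

    def __init__(self):
        self._db = {}

    def register(self, user, password):
        self._db[user] = password

    def lookup(self, user):
        # The "type username, get password" form.
        return self._db[user]

    def verify(self, user, password):
        return self._db.get(user) == password


class HashedStore:
    """Keeps only a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest.
    The original password is never written down, so there is nothing to
    hand back; the service can only check a password the user presents."""

    ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256
    SALT_BYTES = 16

    def __init__(self):
        self._db = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   self.ITERATIONS)

    def register(self, user, password):
        salt = secrets.token_bytes(self.SALT_BYTES)
        self._db[user] = (salt, self._digest(password, salt))

    def lookup(self, user):
        # The most a support form can show: salt and digest, not the password.
        salt, digest = self._db[user]
        return salt.hex() + ":" + digest.hex()

    def verify(self, user, password):
        record = self._db.get(user)
        if record is None:
            # Burn the same work for unknown users so response time does not
            # reveal whether an account exists.
            self._digest(password, bytes(self.SALT_BYTES))
            return False
        salt, digest = record
        candidate = self._digest(password, salt)
        # Constant-time comparison; the digests are the same length.
        return hmac.compare_digest(candidate, digest)


def build(store_cls):
    """Register every sample account in a fresh store of the given kind."""
    store = store_cls()
    for user, password in USERS.items():
        store.register(user, password)
    return store


def support_desk_can_read_password(store, user):
    """True if whatever the store returns for a lookup is the password itself."""
    return store.lookup(user) == USERS[user]


if __name__ == "__main__":
    weak, strong = build(PlaintextStore), build(HashedStore)
    print("plaintext store leaks alice's password:",
          support_desk_can_read_password(weak, "alice"))
    print("hashed store leaks alice's password:",
          support_desk_can_read_password(strong, "alice"))
    print("hashed store still verifies alice:",
          strong.verify("alice", USERS["alice"]))
```

One consequence worth noting for the lockout the post describes: with the hashed store, a "weak password" sweep over existing accounts is impossible, because the plaintext is only available at registration or login. That is the correct trade-off; a provider that can grade every stored password offline is, by construction, one that can also read them.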
Here's the thing: there is nothing proprietary about the value Facebook might offer its users. There are dozens of ways we can stay in touch with people we care about, most of them probably more substantive and personal than FB. Hence, what FB and the folks who have sunk billions into it are counting on for their survival is how it can leverage that user base. While we can dress it up however we want, the FB business plan inherently exploits its user base.