Facebook's Security Mess

Last week I was sitting in my office working away on a client's iPhone app when my iPhone's text message bell alert rang. I picked up my phone to see my daughter's text message: "Free iPad event?" After an exchange, I learned that my Facebook account had sent her an event request with a link to a rogue quiz site that was offering quizzes for the amazingly low price of $19.99 a month. I also started getting emails from other friends who were getting the invitation from me. So, I got mad.

First, I deleted the event. Then, I posted to my wall about it. And then, I went on the warpath.

You see, I am very careful about my Facebook account. While I explore aspects of Facebook as part of my research for clients, I am aware of the dangers and am diligent in working through the possible issues. But, I got caught. So, I went looking for the source of the issue.

The first thing I learned is that I am not alone. There is even a Facebook group that has grown up to oppose it. But, no one seemed to know how it was done, so I began to investigate.

Given the invitation text and the targets, I figured out that it had to have come from an application with access to my account. I dug through my entire list of applications, eliminating many that were old or that I don't use. But it's important to understand that Facebook makes this process far more painful than it needs to be. If only Facebook would mark wall posts, event invites, and other items with the application that created them, we could track down the reprobates who build these cheap cheats. Twitter even does it:

So Twitter, with its informal nature, trumps Facebook in one of the most important aspects of security: transparency.

In my next few posts, I'll outline what you can do to scrub your Facebook account in a way that will make it much more hardened against this kind of attack. However, with the limited transparency of Facebook's system right now, there is only so much you can do.

How Safe are You?

It was the late '70s in a suburban Michigan neighborhood when I first felt it. I had bought my ten-speed bike--a beautiful brown Schwinn Varsity with tape-wrapped drop handlebars--back when no one had ever seen one. People would stop and ask, "Why do your handlebars go down?" That bike was special to me. I used it on my paper routes for years and rode it everywhere. But it was gone.

Someone had come into our garage and left with it.

I felt violated. If my garage wasn't safe, what was? It churned my emotions for a while, and I still remember those feelings.

Today, thieves don't have to break into your garage. They can break into your computer. If they did, what would they find? Do you know?

I do, and now you can, too.

Identity Finder, created by the company of the same name, scans your PC, Mac, or enterprise systems for telltale content like credit card numbers, passwords, social security numbers, and more. I'm willing to bet that it will find content that you forgot. For example, remember that time you emailed your social security number? What about that friend who sent you their VISA card number for your trip?

Identity Finder will find them and remind you.

These scans show you the files where the content is found. The application also shows you a browse view of the file with the content highlighted. It lets you decide what to do with the information it finds, including allowing you to encrypt and archive the report.

In my case, between the first and second times I ran Identity Finder on my Mac, I had packaged information for my bookkeeper, including my credit card statements. Those files had my credit card numbers in them. I had been careful when getting them to her, but I had left them on my system unencrypted! And I had forgotten. Identity Finder reminded me.

There are, of course, a few imperfections. The application displayed some of the file previews with the entire file highlighted so it was difficult to determine what it had found. It took me a little bit of time to figure out what to do with files where multiple triggers had fired. But, these are small limitations, and I can still unequivocally recommend Identity Finder as protection against leaving your personal identity information just sitting on your computer storage.
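To make concrete what a scan like the one described above actually does, here is a small added example of my own (not Identity Finder's code, and not how that product is implemented). It looks for card numbers and US social security numbers in text, validates card candidates with the Luhn checksum so a random 16-digit order number is not reported, and, unlike the whole-file highlighting I complained about, reports each trigger separately with its file, line, a masked value, and a snippet that marks only the matched span. The file names and contents in SAMPLE_FILES are constructed for the demo; scan_directory is the hypothetical real-tree version.

```python
"""Minimal PII scanner: Luhn-validated card numbers and US SSNs in text files."""
import re
from pathlib import Path
from typing import Dict, List

# Candidate card number: 13-19 digits, optional single space/dash between digits.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Dashed US SSN, rejecting area/group/serial values that are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself does not leak the secret."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> List[dict]:
    """One finding per trigger, each tied to its line, with only the match highlighted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex in (("card", CARD_RE), ("ssn", SSN_RE)):
            for m in regex.finditer(line):
                raw = m.group(0)
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", raw)):
                    continue                # fails the checksum: not a card number
                findings.append({
                    "path": path,
                    "line": line_no,
                    "kind": kind,
                    "masked": mask(raw),
                    # highlight the matched span only, never the whole file
                    "context": line[:m.start()] + "[[" + mask(raw) + "]]" + line[m.end():],
                })
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan an in-memory {path: text} mapping (used for the constructed sample below)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_directory(root: str, suffixes=(".txt", ".csv", ".eml", ".md")) -> List[dict]:
    """Hypothetical real-tree version: walk a directory, scanning plain-text files only."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                out.extend(scan_text(str(p), p.read_text(errors="ignore")))
            except OSError:
                continue
    return out


# Constructed sample "files" (not real data): a statement with a well-known test card
# number, a mail containing an SSN, and a note whose 16-digit order number fails Luhn.
SAMPLE_FILES = {
    "bookkeeper/visa_statement.txt": "Account: 4111 1111 1111 1111\nBalance due: $120.00\n",
    "mail/tax_docs.eml": "My SSN is 123-45-6789 for the 1040.\nRouting 12345678 is not a card.\n",
    "notes/orders.txt": "Order 1234567890123456 shipped.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['masked']}  {f['context']}")
```

Run it as-is to see the two expected findings from the sample, or point scan_directory at a folder of your own documents. Note that the report deliberately masks everything but the last four digits: a scan report that spells out every card number it found is itself one more file to worry about.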

What have you left lying around that a black hat could steal?

Identity Finder is an excellent way to find out.