Facebook has announced that it has started to warn users if it believes their accounts have been targeted in state-sponsored attacks.
Users who Facebook believes could be at risk will see a warning message similar to the following:
Please Secure Your Accounts Now
[Name], we believe your Facebook account and your other online accounts may be the target of attacks from state-sponsored actors. Turning on Login Approvals will help keep others from logging into your Facebook account. Whenever your account is accessed from a new device or browser, we’ll send a security code to your phone so that only you can log in. We recommend you also take steps to secure the accounts you use on other services. Learn more.
Facebook appears to be using the warning as an opportunity to recommend that at-risk users enable Login Approvals, a system which asks for a special security code to be entered every time an attempt is made to log into an account from a new computer, web browser or mobile phone.
My personal recommendation is that *every* Facebook user would be wise to enable Login Approvals, regardless of whether their communications are likely to be of interest to intelligence agencies.
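To make the mechanism concrete, here is an added illustration (not Facebook's code) of a Login Approvals style flow: a correct password from a device the account has not seen before is held until a one-time code, delivered out of band, is presented. The account, device names and secret are constructed, and the SMS channel is simulated with a list.

```python
import hashlib
import hmac
import struct

# Added illustration of the "Login Approvals" flow the article describes:
# a correct password from a device the account has not seen before is not
# enough; a one-time code delivered out of band (the SMS is simulated with
# an outbox list) must also be presented. Names and data are constructed.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    def __init__(self, phone_secret: bytes):
        self.secret = phone_secret      # shared with the code-delivery channel
        self.counter = 0                # HOTP moving factor; never reused
        self.pending = False            # a challenge has been issued
        self.trusted = set()            # device fingerprints already approved
        self.outbox = []                # simulated SMS deliveries

    def login(self, device: str, password_ok: bool, code: str = "") -> str:
        if not password_ok:
            return "denied"
        if device in self.trusted:
            return "ok"                 # recognised device: no second step
        if not code:
            # Unrecognised device: send a fresh code and hold the login.
            self.counter += 1
            self.pending = True
            self.outbox.append(hotp(self.secret, self.counter))
            return "code_required"
        if not self.pending:
            return "denied"             # no outstanding challenge to answer
        expected = hotp(self.secret, self.counter)
        if not hmac.compare_digest(code, expected):
            return "denied"
        # Code accepted: approve the device and retire the challenge so the
        # same code cannot be replayed for a different device later.
        self.pending = False
        self.trusted.add(device)
        return "ok"
```

Note that a stolen password alone yields only "code_required" from an unfamiliar device, which is the property the warning text is steering at-risk users towards.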
Facebook’s Chief Security Officer Alex Stamos explains that the company will not be sharing, for understandable reasons, its methodologies for determining if a Facebook account might be subject to attack, but says that the warning will only be displayed if it has a high degree of confidence that something suspicious is going on:
“It’s important to understand that this warning is not related to any compromise of Facebook’s platform or systems and that having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware. Ideally, people who see this message should take care to rebuild or replace these systems if possible.”
“We plan to use this warning only in situations where the evidence strongly supports our conclusion.”
Facebook’s move follows in the footsteps of the likes of Google, which in 2012 announced that it would begin to display security warnings when it believed accounts of, for instance, Gmail users had been compromised by state-sponsored attackers.
Facebook should be applauded for introducing an additional warning like this, but really those who are using Facebook for sensitive communications should perhaps already be asking themselves whether they are doing things the right way.
Interesting times. I wonder which states they are most likely to report on.
Whilst it's true that people who are using Facebook for sensitive communications are doing it wrong, hijacking a Facebook account could be a very useful intelligence gathering exercise by a state entity. It could be that someone is connected to someone they are targeting, and by hijacking a friend they get a lot more detail.
Not just another ploy to gain access to your mobile so they can spam you 24/7 no matter where you are? How about since they know of the attempts they simply block those and be done with it? What, and miss an opportunity to double ad displays?
They are *not forcing* you to do *this*[1] and seeing as how they *have* forced users to do many *other things* that are questionable (if not worse), your theory fails because they would have already forced it.
But besides that: You clearly have no experience as an administrator, especially one who considers security. If only it were as easy as to block attempts in such a way. What if it is the user? Account lockouts[2] can be abused to deny service to the user (and yes, it would be and has been done). And IP is no indication, either, because of roaming (etc.). This isn't an instance where they can use ingress filtering in such a way because of how many people use Facebook. There are other things to consider, too.
[1] Besides, I really doubt they have a contract with carriers worldwide, in which case, they won't have this everywhere, which also breaks your theory.
[2] Not to say they don’t have any use, but they can be (and are) abused – and for something like Facebook, it would definitely lead to problems because of their user base (they would lock themselves out, thus inducing withdrawal effects… because so many are addicted to it and their virtual friends).
"…those who are using Facebook for sensitive communications should perhaps already be asking themselves whether they are doing things the right way."
Huh? …you mean, there are actually people who use Facebook for sensitive communications?
Wow.
Yes. People are woefully ignorant, naive and it is worse than that (comes down to stupidity, doesn't it?). Surely you must know this.
Don't be shocked. Expect it. Nothing should surprise you. Think of people using the well known (hence insecure) technique of sharing an email password (which would be insecure already), and then writing drafts (but not sending) so that they can correspond with their lover (or another kind of partner) safely. Except it isn't safe. But if it makes them feel better and safer – and it does – that's all it takes to make them consider it. It's at their risk.
Perhaps the ability to be shocked at the persistent and apparently inexhaustible stupidity of some of my fellow humanoids is my last defense against the final plunge into consummate cynicism.
Facebook's "Login Approval" is their sleazy way of getting your cell phone number…nothing more.
Yahoo is doing the same by eliminating passwords altogether requiring a text message to access your account.
They want your cell # so they can ID you.
Using phone number instead of password is *very* different from 2FA. That's what the 2 stands for, you see? It's more than one layer, in this case it is two instead of one. Yes, Yahoo's idea is really stupid but it has nothing to do with wanting your mobile phone number so they can do .. what .. ever they do with your email?
Edit: In other words, your claim is mostly speculation (or more like an assumption) if not outright libel, neither of which is helpful.