Are you safe on Facebook?January 28, 2011: 12:21 PM ET
Mark Zuckerberg's fan page was hacked, scams permeate the news feed, and fake profiles abound. What's Facebook doing about it?
Earlier this week, a hacker hijacked CEO Mark Zuckerberg's fan page, and updated his status with a message that started "Let the hacking begin." The social network also tripped up when, in an attempt to clamp down on fake accounts, it disabled the profiles of two women who shared the same name as Prince William's fiancée, Kate Middleton. (The profiles were later restored.) And hacked accounts continue to inject deceptive updates into the news feed like, "XXXX persons viewed my profile in 2010! ... You can check who viewed your profile here now [insert malicious link]." With incidents like these, some users are bound to ask how they safe they are on Facebook.
With nearly 600 million users spending more than 22.7% of their time on social networks like Facebook – significantly more time than email -- scammers, spammers, and hackers have another, potentially better playground to take advantage of, since users are generally more susceptible. Most Internet users are now wise enough to ignore emails with crazy subject titles from shady-looking senders, but with Facebook, there's a higher level of trust between users since they have to approve one another as "friends" first.
Still, a recent study conducted by anti-malware company Sophos revealed that 67% of social network users had been spammed and 40% of social network users received malware like worms.
"It's really reared its head in the last two to three years," says Sophos analyst Graham Cluley of "social engineering," or psychological tricks used to convince people to compromise their own online security. "Because these links were being shared by friends, people were more likely to click on them than if they arrived out of the blue via email."
Cluley feels Facebook's security measures have a lot of catching up to do, though he questions whether that's even possible -- after all, how big of a "police force" would the company need to protect hundreds of millions of people?
Others believe the security issue hoopla is overblown. "Given Facebook's relative youth and focus on the consumer, it's not all that surprising they stumble with certain pursuits, but I don't see that as a major problem," says Gartner analyst Andrew Walls. The problem may lie more with unrealistic consumer expectations rather than with Facebook. Should a free consumer product be expected to offer the same level of security as an enterprise or major corporation?
Facebook's privacy quest
For its part, the social network says it has devoted an unspecified number of employees across its organization to beef up security. As a baseline, it relies on automated systems that flag suspicious login attempts based on things like device and location. If for instance, you log in from Los Angeles at 10 AM, and someone else tries to log in as you at 2 PM in New York City, Facebook may prompt the latter user to confirm their identity by answering a previously provided security question, filling in a birth date, or identifying a Facebook friend in a photo randomly plucked from your profile. If you try logging in from a computer, tablet or smartphone you've never used to access Facebook before, chances are you'll get a prompt to authorize the device as one of yours – you'll also receive an email confirming the authorization.
Most recently, the social network introduced a browsing option via a secure connection, which should help thwart tools like Firesheep, a Firefox plug-in that basically lets users steal site log-in information. And to raise awareness, it launched the Facebook Security page, which offers tips on how to deal with suspicious messages, profiles, and software. It currently counts more than 3.5 million people as "fans."
"We take the security of people's accounts and information very seriously," said Simon Axten, a Facebook privacy and public policy associate, in a recent statement. "It faces a security challenge that few, if any, other companies, or even governments, have faced -- protecting more than 500 million people on a service that is under constant attack." According to Axten, less than 1% of Facebook users have ever encountered a security issue on the site, a dramatic contrast to the 67% of users Sophos reported had been spammed and 40% who received malware like worms.
What's certain is that Facebook still has its work cut out for it -- 3.5 million fans of Facebook Security is a drop in the bucket compared to the social network's overall user base. And when was the last time you heard about a Gmail account disabled because the handle bore a striking resemblance to a celebrity's? Ultimately, all the security settings in the world are useless if its users aren't aware they're there and know how to use them.
Until all, or at least most, of Facebook's 600 million can say they do, the social network's security will remain an issue every bit as precious as privacy.
Also on Fortune.com: