Facebook's Automated Security Fails to Impress

Facebook's new, automated security offering is almost, but not quite, a joke. Business users who consider Facebook "part of their job" should be aware of the significant limitations.

Here's the deal: If Facebook has noticed suspicious activity on your account, probably because you provided your log-on information to a phisher, Facebook will suspend your account. When you try next to login, Facebook gives you its equivalent of the treatment given someone on the TSA's "No Fly" list.

After you prove that you really are who you tell Facebook you are, you'll be asked to change your password and get a bit of a stern message about doing better in the future. Facebook has been using this procedure for months.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Facebook's new, automated security offering is almost, but not quite, a joke. Business users who consider Facebook "part of their job" should be aware of the significant limitations.

Here's the deal: If Facebook has noticed suspicious activity on your account, probably because you provided your log-on information to a phisher, Facebook will suspend your account. When you try next to login, Facebook gives you its equivalent of the treatment given someone on the TSA's "No Fly" list.

After you prove that you really are who you tell Facebook you are, you'll be asked to change your password and get a bit of a stern message about doing better in the future. Facebook has been using this procedure for months.

What's new is that once you are back in Facebook's good graces, the service will run a security scan, using a special McAfee tool, to remove any Facebook malware from your computer. The bet here is that people who respond to phishing attacks may have picked up malware or viruses along the way.

Facebook does not know in advance whether users' computers are infected. I was happy to find out that, no, Facebook wasn't secretly doing scans of its members' machines.

The McAfee scan will remove Facebook-specific threats and then offer users a free, six-month subscription to its McAfee Internet Security service, valued at $35. You must give a credit card number to get the "free subscription." McAfee will automatically charge you for ongoing service when the free subscription ends if you don't cancel in advance.

Any FB user that "friends" McAfee is eligible for the "free" software, not just those Facebook has identified as security threats.

Here are my concerns:

• Many of us check into FB from multiple computers, some at the office, some portable, some at other people's offices or homes. Just because my account was hacked, doesn't mean the PC I am using is a threat.
• Most business users already have security software installed. There is always a chance that it and the automatic McAfee scan that Facebook initiates will clash. McAfee says this shouldn't happen, but...
• The promotion doesn't really solve problems. Maybe the new McAfee customers will be less likely to have Facebook issues in the future, but maybe not. Phishers are very cleaver and while McAfee promises anti-phishing protection, I wonder how well it protects against a Facebook attack.
• The good side of this is that maybe it will convince people who don't already have protection to get some, albeit at McAfee prices. Facebook should also provide its members access to lower-cost or free security options.
• Facebook could be doing much more to head-off problems by watching links posted on the site for connections with known phishers and then removing them and issuing a warning. And there are a variety of other scams that FB users might run into on the service.

McAfee and Facebook have gotten way too much publicity for doing something that, in the scheme of things, isn't all that significant. I hope this isn't all Facebook will do to improve its members' security.