‘Get the dislike button!’ ‘OMG this girl KILLED herself after her dad posted on her wall!’ What do these comments have in common? They are two of the scams we see making the rounds on Facebook in an attempt to get you to click on and install a bad application. The Facebook con popping up everywhere this week is the ‘total profile views’ ruse. It’s another version of the ‘See who viewed your profile’ trick that makes its way around the social network and plays to the user’s ego and desire for information about who is checking out their Facebook page.
Unfortunately, as is the typically the case with these scam applications, allowing the application to access your profile will only lead you to a fraudulent survey which earns a commission for the spammer. Not only will you be left still wanting to know who is visiting your profile, you’ve also just shared your information with the shady character who developed the fake application. Does that make you uncomfortable? It should, say security professionals.
The process of developing applications on Facebook still needs a lot of improvement, according to security and privacy advocates. In fact, earlier this month, Facebook decided to temporarily disable a controversial feature that allowed application developers and third-party web sites to access the mobile phone numbers and addresses of certain users. The feature had sparked criticism among privacy and security advocates who cautioned the ability to gather such personal details from users opened up more doors for potential abuse, such SMS spamming, or possibly even identity theft.
In a recent report, security firm Sophos noted Facebook has a major problem in the form of its app system.
“Any user can create an application, with a wide range of powers to interact with data stored on user pages and cross-site messaging systems, and these applications, like survey scams, can then be installed and run on any users’ page.”
In its statement, however, Facebook responded to the Sophos report, stating: “We have built extensive controls into the product, so that now when you add an application it only gets access to very limited data and the user must approve each additional type of data,” said Facebook. “We make sure that we act swiftly to remove/sanction potentially bad applications before they gain access to data, and involve law enforcement and file civil actions if there is a problem.”
Is that enough? Many security experts say no. Here are four tips from two security and privacy advocates on improving the Facebook application development process to make it safer for users.
Walled Garden approach
In its report, Sophos recommends a “walled garden” approach; a strategy that Apple uses in its app store.
“This refers to a closed or exclusive set of information services provided for users, in contrast to allowing open access to applications and content,” the report states. “This is the way the Apple App Store operates, with applications requiring official approval before they can be uploaded to the site and shared with other users. It has proven effective in protecting users from maliciously crafted applications. Facebook users responding to a (legitimate) survey also approve of this approach. “
Bethan Cantrell, Senior Privacy Consultant for DLI Design Laboratory, agrees.
“Who is the app developer?” said Cantrell “Their account is verified with a mobile phone number or a credit card, sure, but do they have any felony convictions for fraud? Are they a bright sixteen year old with a lot of free time and little to no interest in the correct storage and usage of customer data? “
Give users more control
Another option, according to Sophos, would be to give those users with security concerns the option to secure their own page, allowing only vetted applications to run.
“This second approach would only protect the more aware and cautious of users, who may be less likely to fall for the scammers social engineering tricks anyway,” said Sophos in its report. “It wouldn’t do much to reduce the spam flooding from less secure users, and a full-spectrum control system is preferable.”
Of course, notes the report, even official vetted and approved applications can’t be entirely trusted, with the occasional slip allowing applications that harvest user data to make it onto the verified lists.
A rating system
Cantrell suggests the ability to rate app developers, so users can see their reputation on the same screen where app permissions are granted. In other words, before you grant access to an application, the rating system would let you know how that developer ranks, whether they have a previous history, and any infractions they may have from their past.
“Ebay offers reputation information on the seller of a $6 dollar book, shouldn’t we have something similar for our private information?” asks Cantrell.
Require an auditable privacy statement
“Most app developers may just want to share their cool quiz or game, but does the app developer have the sophistication to understand what kind of overhead goes along with storing that kind and quantity of sensitive information?” said Cantrell. “Do they understand data security and how to implement it?”
An auditable privacy statement, for which Facebook officials require developers to verify that they are able to maintain data security and follow privacy laws, would go a long way, she said.