True Story Yesterday, I logged into Facebook. I usually never use my account there (I am not a Facebook fan), but once in a while I’ll spend some time on it. For the first time, after entering my credentials, a “security” page appeared stating that unusual activities have been witnessed on my account. I then had to answer some questions, choose the names of some tagged friends, and reset my password. I have no idea what happened or how my account got compromised. The only hint was that “someone logged on yesterday from a location somewhere in the US.” I almost never log onto that account, so how did it happen? I use a Mac, I am phishing-aware, I have the most recent updates for my browser / OS, I never enter credentials when not needed, I don’t install / download stuff I don’t “know,” I don’t have any Facebook apps installed, etc. But still, it looks as though someone managed to hack my account (which also happened early this year with my Hotmail account: it was used to send spam to friends). I mean, really, how? (Well, I have some rough ideas – I’m not totally clueless!) What bothers me is not that it happened but the awareness that it can happen, even though I don’t do unusual things with my computer and I am pretty aware about security. Now, for the really scary part… This is nothing against Facebook. It started as a small startup and grew into a very successful company with a nice product. It basically thrives on innovation, product-wise and technologically-wise, and leverages Web 2.0 capabilities to achieve that. We’re all aware of the recent security complaints against Facebook; that’s not new. But, this morning I read something that really frightened me: Facebook is planning to expand its Credits offerings by adding to its virtual currency platform and therefore plans to basically expand the points of contact between virtual money and real money 12. This is really a no-no to me because it would attract interest from cybercriminals. Think about it: a huge community platform whose information is controlled by a single company that now has the capability to serve as a money-transfer / exchange source through a high number of channels. I remember talking to a colleague a while ago and I stated something like, “It’s going to be easier for Facebook to handle their security issues [than for systems like WHOIS, for example] because it’s able to have control and make decisions about its system itself. It doesn’t rely on multiple big entities agreeing with each other and deciding what to do.” Well, I was somewhat wrong there. What scares me now in light of this news is that their innovation efforts will collide directly with their security and therefore make it (and similar sites) much more interesting targets for fraud and cybercrime. And there is no way that Facebook alone can stay ahead in the security race when it’s up against motivated cybercriminals. A coin always has two-sides. To take this one step further, yesterday I read the Organized Cybercrime blog by Deeptiman Jugessur, and I find Facebook’s plans are even more frightening if you consider the Big Picture. The core idea is that cybercrime is not a standalone entity; it is linked by nature to other types of crime and crime-related activities. For example, a potential consequence of requiring domain name registrars to enforce accreditation agreements that involve identification would be an escalation of the use of fake IDs 5. As I write this, some countries are modifying their legislation to enforce identity-related verifications when it comes to domain registration (e.g., for .ru and .cn domains) 34, so there seems to be a genuine desire to move forward. On the other hand, since cybercriminals need access to valid domain names – to host phishing sites, for example – criminals in these countries will simply join forces with another crime department. Nothing is really isolated these days, and the high volume of online interactions by nameless, faceless business-oriented entities with often conflicting goals does not align with strict and global enforcement of security. References (1) Another Payment Option is Available for Facebook Credits: Plastic Jungle’s Gift Card Exchange (2) Facebook: We Want to Integrate 200 Credits Payment Options Worldwide (3) To fight scammers, Russia cracks down on .ru domain (4) In response to new rules, GoDaddy to stop registering domain names in China, (5) The Future of Passports and Money Movement in the Underground Economy, Team Cymru, April 2010
Trackback from your site.