Facebook Beefs Up Security After Zuck Hack

By Tim Bradshaw, Financial Times

Facebook is to offer its users greater security when they log in, after the social network’s founder, Mark Zuckerberg, and French President Nicolas Sarkozy suffered hacking attacks.

From Wednesday, users will be able to turn on an “https” secure connection, a form of browser security usually found in online banking services and at the check-out on e-commerce sites.

The new security features will be eagerly awaited by dissidents in countries where governments have been cracking down on internet use, such as Egypt. In Tunisia before the recent revolution, the state intercepted protesters’ Facebook login details and locked them out of their accounts.

Last year, Facebook suffered a security scare when a browser add-on called “Firesheep” allowed people to capture others’ login details over unsecured WiFi networks.

Earlier this week, an unidentified hacker broke into Mr Sarkozy’s Facebook page and wrote a message, littered with spelling and grammar errors, that he planned to step down at the next election.

The French president made light of the break-in, later writing on the site: “My Facebook account has been hacked tonight, perhaps to remind me that no system is foolproof. I will take the lesson of writing and spelling, but disagree with the conclusions.”

Last night, Mr Zuckerberg, Facebook chief executive, also found he had fallen victim to a similar attack. A message that appeared on his fan page read:

“Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? What do you think? #hackercup2011.”

The apparent criticism of Facebook’s recent $1bn fundraising through Goldman Sachs was swiftly deleted, but not before being spotted by the TechCrunch blog and attracting hundreds of comments.

(UPDATE – Facebook commented: “A bug enabled status postings by unauthorized people on a handful of public Pages. The bug has been fixed.”)

Facebook said that it was introducing https connections across the site as part of international “Data Privacy Day” later this week, rather than in response to the recent attacks.

Users will have to opt into using the extra security, through their account settings.

“You should consider enabling this option if you frequently use Facebook from public internet access points found at coffee shops, airports, libraries or schools,” wrote Alex Rice, a Facebook security engineer, on the company blog.

“We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer https as a default whenever you are using Facebook sometime in the future.”

Mr Rice warned that turning on https would slow down page loading and could break third-party applications.

Facebook is also introducing a new way to distinguish between human users and automated attempts to log in, which can be used in hacking attacks.

Instead of the common “captcha” box which asks users to write the distorted letters they see in an image, Facebook users will be asked to identify a friend displayed in a selection of photos.

“Hackers halfway across the world might know your password, but they don’t know who your friends are,” Mr Rice said.