School of Phish: Why Facebook Connect is a bad lesson.

In How-to, Tech Consulting by Steve WilkinsonLeave a Comment

For years, I’ve been counseling people to be careful about falling for phishing attempts while on the Internet (or, really in any social situation). Phishing is when some nefarious character masquerades as a trusted entity and attempts to extract information from you. For example, you might get redirected to a website that looks exactly like a site you want to login to, but when you do, you’re really passing that information to the criminal, as the site is a fake. (1)Note: This can get much more complex than this, with URL spoofing or redirection to a legitimate site, but with an overlaid ‘pop-up’ which requests information, etc. But it doesn’t have to be on the Internet. For example, you get a phone call from your bank saying there is a problem with your account and they need to verify you are their customer (but it isn’t really the bank calling… and please don’t trust the caller ID!).

No matter how legitimate these attempts may seem, you are putting yourself in danger. I’ve always told people that if they feel it was legitimate, to go directly to that trusted source, on their own, and check. So, don’t follow a link to a site you need to log into; enter the URL (or use a bookmark you created) to get there, and log in. If this message was legitimate, it should be available for you. Likewise, call your bank directly at the public phone number you find on their marketing material and inquire about the problem. (2)And if that was actually a legitimate call you received, and they asked for account information, talk to the highest level person you can and COMPLAIN, COMPLAIN, COMPLAIN!

Recently, it seems all this hard work in training people not to become identity theft victims has been derailed by single sign-on systems like Facebook’s popular Facebook Connect. (Others as well, like Twitter, WordPress, Yahoo, etc.) This has been around for some time, but recently (the last month or two), it is appearing just about everywhere. News sites and blogs I’ve been following (and commenting on) for years suddenly are asking for my Facebook credentials. Worse yet, many have replaced other methods of logging in with one or more of these systems as the ONLY login method.

For the naive (or lazy) user, this seems like bliss. All you now have to do is remember your Facebook user name and password and you are good to go all over the Net. The IT tech (who has often had to worry about security) – as well as amateur social engineer – in me screams, “Danger! Danger!” (3)The conspiracy theorist in me is also quite concerned about Facebook having all this additional information about everywhere I comment on things around the Internet! Is it really a good idea to be training people to enter their Facebook credentials into dialog boxes that popup on sites that aren’t Facebook? Doesn’t this play right into the hands of the phishers? I certainly think so.

Oh sure, there are some ways to be reasonably sure (4)But not necessarily certain it is actually Facebook you are giving this data to if you are a bit tech savvy and paying close attention. However, even for the tech savvy, the paying close attention part is often neglected, especially as we become more socially trained in this manner. The public, it seems, is already quite confused about how these systems work. The dangers are also more than just phishing if you use public or shared computers.

What can you do to protect yourself? First, I’d say to avoid these single sign-on services when possible. It’s actually a good thing to have a unique account and (strong) password for different sites and purposes. Use a good password manager (I like PasswordWallet). Second, check the URL of any kind of popup or login window you are using. Be careful of misspelled URLs or tricky attempts ex: (notice in this example, facebook is just a sub-site of Third, at least with Facebook’s system, if you are already logged into Facebook to begin with, you should only get an ‘authorize’ message, and not have to login separately. (5)Ultimately, I don’t really like this ‘authorizing’ access to Facebook either.

I don’t want to place the blame solely on Facebook. As I mentioned above, there are many others involved in promoting this type of login. WordPress, for example, has a fairly horrible system in this regard which doesn’t seem to allow you to log directly in without AGAIN logging into another site to comment. This means you either submit to possible abuse or don’t comment. That said, I think Facebook is going to be the largest popularizer of this trend – and given their history of playing fast and loose with user’s privacy (and arguably security) – they are likely to be the most dangerous player in the game.

Update: Saturday, September 3, 2016

Aside from the above advice to login directly to whatever social network you need to use to leave a comment on a 3rd party site (i.e.: login to Facebook, then load or refresh the page, and you should be already authenticated), a comment system that has become quite popular is Disqus (pronounced like the word discuss).

The advantage of Disqus is that you can leave comments across many types of blog and news systems with one universal account. But, it is an account with the sole purpose of leaving a comment. This means that if someone does happen to break into your account through a phishing attempt, they won’t be able to hijack one of your social media accounts. (And, it’s quite good at remembering your login, so you don’t have a browser window open and logged into Disqus to be recognized by other blogs you visit.)

Once you’ve logged in, you should be able to just leave a comment at any blog supporting it. And, best of all, it has a great notification system when you get a reply, which puts you right back to the proper spot to continue the conversation (this is something almost no other system does well).

Typically, I’ve preferred to setup an account on each individual news site (it’s a bit more of a pain with individual blogs), but seeing that WordPress has a pretty poor commenting system, I’d certainly recommend Disqus to any blog owner, and really enjoy using it to keep in the conversation loop. In fact, we’ll be switching this blog to Disqus soon.

Image credit: phishing by Richzendy