Facebook takes a nice ‘first step’ to prevent government-sponsored attacks


When you log into Facebook, you could see a message warning you that a government-backed entity of some sort is trying to get into your account.


This isn’t the site’s first attempt to use its gatekeeping power to address security concerns. Facebook detects malware on your computer and if it finds any, you’re directed to one of several free online scanners — including our free online scanner — to clean your PC before you can log in.

What’s new about this warning is that it suggests a culprit — a government, which could possibly even be your government. It’s remarkable how accepted the idea is that state-backed organizations are carrying out cyber attacks so regularly that there’s a Facebook prompt specifically dedicated to the threat. But it’s indicative of the times we live in.

F-Secure Labs has warned about cyber threats from state-backed actors for years.

“We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” Facebook’s Chief Security Officer Alex Stamos explained in a post announcing the new prompt.

Our Security Advisor Sean Sullivan calls the feature a “good first step.”


“Facebook is widely used among human rights advocates and attorneys,” he told TrustedReviews. “When advocates report being targeted, I suspect that Facebook’s security team is readily able to cross-reference IP addresses which interact with and target various accounts. And so Facebook is then able to draw connections between people that might benefit from such notifications.”

Some in the media have raised alarm about the feature.

Russia Today — an English-language media outlet sponsored by the Russian government — framed the feature as an attempt to get your phone number. The article features several references to the NSA, alluding to the revelations former contractor Edward Snowden began releasing in 2013. (This is ironic given F-Secure Labs’ recent report on The Dukes, which makes the case that the Russian government is involved with or abetting cyber attacks of its own that extend beyond surveillance into actual espionage.)

So does Facebook just want your phone number?


“The feature doesn’t require a phone number,” Sean told me. “If you have an Android phone, iPhone, or an iPod touch – you can simply use the Facebook app to generate the approval codes.”


The suspicions being raised by non-state-sponsored media could be tied to Facebook’s constant efforts to get you to offer it your mobile phone number to activate security features.

Our Chief Research Officer Mikko Hypponen often points out that by pairing your profile with your phone number, websites can unlock a treasure trove of demographic data about you that makes you even more valuable to sell to advertisers. We cannot say for sure that Facebook does this. If you have a spare day or two, you can read through Facebook’s Terms and Policies to find out.

“Both Facebook and Twitter (and other sites) often ask me for my phone number for the sake of ‘security,'” Sean told me. “And while yes, it does offer some security enhancements, in the name of transparency, I wish they also mentioned the other uses.”

Be aware that if you want to use two-factor authentication to secure your account but don’t want to give the site your number, you do have options.

It’s good to be suspicious about sharing your phone number, but it’s also smart to be doubly suspicious when privacy concerns are being stoked by an arm of the Russian government.

In the past few years, Facebook — which used to be constantly ridiculed for its privacy and security concerns — has really stepped up its game in simplifying its privacy settings, preventing spam and controlling the spread of bad links. This is another promising step from a security team that seems eager to both protect its users and to make us all aware of the growing threat of state-backed attacks.

