If you happen to be the unfortunate victim of someone breaking into your home (and I pray that you never are), the first recourse is pretty much the same around the world – you would put a call in to your local emergency services, i.e. 911 (or 000 as it is over here in Australia).
This would (hopefully) guarantee a member of the local constabulary at your house quick smart to sort out the bad guys. The process is ubiquitous and well known to everyone, right down to your kids, and the beauty is that it can even be kicked off by a third party, for example, your neighbours, if they spot any illegal goings on at your property while you are not there.
But what happens if your property happens to be in the Cloud, and what happens if your property is not your house, but rather your carefully manicured social profile? What is your recourse to action if the bad guys get in there and start creating havoc?
Such a thing happened to my good friend Mark recently. Now, Mark is not your usual run-of-the-mill internet user. He is a former-lawyer-turned-internet-book-author and actually does consulting gigs for web companies, so he knows what he is doing online and is savvy about privacy and security.
As most web consultants do, Mark has built up a strong profile online via the usual services such as LinkedIn, Facebook, Twitter etc.
So it was a surprise to many of Mark’s friends last week when they started receiving messages from his Facebook account saying that he was in dire trouble in London and needed some cash transferred to him immediately.
Fortunately, one of his friends actually called Mark on his mobile, and found out that he was quite safe and happy in his Sydney pad, and not as it turns out, bereft of his cards and passport on the other side of the world.
Upon immediately trying to log into his Facebook account, Mark found that his password had been changed. When he tried to recover his password, he found that his email address had also been changed, making the task impossible.
Here’s where this post becomes relevant to CloudAve (and thanks for your patience in staying with me thus far).
During Mark’s efforts to regain control of his account, it became clear that Facebook had no clear cut way of handling this particular scenario. Their site does not list any contact information for their administrative offices. No phone numbers, no emails, nothing.
In desperation, Mark posted his dilemma on the Risks Digest newsgroup that he is a member of, and managed to get the email address of Chris Kelly, the privacy manager for Facebook.
To his credit, Mr. Kelly jumped onto the situation quick time, and restored Mark’s account to him. But he was still left without control of his account for approximately 48 hours. Since then Mark has been besieged by over a dozen other people who have had their FB accounts hacked as well, and haven’t had a solution from Facebook as yet.
My main concern here is that with the new promotion of Facebook Connect being your “single sign-on” to a host of other cloud platforms, this could have been a lot worse! What if you used Facebook Connect to sign on to an online accounting system, or your blog? Once the bad guys crack your Facebook password, they can wreak mayhem and destruction on your entire online (and offline) world.
Surely Facebook is capable of tracking the logins to their service, and if the login (a) comes from an IP that is outside the immediate geographic region from the last login and (b) the user immediately changes his/her password and (c) the user ALSO changes their usual email address, then that should send up a red flag that something untoward is going on.
At the very least, a notification should be sent to the account owner on the old email address, and the account could be put into a state of suspension pending confirmation. That is standard operating procedure for a lot of other sites.
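The red-flag heuristic described in the two paragraphs above, written out as an added example (not the original post's code, and not how Facebook actually works). The event records, the `REGION_OF_IP` lookup standing in for a real geolocation service, and the 30-minute window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical region lookup in place of a real IP geolocation service
# (constructed values, not real address assignments).
REGION_OF_IP = {"203.0.113.5": "AU-Sydney", "198.51.100.9": "GB-London"}
WINDOW = timedelta(minutes=30)  # how soon after a login a change counts as "immediate"

@dataclass
class Event:
    kind: str            # "login", "password_change" or "email_change"
    ts: datetime
    ip: str = ""         # set on login events
    old_email: str = ""  # set on email_change events

def assess(events, account_email):
    """Apply the post's conditions (a), (b), (c) to one account's event log.

    Returns (conditions_met, actions). All three conditions together mean
    notify the OLD address and suspend pending confirmation; (a) plus one of
    the changes is still worth a notification to the last known address.
    """
    conditions, notify_address = set(), account_email
    last_region = suspicious_login = None
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "login":
            region = REGION_OF_IP.get(e.ip, "unknown")
            if last_region is not None and region != last_region:
                conditions.add("a")          # (a) login from outside the usual region
                suspicious_login = e.ts
            last_region = region
        elif suspicious_login and e.ts - suspicious_login <= WINDOW:
            if e.kind == "password_change":
                conditions.add("b")          # (b) password changed right after that login
            elif e.kind == "email_change":
                conditions.add("c")          # (c) contact email changed as well
                notify_address = e.old_email  # the owner still reads the old address
    if {"a", "b", "c"} <= conditions:
        return conditions, [f"notify:{notify_address}", "suspend_pending_confirmation"]
    if "a" in conditions and conditions & {"b", "c"}:
        return conditions, [f"notify:{notify_address}"]
    return conditions, []

T0 = datetime(2009, 1, 20, 9, 0)
TAKEOVER = [  # constructed timeline modelled on the incident in the post
    Event("login", T0, ip="203.0.113.5"),
    Event("login", T0 + timedelta(hours=6), ip="198.51.100.9"),
    Event("password_change", T0 + timedelta(hours=6, minutes=2)),
    Event("email_change", T0 + timedelta(hours=6, minutes=5), old_email="mark@example.com"),
]
BENIGN = [  # owner changes password from the usual region: nothing fires
    Event("login", T0, ip="203.0.113.5"),
    Event("login", T0 + timedelta(days=1), ip="203.0.113.5"),
    Event("password_change", T0 + timedelta(days=1, minutes=1)),
]
```

Running `assess(TAKEOVER, "mark@example.com")` returns all three conditions with a notification to the old address plus suspension, while the benign timeline returns no conditions and no actions.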
It is of concern that Facebook, and indeed most other online services, do not make it easy for either the account owner or related third parties to report, or otherwise restrict, illegal activities.
I personally have detected at least one attempt to scam money from me on eBay, which I reported immediately via eBay’s standard process posted on their website, but I never heard back from anyone at eBay, and I believe the scammer’s account is still active there.
With trust in online services already low amongst the masses, I really think that the time has come for us to ratify a standard method of reporting and handling security breaches online.
I am not advocating immediate shutting down and deletion of suspect accounts. I am leaning towards a suggestion by Robert Scoble (http://scobleizer.com/2009/01/24/facebook-kicks-off-ifart-author-for-having-too-many-friends/) that suspect accounts be put into a “jail” status, whereby the account is still active, but people interacting with it or visiting it are alerted that the account is in “jail” pending further investigation.
This still allows for flexibility whereby accounts that sound suspect whilst still staying within legitimate grounds do not inadvertently get the plug pulled, whilst definite illegal activity is still “red flagged” and anyone on the receiving end is kept on alert.
What do you think? With the proliferation of OpenID and Facebook Connect, should more protection be offered within the Cloud? Should there be a central policing authority that handles suspected breaches? What would be the best way to handle accounts that seem ‘hot’?
Update: Upon preliminary investigation, it looks like there is a pattern emerging and that users who share the same email/password on Twitter & Facebook have been affected. It looks like someone has a list of Twitter login info, and is using that information to hack into Facebook (and possibly other services). No official confirmation or denial on this as yet – this is purely speculation, but somehow we’re not entirely surprised…
(Guest post by Devan Sabaratnam)