I think I’ve had my Facebook account compromised once over the years. That was an unrecognised login from Brazil which at the time Facebook alerted me to. This was before the days of most of their account security features…
I also got a similar warning recently, so I thought it was a good time to spend some time looking at (and enabling) more of Facebook's security features. For me, the data I transfer on Facebook isn't actually important or sensitive, so I'm pretty relaxed about the whole privacy / social media stuff. My first line of security is my head: I never post something without thinking about it. Having said that, I know that in the wrong hands, access to somebody's personal profile can be dangerous. They could exploit friends or family, or even just monitor your activity over a long period of time to build a picture of your work / life and figure out where you live, when you're away from home, whether you live alone, etc. That's all a bit far-fetched for some, but it's a remote possibility, so if you can eliminate the chance of it happening, you should. Here are my tips for locking down your Facebook.
Secure Browsing
This encrypts (via HTTPS) all data transferred between you and Facebook, making it much harder for a man-in-the-middle to intercept and make sense of the data being transferred. There's no good reason why you should have this disabled.
Login Notifications
Facebook can email or text you if it detects a login from a new device… so let’s say you’re on a friend’s computer and want to log in to your Facebook. You can do so but you’ll get an email and / or a push notification to your phone informing you that your Facebook account has been accessed from a new / unknown device. Whilst it might be a bit annoying at first (if you’ve lots of devices and move around a good bit), I think for most people, it makes sense to enable this. It gives you an instant heads up if there is a hacker attempting to access your account.
Login Approvals
This goes one step further than login notifications and actually asks you to enter a second password every time your account is accessed from an unknown browser. So if you only use Firefox or Chrome and suddenly there's a login attempt from Internet Explorer, then you can only log in using Internet Explorer if you also enter a password, which can be generated from the Facebook app (see the description of 'Code Generator' below) or sent to your phone by SMS. For an average user, it probably makes sense to enable this, as they'll usually use one or two browsers at most. If you're a developer constantly trying to test something with Facebook, then this could slow down your workflow a bit.
Code Generator
This is used to generate the password for login approvals (see above). If you enable this feature, you'll see the Code Generator link in the Facebook app. It works the same as any other two-factor authentication service: the app produces a short-lived code that only a device you hold can generate.
Trusted Contacts
This allows you to nominate 3-5 friends who can potentially give you access to your account if you've forgotten your password for some reason. If you contact these people, they each have to get a code (which will be generated for them), and when you combine the codes from all of your friends, you'll unlock your account again. It's a useful way of proving who you are without having to answer security questions that you probably can't remember the answers to. It's a bit overkill for me, and I guess it's potentially frustrating if not all of your friends are easily contactable, or have died, etc. It could get a bit messy, so I don't use this myself, as I think of it more as a novelty kind of security feature.
Recognised Devices
I have 79 recognised devices according to Facebook. Most of them are actually the same device. Back in 2011, things worked a little differently, so for a while every time I logged in to Facebook after clearing my browser cache, my device would be detected as a new device, which is why the same device (my home computer) was counted as 60 separate devices.
Active Sessions
I've 19 active sessions according to Facebook, so I should really start ending them all just to be safe. Most of them I recognise, and some of the older ones are probably legitimate, but I'll nuke them just to make sure.
In summary
If you enable all of the above features and somebody still manages to hack into your account, well, I'd just take my hat off to them rather than be angry with them, as it's almost impossible for them to log in without you knowing about it. The days of brute force attempts to crack weak passwords are over; even phishing attempts are somewhat eliminated if you were to enable all of the above. Unfortunately Twitter doesn't have the same level of security (for all users), so a strong password becomes more important there, as that's your first and last line of defence. Google has two-factor authentication and security features similar to Facebook's.