Facebook scours the web for personal information to keep hackers out
Almost three quarters of us use the same password for multiple accounts, meaning that if one set of login credentials is stolen, it can be used to access a wealth of private data.
To tackle this, and to keep Facebook accounts safe, the social network has begun scouring the web for stolen email addresses and passwords.
It then checks these credentials against those used to access the site, and if it finds a match, warns the affected user that their account is at risk.
Facebook has created an automated service that monitors sites for stolen credentials. It checks credentials to see if they match those being used on Facebook, and the site assured users the process is automated, meaning it doesn't know or store a user's actual Facebook password.
'The Facebook Security team has always kept a close eye on data breach announcements from other organisations,' said the social network's security engineer, Chris Long.
In a blog post, he explained: 'Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites.
'Unfortunately, it's common for attackers to publicly post the email addresses and passwords they steal on public 'paste' sites.
'Our team wanted to do something to improve this situation, so we built a system dedicated to further securing people's Facebook accounts by actively looking for these public postings, analysing them, and then notifying people when we discover that their credentials have shown up elsewhere on the Internet.'
To do this, the site created an automated service that monitors different 'paste' sites for stolen credentials, and watches for reports of large scale data breaches.
It collects the stolen credentials that have been publicly posted and checks whether each stolen email and password combination matches the email and password being used on Facebook.
If it finds a match, Facebook notifies the affected user the next time they log in, and guides them through a process to change their password. An example message is pictured.
To protect users, Facebook offers Login Approvals (pictured), which adds an extra layer of security to an account. When enabled, users must enter a code from their phone when logging in from a new browser.
Mr Long assured users that because this is an automated process, the site doesn't know or store a user's actual Facebook password.
Instead, to check for matches, it takes the email address and password and runs them through the same secure code used to check a password each time a member logs in.
If it finds a match, Facebook notifies the affected user the next time they log in.
It also guides them through a process to change their password.
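A sketch of the matching step described above, added here as an illustration and not Facebook's code: each leaked pair is run through the same verification routine as a normal login, so the check needs only the stored salt and hash, and a match sets a reset flag for the next login. The PBKDF2 hashing, the `email:password` dump format, the store layout and every name are assumptions; the accounts and paste text are constructed samples.

```python
import hashlib, hmac, os

def hash_password(password, salt):
    # PBKDF2 is an assumption for this sketch; the article does not name the real scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(store, email, password):
    """The ordinary login check: re-derive the hash and compare in constant time."""
    rec = store.get(email.strip().lower())
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])

def parse_paste(text):
    """Yield (email, password) pairs from 'email:password' lines, skipping junk lines."""
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            yield email, password

def flag_exposed(store, paste_text):
    """Flag accounts whose current password appears in the dump."""
    exposed = set()
    for email, password in parse_paste(paste_text):
        if verify_login(store, email, password):
            key = email.strip().lower()
            store[key]["must_reset"] = True  # user is prompted at next login
            exposed.add(key)
    return exposed  # only account ids are kept; the leaked plaintext is not stored

def make_store(accounts):
    """Build a hypothetical account table holding salted hashes, never plaintext."""
    store = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = {"salt": salt, "hash": hash_password(pw, salt), "must_reset": False}
    return store

# Constructed sample data: two accounts and a small public dump.
STORE = make_store({"alice@example.com": "correct horse", "bob@example.com": "S3parate!"})
PASTE = """alice@example.com:correct horse
bob@example.com:hunter2
carol@example.com:letmein
garbage line without separator
ALICE@example.com:wrong
"""

if __name__ == "__main__":
    print(sorted(flag_exposed(STORE, PASTE)))
```

Only the account whose leaked password still verifies is flagged; a reused address with a different password, an unknown address and a malformed line are all ignored.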
'This system has worked very well for us in the past,' continued Mr Long.
'But we recognise that preventing stolen credentials is also important.
'The risks are also clear: if you use the same password on lots of websites, an attacker only has to get your password once to be able to access all of those accounts.'
To protect users, Facebook offers Login Approvals, which adds an extra layer of security to an account.
When enabled, users must enter a security code from their phone when logging in from a new browser.