Are you a Facebook users? Because if you are, you have likely noticed a significant number of changes to the platform during recent months. The user interface has had a massive overhaul. The way you interact in groups has changed, with tagging of posts and "featured" posts now available. Facebook has become heavily intertwined with other social media sites, like Instagram (both platforms owned by Meta). Public pages are now being treated as though they were profiles of their own. And the list goes on.
All of these changes are things that you can see; they're on the surface. But it's the stuff that's under the hood that can open up our accounts to external attacks if we're not careful.
Today, I'm going to highlight some of the security features hiding in the backend of the site (the parts that we don't often dive into) and show you some of the things that you might want to do to protect your accounts.
General Internet Security
In general, internet security falls into one of three categories: site settings, personal security practices, and the things we post.
Personal security practices includes things link the number of emails we might have to manage this mess, how we manage our passwords, our browser choices, that kind of thing. Using a virus checker with an internet security firewall component on your computer is part of that. They are all things that are in our control to an extent. And many of us have picked up the message that we need to do something about it.
I will write an updated posts on my recommendations on this front, but if you want to get some insight into my recommendations, just check out the range of posts on this site in the We Let Them In series or over on the Black Wolf Editor's Blog under the Hidden Traps series.
Anything that falls into the category of the things we post can also be affectionately classified as "user is an idiot". The number of times I've seen friends and family post things like new cars with their license plate number or share photos of post with their postal address, or my personal favorite hidden trap... used the GPS tracking features and posted about their holiday while away... Don't get my wrong, I love seeing those photos, but your contents insurance may be null-and-void because of those posts. (And I'm adding that subject to the list for another future post.)
But it's the site settings that seem to catch us out every time—because most hacking of accounts is a result of the site settings used.
So, let's dive into the nature of the current site settings on Facebook.
Please note that this post applies to the site settings as they were in October/November 2022. Some of these settings will still be around whenever it is you are reading this post, but some settings will have no doubt changed.
The Hidden Security Setting
Let's start with the one setting that is hidden from view that is directly connected to whether others are allowed to download your private contact details or not. It's a setting that mysteriously appeared on the scene in 2018 during the Zuckerberg congressional hearings.
Just as the hearings had started, there was a massive security breach that was discovered related to "downloading your account information". If you went to download your account, you were getting ALL of the contact information from others, including those who don't use the platform.
There were two mechanisms at play here. First, users of Facebook were syncing their contacts on their phones to Facebook. It's a default setting when you install the app, and you have to tell it NOT to do it. But if you had done it by mistake, there were ways to clean it out. I talked you through the steps of doing this over in this post here. It's an old post, but the steps still apply. (And I have done what I can to update that post to reflect the current interfaces.)
But there was another security setting that randomly appeared one day that wasn't there when the hearing started. Facebook will say that it did exist, but I was watching those security settings like a hawk back then, because every day some new setting would show up. I swear that the developers were doing this so dear sweet Zuck could honestly testify that the settings to do certain things were present on the site—never mind that they had only been added the day before… but I digress.
The setting in question is NOT under Security and login where you would think it would be. Nope, it's under Account settings.
Open up your Settings for Facebook and select Account settings. Ensure that you are on the General tab. Then select the Edit button next to your contact email address. And right there is a special little security setting that when turned on will "allow friends to include [your] email address in Download your information." And guess what, peeps… It's turned ON by default.
Go to your Account settings and select the Edit next to your email address. An extra toggle security setting will be revealed.
Go turn it off NOW! No one needs to have access to your email address unless you specifically give it to them. And if you are like me, you have a significant number of "friends" that you have never met and don't know from a bar of soap. That is just one of the many ways hackers are getting into accounts. Once they have your email address, they are one step closer to getting in.
The security risks hidden in Security and login
There are a few wonderful security risks hiding under the Security and login settings too. And all of them are easy to fix.
Under Apps and websites, you will find a list of various websites and apps that you have granted access to your Facebook account over the years. I go in and clean it out on a regular basis, but even I find things that shouldn't be there when I do my systems checks. The last time I cleaned this out—as I was writing this post—I found app connections that had been sitting there that showed connections dating back to 2014, and I thought they had been deleted long ago, but nope… (Persistent little buggers!)
Under the Business integrations tab, ensure that you check the apps there too. Somehow Twitter had been connected to my Facebook, and again, I thought I had severed those connections years ago. (I still have Twitter and I do use it, but I don't like my Twitter talking to Facebook.)
But under the Security and login sub-menu is a whole bunch of potential security risks.
Check logged in devices.
Do you have any devices sitting in that list that you no longer use? I did. Zap to the iPad connection.
Password: How old is it?
Have you changed your Facebook password in recent times? How often do you change your passwords?
Look, peeps, I get it. I'm just as guilty here. It's such a pain in the ass to change passwords all the time. But sometimes, you just need to suck it up and do it!
Two-factor authentication (2FA)
Use it! Simple as that. The number of hacking attempts that could have been averted by a simple additional login step… Just use it!
And if you are avoiding using 2FA because you fear the need of having to put in a code every time you log in… Let me put those fears to rest right now.
If you use the Save your login information setting, then you only need to use the 2FA codes whenever you log on to a new device… or clear your cookies on your browser… or tell Facebook to log out of all devices and have to log back in again… or change your password…
Basically, the 2FA prevents anyone from logging into your account without your knowledge. So bloody well use the thing!
And if it's not already turned on, turn ON the Get alerts about unrecognised logins setting. You want an email or some other alert whenever someone is hacking in.
Take the steps to protect your personal accounts!
Security risks hiding under Privacy
Time to head on over to the Privacy tab under your account settings. We have a range of settings here to play with, and this is all connected to who can see your posts and who can contact you… and how they can find you.
Go through each of the sub-menus one by one and ensure that you are happy with the settings. But the ones that I would flip off would be as follows:
On the Privacy sub-menu:
- Who can see your friends lists? Only me
- Who can look you up using the email address you provided? Only me
- Who can look you up using the phone number you provided? Only me
- Do you want search engines outside Facebook to link to your profile? No
I don't care how "trustworthy" your friends are, it is no one's business except yours who it is you chose to associate with online. And do you really want random strangers who just happen to have your email or phone number finding you on Facebook?
As for the search engine things… This setting only impacts private profiles, not public pages. Your public pages will still be indexed in a Google search. And with all the recent changes that Facebook brought in with regards to pages… Trust me, you want Google to index your page, not your profile.
All of the other settings found under Settings::Privacy come down to personal preferences. As long as you're comfortable with the settings, then you're all good.
"Trusted Friends" has disappeared
Once upon a time, we could nominate "trusted friends" who could help us get back into our accounts if we were ever locked out. Umm… yeah… That feature is no longer supported. I have no idea what happened to the information that was stored in those settings, because they have vanished into the internet ether.
I haven't noted any other settings disappearing or suddenly appearing, but I have noticed that the settings for Facebook pages have all MOVED and changed around. I'm still getting my head around those changes. So… I guess I'll be putting together a post on how I would recommend that you manage your Facebook pages under the new system—after I figure it out myself. (That particular post will likely go over on the Black Wolf Editor's Blog, because Pages is something that writers and other public figures use. It's not something that your typical Facebook user uses.)
But for the moment, you have homework to do. Go log in to your Facebook accounts and go through your account settings. Lock down those private accounts!