Facebook Users: Raise Your Mallets
Rik Ferguson, 10/06/2010, posted in "Analysis"
As Solutions Architect for Trend Micro, Rik Ferguson interacts with CIOs from a wide variety of blue chip enterprises, government institutions and law enforcement organizations. Recognized as an industry thought leader and analyst, Rik is regularly quoted by the press on issues surrounding Information Security, Cybercrime and technology futures. With over fifteen years' experience in the IT industry with companies such as EDS, McAfee and Xerox, Rik's broad experience gives him a clear insight into the challenges and issues facing businesses today.
Niket Biswas posted an entry in the Facebook Developers blog yesterday entitled “Confirming Developer Accounts”. It seems that they are asking application developers to attach either a mobile telephone number or a credit card to their Facebook account. The telephone number is verified by way of a validation code sent by SMS. The credit card number is not verified in any two-way fashion; in fact, Facebook explicitly state that they do not even make a token charge to the card. In their own words:
“We’re taking this step to preserve the integrity of Facebook Platform, ensuring that every application is associated with a valid and real Facebook account.”
There are a couple of glaring problems with this… Firstly, what guarantees are there that any Facebook account is “valid and real” in the first place? Secondly, proving access to a credit card or mobile phone is a whole different thing to proving ownership. So if criminals or scammers, who we must assume have ready access to disposable mobile numbers and/or stolen credit cards, attach some of these bogus credentials to an already bogus account, where does that leave us?
Well, with the proposed “Confirmed Developer Accounts”, it leaves us with a fake “confirmed” profile whose owner is once again free to post any application content they choose, and it leaves Facebook incident handlers continuing to play Whac-a-Mole with the scammers.
If Facebook really want to turn around the security situation when it comes to malicious or (being charitable) rogue content, then the only effective option open to them is an application approval process such as the ones already in place over on MySpace or on the Apple App Store.
The effort that Facebook incident handlers currently put into tracking down and suspending the ever-increasing volume of rogue apps would surely be better channeled into stopping them from appearing in the first place. This is something I first suggested back in February 2009, when two rogue apps in a week was considered shocking (how times change). At the time Mr Zuckerberg was very quick to dismiss my proposal, but with these first steps perhaps we can live in hope.