Facebook one-time password feature a risk

A new Facebook feature that claims to give users an additional method to keep their account secure  could actually lead to more security issues, security outlet Sophos has warned.

The one-time password feature, launched yesterday, is supposed to keep users safer when they are accessing the site on computers in public places such as hotels, cafes or airports. It works by giving users the opportunity to request to receive a temporary password by SMS message – which expires after 20 minutes.

However, Graham Cluley, senior technology consultant at Sophos, warns that Facebook’s one-time password feature could in fact result in further security concerns.

He said: “If you believe a computer might not be secure in the first place, why would you use it to access personal accounts such as Facebook?

“A temporary password may stop keylogging spyware giving cybercriminals a permanent backdoor into your account, but it doesn’t stop malware from spying on your activities online and seeing what’s happening on your screen.”

He also pointed out the dangers if someone gained access to the mobile phone containing the SMS with the code.

“If someone else can gain access to your phone and send a text message, your Facebook account will be unlocked.”

He recommended that users never visit websites like Facebook from computers that may not be running adequate anti-virus software or security patches.  

“If you don’t trust the PC, don’t use it to access Facebook – even if you do have a temporary password,” he said.

“Instead, wait until you have access to a trusted PC, rather than risking sharing your personal information with unknown others.  There’s a real danger that the one-time-password system will be viewed as a green light by Facebook users to access their accounts from unsafe PCs.”