Facebook is launching a new security measure that is clearly a response to the recent threats caused by numerous rogue applications that have spread virally across the social network. According to news from the Facebook Developers blog, all application developers must now verify their Facebook account by either confirming a mobile phone number or adding a credit card to their account.
The new procedure aims to cut down on the number of rogue applications created by hackers and spammers by tying every developer account to a piece of personally identifiable information that can be checked and, if necessary, traced. Unfortunately, say multiple security researchers, verification alone is not enough to stop these malicious apps: it raises the cost of registering a developer account, but it says nothing about what the application itself does once it is live.
Rogue Apps on Facebook
Last week, we began to wonder if Facebook needed to implement its own anti-malware service after an especially busy weekend in which thousands of user accounts were compromised by rogue applications promising tantalizing videos to anyone willing to click through. Not surprisingly, many did just that, and ended up on an off-site Web page where malware was installed on their PCs.
On May 15, security firm AVG reported that its anti-malware service had blocked more than 30,000 rogue Facebook applications, a number so large that the company’s chief research officer, Roger Thompson, called it “stunning.”
But will the new verification measures actually make dangerous applications a thing of the past? Probably not. Adept spammers will quickly figure out how to satisfy the checks with stolen credit cards or disposable, pay-as-you-go mobile phones, neither of which ties the account to the real operator.
Security Researchers’ Response: It’s Not Enough
We asked several security researchers what they thought about the new procedures and none believed the new program was anywhere near strong enough to thwart the onslaught of rogue apps on Facebook.
According to security expert Graham Cluley of Sophos, cybercriminals will not find the measures difficult to bypass at all, and will likely use stolen credit cards and pay-as-you-go throwaway mobile phone numbers to get their apps verified. He encourages Facebook to go further than the new measures. “As these applications are being made available to an estimated 500 million users, Facebook would be doing its users a real service if they put in place stronger controls over application developers,” Cluley says. “After all, what legitimate application developer is going to complain?”
Rik Ferguson, senior security advisor at Trend Micro, calls the new program a small step in the right direction, but also feels better application approval methods are in order. “Facebook will find themselves playing the same old game of whack-a-mole unless they institute some form of application approvals process as is already the case on competitor networks,” he warns, reiterating that neither of the new measures is enough to stop real criminals.
Security evangelist Ryan Naraine of Kaspersky agrees, saying the only way Facebook can really fix things is to “implement some form of code signing or code inspections when the app is submitted.” However, Naraine admits the new program is at least “a step in the right direction.”