This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

Assessing Facebook’s Vulnerabilities and Recommendations


The digital evolution exemplifies a systemic dynamic that presents significant risks across all societal domains. The transformations in information and communication technology (ICT) provide new opportunities to enhance social interaction and business transactions. Big companies, such as Google, Twitter, Amazon, and Alibaba, have adopted big data technology, which is centered on machine learning and artificial intelligence (AI). According to Wang, White, and Chen (2015), big data technology is based on three core concepts of velocity, volume, and veracity. The interaction of the three elements allows for conveying and storing multi-dimensional information.

Security vulnerabilities are among the main challenges associated with ICT technologies. As noted by Scholz, Czichos, Parycek, and Lampoltshammer (2019), organizations are currently concerned with maintaining their customers’ data privacy. A critical requirement of ICT-based organizations is to establish risk management strategies to avert the vulnerabilities. Notably, these strategies acknowledge the importance of technological advancements and policies to ensure that the company’s culture and structure address the vulnerability challenge. The social media industry is vast and among the sectors most affected by vulnerabilities.

This paper examines three vulnerabilities in Facebook’s data security policies. It also recommends three improvement strategies for data security policies. Other aspects included in the research are risk analysis, recovery plan, and organizational impacts.


Vulnerabilities in Facebook’s Policies

Facebook builds services and technologies to foster connection among people and communities. The social media platform also assists businesses to grow. To ensure safety and quality of services, Facebook is guided by terms of service and several policies such as data, privacy, information security, user data access, contract, whistleblower, and harassment. However, vulnerabilities still exist in the policies, and they are examined in this section.

Vulnerability in User’s Data Access Policy: Account Authentication

Facebook’s user’s data access policy is concerned with restricting access to sensitive information without authorization. The organization recognizes the importance of securing users’ information. Dimensions in this policy include keeping passwords secure and authentication process (Isaak & Hanna, 2018). To authenticate one’s account, Facebook requires the user to enter the correct password and answer security questions during account recovery. Facebook masks people’s passwords to hide their visibility.

The main vulnerability in Facebook’s user data access policy is the authentication process. According to Isaak and Hanna (2018), Facebook’s failure to secure the authentication of millions of accounts resulted in their illegal access during the Cambridge Analytica scandal. Although the organization has implemented profound interventions such as multiple-step verification, there are still challenges, especially in accessing the account from different devices. After the 2018 incident, where 50 million accounts were exposed, Facebook logged out millions of others due to their vulnerability (Matsakis & Lapowsky, 2018).

The use of SMS on Facebook is a second verification approach to account ownership besides the password. The verification strategy is vital for users accessing their accounts using multiple systems such as computers and mobile phones. According to Cool et al. (2015), SMS verification is simple to use, where a code is sent to the user’s phone assigned for verification. Facebook requests confirmation before allowing the user access to the account.

In 2013, Facebook rewarded Jack Whitten with $20,000 for identifying a flaw related to SMS verification (Fokes & Li, 2014). The vulnerability entailed the hacker having the ability to modify the data in the user’s profile identification field. The hacker could link with the individual’s account, and rather than the SMS verification being sent to the user, it would go to the attacker. At this point, it would be easy to reset the password so that the account belongs to the hacker.
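The flaw described above comes down to a server trusting an account identifier that the client can edit. The following is an added example, not Facebook’s code or code from the cited sources: a small in-memory model that places the flawed confirmation step beside a corrected one. The class, method, and field names, the account names, and the phone numbers are all hypothetical and constructed for illustration.

```python
import secrets


class PhoneLinkService:
    """Toy in-memory model of linking a phone to an account; all names are hypothetical."""

    def __init__(self):
        self.sessions = {}      # session token -> profile id of the logged-in user
        self.pending = {}       # one-time code -> phone number that received it
        self.linked_phone = {}  # profile id -> phone used for recovery SMS

    def login(self, profile_id):
        token = secrets.token_hex(16)
        self.sessions[token] = profile_id
        return token

    def request_code(self, phone):
        """Issue a one-time code for `phone` (returned here instead of sent by SMS)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = phone
        return code

    def confirm_vulnerable(self, token, form):
        """Flawed: the target account is taken from a client-editable form field."""
        if token not in self.sessions:
            raise PermissionError("not logged in")
        phone = self.pending.pop(form["code"])
        self.linked_phone[form["profile_id"]] = phone

    def confirm_hardened(self, token, form):
        """Fixed: the target account is the session owner; the field is only cross-checked."""
        owner = self.sessions.get(token)
        if owner is None:
            raise PermissionError("not logged in")
        if form.get("profile_id", owner) != owner:
            raise PermissionError("profile_id does not match the authenticated session")
        phone = self.pending.pop(form["code"], None)
        if phone is None:
            raise PermissionError("unknown or already used code")
        self.linked_phone[owner] = phone

    def recovery_destination(self, profile_id):
        """Phone number a password-reset SMS for this account would be sent to."""
        return self.linked_phone.get(profile_id)


def run_scenario(confirm_name):
    """Replay one tampered confirmation against the chosen handler."""
    svc = PhoneLinkService()
    svc.linked_phone["alice"] = "+15550100"        # constructed sample data
    token = svc.login("mallory")                   # requester is logged in as themselves
    code = svc.request_code("+15550199")           # code arrives on the requester's own phone
    form = {"code": code, "profile_id": "alice"}   # edited field names another account
    try:
        getattr(svc, confirm_name)(token, form)
        outcome = "accepted"
    except PermissionError:
        outcome = "rejected"
    return outcome, svc.recovery_destination("alice")


if __name__ == "__main__":
    for name in ("confirm_vulnerable", "confirm_hardened"):
        print(name, run_scenario(name))
```

The corrected handler never reads the account to modify from the request; it takes it from the authenticated session and treats a mismatching field as a signal worth logging.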

Vulnerability in Data Policy: Information Disclosure to Marketers and Third Parties

Facebook’s data policy entails the information processed by the organization to support its features and products such as Messenger and Instagram. The organization is required to access and use information about the user before providing these products (Facebook, 2019a). The company gathers communications, content, and other data provided by the individual during the signing and sharing activities. Facebook also collects data about pages, people, accounts, and groups the user accesses.

The vulnerability in the data policy is centered on how the organization uses the collected information. As described in the data policy, Facebook uses the gathered information to personalize and enhance its products, measure other business services, and innovate for social good. The collected information is shared with other organizations, including marketers and third-party integrations (Facebook, 2019a). Sharing the users’ information with third parties exposes the accounts to hackers, especially for malicious third-party organizations.

There is a profound relationship between Facebook and other organizations such as Apple and Samsung. These firms have several groups, which individuals can access and join. Interested individuals demonstrate their interest in the brand, and Facebook’s data policy allows the companies to access the users’ information for realistic activities (Tso & Parikh, 2018). In data mining, the marketers have access to user’s information for sentiment analysis. The sharing of information presents an opportunity for attackers to access one’s data.

The marketing strategy of using Facebook involves establishing links to the organization and demographic targeting. Among the marketing strategies are hosting contests on the social media platform. The use of third-party applications for these activities presents a loophole for attackers who may be using fake accounts. According to Watson (2019), users linking to these accounts expose their data to hackers.

Vulnerability in Facebook’s Platform Policy: Puppets Nets and Sybil Attacks

Facebook’s platform policy involves building quality products, giving people control, and data protection. In building quality products, Facebook prohibits the creation of fake accounts and directs people to create applications that are easy to navigate and stable (Facebook, 2019b). Third-party accounts should also comply with community standards and follow Facebook’s advertising policies. The organization also prohibits deception, surprises, and confusing people.

In platform policy, privacy measures, Facebook requires third-party organizations to obtain consent from users before publishing any content. It is also essential for organizations to use the publishing permissions to assist people in sharing their content rather than sending personalized messages from the application. Platform policy works with other regulations including data, privacy, and user control to ensure security in users’ information. Facebook’s platform policy directs that third-parties using cookies and web beacons should abide by the company’s general policies and terms of condition.

Vulnerabilities in the platform policy include puppet nets and Sybil attacks. Puppet nets are World Wide Web vulnerabilities. In a webpage with different links hosted at other domains, the attacker can develop particular pages with links to the victim’s website. When the user visits such a page, the attacker can download vast information from the user’s account (Alqubaiti, 2016). In Facebook, this vulnerability is demonstrated by creating several accounts similar to those of the target user. When the individual accesses the account, the information is replicated, and the attacker can download the user’s data.

Sybil attacks are demonstrated in peer-to-peer models such as Facebook. In this attack, the system is prompted to decide to the adversary’s benefit based on biased or false information under different identities. In a Sybil attack, the hacker does not steal an identity. Instead, the attacker develops several profiles that can be used to launch spam and malicious messages (Fokes & Li, 2014). An example of a Sybil attack on Facebook is during the voting process. The adversary creates several identities that can be used to alter the majority opinion in the poll.

Risk Analysis

Social media is a vast industry that plays a significant role in community social lives and daily activities. The benefits of social media include connecting people, sharing news, and marketing for businesses. Alongside these benefits are adverse risks, which are based on the people’s information in the sites. According to Alqubaiti (2016), the web imposes the security vulnerability of social media sites. This is reflected in people’s activities, such as sharing and posting images, information, and videos, which may violate security and privacy protocols.

Facebook, as the foremost social media, has more than 1.3 billion users (Nyoni & Velempini, 2018). The site functions by connecting people according to their shared interests and backgrounds. Every user is required to sign up for the site using personal information such as name, contacts, and professionalism. The data is in the public domain and can be accessed by anyone. Based on the type of data shared by people, there is a possibility of the attacker to gather and use the information for malicious activities.

Facebook’s data security risks from the three vulnerabilities in the platform, user access, and data policies demonstrate the persistent risk of exposure of the user’s information for malicious activities. The company’s security policies, on the other hand, reflect its relentlessness in securing the social platform from attackers by applying mitigation strategies to its infrastructure (Waldman, 2016). Previous data security issues of the organization demonstrate the need for strengthening its policies.

Facebook is still vulnerable in its data security policies. In 2018, Cambridge Analytica established a loophole that third parties exploited to harvest data. Facebook still shares its information with third-party organizations. The Application Programming Interface (API) loophole allowed Cambridge Analytica to shape the presidential elections (Isaak & Hanna, 2018). The effects of these security vulnerabilities are reflected in exposing the individuals’ accounts and obtaining other information that can be used for hacking other platforms such as mobile banking.

Recovery Plan

Facebook’s recovery plan is centered on its policies and strategies according to the specific vulnerability. For instance, the bugs in the September 2018 security breach were successfully patched. Facebook also logged out more than 90 million accounts that were vulnerable (Barton, Wingerson, Barzilay, & Tabor, 2019). Previous recovery strategies include improving the security and authorization process. Facebook’s OAuth 2.0 is used for authorization and authentication (Rahman, Huang, Madhyastha, & Faloutsos, 2015). In 2011, Facebook and the FTC settled a legal case that involved deceiving users regarding the privacy of its platform.

Facebook has implemented different security approaches. These include encrypting the transfer and storage of data, using passwords, and storing the data on secure systems. According to Fokes and Li (2014), the company is devising interventions to address data issues and maintain the rising demand for security. A previous data security initiative was Presto in 2012, which allows the system to function at the petabyte scale. Presto is an SQL query engine supporting ANSI SQL. However, Facebook is still vulnerable to security issues, which can be categorized into the system, user, and third party.

Organizational Impacts

The impacts of data security include loss of revenue, damaging the brand’s reputation, losing intellectual property, and exposing the user’s data. Facebook has spent vast resources in securing its data through research. The organization’s reputation in 2018 was affected after exposure, and several people closed their accounts. Through the disclosure of the users’ data, critical issues include malicious activities such as defamation.

Facebook currently faces significant organizational risks from privacy rules set by various regions such as the European Union. The general data protection regulations are aimed at preventing a recurrence of the Cambridge Analytica scandal (Goodman & Flaxman, 2017). The impacts of a security breach are two-fold. Users terminate their accounts, and Facebook has lost vast revenues in its security prevention measures. Facebook also faces stiff competition from other social media sites such as Twitter due to security concerns.

Security breaches for Facebook are related to other issues, including crime. Fake accounts, puppet nets, and Sybils are used for identity theft, defamation, sexual abuse, and kidnappings. For instance, fake account users send friend requests and establish trust from real account users based on the type of information and interests (Krombholz, Merkl, & Weippl, 2012). Hackers use this information to access the individual’s other platforms such as mobile banking. The impacts of a Sybil attack include malicious messages and spam messages. An example of a Sybil attack on Facebook is during the voting process. The adversary creates several identities that can be used to alter the majority opinion in the poll.

Recommendations

The recommendations for addressing the vulnerabilities mentioned above are based on the specific risk. Notably, as companies are implementing advanced technologies such as big data, attackers are establishing more ways for their actions. As a result of historical security issues, Facebook has implemented various security protocols. The following recommendations profoundly address the vulnerabilities and security concerns identified above concerning the different Facebook’s policies.

Recommendation One: Improve Authentication

Facebook should improve its authentication approach. During the authentication process, the information is sent to the user’s preferred device or mail. Facebook needs to enhance its identification strategy of the user before sending the verification code (Irshad & Soomro, 2018). In the current approach, sending authentication information to the user is impaired by the attacker having access to the user’s email. Also, attackers may link the verification process to their devices.

Facebook needs to integrate finger, voice, or facial recognition approaches in authenticating accounts and their access. The use of biometric recognition technology in most industries is currently aimed at addressing public safety and fraud issues. According to Normalini and Ramayah (2017), the use of biometrics in various sectors, such as banking, addresses security concerns. In this technology, the organization has a database of its users’ biometrics, which can be used during the signing-in procedure.

The use of biometrics averts both system and user-based vulnerabilities. For instance, attackers have established ways to navigate the SMS, email, and security question verifications (Fokes & Li, 2014). The challenges of puppet nets and Sybil attacks are prevalent due to a lack of proper authentication approaches. The use of biometrics addresses these issues by registering the user’s facial, voice, or fingerprint data and using it for future logins. If the attacker attempts to log in using other approaches, the user should be notified and requested to verify the location and access device.

Recommendation Two: Improving Awareness on Access and Privacy Issues

Facebook’s vulnerabilities are influenced by either the user or the flaws in the system. Facebook should implement education policies for both its employees and users about security risks and mitigation approaches. The vulnerability in third-party applications is based on the numerous vendors hosting the remote sites and using them to access the user’s information (Wisniewski, Knijnenburg, & Lipford, 2017). Although it is the role of Facebook to ensure the link with safe applications, the user also plays a significant role in avoiding clicking the links to threatening applications.

Facebook awareness policy should involve the reporting culture and a survey to evaluate the user’s understanding of the security issues and their mitigation. Facebook may eliminate fake accounts, puppet nets, and Sybil, but more are created. Users should, therefore, report any suspicious activities involving their accounts (Rahman et al., 2015). Through regular surveys, the organization can establish areas of insufficient knowledge and factor the information in developing security protocols and awareness programs.

Recommendation Three: Strict Information Disclosure Regulations

Facebook allies with other companies and releases information for various purposes, such as marketing. For instance, a company that is conducting a competition may request access to the user’s data for rewarding and recognition purposes. Although the organization has current policies for addressing security concerns related to the disclosure of users’ information, it should renew the regulations for a better working relationship. Past security issues such as Cambridge Analytica demonstrate the potential threats in Facebook’s interaction with other organizations.

Third-party organizations that have access to Facebook’s data should be made accountable in case of any future security-related issues. Facebook should review its data, privacy, and platform policies based on access and exposure of the users’ information. The agreement should be bound by law and allow Facebook to disconnect the relationship with a particular organization or database in case there are fears of security issues (Mosteller & Poddar, 2017). Strict measures, such as limited access and use of users’ information, prevent unauthorized access and use of the shared data.

Conclusion

Digital transformation presents both opportunities and risks for social media organizations. Opportunities include enhancing social interaction, sharing news, and marketing, while weaknesses include vulnerability to users’ information. Facebook, as the foremost social media organization, has faced vulnerability issues in the past, such as Cambridge Analytica and the 2018 exposure of 50 million accounts. Despite the organization having practical policy approaches, there are needs for other strategies to address potential vulnerabilities that affect the user’s information.

Facebook’s vulnerabilities are related to platform, data, and user access and control policies. These vulnerabilities include authentication, information disclosure to marketers and third parties, puppet nets, and Sybil attacks. To address these vulnerabilities, Facebook needs to enhance its authentication process, establish strict information sharing, and emphasize data security awareness.

 

References

Alqubaiti, Z. Y. (2016). The Paradox of Social Media Security: A Study of IT Students’ Perceptions versus Behavior on Using Facebook. Retrieved December 5, 2019, from https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=1003&context=msit_etd

Barton, K. S., Wingerson, A., Barzilay, J. R., & Tabor, H. K. (2019). “Before Facebook and before social media… we did not know anybody else that had this”: parent perspectives on internet and social media use during the pediatric clinical genetic testing process. Journal of community genetics, 10(3), 375-383.

Cool, C. T., Claravall, M. C., Hall, J. L., Taketani, K., Zepeda, J. P., Gehner, M., & Lawe-Davies, O. (2015). Social media as a risk communication tool following Typhoon Haiyan. Western Pacific surveillance and response journal: WPSAR, 6 (Supply 1), 86.

Facebook (2019a). Facebook Investor Relations. Retrieved December 5, 2019, from https://investor.fb.com/corporate-governance/code-of-conduct/default.aspx

Facebook (2019b). Facebook Platform Policy. Retrieved November 5, 2019, from https://developers.facebook.com/policy/

Fokes, E., & Li, L. (2014, October). A survey of security vulnerabilities in social networking media: the case of Facebook. In Proceedings of the 3rd annual conference on research in information technology (pp. 57-62). ACM.

Goodman, B., & Flaxman, S. (2017). European Union regulations on algorithmic decision-making and a “right to explanation”. AI Magazine, 38(3), 50-57.

Irshad, S., & Soomro, T. R. (2018). Identity Theft and Social Media. International Journal of Computer Science and Network Security, 18(1), 43-55.

Isaak, J., & Hanna, M. J. (2018). User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection. Computer, 51(8), 56-59.

Krombholz, K., Merkl, D., & Weippl, E. (2012). Fake identities in social media: A case study on the sustainability of the Facebook business model. Journal of Service Science Research, 4(2), 175-212.

Matsakis, L. & Lapowsky, I. (2018). Everything we know about Facebook’s massive security breach. Retrieved December 5, 2019, from https://www.wired.com/story/facebook-security-breach-50-million-accounts/

Mosteller, J., & Poddar, A. (2017). To share and protect: Using regulatory focus theory to examine the privacy paradox of consumers’ social media engagement and online privacy protection behaviors. Journal of Interactive Marketing, 39, 27-38.

Normalini, M. K., & Ramayah, T. (2017). Trust in internet banking in Malaysia and the moderating influence of perceived effectiveness of biometrics technology on perceived privacy and security. Journal of Management Sciences, 4(1), 3-26.

Nyoni, P., & Velempini, M. (2018). Privacy and user awareness on Facebook. South African Journal of Science, 114(5-6), 1-5.

Rahman, S., Huang, T. K., Madhyastha, H. V., & Faloutsos, M. (2015). Detecting malicious Facebook applications. IEEE/ACM transactions on networking, 24(2), 773-787.

Scholz, R. W., Czichos, R., Parycek, P., & Lampoltshammer, T. J. (2019). The organizational vulnerability of digital threats: A first validation of an assessment method. European Journal of Operational Research. Doi: 10.1016/j.ejor.2019.09.020

Tso, H. H., & Parikh, J. R. (2018). Leveraging Facebook to brand radiology. Journal of the American College of Radiology, 15(7), 1027-1032.

Waldman, A. E. (2016). Privacy, Sharing, and Trust: The Facebook Study. Case W. Res. L. Rev., 67, 193.

Wang, X., White, L., & Chen, X. (2015). Big data research for the knowledge economy: past, present, and future. Industrial Management & Data Systems, 115(9).

Watson, H. J. (2019). Update Tutorial: Big Data Analytics: Concepts, Technology, and Applications. Communications of the Association for Information Systems, 44(1), 21.

Wisniewski, P. J., Knijnenburg, B. P., & Lipford, H. R. (2017). Making privacy personal: Profiling social network users to inform privacy education and nudging. International Journal of Human-Computer Studies, 98, 95-108.

 

 
