In 2008, to much fanfare, Facebook introduced a new online platform called Facebook Connect, which was proclaimed as “the” scalable SSO (single sign-on) or digital hall pass for the Internet. It has been pitched to companies with a simple proposition: connect to the Facebook platform, and we’ll make it faster and easier for people to use your apps, because users are more apt to sign up for new mobile apps and websites if doing so is easier. In one simple click, a Facebook user can log in to any mobile app or website implementing Facebook Connect with their Facebook password. It also brought an added measure of security, since users wouldn’t need to create and remember new passwords every time they signed up for a new app. Awesome, where do I sign for this perfect solution, right? A technology platform that provides immense convenience and a streamlined user experience to your customers and can easily be implemented into your technology stack, whether you’re part of an SME or a large enterprise. This “perfect” solution has been adopted by thousands of companies across the globe, ranging from SME marketing companies to large enterprises like Airbnb and Uber.
It’s taken 10 years since its inception, but Facebook Connect doesn’t seem so “perfect” after all, and perception has shifted from an Internet-wide single sign-on solution to a global single security nightmare.
Over the past few weeks, Facebook announced that first 50 million, then 30 million account entry keys (access tokens), created via Facebook Connect, had been stolen in the largest hack in the company’s fourteen-year history. Since the announcement, companies large and small have been scrambling to determine the possible effects on their customers and networks.
On the surface, 30 million users are barely 3% of Facebook’s total userbase; however, the impact of this hack is exponentially bigger because those stolen entry keys can be replayed to gain access to so many interconnected mobile apps and websites. Stop for a second and think about how many mobile apps and websites use your Facebook account. If you’ve used all ten digits on your hands, hopefully you get the point. If you don’t have a Facebook account, I applaud you. Stats say you’re over 45 years old and keep a 2018 equivalent of a Motorola flip phone in your back pocket, but you’re still susceptible to the third-party risk thanks to your Facebook-loving friends who have your email address, phone number and, if they are really organized, your home and work address in their contacts. Let’s not get into email correspondence, chats, essentially any digital communication between you and your Facebook-loving friends. This hack and its fallout underscore the lengths to which Facebook has cemented itself as the identity of the internet, and what happens when the security systems of one company — trusted by so many — fail.
Buried within Facebook's recent admission was a surprising revelation for its business customers: Facebook Workplace customers are impacted, and Workplace was used by 30,000 businesses as of a year ago. If you’re a small/medium enterprise that initially adopted Slack to improve workplace collaboration and efficiency and then migrated to Facebook Workplace, then congratulations, your company may be exposed to serious third-party risk thanks to Facebook. Let’s try to determine whether this particular nugget of the Facebook hack poses any third-party risk to your company. Back in 2015, Facebook announced that the Royal Bank of Scotland had signed up to use the Workplace beta with the intention to roll it out to 100,000 employees. And when Facebook launched the Workplace product in 2016, it said it already had about 1,000 customers using it. During 2015-16, Facebook Workplace allowed employees to link their Workplace account with their personal Facebook account, and a stolen account entry key lets an attacker read the files and posts in a Workplace community, which is the equivalent of reading work email.
Below are some easy ways to determine your SME’s risk exposure:
Yes, that’s Facebook’s fix to its debacle: force users to log out to invalidate the account entry key/token. Simple enough, an inconvenience to Facebook users, but an even easier “fix”. Let’s review Facebook’s public timeline of this hack and dig a little deeper:
Based on the sophistication of this particular Facebook hack, it’s easy to surmise that the malicious actors were using this exploit long before September 16th and collecting Facebook Connect access tokens. Here’s what really happened:
Facebook has stated that it can’t pinpoint exactly when the malicious actors established the attack chain that exploited three separate vulnerabilities, but the vulnerabilities had existed since July 2017. Yikes…
There’s an obvious problem with instructing Facebook Connect users to simply force a log-out to “mitigate” this hack: the relying party has no way of knowing, on its own, whether a given token was among the stolen ones. The reality is that Facebook, with all its resources, has few to no solutions for its Facebook Connect users, despite a soon-to-be-released tool that will help SMEs and large enterprises alike identify which accounts may have been tampered with through Facebook Connect. Facebook's handling of user data has been under scrutiny for the better part of this year, so this hack couldn’t have come at a worse time for Facebook. The company is still reeling from a series of scandals that unfolded in the wake of the 2016 US presidential election: a widespread Russian disinformation campaign leveraged the platform unnoticed, followed by revelations that third-party companies like Cambridge Analytica had collected user data without their knowledge. Facebook already faces multiple federal investigations into its privacy and data-sharing practices, including one probe by the Federal Trade Commission and another conducted by the Securities and Exchange Commission. This hack will ramp up efforts to regulate Facebook and other technology companies through financial penalties, legislative efforts or both. In Europe, Facebook could face a fine totaling as much as $1.63 billion if it's found in violation of the General Data Protection Regulation (GDPR), the European Union's sweeping consumer privacy law. GDPR contains a provision that companies can be fined 4% of their annual revenue if they violate the law, which encompasses rules on protecting data and a requirement that regulators must be notified within 72 hours of a breach. Ireland's Data Protection Commission, which oversees Facebook under GDPR, is heading up an investigation into the breach.
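Since a relying party cannot rely on the force-logout alone, it can at least validate every Facebook Login token server-side before honouring a session. The example below is added here and is not code from the original post or from Facebook; it assumes the relying party has already called the Graph API `/debug_token` endpoint (a real endpoint, whose response carries `is_valid`, `app_id`, `user_id`, `issued_at` and `expires_at`) and shows a fail-closed policy over that response. Treating the September 16th discovery date as the revocation cutoff is this example's own assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption for this example: tokens minted before the discovery date the post
# gives (September 16th, 2018) are not trusted and the user must log in again.
REVOCATION_CUTOFF = datetime(2018, 9, 16, tzinfo=timezone.utc)


@dataclass
class TokenDecision:
    accept: bool
    reason: str


def _ts(data: dict, key: str):
    """Parse a Unix-timestamp field of the debug_token payload; None if absent/bad."""
    try:
        return datetime.fromtimestamp(int(data[key]), tz=timezone.utc)
    except (KeyError, TypeError, ValueError):
        return None


def evaluate_debug_token(resp: dict, app_id: str, user_id: str, now: datetime,
                         cutoff: datetime = REVOCATION_CUTOFF) -> TokenDecision:
    """Decide whether to honour a Facebook Login token from the JSON body that the
    Graph API /debug_token endpoint returned for it. Every check fails closed:
    a missing or unparseable field means reject, never assume."""
    data = resp.get("data")
    if not isinstance(data, dict):
        return TokenDecision(False, "malformed debug_token response")
    if data.get("is_valid") is not True:
        return TokenDecision(False, "provider reports token invalid")
    if str(data.get("app_id")) != app_id:        # token minted for a different app
        return TokenDecision(False, "app_id mismatch")
    if str(data.get("user_id")) != user_id:      # token belongs to someone else
        return TokenDecision(False, "user_id mismatch")
    expires_at, issued_at = _ts(data, "expires_at"), _ts(data, "issued_at")
    if expires_at is None or expires_at <= now:  # a 0 ("never expires") is rejected too
        return TokenDecision(False, "expired or missing expiry")
    if issued_at is None or issued_at < cutoff:  # could be a harvested pre-breach token
        return TokenDecision(False, "issued before cutoff; require fresh login")
    return TokenDecision(True, "ok")


def epoch(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed sample payloads in the shape /debug_token returns (not real tokens or ids).
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
FRESH = {"data": {"is_valid": True, "app_id": "1234", "user_id": "42",
                  "issued_at": epoch(2018, 9, 20), "expires_at": epoch(2018, 11, 19)}}
STALE = {"data": {"is_valid": True, "app_id": "1234", "user_id": "42",
                  "issued_at": epoch(2018, 8, 1), "expires_at": epoch(2018, 11, 19)}}
```

A real deployment would also log each rejection reason, since a spike in "issued before cutoff" rejections is the relying party's only local signal of how many of its sessions were minted inside the exposure window.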
Facebook’s platform relies on trust: users trust that their pictures will be seen only by those in their networks, and that their private messages will be read only by the people to whom they were sent. Facebook may look like a juggernaut now, but social networks have fallen before, and this is just another data privacy issue in a year full of them. This particular hack destroys trust, the very ingredient that attracts its users. We’ll know quickly about the damage done to Facebook’s brand and its users’ desire to continue using the social platform or take their “business” elsewhere.
Facebook Connect is a platform that levels the playing field between SMEs and large enterprises and gives both a streamlined offering for their customers. Roughly 80% of SMEs use Facebook for marketing, which makes the iconic social media platform the most popular tool for small business marketers in the digital world and beyond. With its rise in popularity, Facebook has also become the largest point of third-party risk to SMEs, and the recent hack is a testament to this. Not only are SMEs now firmly in the crosshairs of malicious actors, they are fast becoming their favored target because they are often woefully unprepared due to a lack of CapEx/OpEx resources, which translates into little or no cyber security measures in place. With issues like this, they are apt to now go to Google+ as a social media network. I mean, they’re a well-known brand, and certainly you can trust Google with security and transparency… right?