Here's Why Using Facebook's One Click Login Is a Terrible Idea
There are certain tenets that are universally accepted and considered good practice by almost anyone who knows anything about online security. Don't visit suspicious sites is a good one: it minimizes the risk of cyber-attacks. Don't download suspicious files protects users from malware they might otherwise install. Don't open suspicious emails and follow the instructions inside serves much the same purpose as the previous two. After all, suspicious unsolicited emails are not to be trusted.
Well, as it turns out, almost never. While most respectable and reliable companies are not in the habit of sending unsolicited emails from domains other than their own, Facebook is not most companies and is more than happy to do so.
We're, of course, talking about the infamous "One Click" login feature, which was enabled through emails sent by Facebook itself. Online security experts speculate that this is a calculated move on Facebook's part, aimed at increasing user retention and bringing disinterested users back to the fold. Whatever the reason for the "One Click login" campaign may be, it drew some scalding criticism from online security experts, one even saying that "It's almost as if it was designed by someone with no real security training."
In light of this, a warning seems to be in order: suspicious emails should be avoided. Phishing scams are a very real threat, and just because one company's official emails look suspicious, that doesn't mean that all emails that claim to originate from that company are safe.
In the case of Facebook, data breaches have allowed hackers to get their hands on the Facebook details of millions of its users to date. As one prominent security researcher put it: "These emails go against all of the best practices we in the security industry have for years tried to instill in companies." As long as Facebook continues to format its emails in such a manner, there's no reliable way for users to quickly tell legitimate Facebook emails from the fakes and the phishing attempts. So what should users do about this?
The solution to the conundrum is rather simple – users should continue to treat their online correspondence with all due scrutiny and make sure they take all the necessary precautions to avoid phishing attacks.
Definite red flags that you can use to spot potential phishing emails
- The sender's email address is wrong or inconsistent. If an email claims to come from eBay, but the address it was sent from doesn't match the one every other message you've ever received from eBay came from (say, "firstname.lastname@example.org"), then you are most likely the target of a phishing attempt.
- The user's details are wrong. If a message you received features personal information that the company that allegedly sent it should have at hand, and apparently got wrong, or if it features information that you never gave to the company, the message is probably a scam.
- The message starts with a greeting that's too generic. Companies rarely, if ever, start their emails with "Dear customer" or anything of the sort. Even automated bots and notification systems are designed to start the emails they send you with a greeting and a clear indication of which particular user they are addressing, such as a user ID, account name or some other detail. If such a means of identification is missing, the email in question is probably a phishing ploy.
- The message includes suspicious links. If the message contains odd links, then the chances are that the message is designed to dupe the user in one way or another.
- The message includes unusual and suspicious content. If the message appears significantly different from all other messages that you have received from the company, then it is most likely fraudulent. Keep an eye out for things such as inexplicably broken grammar, the message being formatted in a different manner than usual, or written in an unusual font.
- The message requires you to give up personal information. You should be extra wary of any message that outright tells you to divulge sensitive information of any type. Messages may ask you for anything, from account passwords to credit card numbers. Do not give anything away.
- The message is unsolicited. This is probably the biggest red flag that you should note: if you receive an unsolicited message, seemingly at random, you should treat it with a healthy dose of suspicion.
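Several of the red flags above (an inconsistent sender domain, a generic greeting, suspicious links, and a request for sensitive information) can be checked mechanically on a raw message. The following Python script is an added example written for this article; it is not code from Facebook or from any mail provider. It assumes a constructed allowlist of sending domains per brand, treats the "last two labels" of a hostname as the registrable domain (a simplification, no public-suffix list), and runs over two constructed sample messages, one phishing-like and one benign. It is a triage aid for a human reviewer, not a verdict.

```python
"""Heuristic phishing red-flag checker over a raw RFC 5322 message (added example)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of legitimate sending domains per brand (constructed for this example).
EXPECTED_SENDER_DOMAINS = {
    "example corp": {"example.com", "mail.example.com"},
}

GENERIC_GREETINGS = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|member|client|account holder)\b", re.I | re.M
)
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|credit card|card number|social security|ssn|verify your account)\b", re.I
)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable domain: mail.example.com -> example.com (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_red_flags(raw_message, claimed_brand):
    """Return a list of red-flag descriptions found in the message; an empty list means none triggered."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    expected = EXPECTED_SENDER_DOMAINS.get(claimed_brand.lower(), set())

    # Red flag 1: sender address inconsistent with the brand's known sending domains.
    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    sender_domain = sender.domain.lower() if sender else "<none>"
    if sender_domain not in expected:
        flags.append(f"sender domain {sender_domain!r} not expected for {claimed_brand}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body)  # tag-stripped text for the wording heuristics

    # Red flag 3: generic greeting with no indication of which user is addressed.
    if GENERIC_GREETINGS.search(text):
        flags.append("generic greeting")

    # Red flag 4: suspicious links (plain http, IP-literal host, visible text that names a
    # different domain than the href, or any host outside the brand's domains).
    extractor = _LinkExtractor()
    extractor.feed(body)
    expected_registrable = {_registrable(d) for d in expected}
    for href, visible in extractor.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            flags.append(f"non-HTTPS link: {href}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"IP-literal link host: {href}")
        shown = urlparse(visible if "://" in visible else "https://" + visible).hostname or ""
        if "." in shown and _registrable(shown) != _registrable(host):
            flags.append(f"link text shows {shown!r} but points to {host!r}")
        if host and _registrable(host) not in expected_registrable:
            flags.append(f"link to domain outside {claimed_brand}: {host}")

    # Red flag 6: outright request for sensitive information.
    if CREDENTIAL_REQUEST.search(text):
        flags.append("requests sensitive information")

    return flags


# Constructed sample messages (not real mail); 198.51.100.7 is a documentation address.
SAMPLE_PHISH = """\
From: Example Corp Security <security@example-corp-alerts.net>
To: user@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Your account will be suspended. Please <a href="http://198.51.100.7/login">verify your account</a>
and confirm your password at <a href="https://example-corp-alerts.net/verify">www.example.com/security</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Example Corp <notifications@mail.example.com>
To: user@example.org
Subject: Your weekly summary
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Alice (account #48213),</p>
<p>Your weekly summary is ready at <a href="https://www.example.com/summary">www.example.com/summary</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_red_flags(sample, "Example Corp"))
```

The benign sample produces no flags; the phishing-like sample trips the sender-domain check, the generic-greeting check, every link check, and the sensitive-information check. The link-text-versus-href comparison is the one most worth keeping in a real mail filter, since a visible "www.example.com" that actually points elsewhere is exactly what a hurried reader will not notice.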
It's easy to see why users would be suspicious about the ”One Click login” that Facebook sent out. They were right to be and should continue to be vigilant for potential phishing attempts in the future.