by , on 01 November 2011
Last week Facebook published a fascinating infographic on its security and anti-spam measures, as well as on the size of the Facebook account hijacking phenomenon.
The most interesting piece of information was the percentage of hijacked Facebook logins: 0.06 % of the 1 billion daily logins are compromised. 600,000 illicit logins add a dark hue to the Facebook security picture, and the figure is bound to make account hijacking the platform's top security concern.
But the figure may be misleading. While there's no denying that account hijacking is a pervasive social network plague, it's too early to give up hope. The details of this story, such as the fact that logins are not synonymous with accounts here, help us keep our feet firmly on the ground.
Time for some math. Facebook has about 800 million active users, half of whom log on every day. That works out to 2.5 logins per user per day, on average. However, it's not clear what the infographic's authors count as one login. It may refer to a new session (the user logged out, then logged back in to his/her account) or to accessing the account after a period of inactivity (the user visits the account at different times during the day without ever logging out).
Some users stay logged in all day on the same device. For each of them that is one day, one session and one login. Other people may access Facebook several times from multiple devices, and we may assume that each access counts as a login. Since the figure does not track logins per unique user or account, the real number of compromised accounts may well be smaller.
Account hijacking methods and detection routines further impact this figure. First, hijacking detection algorithms have a threshold, which means that several fake logins must take place in order for a block action to be triggered.
Second, accounts are often hijacked by means of one or more fishy apps. Each such application may access the same account from multiple web locations, since scammers use compromised servers and compromised servers may well be taken down and replaced.
Third, scammers exchange compromised accounts on black markets, which easily explains why there may be multiple fake logins on the same compromised account.
Fourth, false positives are difficult to keep track of. In other words, users will sometimes be asked to reset their passwords as a precaution, even if nothing wrong actually happened to their account.
Bottom line: statistics must be taken with a grain of salt. There is no perfect detection algorithm and the number of detected hijacked accounts may differ from that of actual and unique instances of hijacking. From this point of view, an estimate of duplicate logins on the same hijacked account helps us better understand how account hijacking happens and how it can be prevented.
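The four effects listed above all inflate a count of flagged logins relative to the count of distinct hijacked accounts. The script below is an added example, not part of the original post and not Facebook's detection code: it takes a constructed sample of one day's login events (timestamp, account id, source address, detector verdict), then separates flagged logins from unique flagged accounts, counts how many distinct sources hit each account (the "multiple web locations" effect), and applies a per-account threshold of the kind the post describes before an account is treated as blocked. All account ids, addresses and the threshold value are made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of one day's login events (not real data).
# Fields: ISO timestamp, account id, source address, detector verdict.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2011-10-25T00:12:03 acct-1001 198.51.100.7 suspicious
2011-10-25T00:12:41 acct-1001 198.51.100.7 suspicious
2011-10-25T00:30:00 acct-2001 192.0.2.50 ok
2011-10-25T01:03:19 acct-1001 203.0.113.44 suspicious
2011-10-25T02:45:00 acct-1002 203.0.113.44 suspicious
2011-10-25T02:50:00 acct-2002 192.0.2.51 ok
2011-10-25T03:10:12 acct-1003 192.0.2.10 suspicious
2011-10-25T03:11:58 acct-1003 192.0.2.11 suspicious
2011-10-25T03:30:00 acct-2003 192.0.2.52 ok
2011-10-25T04:00:00 acct-1003 192.0.2.12 suspicious
2011-10-25T04:20:00 acct-2001 192.0.2.50 ok
2011-10-25T05:30:30 acct-1004 192.0.2.200 suspicious
2011-10-25T06:00:00 acct-1004 192.0.2.200 suspicious
2011-10-25T06:30:00 acct-2004 192.0.2.53 ok
2011-10-25T07:15:15 acct-1005 198.51.100.99 suspicious
2011-10-25T08:00:00 acct-2002 192.0.2.51 ok
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    source: str
    flagged: bool  # True when the detector verdict was "suspicious"


def parse_events(text):
    """Parse whitespace-separated login records into LoginEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, verdict = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), account, source,
                                 verdict == "suspicious"))
    return events


def summarize(events, block_threshold=3):
    """Contrast flagged logins with unique flagged accounts.

    block_threshold is the hypothetical number of flagged logins an account
    must accumulate before it is treated as blocked; it is an assumption of
    this example, not a documented value.
    """
    flagged = [e for e in events if e.flagged]
    per_account = defaultdict(list)
    for e in flagged:
        per_account[e.account].append(e)

    unique_accounts = len(per_account)
    # Accounts that crossed the threshold: these are the ones a threshold-based
    # detector would act on; the rest stay flagged-but-unblocked.
    over_threshold = sorted(a for a, evs in per_account.items()
                            if len(evs) >= block_threshold)
    # Distinct sources per account: one hijacked account hit from several
    # addresses shows up as several flagged logins.
    distinct_sources = {a: len({e.source for e in evs})
                        for a, evs in per_account.items()}

    return {
        "total_logins": len(events),
        "flagged_logins": len(flagged),
        "flagged_rate": len(flagged) / len(events) if events else 0.0,
        "unique_flagged_accounts": unique_accounts,
        "flagged_logins_per_account": (len(flagged) / unique_accounts
                                       if unique_accounts else 0.0),
        "accounts_over_threshold": over_threshold,
        "distinct_sources": distinct_sources,
    }


def scale_headline(flagged_logins, flagged_logins_per_account):
    """Apply an observed logins-per-account ratio to a headline login count."""
    return int(flagged_logins / flagged_logins_per_account)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
    # Illustration only: the sample's ratio applied to the post's 600,000 figure.
    print("accounts implied by 600,000 logins at sample ratio:",
          scale_headline(600_000, summary["flagged_logins_per_account"]))
```

In the constructed sample ten flagged logins collapse to five distinct accounts, two of which were hit from more than one address, and only two of the five reach the example threshold. The ratio is specific to the made-up data, so the final line is a demonstration of the arithmetic, not an estimate of Facebook's real numbers.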