Facebook Introduces One-Time Passwords
angry tapir writes "Worried about logging into Facebook from a strange computer? There's now a way to get into the popular social network without entering your regular Facebook password. It's called a temporary password. To use it, users must list their mobile phone numbers with their Facebook accounts. They can then text a number from their phones and Facebook sends back a temporary password that is good for 20 minutes. The service will be available worldwide in the next few weeks."
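A server-side sketch of the temporary password described in the summary above, added here as an illustration and not Facebook's code. The 20-minute lifetime comes from the announcement; the single-use behaviour, guess limit, code alphabet and the `TempPasswordStore` name are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 20 * 60   # validity window stated in the announcement
MAX_FAILURES = 5        # assumption: guess limit before the code is revoked
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumption: no look-alike chars


class TempPasswordStore:
    """Hypothetical in-memory store; only a salted hash of each code is kept."""

    def __init__(self):
        self._pending = {}  # account -> [salt, digest, expires_at, failures]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, account, now=None):
        """Create a code to send by SMS; replaces any earlier pending code."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        salt = secrets.token_bytes(16)
        self._pending[account] = [salt, self._digest(salt, code),
                                  now + TTL_SECONDS, 0]
        return code

    def verify(self, account, code, now=None):
        """True only for the right code, before expiry, and only once."""
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if now >= expires_at:
            del self._pending[account]          # expired: discard
            return False
        if hmac.compare_digest(digest, self._digest(salt, code)):
            del self._pending[account]          # single use: a replay fails
            return True
        entry[3] += 1
        if entry[3] >= MAX_FAILURES:
            del self._pending[account]          # too many guesses: revoke
        return False
```

The account's regular password is never typed or compared in this flow, so a keylogger on the untrusted machine captures only a code that is already spent.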
Now can we please get one-time credit card authorisation?
867-5309 will give you a password of "Jenny"
Stupidity only gets you so far, then you've gotta try
I am sure that there is no chance that they were scraping around for an excuse to collect cell phone numbers from their users. Adding that very unique information to their already massive database on every user will make it much more valuable. As I tell my friends, it's just a pyramid scheme. You get a free website with communication tools bolted on and they get to know everything about you and will sell it to whoever they want.
Yet another way for a big Internet organization to collect phone numbers.
Slashdot, fix the reply notifications... You won't get away with it...
Wouldn't stealing your phone also give them loads of other personal information? And the first thing you think of is they will have your facebook account?
Starmen.net
but that limited password better come with limited privileges to protect the account from getting jacked.
With sufficiently complex spyware, an untrusted computer could do much damage even with a temporary access: Install applications, scrape your email, change your real password... this is only secure if the temporary access is severely restricted in what it can do with the account.
I think this is a step in the right direction, assuming spoofing is difficult or impossible for these SMS messages (anyone care to weigh in there?). Still, my personal policy is to never login to a system which contains somewhat sensitive data from a computer that I don't fully control or whose controller I don't fully trust. Their solution seems like a workaround, while users could just stop any potential privacy violation at the source and opt not to provide their credentials via others' machines.
Please tell me I'm not the only one who sees this.
What if someone else uses your cellular phone, or worse, someone uses your cellular phone while you aren't aware of it? That's practically like giving anyone free access to your account.
I think the Facebook geniuses are confusing the one-time-pass with the one-time-pad ... particularly in this case, they are two very different things, specifically because the pad requires that the key be exchanged *securely*.
I wonder what happens if someone steals your phone (or just if a roommate picks it up).... can they then get into your Facebook account by requesting a one-time password?
I'm sure they've thought of this trivial case... but I wonder how they're going to handle it.
Now nobody will ever know what you post on Facebook from an untrusted computer! Wait..
This is a substitute for a clever sig that fits within the maximum number of characters.
Umm, the whole point of this login system is not to use your original password at all. Avoid keyloggers/malware on computers you don't know/trust.
If your phone is being stolen you have security problems other than Facebook.
Typically this type of login requires both the one time passwords AND your normal passwords.
No, the goal is that you can use this 1-time password on a non-trusted computer and it would not be useful if keylogged. Requiring you to also type your normal password makes no sense in this context.
get hurt.
Hand over your cell phone and tell me your Facebook email.
I'm not a lawyer, but I play one on the Internet. Blog
Now can we please get one-time credit card authorization?
You mean like my Discover More Credit Card offers me?
You have the option of re-using the same one for a retailer or just continually requesting a new one if your dealings with them are infrequent or shady.
My work here is dung.
"Man in the Mobile"
Smartphone variant already set to harvest OTP.
Hurry! I need my password so I can log in and complain about my miserable life and post pictures from the bar celebrating my miserable life!
Whatever did people do before facebook? Oh yeah, they actually talked to people face-to-face and spent 'quality time' in full 3-D social interaction.
He who knows best knows how little he knows. - Thomas Jefferson
What if you had to text your regular password to facebook to get a one time pass.
You are entitled to your own opinions, not your own facts.
What if you had to text your regular password to facebook to get a one time pass.
Then you would have to delete your text history every time you use this feature.
I have it disabled on all 5 of my family phones. COST!
Never trust a man wearing a coat and tie!
What if you have to prepend the first character of your password to the temporary one.
Doesn't help the malware all that much, if you're the kind who cares enough about security to use this and have a good password.
Got a better idea?
I barely have time left for my Serious Business on /.!!
For whatever reason though, there are still tons of sites out there that do not support verified by visa/mastercard.
I seem to remember some sites using Verified by Visa and then abandoning it. Perhaps they found that shoppers were abandoning their shopping carts after having set up VBV before and then forgetting their VBV username and password.
This is why my phone has a PIN on it and can be remotely wiped. Actually this isn't why. I'm a lot more worried about the banking app, my address book, my calendar and probably a dozen other things... This is a nice tangential benefit to having a PIN and remote wipe on my phone. Seriously though. You think the first thing someone is going to do on stealing your phone is see if they can use it to get into your Facebook account?
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
When people want more security on their facebook, they usually mean protection from Facebook and other corporations - not passwords themselves.
How about fixing the lack of privacy instead?
Or you could do like I did recently and just delete your facebook account. Problem solved. Added bonus: they don't have my cell number and can't automatically opt-me-in when they roll out their new FaceText feature.
If you're not paying for it, you're not the customer, you're the product.
all my phones are $4.88 from Dollar General or the local FYE
BREW phones like these tend not to have a wide variety of applications because the BREW application development process has substantial entry barriers against small developers. It's even more expensive than the iPhone developer program. So you'd end up carrying two phones, each with its own service plan: a smartphone to run apps and a dumbphone for anonymity.
Because Facebook's version of privacy is like McDonald's version of nutrition. It's not part of their formula.
Finally! Now when I am traveling around the world - which I do quite a bit, I can securely access my Facebook account. That is, so long as my phone works wherever I am, and ummm, oh yeah! I need to buy a phone too.
Whatever did people do before facebook? Oh yeah, they actually talked to people face-to-face and spent 'quality time' in full 3-D social interaction.
There were also fewer people with whom to interact, meaning less chance of finding somebody in the same town who shares some specific interest with you.
their $29.99 500 minute plan
Because I use fewer than a tenth of that many minutes per month, I pay Virgin Mobile about $5 per month. COST!
And Facebook gets your cellphone number. Good thing that FB is a reputable company run by people of high integrity who would never abuse that information.
This message brought to you by FACEBOOK... Hungry? Try McDonald's new double Big Mac extra value meal only 4.99 at participating McDonald's
Your temporary password is:
[message part 1/2]
What they really need to do is add RSA Encryption to the account, then create an app for iPhone to get the key from. they could also create a dongle that people buy from for $6.95 and that way their accounts will be encrypted, and issue is solved. This is pretty much what Blizzard did with their WoW accounts.
Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
The amount of piracy has little to do with how often people go to the movies. You pirate a movie because you are bored or procrastinating and don't know what else to do. You go to a movie theatre for the sake of going there: It is an excuse to see your friends, eat somewhere nice, etc... Or just generally get out of the house.
Piracy could theoretically have impact on movie renting, etc... If there was a decent legal service to compete with piracy. (IE: a service to which you could log on, pay a couple of euros and get to watch the movie in good resolution... I doubt I would be bothered to fire up bittorrent just to save a few euros. But as far as I know, such services aren't available here)
You don't want this feature...don't use it? Simple concept, no? Facebook already has other mobile features (ie, notification via text) if you choose to signup for them.
Has to be said I have met new people in my town via the likes of Facebook and Twitter, one less than 5 minutes walk from my house.
Yeah, I had a sig once; I got bored of it.
It is not quite the same as RSA's SecurID but it's good. I would like to see a system similar to this for all high-security web access services starting with my bank. Presently, I have just account/password plus "security question/answer" as authentication. Linking the account to a mobile phone is a great option in addition to the standard log-in.
1. Grab the phone from your drunk friend
2. Get a temporary password
3. Do nasty stuff with his account, including posting pictures of him in this particular moment
But nobody's gonna do that... right?
And Facebook gets your cellphone number. Good thing that FB is a reputable company run by people of high integrity who would never abuse that information.
How? It's a serious question. I had my phone number listed already, never saw any drawbacks. Of course, it can be abused, mostly by users, but that's when "don't be stupid" kicks in - don't befriend random people you know nothing about, adjust your privacy settings, etc. So how is Facebook going to abuse this information?
And Facebook gets your cellphone number. Good thing that FB is a reputable company run by people of high integrity who would never abuse that information.
So use a Google Voice number, which includes text messaging for free.
"And -- Your phone number?" "What?" "I need your phone number." "Why?" "The computer won't let me finish without a phone number." "OK... 3." "3... what?" "Just 3. It's a very old number, been in the family for generations."
My Citibank credit cards offer this. I go online and I can get a temporary number and use that just fine.
There's always the option of not putting sensitive information out there for the world to see on Facebook, and there is always DON'T USE THE SAME PASSWORD FOR SOCIAL NETWORKING AS IMPORTANT LOGINS. But hey that is too simple, I think I'll just give Facebook another piece of information about me that can be exploited...
Be careful putting your mobile number in Facebook. I currently work for one of the world's largest mobile telecoms as a CSR, and we just had a bit of training where we learned that your cell phone bill can be charged by a 3rd party game if you click and play the wrong one. Every day I remove "mobile download" 3rd-party charges because there is little obvious warning that playing some game will add a 9.99 monthly subscription because they were able to retrieve your cell phone via FB.
It's just getting worse, I wish there was a better way to educate people. Not because I care about people, but because I'm tired of having to remove the subscriptions ten times a day every day lol.
Maybe we DID take the blue pill. You wouldn't remember anyway.
The scary Facebook lack of privacy is highly exaggerated. I've had my number listed on my profile page for over two years now. I don't do anything out of the ordinary other than keep my info private to my friends only. Amazingly, nothing bad has happened because I listed a phone number on my page that I actually want people to have.
Ideally Facebook has your real password in a hash and doesn't know what it actually is. Meaning they shouldn't be able to know the first character to be able to combine it with the temporary one. If they do know your password, they're doing it wrong.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
Are you sure? There might be someone from a small planet somewhere in the vicinity of Betelgeuse.
The Tao of math: The numbers you can count are not the real numbers.
You think so. But in reality your phone has been added to a big botnet which tries to break the nuclear codes and start a global thermonuclear war. :-)
The Tao of math: The numbers you can count are not the real numbers.
OH! I found the solution to contamination too! Don't be so needy of cars and electricity!!!
Cunt.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Since Facebook does not ever come into scrutiny for your private information, I think that giving them your name, address, birthdate, current living city, and now phone number is a great idea. Now all we need to do is give them our credit card numbers and we will be set. For a website that ensures your data stays private, what could go wrong?
The world is how you make it
you can't chargeback a merchant if it was done via 3DS
Then I guess that's one strike against Nintendo.
But seriously, is it even legal to forbid disputing a charge on grounds of item not received, not as described, defect in materials or workmanship, or other grounds listed in the credit card contract aside from use of stolen credentials?
There are two ways to do it properly - you could SMS people a password, but that screws with people like me who don't always carry their cellphone around
And with people who primarily use a landline.
I can't say for sure for these one time CC #'s, but the difference in fees for "regular credit card" vs "gift card" can be up to 100%. That means 2.5% in fees to the merchant for regular, 5% for gift card. This is to cover the perceived chance of fraud. Transactions where the card is swiped vs. ones where the number is punched in manually will have different fees as well.
Of course, the merchant can just decide to deny any card that causes them higher fees. That's probably what Blizzard was doing to you.
Hollow words will burn and hollow men will burn.
Why does VISA not do the same thing, really I mean, to avoid fraud and all of that, you could use this same principle with every account, gmail, hotmail, VISA, banking, etc....if I am smart enough to link a cell phone number to my facebook account, now it has become a norm or standard in every user's life (100 million accounts???), so now we can sway the banks and CC companies, to do the same....finally some good coming out of FB for once....hope they keep it up, and help push tech further ahead like Google does....
Giving the fantastic privacy discipline of FB.
While that is correct, it's not the whole picture: When our ancestors moved to colder areas (like Sweden), they adapted to the colder climate, and as such, their evolution followed a different path.
So while everyone has a common ancestry, everyone has followed a different evolutionary path.
The result is that today's Swedes will be more resistant to cold than today's Africans. And of course, today's Africans will be more resistant to heat than today's Swedes.
Slipping shoelaces ?
Heh. Too bad for them my phone only has chess and tic-tac-toe installed. :-)