Protecting Yourself on Facebook: Tips for Morocco
This morning, I got an alarming note from a friend: Moroccans are experiencing phishing and other account defacements on Facebook, similar to what happened last year (and in January) in Tunisia (en Francais). I asked my friend if Moroccans had HTTPS available, and he explained, “yes, but the problem is Internet illiteracy.” Thus, we decided to quickly publish a few tips for activists using Facebook in Morocco (the piece will be available in French shortly). If you have any suggestions to add, please leave a comment and I’ll incorporate them.
1. Choose a strong password.
The easiest way for someone to gain unwanted access to your account is by figuring out your password. A strong password is a combination of uppercase and lowercase letters, plus numbers and symbols. The password should not contain things that are easy to guess, such as your name, a pet’s name, your city, or your school. It should be at least 8 characters long. There are precious few resources on creating a strong “mot de passe” but here is a good English source.
2. Use HTTPS.
Facebook recently rolled out HTTPS to all of its users, including in Morocco, but that selection is not default. To turn on HTTPS, go to “Account” in the upper-right corner of Facebook, then select “Account Settings.” Click “Account Security” (3rd from bottom) and check the boxes that say “Secure browsing (https)” and “When a new computer or device logs into this account.” The first will provide you with encryption, the second will send you an email when someone else has logged into your account.
HTTPS Everywhere is a great tool that works with Firefox and encrypts your communications with lots of major websites.
3. Be cautious of Facebook’s increased security choices.
Facebook allows you to increase your security in three ways: By adding a secondary email address,adding a mobile phone to confirm login, and by adding a security question. The first option is great. The second two come with problems: First, if you add a mobile phone to confirm your account login, you must also be cautious about your mobile’s whereabouts. If your mobile is stolen, it may be possible for someone to use that information to gain access to your account.
The second concern is the security question: Though security questions are a good thing and can help to prevent others from gaining access to your account, you must be careful to choose an answer that no one else knows. For example, if the question is “what is the last name of your first grade teacher?” you would be safer giving a fake answer that only you know. If you give the genuine answer, any of your first grade classmates could potentially gain access. And never give an answer that is public information.
Have tips to add? Leave a comment.
Tweet
18.02.2011samira
Thank you!
But sending your username/pass combo over https is no fix. The authentication cookies for pages viewed after that go over plain http. I recommend https-everywhere!
https://www.eff.org/https-everywhere
18.02.2011Jillian
Good point, Samira…though I was unaware of the first part…can you share anything that confirms that?
I’ll add the excellent HTTPS Everywhere to my suggestions.
18.02.2011J.D. Hollis
Don’t reuse your password for other services. If you only have one password, then someone can gain access to everything.
18.02.2011samira
Sorry Jill. I’d have to walk you through too much crypto and IP to explain how that works.
After log in, authentication cookies are sent unencrypted everytime you view a new page. It’s not an easy exploit…but when you control ISPs, man-in-the-middle attacks are quite easy.
Anyway…attacks are very violent at the moment from the ultranationalists muslims attacking the mostly secular organizers. There’s currently a higher risk of being targeted by “Allah, alwatan, almalik” vigilantes than by the government.
I wish women would come out en masse Sunday. That’s our only hope to avoid violence from breaking out!
18.02.2011Jillian
No no, I understand the tech behind it, I was under the impression that that was only an issue when other pages were NOT encrypted (and with Facebook, that isn’t the case; HTTPS is not log-in only).
I’ve heard that as well – that the ultranationalists are the bigger threat. Scary.
20.02.2011Reda
The Moroccan community can carry on their conversation at this cool Moroccan Twitter like portal called http://www.bergag.net – It is really a good plan-B in case Facebook shuts down our Accounts. They did that before.. Please spread the word. Thank you.
-Reda
2.03.2011Chris Blow
Thanks for this important line of argumentation and advocacy. I think this is an extremely malnourished aspect of online activism. It seems clear now that there are threats to all participants on the network, not matter what country you are working in. So, thank you for addressing the phishing issue.
Unfortunately I have to disagree that the reference on creating a secure password is a very good one — the technique of using numbers to replace letters is not good, especially if the password is based on the username as the example shows.
Also I would be interested to know if you think there are perhaps more fundamental concerns with government access to ISP data. If the ISP is compromised then HTTPS is suddenly a minor concern by comparison, right? I think this implies activist ultimately will have to take much more sophisticated approaches to digital security and privacy, far more than just protecting themselves at the point of login.
12.10.2011anila
Hi,
Jill please help me out.. my Facebook account is locked & the security question u know
What was the last name of your first grade teacher???please tell what’s the correct answer of this question… help me :(
thank you
12.10.2011anila
i m waiting for your reply