Oct 14, 2010 06:14 GMT  ·  By

Some security experts point out that Facebook's new one-time password feature, touted as a safe login alternative for public computers, can be abused in several ways to actually compromise accounts.

The feature is available only to users in the US. It involves associating a mobile phone number with a Facebook account and then using that phone to send an SMS containing "otp" to 32665.

This triggers the generation of a one-time password, which is returned via SMS and expires after 20 minutes if it is not used.

The scheme treats public computers as if they were infected with keyloggers: even if the OTP is captured during login, an attacker cannot reuse it, because it is valid only once.

However, Graham Cluley, a senior technology consultant at Sophos, notes that logging in from an insecure computer poses many other risks in addition to keyloggers.

For example, some information-stealing trojans can take screenshots or hijack accounts in real time, while their owners are logged in.

There's nothing an OTP can do about that, except give users a false sense of security. According to Mr. Cluley, it's better not to log in from insecure computers at all.

Then, there's a problem with having this power on mobile phones, which are easily misplaced and often easily accessible by others.

What would stop a jealous lover or a work colleague from generating OTPs with your phone when you're not looking and accessing personal Facebook messages?

Phone passcodes are one answer, but these are more common on smartphones than on traditional mobile phones, and even smartphone owners often fail to use them.

And what if someone compromises your regular password in a different way – say by installing malware on your home computer – and then abuses this feature to get a backdoor into your account?

An attacker could replace your phone number with one of their own without you noticing. This would allow them to get back in even if you later change the password.
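To make both halves of the article concrete (the single-use, 20-minute OTP flow described at the top, and the phone-number backdoor described just above), here is a constructed toy model written for this page; it is not Facebook's code, and the class and method names are assumptions. It shows why a password reset that leaves the enrolled phone untouched does not evict an attacker who swapped in their own number:

```python
import hmac
import secrets
from dataclasses import dataclass, field

OTP_TTL = 20 * 60  # seconds; the article says an unused OTP expires after 20 minutes


@dataclass
class Account:
    password: str
    phone: str = ""                            # number enrolled for the "otp" SMS feature
    otps: dict = field(default_factory=dict)   # outstanding code -> time issued


class OtpService:
    """Constructed toy model of the SMS one-time-password flow; not Facebook's code."""
    def __init__(self):
        self.accounts: dict = {}               # user -> Account
        self.by_phone: dict = {}               # phone -> user, to resolve an inbound SMS

    def enroll_phone(self, user, password, phone):
        """Bind a phone to the account; only the current password is checked (the weakness)."""
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password, password):
            return False
        self.by_phone.pop(acct.phone, None)    # the previous number silently stops working
        acct.phone, self.by_phone[phone] = phone, user
        return True

    def sms_otp(self, phone, now):
        """Simulate texting 'otp' to the short code; returns the code sent back, or None."""
        user = self.by_phone.get(phone)
        if user is None:
            return None
        code = f"{secrets.randbelow(10**8):08d}"
        self.accounts[user].otps[code] = now
        return code

    def login_with_otp(self, user, code, now):
        """Accept a code once, and only within OTP_TTL of issue."""
        issued = self.accounts[user].otps.pop(code, None)  # pop: a code is never replayable
        return issued is not None and now - issued <= OTP_TTL

    def change_password(self, user, new_password, unbind_phone):
        """Password reset; unbind_phone=True is the mitigation for the backdoor described above."""
        acct = self.accounts[user]
        acct.password, acct.otps = new_password, {}   # outstanding codes die with the old secret
        if unbind_phone:
            self.by_phone.pop(acct.phone, None)
            acct.phone = ""
```

Run with `unbind_phone=False` the attacker's number keeps minting valid OTPs after the victim's reset; with `unbind_phone=True` (or, equivalently, a change-of-number notification to the old phone plus re-verification) the backdoor closes.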

"Maybe next time you're in a cybercafe or sitting in front of an unknown computer you should just wait until you're on a PC that you're more confident has been kept up-to-date with anti-virus software and security patches," Graham Cluley advises.