How to Secure Your Facebook Login with a Security Key to Avoid Scams and Hacks

Those who fail to pay attention are often the first to succumb to new hacks and scams — and if you regularly use Facebook, which is more likely than not, then you may need to start paying more attention.

This is especially true if you prefer mobile to desktop.

[Figure: share of global web traffic from mobile phones. Image Credit: Statista]

Scammers, having noted that mobile traffic now exceeds PC traffic worldwide, are adapting their techniques to target mobile users. Since mobile devices tend to be less protected than PCs, this is a winning move for them.

Keep reading to learn more about how this new scamming technique works, what to look out for, and how you can stay secure going forward.

How the Facebook Login Scam Works

The scam uses a technique called URL padding. A typical URL is composed of three parts (the relevant part of each example is named beside it):

  1. A domain (required): facebook.com
    http://facebook.com/photo.php?fbid=123456
  2. A subdomain (optional): m
    http://m.facebook.com/photo.php?fbid=123456
  3. A path (optional): /photo.php?fbid=123456
    http://m.facebook.com/photo.php?fbid=123456

As a mobile user, you’ve no doubt seen m.facebook.com in your browser’s address bar while using Facebook. This is the subdomain + domain combination that shows you’re on the mobile version of Facebook’s site. When you see it, you feel safe.

URL padding is when a scammer creates a subdomain on an entirely different domain to impersonate some site, and “pads” the subdomain with innocuous characters to make users think they’re on the actual site.

Here’s an example URL from PhishLabs:

http://m.facebook.com----------------validate----step1.rickytaylk.com/sign_in.html

Visiting the site presents you with an exact replica of the actual mobile version of Facebook’s homepage, asking you to enter your credentials so you can log in. A knowledgeable-but-inattentive user might glance at the URL, see m.facebook.com, consider the coast clear, and sign in.

Once you enter your credentials, the game is over. The site will present an inconspicuous error (e.g. password mismatch) but the damage will already be done: they’ve stored your username and password, and can now access your real Facebook account or use those credentials to try to break into your other accounts: Gmail, Amazon, PayPal, banks, etc.

Keen readers will note that the actual domain of this suspicious URL is rickytaylk.com, and that it has three nested subdomains under it (listed here from right to left):

  1. com----------------validate----step1
  2. facebook
  3. m
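To make the point concrete, here is an added Python example (not code from the article or from PhishLabs) that parses the two URLs shown above, recovers the registrable domain and the subdomain labels, and flags the two tells a defender looks for in URL padding: a watched brand name appearing as a subdomain of somebody else's domain, and runs of padding hyphens. The brand list and the "last two labels" domain rule are simplifying assumptions; real code would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample inputs: the legitimate mobile URL and the padded phishing
# URL quoted in the article (reported by PhishLabs). Both appear on the page.
SAMPLE_URLS = [
    "http://m.facebook.com/photo.php?fbid=123456",
    "http://m.facebook.com----------------validate----step1.rickytaylk.com/sign_in.html",
]

# Assumption: a short illustrative list of brand names that should never show
# up as a subdomain label on another party's domain.
WATCHED_BRANDS = {"facebook", "paypal", "amazon", "gmail"}


def host_labels(hostname: str) -> list:
    """Split a hostname into its dot-separated labels, lower-cased."""
    return hostname.lower().rstrip(".").split(".")


def registrable_domain(hostname: str) -> str:
    """Return the rightmost two labels (e.g. rickytaylk.com).

    Assumption: a simplified rule that ignores multi-label public suffixes
    such as co.uk; production code should consult the Public Suffix List.
    """
    return ".".join(host_labels(hostname)[-2:])


def subdomain_labels(hostname: str) -> list:
    """Labels to the left of the registrable domain, left to right."""
    return host_labels(hostname)[:-2]


def analyze(url: str) -> dict:
    """Report where a URL really points and why it looks like URL padding."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    owner = domain.split(".")[0]          # e.g. "rickytaylk" or "facebook"
    subs = subdomain_labels(host)
    reasons = []
    for label in subs:
        # A brand name as a subdomain of a different domain is the core trick.
        if label in WATCHED_BRANDS and label != owner:
            reasons.append("brand name '%s' used as a subdomain of %s" % (label, domain))
        # Hyphen runs push the real domain out of a narrow address bar.
        if "---" in label:
            reasons.append("padding hyphens in label '%s'" % label)
    return {
        "host": host,
        "domain": domain,
        "subdomains": subs,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        report = analyze(url)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print("%s  ->  real domain: %s  [%s]" % (url, report["domain"], verdict))
        for reason in report["reasons"]:
            print("    - " + reason)
```

Run as a script it prints the real domain of each URL with its verdict; the padded one resolves to rickytaylk.com with two reasons, the genuine one to facebook.com with none. The same split is what a mail gateway or a browser extension would do before deciding whether to warn.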

You’d probably see it as an obviously scammy URL if you were to encounter it on a PC, but here’s what a mobile user would see:

[Figure: the padded URL as it appears in a mobile browser's address bar]

Padded URLs can be sent through all kinds of communication methods: email, text messages, messenger apps, and more.

The sad thing is, fake URLs are nothing new. Earlier this year, an exploit was discovered in Chrome (and other Chromium-based browsers) where URLs could be modified to appear as other URLs. Fortunately, the bug was patched before scammers could go to town with it, but it shows that trusting a URL at face value is foolish.

How to Secure Your Facebook Account

The only way to guard against a padded URL is to learn how to spot phishing messages, and more importantly, to only visit sensitive websites by typing domains directly into your browser’s URL bar.

It’s a minor inconvenience, but worthwhile. I do it all the time, especially when checking bank accounts and using e-commerce sites. Over time it’ll be second nature and your rate of being scammed will plummet.

What if you’ve already fallen for it? Or what if someone, by some other means, gets their hands on your Facebook login credentials? Here are a few extra things you can do to stay secure.

Use Unique Passwords

One of the worst password mistakes is using the same password for all of your accounts.

You know how most services require an email to sign up? Well, if you’re like most people, you use the same email address for all services. In that case, if someone figures out your password for one account, they effectively have access to all of your accounts.

By using a separate password for every account and never repeating them, you can limit the damage considerably. Don’t think you can keep all of those passwords straight in your head? Start using a password manager and you’ll never have to worry about passwords again.

Use Login Approvals and Codes

Perhaps the best thing you can do for your Facebook security is to enable two-step verification. With two-step verification enabled, you can add extra layers of protection with Login Approvals and Code Generator.

With Login Approvals, Facebook sends an SMS text message to your phone whenever someone tries logging in to your account. The text message contains a numeric code that must be entered to grant access. Even if someone has your password, they won’t be able to log in if they don’t have your phone as well.

Code Generator is a similar feature that exists in the Facebook mobile app. The app itself generates a code that must be entered to log into Facebook from another device. It’s a good alternative when you don’t have an internet connection or SMS texting.

Use U2F Security Keys

A U2F security key is a physical device that resembles a USB flash drive. Instead of tying two-step verification to your phone (as with Login Approvals and Code Generator), you confirm logins by plugging the U2F key into the device you’re logging in with.

Facebook isn’t the only site that supports U2F — others include Gmail, YouTube, WordPress, GitHub, and the list is growing — but you’ll need to use Chrome or Opera for it to work.

Thetis U2F Security Key is an affordable one that you can grab off Amazon (you only need one key per person), but there are more expensive ones with more features. For example, the YubiKey NEO supports NFC so you can just tap it (good for smartphones and tablets).


Note: Be careful when using Login Approvals, Code Generator, and U2F security keys. If you ever lose your second-step authenticator (i.e. your phone or U2F key), account recovery can be a nightmare.

More Tips for Avoiding Scams on the Web

URL padding is just the latest in the history of Facebook flaws and breaches. For utmost safety, learn how to recognize a Facebook scam and know what to do if your Facebook account is hacked.

Malware is a big risk too, so stay on top of preventing and removing Facebook malware and viruses.

Have you encountered URL padding on Facebook? How do you keep your Facebook account secure? Share with us in a comment below!

Image Credit: Brian A Jackson via Shutterstock.com


  1. Hacknerds
    September 24, 2017 at 2:51 pm

    If you know you're at risk of being hacked why can't you get a pro hacker or for any other hacking services on 513 437 0263.

  2. Archer Jackson
    July 27, 2017 at 5:29 pm

    Thanks to my father who informed me about this website, this website is really awesome.

  3. Latisha Schonell
    July 27, 2017 at 4:23 pm

    I quite like reading a post that will make men and women think. Also, many thanks for allowing me to comment!

  4. Doc
    July 26, 2017 at 8:25 pm

    I've also seen these "padded" URLs in the "from:" field of spam emails.