Thursday, January 21, 2010
AT&T, Facebook mixup makes case for much tighter authentication tracking
Here’s an interesting mixup: over this past weekend, some AT&T smartphone users found themselves logged on to other people’s Facebook accounts.
Ars Technica has an interesting discussion (here) by IIjitsch von Beijnum on how this might have happened, here, and it seems both AT&T and Facebook have some explaining to do AT&T has a text statement here). Some of the problem is that websites do a lot of user authentication themselves before throwing web pages at users. In communications between two companies, there may be a “catching proxy” that doesn’t check the cookies closely. Ars likes the practice of Amazon, demanding reverification before a purchase (which I noticed they started about six months ago).
Peter Eckersley at Electronic Frontier Foundation adds some more suggestions, including the idea that Facebook and other social networking sites use https for everything (that would be a big help on wireless security, too). The article is “Some lessons from the AT&T/Facebook Switcheroo”, link here.
All of this reminds me of the discussion of how to prevent email sender spoofing, which seems to have lost traction in security discussions these days; it was a hot topic five years ago.