13 May 2011
Facebook has announced several initiatives designed to better protect its users, including improved content scanning and the introduction of technology to counter cross-site scripting and clickjacking.
The Facebook Security team announced the news in a blog post on Thursday, revealing that the social networking company had partnered with safe web surfing tool Web of Trust to improve its scanning of malicious or spam links.
Facebook has also improved its defences to "detect clickjacking of the Facebook Like button and to block links to known clickjacking pages".
Another major addition to Facebook's security measures is cross-site scripting protection.
"Spammers take advantage of another browser weakness by asking people to copy and paste malicious code into their address bar, which then causes the browser to take actions on those people's behalf, including posting status updates with phony links and sending spam messages to all friends," the blog post said.
"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it's a bad idea."
The final security enhancement is a two-factor authentication system called Login Approvals, which requires users to enter a code sent to their mobile phone if they try to log in to their Facebook account from a new or unrecognised device.
"If we see a log-in attempt from a device you haven't saved, you'll be notified on your next log-in and asked to verify the attempt," wrote the Facebook Security team.
"If you don't recognise this log-in, you'll be able to change your password in the knowledge that, while someone else may have known your log-in credentials, he or she was unable to access your account or cause any harm."
Security experts welcomed the news, but argued that Facebook needs to go further to protect its customers.
Paul Ducklin, head of technology in Asia Pacific for Sophos, argued that Facebook has yet to address application security by vetting developers, implement the HTTPS protocol for all pages or follow a privacy-by-default principle.
"This latest announcement is a welcome sign, since some of the new security features prevent or actively discourage you from doing certain things on the Facebook network," he said.
"Let's hope that everyone at Facebook has accepted that reduced traffic from safer users will almost certainly give the company higher value in the long term."
fake profiles
Facebook need to stop people claiming to be someone else; this can cause a lot of problems for the person concerned.
Posted by: rich 23 May 2011