1. Full SSL browsing enforced and mandatory for everyone. This is already available on Facebook as an opt-in option via the privacy settings, but it should be the default for every user, with no way to fall back to plain HTTP. That way nobody can snoop on a user's conversations even when they browse Facebook over an untrusted internet connection such as open Wi-Fi, and session-hijacking tools such as Firesheep, which work by sniffing unencrypted session cookies, become completely useless.
2. Two-factor authentication for all users with compatible mobile devices. Banks offer e-tokens so that their customers can access online banking accounts safely, but in a world where social networking sites are more important than ever, users should have the same technology available for protecting their Facebook accounts as well. Google enabled this not so long ago with a relatively simple mobile application that generates one-time codes. This way a stolen password alone is not enough: an attacker would also have to compromise the device that generates the codes.
3. A clear line between trusted and untrusted Facebook apps. Malicious Facebook apps are analyzed and reported by researchers on a daily basis, so it would be terrific if Facebook manually checked and approved every incoming application to make sure no malicious app gets onto a user's profile. As this is probably impossible at Facebook's scale, an alternative would be an ever-growing list of trusted, approved applications that a regular user can add to their profile. If the user wants to use an application that is not on that list, they should be able to run it in some sort of "profile sandbox" that gives it no access to the user's friends or to data beyond what the sandbox exposes, so that any malicious activity cannot spread to other users.
4. Tighten up the "recommended" privacy controls. Currently, the Facebook recommended privacy settings let "everyone" see your status, photos and posts, your bio and favorite quotations, and your family and relationships, while "friends of friends" additionally get the photos and videos you are tagged in, your religious and political views, and your birthday. It is too easy for an attacker to become a friend of a friend and collect exactly the data (birthday, family members, relationships) that the password-reset questions on a webmail account ask for.
5. Permanently deleting your account should permanently delete your account, but it doesn't. Facebook's own policy says: "Copies of some material (photos, notes, etc.) may remain in our servers for technical reasons, but this material is disassociated from any personal identifiers and completely inaccessible to other people using Facebook". This needs to be fixed, as it is a major privacy and security risk even for people who have removed their Facebook identity: data that still exists on a server can still leak, whoever it is currently associated with.
6. Commit to keeping children safe by taking parental control to a whole new level. Parents should be able to set up limited-access accounts for their children as sub-accounts under their main Facebook presence. These limited sub-accounts could automatically be turned into full accounts once the child reaches the age of consent.
7. Educate your users. Yes, the page at facebook.com/security is a good.
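A check for point 1, added here as an example and not taken from the original post or from Facebook: it parses the head of an HTTP response and reports the gaps that Firesheep-style cookie sniffing depends on (a session cookie without the Secure flag, content served over plain HTTP instead of a redirect to https, and no long-lived Strict-Transport-Security header). The response heads are constructed samples, and the session cookie names (`sessionid`, `c_user`) and the six-month HSTS threshold are assumptions made for illustration.

```python
"""Audit an HTTP response head for the gaps that let Firesheep hijack sessions.

Added example, not code from the original post. The response heads below are
constructed samples; the cookie names and the HSTS threshold are assumptions.
"""
import re

# Cookie names assumed to carry the login session (illustrative, not Facebook's).
SESSION_COOKIES = {"sessionid", "c_user"}
# Assumed minimum HSTS lifetime worth treating as "enforced": six months.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_head(raw):
    """Split a raw response head into (status code, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():          # a blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def cookie_attrs(set_cookie):
    """Return (cookie name, {lower-cased attribute: value}) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def header(headers, wanted):
    """All values of the header `wanted` (already lower-cased by parse_head)."""
    return [v for k, v in headers if k == wanted]


def audit(raw, scheme):
    """Return the findings for a response fetched over `scheme` ("http" or "https")."""
    status_code, headers = parse_head(raw)
    findings = []

    # Over plain HTTP the only acceptable answer is a redirect to https://.
    if scheme == "http":
        location = (header(headers, "location") or [""])[0]
        redirected = 300 <= status_code < 400 and location.lower().startswith("https://")
        if not redirected:
            findings.append("plain-HTTP request served content instead of redirecting to https")

    # A session cookie without Secure is sent in the clear on any http:// request,
    # which is exactly what Firesheep sniffs; HttpOnly keeps it away from scripts.
    for value in header(headers, "set-cookie"):
        name, attrs = cookie_attrs(value)
        if name not in SESSION_COOKIES:
            continue
        if "secure" not in attrs:
            findings.append(f"session cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"session cookie {name} lacks HttpOnly")

    # Without HSTS the browser still tries http:// first on the next visit.
    if scheme == "https":
        hsts = header(headers, "strict-transport-security")
        match = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
        if not match:
            findings.append("no usable Strict-Transport-Security header")
        elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {match.group(1)} is shorter than six months")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: c_user=100000123; Path=/; HttpOnly
Set-Cookie: sessionid=deadbeef; Path=/
"""

HARDENED_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: c_user=100000123; Path=/; Secure; HttpOnly
Set-Cookie: sessionid=deadbeef; Path=/; Secure; HttpOnly
"""

HTTP_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
"""

if __name__ == "__main__":
    for label, raw, scheme in [("weak", WEAK_HTTPS, "https"),
                               ("hardened", HARDENED_HTTPS, "https"),
                               ("redirect", HTTP_REDIRECT, "http")]:
        print(label, audit(raw, scheme) or ["OK"])
```

The weak response is what an opt-in "secure browsing" setting leaves behind for everyone who never turned it on; the hardened one is what "mandatory" looks like on the wire: session cookies that a browser will never send over http://, and an HSTS header so the browser stops asking for http:// at all.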