“Single sign-on”: Risk with apps and websites
“Login with Facebook,” “Log in with Google”: Many internet shops, platforms, and apps offer the option of logging in with an existing account, for example your social media account. But this convenience can also have disadvantages.
Everyday life on the Internet: You surf the Internet and find an offer that you like. However, you must first register with your details. It seems extremely practical if the site operator offers you the option of logging in with another account instead. This could be your social media profile from Facebook or your Google or Amazon account – you could also pay with that straight away. This is also referred to as “single sign-on” in the broadest sense: the user account serves as a master key.
The advantages are obvious: no registration, no need to provide your details, no hassle of creating and remembering another password, and no additional provider to whom you have to entrust your account details. But this convenience also comes with high risks.
Facebook announced that criminals had stolen the login data of Facebook members using more than 400 apps for Android and iOS. The apps showed the option “Login with Facebook,” which supposedly allowed you to log in with your Facebook account. In reality, these were phishing forms that sent the login details and passwords entered directly to the criminals, who were then able to take over the Facebook accounts of those affected.
Anyone Who Knows The Key Has Access Anywhere
Using the true “single sign-on” principle is also not without risk. As with a master key to a house, the damage can be particularly great if a “single sign-on” account password is lost. If your password for one user account falls into the wrong hands, third parties will have access not only to your user account but also to all pages with the corresponding login option. This can happen quickly, for example, due to a phishing or hacker attack (see above).
The risk is much higher if a provider does not store your login data in encrypted form. The password thieves could then make online purchases or commit other crimes at your expense. This is comparable to you generally using the same username and password on all websites.
It is, therefore, all the more important that you secure these user accounts particularly well. Above all, choose a strong password, and make it a unique one that you do not use for any other user account! You should also secure the account using so-called two-factor authentication. The login or certain actions, such as confirming a payment, are then only possible through a second step in addition to the password – such as entering a PIN, which is sent to your smartphone via SMS or a special app.
Before you provide your cell phone number for such a procedure, you should find out how the provider stores your number and what it does with it according to its data protection declaration.
If a security breach does occur, act particularly quickly:
- Change the account password immediately.
- Check your email account and bank accounts for possible unwanted payment transactions.
- If necessary, file a criminal complaint with the police or public prosecutor.
Providers Can Collect A Lot Of Data From You
Regardless of security, such a “master key procedure” carries additional risks.
When you log in with such a “master key” user account, the provider of that account could collect information about everything you do on other sites. It may then receive comprehensive data about your preferences, habits, and shopping behavior and can use this information to create a complete profile. And this does not apply to the account provider alone: Researchers at Princeton University found that when logging in with Facebook, in addition to the actual site operator, third-party providers can also access the public information on the Facebook profile – without the user noticing. This is possible through so-called third-party scripts that the corresponding website contains. They forward the information requested from Facebook to third-party providers.
The data could be used to create profiles of you and your behavior across numerous websites. Advertising can be tailored to your interests, and you may miss out on cheaper offers. Individual pricing is also possible: If you often buy expensive products, online shops could increase the prices specifically for you. The more shops have access to a central database, the more often you could end up paying extra.
Therefore, be aware of this risk and, if in doubt, find out about the provider’s exact data protection conditions before using such an account to log in to other Internet offerings.
Pay Attention To The Influence Of The Social Media Profile
Another danger is that things happen on your own social media profile that you are not aware of. In order to be able to use the login on another website, a corresponding application (app) is activated on Facebook or Google. Some of these apps require extensive rights, such as being able to like or post things unnoticed on behalf of the user. The requested rights are listed when setting up the login.
It is important to read every point and remove individual rights by unchecking the small checkboxes. If this is not possible for requests that you do not want to allow, there is only one thing left: do not use the login for the relevant page and end the setup by clicking “Cancel.”
You can find out which apps are connected to your social media accounts and what rights you have granted them in the settings of each service: Facebook, Google, and Twitter.
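
The fake “Login with Facebook” forms and the permission requests described above can both be checked from the address a login button opens. The following is an added example, not part of the original article: it verifies that the address belongs to the provider's real sign-in host and lists every requested right beyond basic profile data. The host allow-lists, the function name `reviewLoginUrl`, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example. Allow-lists are assumptions for illustration, not an official list.
const PROVIDERS = {
  facebook: { hosts: ["www.facebook.com", "m.facebook.com"], basic: ["public_profile", "email"] },
  google: { hosts: ["accounts.google.com"], basic: ["openid", "email", "profile"] },
};

// Reviews the address opened by a "Login with ..." button.
// hostOk: HTTPS and an exact match with a known sign-in host of the provider.
// extraScopes: requested rights that go beyond basic profile data.
function reviewLoginUrl(provider, rawUrl) {
  const cfg = PROVIDERS[provider];
  if (!cfg) throw new Error(`unknown provider: ${provider}`);
  const result = { hostOk: false, extraScopes: [], reasons: [] };
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    result.reasons.push("not a valid URL");
    return result;
  }
  if (url.protocol !== "https:") result.reasons.push("not HTTPS");
  // Exact comparison: a substring or suffix test would accept look-alike hosts.
  if (!cfg.hosts.includes(url.hostname)) {
    result.reasons.push(`unexpected host ${url.hostname}`);
  }
  result.hostOk = result.reasons.length === 0;
  // Facebook separates scopes with commas, Google with spaces; accept both.
  const requested = (url.searchParams.get("scope") || "").split(/[\s,]+/).filter(Boolean);
  result.extraScopes = requested.filter((s) => !cfg.basic.includes(s));
  return result;
}

// Constructed sample addresses (not taken from any real incident).
const SAMPLES = [
  // publish_actions: Facebook's former posting permission, used as a sample value.
  ["facebook", "https://www.facebook.com/dialog/oauth?client_id=123&scope=public_profile,email,publish_actions"],
  ["facebook", "https://www.facebook.com.login.example/dialog/oauth?scope=email"],
  ["google", "https://accounts.google.com/o/oauth2/v2/auth?client_id=123&scope=openid%20email%20profile"],
];

for (const [provider, address] of SAMPLES) {
  const r = reviewLoginUrl(provider, address);
  console.log(provider, r.hostOk ? "host ok" : `REJECT (${r.reasons.join("; ")})`,
    r.extraScopes.length ? `extra rights: ${r.extraScopes.join(", ")}` : "basic rights only");
}
```

A passing host check only says where the form is served from; the listed extra rights still have to be reviewed and declined individually as described above.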