On Thursday evening, as I was having my dinner, my wife came in to tell me that my Facebook account was hacked and I should change my password. The evidence for this was that some other people that I was already friends with were getting friend requests that appeared to come from me. Now I have been on the other end of this many times, and didn’t give it a lot of thought. Other people getting hacked is not exactly news as far as I am concerned. It sucks for them, but nothing I need to get worked up about. But having it happen to me made me think a little harder.
The first thing that puzzled me is that I have enabled Two-Factor Authentication on my account. I have to enter a code from my phone to log in to Facebook, and I didn’t see any way that someone could get in without me knowing about it. And at the time I was in fact logged in myself; how could there be two different logins at the same time?
And the answer is that my account was not hacked at all. What happened was a Facebook Clone scam, something increasingly common. What the scammers do is clone your account by using all of the information Facebook makes public about you. This is not difficult at all. I decided to go through the steps of cloning (without actually doing it, of course) just to illustrate how it is done.
- First, type in a first name into the Facebook search box, and a list of possible account names pops up. Pick one at random. I used my own account for this exercise.
- Second, click the link under the Profile photo that says “Photos”.
- Try Photos by this person, or Profile Photos if that is there, as places where you can download their Profile photo. My Profile photo was the very first one I saw there.
- Then, go back, and next to the link to Photos you will see a link to Friends. Click that, and you will see all of this person’s friends listed.
- You now have everything you need to create a fake account and send out scam Friend requests.
This approach is the well-known security technique of thinking like an attacker, which is very helpful in making yourself safer.
Public Information
The key to this attack is that Facebook makes public all kinds of information about you. This particular attack is pretty obvious, but there are more insidious ones. If you go to the About link, take a look at what is there. Places you have worked? Places you have lived? Where you went to school? Family relationships? Your birthday? Suppose you found out someone’s spouse? If the spouse also has a Facebook account, you can get the spouse’s birthday. The point is that these are all the kinds of things that are used for “second question” authentication on other accounts. When you are setting this up for your bank account, you might think no one would know this. But in fact it is all publicly available. We had this exact thing happen in 2012 in the U.S. to a Vice-Presidential Candidate, Sarah Palin, who had her e-mail account hacked because her “second questions” were all things easily discoverable, and some kid looked up the information and got into her account.
Of course, you can sometimes pwn yourself. I set up a PIN for an account many years ago and it required 4 digits. I thought I would be clever and picked a date from history (my first degree). It took me a few months to realize that my wife’s birthday matched this date, and to change it.
As to the friend request being a “duplicate” sent from my real account, that is not even possible, even if someone managed to hack into your account. Once someone is your friend you cannot send them another Friend request, period. The software won’t allow it.
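The point about “second question” answers and PINs is easy to check for yourself. The script below is an added example, not code from the original post: it builds a small constructed public-profile record (invented account names, dates and places), follows the spouse link the way the post describes, and reports which security-question answers or PIN digits can be read straight off the public profile. All of the profile fields and the two audit functions are assumptions for illustration.

```python
"""Self-audit: are my "second question" answers or my PIN recoverable from
what a social-media profile makes public?  Added example, not from the
original post; the profile data below is constructed for illustration."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample data standing in for what a public profile exposes.
# Account names, dates and places are invented.
PUBLIC_PROFILES: Dict[str, dict] = {
    "alice.example": {
        "birthday": date(1975, 3, 14),
        "hometown": "Springfield",
        "employers": ["Acme Corp"],
        "schools": ["Springfield High", "State University"],
        "spouse": "bob.example",
    },
    "bob.example": {
        "birthday": date(1974, 11, 2),
        "hometown": "Shelbyville",
        "employers": ["Globex"],
        "schools": ["Shelbyville High"],
        "spouse": "alice.example",
    },
}


def normalize(text: str) -> str:
    """Lower-case and drop spaces and punctuation, so that "State University",
    "state-university" and "STATEUNIVERSITY" all compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def date_forms(d: date) -> List[str]:
    """Digit strings people commonly type for a date: MMDD, DDMM, YYYY, ..."""
    patterns = ("%m%d", "%d%m", "%Y", "%m%d%y", "%d%m%y",
                "%m%d%Y", "%d%m%Y", "%Y%m%d")
    return [d.strftime(p) for p in patterns]


def public_facts(user: str, profiles: Dict[str, dict],
                 follow_spouse: bool = True) -> List[Tuple[str, str]]:
    """Every normalized string recoverable from the user's public profile,
    labelled with its source. With follow_spouse=True the spouse's public
    profile is read as well, which is how the "spouse's birthday" case from
    the post surfaces without the spouse ever being asked anything."""
    prof = profiles[user]
    facts: List[Tuple[str, str]] = [(f"{user}/hometown", normalize(prof["hometown"]))]
    facts += [(f"{user}/employer", normalize(e)) for e in prof["employers"]]
    facts += [(f"{user}/school", normalize(s)) for s in prof["schools"]]
    facts += [(f"{user}/birthday", form) for form in date_forms(prof["birthday"])]
    spouse = prof.get("spouse")
    if follow_spouse and spouse in profiles:
        facts += public_facts(spouse, profiles, follow_spouse=False)
    return facts


def audit_answers(user: str, answers: Dict[str, str],
                  profiles: Dict[str, dict] = PUBLIC_PROFILES) -> Dict[str, str]:
    """Map each security question whose answer equals a public fact to the
    source of that fact. Questions whose answers are not public are omitted."""
    facts = public_facts(user, profiles)
    weak: Dict[str, str] = {}
    for question, answer in answers.items():
        hit = next((src for src, val in facts if val == normalize(answer)), None)
        if hit is not None:
            weak[question] = hit
    return weak


def audit_pin(user: str, pin: str,
              profiles: Dict[str, dict] = PUBLIC_PROFILES) -> List[str]:
    """Sources of public dates whose common digit forms equal the PIN
    (the post's "my PIN turned out to be my wife's birthday" case)."""
    return [src for src, val in public_facts(user, profiles)
            if src.endswith("/birthday") and val == pin]


if __name__ == "__main__":
    my_answers = {
        "first school": "Springfield High",      # on my own profile
        "spouse's birthday": "11/02/1974",       # on my spouse's profile
        "first pet's name": "Fluffy",            # not public anywhere
    }
    print("weak answers:", audit_answers("alice.example", my_answers))
    print("weak PIN 1102:", audit_pin("alice.example", "1102"))
    print("weak PIN 8675:", audit_pin("alice.example", "8675"))
```

Anything the audit flags is a fact an attacker can read without logging in to anything, so it should not be doing double duty as an authentication secret; the usual fix is to treat security questions as passwords and answer them with random, stored strings rather than true facts.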
Now, if this happens, what can the scammers get out of it? If they can get other people to accept this fake account as being you, maybe they can send them Malware, Russian election misinformation, promote illegal activities, or whatever. The good thing is that these days we have seen this so often that almost no one pays them any attention. But it is all a numbers game, and even a very small percentage of successful scams can be profitable when pursued on a large scale.
What you can do
As to what you can do, not a whole lot. Changing your password won’t do anything here because your account is not hacked in the first place. And I tend to be a little leery of changing passwords willy-nilly, because human nature being what it is, it usually results in passwords that get simpler and more guessable over time, which is why NIST recently came out against the requirement in many places that passwords be changed frequently on a schedule.
What you can do is pretty simple. If you see someone you are already friends with send you a friend request, do them a favor and click on the profile. (You can always do this before accepting a Friend request. I regularly get friend requests from suspiciously attractive females whom I have never met and who seem to have a serious lack of history.) Click the Timeline, and there is a menu on the right with three dots. Click that to report the profile as a fake profile. Of course, it may already be closed when you try to do this, because Facebook has gotten pretty good at finding and shutting down these clone accounts.
And you can always check to see if anyone has cloned your account simply by searching on your name. My name is not unusual, but if I see two accounts with my same profile picture, I know one of them is bogus.
The other thing you can do if you have not done so yet is set up Two-Factor Authentication.
- Go to your Home Page in Facebook
- Click the drop-down arrow on the Top Right
- Select Settings and Privacy
- Select Settings
- Select Security and Login
- Go to Two-Factor Authentication and turn it on
- Set up how you want to do it. I have a Facebook App on my Android phone, and that gives me a code, but you have a few options here.