Hacked on Facebook

One of the first things you learn in my line of work is that nothing on a network is safe. If you really care about privacy you should not be online, because anything and everything is searchable and downloadable, even “private pages”.

Today I got a call from a friend who alerted me to someone logged into my Facebook account and asking him for money via chat. The story was that Tina and I were in London and we were mugged at gunpoint. The police were not helpful and we were stranded without cash, but had a passport so we could accept Western Union. The amount he asked for was $600. My phone started ringing off the hook with concerned friends, some of them falling for it, and others merely alerting me to the hilarity of the proposition.

Here’s how it could happen:

1) Jerk uses one of several methods to obtain your password, or finds a machine that you were previously logged into.

2) Jerk registers a very similar email address to the one you are using with Gmail or Yahoo.

3) Jerk changes the email address on your Facebook account to the one they just registered.

4) Jerk issues a password reset request using the new email address.

5) Unsuspecting, you get a notification of an email address change, but the new address is so close to the one you use that you do not notice, and you click the link approving it.

6) Once this change is made the jerk not only has control of your account, but you can never log in again: the password and email address are now changed.

7) The jerk can continue to chat, message, post on your wall that “you” need money.
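Step 5 is the one that does the damage: the notification looks legitimate because the new address is a lookalike of the real one. The following is an added example, not code from the original post, showing how a change-of-address notification could be checked for that trick before a person is asked to approve it. The addresses are constructed samples, and the confusable-character table and the edit-distance threshold are assumptions chosen for illustration.

```python
"""Flag an email-address change whose new address is a lookalike of the old one.

Added example (not from the original post). Addresses below are constructed;
the CONFUSABLES table and max_distance are illustrative assumptions.
"""
from __future__ import annotations

# Glyphs commonly swapped to make one address look like another (assumed list).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
})


def canonical(addr: str) -> tuple[str, str]:
    """Collapse visually similar forms of an address into one comparable form.

    Lower-cases, drops dots and a '+tag' in the local part (Gmail ignores both),
    and maps confusable glyphs (0/o, 1/l, rn->m, vv->w) in both parts.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0].replace(".", "")
    local = local.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    domain = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return local, domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_verdict(old_addr: str, new_addr: str, max_distance: int = 2) -> str:
    """Classify a proposed email change relative to the address on file.

    Returns "identical" (same address, only case differs), "lookalike"
    (canonical forms collide or differ by at most max_distance edits) or
    "distinct" (clearly a different address).
    """
    old_c, new_c = canonical(old_addr), canonical(new_addr)
    if old_c == new_c:
        if old_addr.strip().lower() == new_addr.strip().lower():
            return "identical"
        return "lookalike"          # e.g. j0hn vs john, gmai1 vs gmail
    dist = levenshtein("@".join(old_c), "@".join(new_c))
    return "lookalike" if dist <= max_distance else "distinct"


def audit_change_notices(notices: list[tuple[str, str]]) -> list[str]:
    """Run the check over (old, new) pairs, as a notification pipeline might."""
    return [lookalike_verdict(old, new) for old, new in notices]


if __name__ == "__main__":
    # Constructed sample notices: on-file address vs. proposed new address.
    samples = [
        ("johnsmith@gmail.com", "j0hnsmith@gmail.com"),   # zero for o
        ("johnsmith@gmail.com", "johnsmith@gmai1.com"),   # one for l
        ("johnsmith@gmail.com", "johnsmith@gmail.co"),    # one character short
        ("johnsmith@gmail.com", "johnsmith@yahoo.com"),   # genuinely different
    ]
    for (old, new), verdict in zip(samples, audit_change_notices(samples)):
        print(f"{old:>24} -> {new:<24} {verdict}")
```

A "lookalike" verdict is the signal to stop and show the user both addresses side by side, or to require a second confirmation from the address already on file, rather than a single click in an email.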

I am savvy enough (and lucky enough) to not have approved the email or password change request. I then issued a password change request of my own using my real email address. Once the password was changed, I had to log in and log out of Facebook. If you do not log out, then the jerk can stay logged in to the session for several hours chatting up your friends for money. I then issued one more password change request using my real email address just to be safe (there was a slight chance that the jerk could have issued another change request while I was logging him out).

There is a final rule of safety that I would like to pass along from personal experience. Have at least 3 separate passwords. I know it sounds like a lot, but it can prevent people from taking your identity from you online. For instance, if I had used the same password for my email account that I used for Facebook, once the jerk was logged in they could have logged into my Gmail account and started emailing people for money, making the request look even more legitimate.

Use at least one password for social network sites, another for email accounts, and yet another for financial accounts.

I hope this helps anyone who didn’t know before, and helps anyone who did know but hasn’t taken the precautions.