FaceBook security – a cautionary tale…

What to do if you're hacked, and how to know

Last Friday started out like any other day – until I received an email from Facebook telling me I had associated my account with a new email address.
Alarm bells rang straight away. I tried to log in to Facebook, but my details were not accepted.

If you have set up security questions and a mobile number (you have, haven't you?), you can go to the Facebook Checkpoint – http://facebook.com/checkpoint/
This allowed me to verify I was the rightful account holder and I could reset my password and the associated email address.

What did the miscreant do with his 40 minutes of access to my FaceBook account?

First – he used Facebook to message my friends who were online, saying I was stranded and asking them to send money! Luckily I only have 40-ish friends (sad, I know).

Second – he used a copy of my Facebook address list, which he synced to Yahoo, to email my contacts directly from the new bogus email address.

Here is a transcript of one of the Facebook message threads… (names hidden, of course)

How are you doing?

FRIEND: heyyy david!
im good mate how you doing?

SCAMMER: Am not good at this moment

SCAMMER: Am presently stuck down in Wales UK with my family as we speak

FRIEND: oh wow

SCAMMER: we are in deep mess

FRIEND: haha
how come?

SCAMMER: My family and I came down here to Wales,United Kingdom, for a short vacation and got mugged at the park of the hotel we stayed, all our cash, credit card and Cell Phone were stolen off us at the GUN POINT

FRIEND: oh shit

SCAMMER: but luckily for us we still have our passports with us but don’t have enough money to sort the bills so we can get out of here

FRIEND: man…
dont you have travel insurance?
have you gone to the embassy?

SCAMMER: We’ve been to the embassy and the police are not helping issues at all and our flight leaves soon, but we’re having problems settling the hotel bills,the hotel manager won’t let us leave until we settle the bills

FRIEND: just give them your insurance details

SCAMMER: i need your help

FRIEND: hahahaha ok very funny
are you with (hidden)

Being an IT guy – how was I hacked?

Whilst I will never know the exact cause, account hacks like this usually happen for one of the following reasons.

1. Account password cracked (usually because the password was weak) – this was most likely the cause.
NOTE: I had an 8-character password including a single alphanumeric substitution, i.e. I swapped a single letter for a number.

2. Account password reused on another site, that site was hacked, and the attackers tried the same login details here.
This is very common. I had used the password on 2 other “low value” sites, so this is possible, but unlikely.

3. Malware installed on the machine used to access the Facebook site.
On a PC, this is a big concern. I never access Facebook on any machine except for machines I own.
As it stands, whilst there are one or two easily spotted trojans for OS X, there are NO remote exploits with keylogging or ANY viruses for OS X.

4. Poisoned adverts.
This is becoming quite common: JavaScript embedded in an advert on a website. Some of these poisoned adverts don't even have to be clicked; simply being displayed in a browser window is enough.

So, what can YOU do to protect yourself?

1. Make sure you have recovery questions and a mobile number set on Facebook, and document them!

2. Turn on secure browsing (HTTPS, like a banking website) in > Account Settings > Security

3. Turn on Login Approvals in > Account Settings > Security
This means any new computer you use to access Facebook needs a one-time passcode, which is sent via SMS to your mobile.

4. Turn on App Security if you use the Facebook app on an iPhone or iPad, in > Account Settings > Security
Some Facebook apps can't accept security codes; for these you generate an “App Password” to use instead.

5. Use a passphrase (a series of separate words) of 12 or more characters with a mix of uppercase and lowercase letters and at least 1 number substitution.

6. Don't use the same password on multiple sites, especially if they contain sensitive information.
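To make rule 5 concrete, here is an added example (my own checker, not code from Facebook or from the original post) that encodes the 12-character, mixed-case, at-least-one-digit rule and additionally flags the weakness described in the NOTE above: a dictionary word disguised by a single number substitution. The word list and substitution table are constructed placeholders; a real checker would load a full dictionary or breached-password list.

```python
import re

# Constructed stand-in for a real dictionary; a real checker would load a
# full word list (e.g. /usr/share/dict/words) or a breached-password list.
COMMON_WORDS = {"password", "letmein", "football", "facebook", "welcome",
                "sunshine", "dragon", "qwerty"}

# Substitutions that cracking wordlists already try, so they add almost nothing.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}


def de_leet(text: str) -> str:
    """Undo common number/symbol-for-letter swaps: 'passw0rd' -> 'password'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in text)


def dictionary_core(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols ('Facebook2011!'),
    then undo substitutions, to recover the word a cracker would start from."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return de_leet(stripped)


def check_password(password: str) -> list:
    """Return the rules the password violates; an empty list means it passes.

    The first four checks are the post's rule 5 (12+ characters, upper and
    lower case, at least one digit). The last check catches the 8-character,
    single-substitution pattern: a dictionary word with one letter made a digit.
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    core = dictionary_core(password)
    if core in COMMON_WORDS:
        problems.append("dictionary word with substitutions (%r)" % core)
    return problems


if __name__ == "__main__":
    # Constructed samples: the single-substitution pattern from the post, a
    # rule-5-compliant password that is still a dictionary word, and a passphrase.
    for sample in ("passw0rd", "Facebook2011!", "Correct Horse 3 Batteries"):
        print(sample, "->", check_password(sample) or "OK")
```

Note that "Facebook2011!" satisfies every character-class rule and still fails, which is why the post recommends a multi-word passphrase rather than a single word with a number bolted on.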

7. If you were hacked, make sure you delete ANY unknown or recently updated authorised apps in > Account Settings > Apps
These can be used to download your address book (as in my case) or to federate access to IM clients like Meebo.

8. Make sure notifications are turned on in > Account Settings > Notifications
The quicker you get control of your account back, the less damage can be done.

9. If you have been hacked, note the changed email address, contact the provider and get the address shut down.
Most free providers (which scammers use as throwaway addresses) have a “report abuse” link – here are the links I used for Yahoo.