About two weeks ago my Facebook account was hacked. Before I go any further, I should state upfront that I am not of the mentality that “Facebook is out to get me.” In fact, I think Facebook has done a decent job of trying to be a viable service and business, while remaining one of the strongest social media tools out there. Unfortunately, Facebook still seems to lack in two places: Customer Service and Security Awareness.
What happened the first time?
My wife and I were having a late breakfast at Specialty’s Café & Bakery in Santa Clara when someone accessed my Facebook account. I probably wouldn’t have recognized it right away, but I received two emails. The first was for a Facebook Credits purchase in the amount of $81.10. Those credits were then turned around and used to purchase in-game content for Zynga Texas Hold’em Poker. I received a second email from Zynga that welcomed me to the game.
At first I thought that the FB Credits email was a hoax, but the second email from Zynga set off my internal alarms. I raced back home to access my laptop and get to the bottom of things.
After twenty minutes of digging through support options, I contacted both Zynga and Facebook support. The first response came within 90 minutes from Zynga Customer Support. Apparently not concerned that someone is illegally using my account to access their servers, I am told that because the purchase happened with Facebook, that there is nothing they can do for me. I had hoped they could help me block the account (I don’t use any of their games anyway). No dice.
I had to wait almost a full 24 hours for a response from Facebook Credits Support Center. My original message to them read:
I did not authorize this charge, but I received an email this morning prompting me to check my account. I do not currently have a credit card on file (according to FB Credits) so I’m not sure how this card was used to purchase anything. I do have a card ending in the same four digits, but it is not yet showing with my credit card company (less than 90 minutes since the purchase).
Expecting that I might get help with a fraud claim, or event help researching who might have accessed the account, I was instead given a response from “Clive” that read:
You can view your recent Facebook Credit transactions on the Payments tab of the Account Settings menu. From here you can see all Facebook Credits purchased and view detailed receipts showing items you have purchased with the credits in the last 30 days. To view your recent transactions follow these steps…
The remainder of the email were the four steps to viewing my purchase history. That means I just got the canned response to something I didn’t even ask. I had already been to the purchase history. I know because that’s where I clicked the “View Receipt” link that then allowed me to dispute the charge in the first place.
Adding insult to injury
I felt Facebook’s initial response was dismissive of the situation, so I had a snarky reply:
You didn’t answer one word of my original question. What part of “I did not authorize this charge” did you not read? If you cannot help me with a fraud report, who can?
“Clive” responded to me about an hour later:
We have investigated the matter, and it does not appear to be a case of fraud, but rather a case of a family member or friend accessing this account and making theses charge as there does not appear to be any irregular login patterns indicating a compromised account.
What? That’s it? Because Facebook can’t find “irregular login patterns” my account hasn’t been compromised?
The message actually continues to state that “because this unauthorized charge was made by someone in your household or by someone who is known to you, [Facebook] cannot issue a refund per our terms of purchase.”
After a few more messages back and forth, I was told that if I “dispute these charges with your credit card company or bank, the account that made these charges may become limited and will lose certain functionality.” They insisted that I knew the individual that made these charges, and as a result this was not fraud.
The waiting game begins
Feeling that I was shrugged off as a liar, and that fraud or security was not an issue Facebook wanted to deal with, I turned to the local media. Although I contacted several news outlets, only one decided this issue was worth investigating further. KPIX-TV in San Francisco (CBS5) contacted me, and we have been going back and forth since.
My last message with “Clive” was on April 12th. I’m guessing that my threat to get the Santa Clara Sheriff’s Department involved just silenced the conversation. But then something new happened six days later.
A second compromise
In those six days, I had discovered some new security features of Facebook. These are things that everyone should know, and I’ll make another step-by-step post of securing your Facebook presence in the near future. With the ability to now be notified when someone accesses the account, I received a text message and email at 3:30 the morning of April 18th. This message gave me the IP address (probably spoofed) and location of the login: Chicago.
The key (for me) was that you also have to name the machine logging in. I had uniquely formatted my other logins so that I could easily spot someone that randomly jumps into my account. It was quite obvious that I did not login this time.
I quickly locked the account via a link in the email. I also had my wife view my profile to see if any strange activity was on my wall. Sure enough, they had “Liked” the Zynga Poker page. Similar activity to similar apps. This person also changed my password, I assume to try and lock me out. For what it’s worth, Facebook does have an easy way to lock your account, then steps to verify that it is *you* trying to reset the account. The downside is that you will reset your password twice during this process, and you are not allowed to reuse your old passwords.
Well this apparently was a big step in getting my money back. I forwarded the email to “Clive” who did not reply to me. But apparently, “Lloyd” in Risk Management had enough to reach out:
We have investigated your account and believe it has been compromised. All purchases made while the account was compromised have been refunded to the appropriate source.
Victory is mine!
Yippie! Victory!! Right? Wrong. This means that they had enough to agree with me that I did not make this charge, and did refund my money. However, they still didn’t seem to address who was logging into my account. Even after changing my password (several times actually) and enabling additional security features, someone still managed to gain access to my account.
This means that I have to continue living in fear. I run a small business. I have what’s known as a Facebook page, essentially a storefront on the Facebook platform. You know those little rectangle ads that you ignore on the sidebar? I can get one of those. To do so, I need to have a credit card on file.
That’s right – The same Facebook Credits system that someone hacked into and charged up on my credit card is the same system used for business transactions. That’s how I was compromised in the first place. Two years ago, I added a credit card (before the FB Credits system existed) to pay for a short run advertising of the Bay Area Groom’s Workshop.
I would love to use ads again. Facebook has one of the most powerful targeted advertising systems out there, but if I can’t feel secure in leaving a credit card on file, what am I to do? Even if I purchase a Facebook Credits gift card, it will only limit the damage. Facebook’s payment terms already state that “When you provide a payment source to us, you confirm that you are permitted to use that payment source. You also authorize us to collect and store it, along with other related transaction information.”
How do I know that they won’t just pawn illegal activity off on a family member or someone else that I know again?
What is your experience with Facebook Credits?
Are you using Facebook Credits for anything? Running a business? Using them to enhance your in-app experience? I would love to hear about it. I still have my interview with CBS coming up, and I’m curious if others have had real issues with Facebook’s security.
As mentioned earlier, I’ll be putting together an additional post that provides step-by-step procedures for securing your Facebook account. These are things that I didn’t know about until I was compromised, but because I had enabled them, the second time I was able to put the brakes on it before anything bad happened. Be sure to subscribe to my blog to keep in the loop when I have that post complete.