Are You Practicing Safe Facebook?

Wednesday, April 20th, 2011 at 3:33 PM by   

About two weeks ago my Facebook account was hacked. Before I go any further, I should state upfront that I am not of the mentality that “Facebook is out to get me.” In fact, I think Facebook has done a decent job of trying to be a viable service and business, while remaining one of the strongest social media tools out there. Unfortunately, Facebook still seems to lack in two places: Customer Service and Security Awareness.

What happened the first time?

Facebook Login ScreenMy wife and I were having a late breakfast at Specialty’s Café & Bakery in Santa Clara when someone accessed my Facebook account. I probably wouldn’t have recognized it right away, but I received two emails. The first was for a Facebook Credits purchase in the amount of $81.10. Those credits were then turned around and used to purchase in-game content for Zynga Texas Hold’em Poker. I received a second email from Zynga that welcomed me to the game.

At first I thought that the FB Credits email was a hoax, but the second email from Zynga set off my internal alarms. I raced back home to access my laptop and get to the bottom of things.

Nobody cares

After twenty minutes of digging through support options, I contacted both Zynga and Facebook support. The first response came within 90 minutes from Zynga Customer Support. Apparently not concerned that someone is illegally using my account to access their servers, I am told that because the purchase happened with Facebook, that there is nothing they can do for me. I had hoped they could help me block the account (I don’t use any of their games anyway). No dice.

I had to wait almost a full 24 hours for a response from Facebook Credits Support Center.  My original message to them read:

I did not authorize this charge, but I received an email this morning prompting me to check my account. I do not currently have a credit card on file (according to FB Credits) so I’m not sure how this card was used to purchase anything. I do have a card ending in the same four digits, but it is not yet showing with my credit card company (less than 90 minutes since the purchase).

Expecting that I might get help with a fraud claim, or event help researching who might have accessed the account, I was instead given a response from “Clive” that read:

You can view your recent Facebook Credit transactions on the Payments tab of the Account Settings menu. From here you can see all Facebook Credits purchased and view detailed receipts showing items you have purchased with the credits in the last 30 days. To view your recent transactions follow these steps…

The remainder of the email were the four steps to viewing my purchase history. That means I just got the canned response to something I didn’t even ask. I had already been to the purchase history. I know because that’s where I clicked the “View Receipt” link that then allowed me to dispute the charge in the first place.

Facebook Credits Screen

Example of the Facebook Recent Purchases screen

Adding insult to injury

I felt Facebook’s initial response was dismissive of the situation, so I had a snarky reply:

You didn’t answer one word of my original question. What part of “I did not authorize this charge” did you not read?  If you cannot help me with a fraud report, who can?

“Clive” responded to me about an hour later:

We have investigated the matter, and it does not appear to be a case of fraud, but rather a case of a family member or friend accessing this account and making theses charge as there does not appear to be any irregular login patterns indicating a compromised account.

What? That’s it? Because Facebook can’t find “irregular login patterns” my account hasn’t been compromised?

The message actually continues to state that “because this unauthorized charge was made by someone in your household or by someone who is known to you, [Facebook] cannot issue a refund per our terms of purchase.”

After a few more messages back and forth, I was told that if I “dispute these charges with your credit card company or bank, the account that made these charges may become limited and will lose certain functionality.” They insisted that I knew the individual that made these charges, and as a result this was not fraud.

The waiting game begins

Feeling that I was shrugged off as a liar, and that fraud or security was not an issue Facebook wanted to deal with, I turned to the local media.  Although I contacted several news outlets, only one decided this issue was worth investigating further. KPIX-TV in San Francisco (CBS5) contacted me, and we have been going back and forth since.

My last message with “Clive” was on April 12th. I’m guessing that my threat to get the Santa Clara Sheriff’s Department involved just silenced the conversation. But then something new happened six days later.

A second compromise

In those six days, I had discovered some new security features of Facebook. These are things that everyone should know, and I’ll make another step-by-step post of securing your Facebook presence in the near future. With the ability to now be notified when someone accesses the account, I received a text message and email at 3:30 the morning of April 18th. This message gave me the IP address (probably spoofed) and location of the login: Chicago.

The key (for me) was that you also have to name the machine logging in. I had uniquely formatted my other logins so that I could easily spot someone that randomly jumps into my account. It was quite obvious that I did not login this time.

I quickly locked the account via a link in the email. I also had my wife view my profile to see if any strange activity was on my wall. Sure enough, they had “Liked” the Zynga Poker page. Similar activity to similar apps. This person also changed my password, I assume to try and lock me out. For what it’s worth, Facebook does have an easy way to lock your account, then steps to verify that it is *you* trying to reset the account. The downside is that you will reset your password twice during this process, and you are not allowed to reuse your old passwords.

Well this apparently was a big step in getting my money back. I forwarded the email to “Clive” who did not reply to me.  But apparently, “Lloyd” in Risk Management had enough to reach out:

We have investigated your account and believe it has been compromised. All purchases made while the account was compromised have been refunded to the appropriate source.

Victory is mine!

Yippie! Victory!! Right? Wrong. This means that they had enough to agree with me that I did not make this charge, and did refund my money. However, they still didn’t seem to address who was logging into my account. Even after changing my password (several times actually) and enabling additional security features, someone still managed to gain access to my account.

This means that I have to continue living in fear. I run a small business. I have what’s known as a Facebook page, essentially a storefront on the Facebook platform. You know those little rectangle ads that you ignore on the sidebar? I can get one of those. To do so, I need to have a credit card on file.

That’s right – The same Facebook Credits system that someone hacked into and charged up on my credit card is the same system used for business transactions. That’s how I was compromised in the first place. Two years ago, I added a credit card (before the FB Credits system existed) to pay for a short run advertising of the Bay Area Groom’s Workshop.

I would love to use ads again. Facebook has one of the most powerful targeted advertising systems out there, but if I can’t feel secure in leaving a credit card on file, what am I to do? Even if I purchase a Facebook Credits gift card, it will only limit the damage. Facebook’s payment terms already state that “When you provide a payment source to us, you confirm that you are permitted to use that payment source. You also authorize us to collect and store it, along with other related transaction information.”

How do I know that they won’t just pawn illegal activity off on a family member or someone else that I know again?

What is your experience with Facebook Credits?

Are you using Facebook Credits for anything? Running a business? Using them to enhance your in-app experience? I would love to hear about it. I still have my interview with CBS coming up, and I’m curious if others have had real issues with Facebook’s security.

As mentioned earlier, I’ll be putting together an additional post that provides step-by-step procedures for securing your Facebook account.  These are things that I didn’t know about until I was compromised, but because I had enabled them, the second time I was able to put the brakes on it before anything bad happened.  Be sure to subscribe to my blog to keep in the loop when I have that post complete.

  • Thank you for sharing this. I also got a FB notice that my account had been accessed by a different state (I can’t remember which one at the moment, but definitely one I had never set foot in, and at a time when I was here in CA). Since I had no credit card on file a thief couldn’t do much with that but, this post is a chilling warning. Looking forward to your second post on security measures. 🙂

  • I’m hoping to have it up here by the start of next week! 🙂

  • Pingback: Safegaurd Your Facebook Experience - DJ Jason Spencer Entertainment - San Jose, Santa Cruz, Monterey Bay Area Wedding DJs()

  • Lauranupponen

    Hey Jason, just wanted let you know that this same exact thing happened to me recently (a few weeks ago and then this morning) The credit card they say is under my name isn’t real (I called Discover and confirmed there is no credit card under my social or name) Last time it was a fake Visa card.  I did however put an alert on my social and changed all my privacy settings as per your advice.  Have you received any more information from the Facebook staff?  “Clive” responded to me the exact same way and then disappeared.  However since the credit cards aren’t real, I don’t know if I should keep pursuing contacting Facebook, because it’s not actually affecting my funds. I also checked my credit reports and nothing has been applied for under my name. But thanks for blogging about this, and I’d be interested in any other information you can provide!

  • I actually didn’t hear anything else from them, but I ultimately did get my credit card and Facebook to admit that I didn’t make the charges. Because I got the credit twice, that resulted in a double credit and a bigger headache.

    I would keep a record of contact with Facebook, mostly in case the card numbers – while not yours – might be real. The last thing you want is a lawsuit for fraud against you. I changed my password and didn’t log into Facebook for about a week from any of my regular computers. At the end of that week, I changed it again and have not seen any issues since. I do keep the logon notifications active though, as well as the https browsing.