In our last episode, Debbie’s Facebook account had been hijacked. She would receive random notes from her friends telling her that they suspected that her account had been hacked, but everything looked fine. Then, the cybercriminal opened a chat to me from her account typing, “… still stuck in London.” Since, at that very moment, Debbie was standing next to me, it was pretty obvious we had a problem.
We immediately walked over to Debbie’s computer, to find her Facebook account gone. Had the hackers actually stolen her entire account? Within seconds, she received a “real world” email that looked like it was from Facebook. It said:
Our systems indicate that your Facebook account has been compromised by cybercriminals attempting to impersonate you. These criminals often will try to trick your friends into sending them money by claiming that you are stuck in a far away location and need assistance. It is possible that your email account was compromised as well. As such, we have sent this email to all email accounts recently associated with your account. Obtaining access to a victim’s email is one of the primary ways these cybercriminals have been operating. Please change the passwords to any email addresses associated with your account.
There was some additional information in the email with links to webpages that were not helpful without access to Debbie’s account. Curiously, the email ended with this request:
In order to regain control of your Facebook account reply to this email with the answer to your security question: What was the name of your first pet?
Audrina User Operations
You want me to email you what? Is it not the first rule of Internet security that you never email anyone personal information about an account? Why would a real security person ask for this in an email? They should have pointed us to a link inside of Facebook where Debbie could enter the information directly into her profile. How could this email be from Facebook Security?
Erring on the side of caution, we replied to the email as follows:
This is from a person I believe is posing as a member of your security team. She’s asking for me to answer a security question that I’m not going to answer. I believe this is the same person who hacked into my Facebook acct. I have not heard from anyone at FB since the first email. I cannot log onto or even get onto FB at this point.
I’d like to know why I’m being targeted twice and what you’re going to do about this?
A couple of days later Debbie received the following:
You do not need access to your Facebook account to contact us. We have suspended the account until we can prove ownership. I understand that you are skeptical of our correspondence, but please be assured that you are dealing with a legitimate Facebook representative. If you would like us to reevaluate the status of your account, please reply with the requested information. We appreciate your cooperation.
Audrina’s email address is “firstname.lastname@example.org”; we dubbed her The Facebook Ninja.
Over the course of the following week, after a draft copy of Cloud Life Chronicles Part I started circulating around the blogosphere, Debbie was contacted by a different Facebook staffer (who asked her to pick a new security question and give the answer — all using email). It was impossible to tell who was a hacker and who worked for Facebook. The email headers were cryptic; the email address had a “plus” sign in it (not an illegal character, but highly unusual).
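What a recipient can actually check in headers like these, as an added example that is not part of the original column: the sketch reads the `Authentication-Results` header stamped by the recipient's own mail server, compares the From domain with the one expected, flags a diverging Reply-To, and splits off the "plus" tag. The function names, the `mx.recipient.example` server name and every address and domain in the samples are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def split_address(addr):
    """Return (base_local, plus_tag_or_None, domain) for an address."""
    local, _, domain = addr.rpartition("@")
    base, plus, tag = local.partition("+")
    return base, (tag if plus else None), domain.lower()

def assess(raw, expected_domain, trusted_authserv):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    _, tag, from_domain = split_address(from_addr)
    auth = {}
    # Trust only the Authentication-Results header stamped by our own
    # receiving server; a sender can include a forged copy of this header.
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            auth.setdefault(method, verdict.lower())
    matches = (from_domain == expected_domain
               or from_domain.endswith("." + expected_domain))
    return {
        "plus_tag": tag,  # sub-addressing is legal and proves nothing either way
        "from_matches_expected": matches,
        "reply_to_diverges": bool(reply_addr)
            and split_address(reply_addr)[2] != from_domain,
        "dmarc_pass": auth.get("dmarc") == "pass",
        "auth": auth,
    }

# Constructed sample messages; every name and domain is a placeholder.
SAMPLE_ALIGNED = (
    "Authentication-Results: mx.recipient.example; spf=pass;\n"
    " dkim=pass header.d=service.example; dmarc=pass\n"
    'From: "User Operations" <appeals+k3x9@support.service.example>\n'
    "Subject: Your account\n\nbody\n"
)
SAMPLE_SUSPECT = (
    "Authentication-Results: mx.unknown.example; dmarc=pass\n"
    'From: "User Operations" <appeals+k3x9@service-example.test>\n'
    "Reply-To: helpdesk@mailbox.test\n"
    "Subject: Your account\n\nbody\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_ALIGNED, SAMPLE_SUSPECT):
        print(assess(raw, "service.example", "mx.recipient.example"))
```

A passing result shows only that the message came through the expected domain's mail system; it does not make replying with a security answer by email any safer.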
Was Audrina stuck in London asking Debbie’s friends for money? Is there an Audrina? We’ll never know.
Several days later, when Debbie regained control of her account, her profile picture was changed. This freaked her out. How did a different picture become her profile picture? Her Facebook friends didn’t believe that she was the real Debbie. It took the better part of this week to get everyone settled down.
For Debbie, Facebook is different now. I’m not seeing as many updates from her in my news feed, no pictures have been uploaded and there are far fewer wall posts. Is she gun-shy? Obviously. Will she ever regain trust in the integrity of her Facebook account? Time will tell.
For me, this episode brought several interesting issues into focus.
1) If you have an active user-base that is the size of a large country, does it need a government? I grew up in a town (that had a government) that was in a county (that had a government) that was in a State (that had a government) that was in a country (that had a government). There were four levels of government all overseeing my hometown. Facebook has more than 200 million active users; who represents me?
2) Is Facebook improperly designed? This is a loaded question. Facebook is awesome. Security issues aside, when Facebook is functioning as designed, the experience is wonderful. I am really thinking about the deeper design issues. Facebook offers me a place to put my photos and stuff for free; they give me free disk space for my database of friends and store my internal-to-Facebook faux emails. Does that make sense? Should I have a way to back up my stuff? Should I have a way to keep my stuff on my computer and only share it with my Facebook friends? Should Facebook be more of a replicated version of my local database as opposed to a cloud-based application?
3) Would I pay for a better version of Facebook? Would you? If so, how much? Is there a frequent flyer program or a paid premium version of Facebook in our future? If I had a better security experience or a set of features that let me back-up the things I have on Facebook, would I be willing to subscribe?
4) What does the next Facebook look like? All the buzz is about Twitter right now. Facebook is making public relations noises that are eerie echoes of missives published by MySpace as Facebook was starting to eat MySpace’s lunch.
I wanted to ask Audrina, the Facebook ninja, some of these questions, but alas, like all good stealthy warriors, she vanished into thin air. She may be gone, but the questions remain. How big is too big? How quickly will we move on to the next new, new thing? Will Debbie ever embrace life in the Facebook cloud again?