Hackers use SNS as the first step to email, bank account access


DETROIT ― Pam Aughe is never going back.

After a year of using Facebook sporadically to keep up with family and friends ― two or three times a week, she says ― her account was hijacked by a scammer seeking to bilk her friends out of money.

According to the alarming counterfeit messages, Aughe, 41, of Clarkston was stuck in Scotland. Robbed at gunpoint, she needed money wired to Western Union immediately.

Whoever hacked into her Facebook account earlier this year used it to message several of her friends through chat and inbox messages, asking each for money.

As Facebook increasingly becomes the window to the wider Web for more than 500 million users, the security of your Facebook account has never been more important.

Since 2009, 19 million Americans have fallen victim to identity theft at a cost of $93 billion, according to the Better Business Bureau of Eastern Michigan, which co sponsored the study performed by Javelin Strategy and Research.

And Facebook accounts are increasingly being violated as the first step to a wider breach of a user’s identity, security experts say.

“The bad guys will take that log-in and password, and they’ll go to banks, they’ll go to e-mail accounts and start logging in,” says Kevin Haley, director of Symantec Security Response, a top Web security firm.

Facebook, with its often deep personal bonds and inherently comfortable environment, is a fertile ground for exploitation by identity thieves as some users lower their guard, experts say.

“It’s exploiting trust,” says Dave Marcus, director of security research for leading Web security group McAfee Labs. “If you and I are in the same friends list, I’m not going to think twice that you’re sending me something maliciously.”

Aughe’s ordeal ― which she says did not result in any friends losing money ― has nevertheless changed her outlook on the Web. For her, social networking is a thing of her past. Too dangerous, she says.

“It was an easy way to see pictures and keep in contact, but I think I’m just going to have to create something else, because I just don’t feel safe doing it,” she says.

The scamster had also gotten access to Aughe’s e-mail account ― probably because of their similar passwords, she says ― and used it to send more money requests to her contacts. He or she had also changed the passwords of both, locking Aughe out.

In the hours and days that followed, Aughe tried to regain control of her Facebook account but kept running into dead ends.

Facebook uses information like a user’s e-mail, phone number or a security question to verify identity when a password has become compromised.

Without them, it can be hard for the Palo Alto, California-based social network to settle turf wars over the ownership of accounts.

Nearly a month after first contacting Facebook through a form online, Aughe says she finally heard back from a Facebook employee ― Scotty in User Operations, who apologized for the delay and said the social network was busy with the “high contact rates.”

But she had already deleted her account in frustration.

Facebook says it has technology that prevents much of this from happening.

“We have technical systems that operate behind the scenes to flag suspicious behavior and slow it down or block it entirely, and we’re constantly working to improve these,” Facebook spokesman Fred Wolens says.

Those automatic red flags worked for Leah Meray, 32, of Ferndale, Mich., whose account was also compromised earlier this year.

When Facebook noticed someone logging into her account half a world away in Nigeria, the social network contacted her through e-mail and told her the account would be closed until she could provide some specific details.

After she replied with a detailed description of her profile picture, a short list of recent activity on her account and some other details, she was allowed back in.

“Within a day and half, everything was back to normal,” Meray says.

Cases like Meray’s are more the norm and Aughe’s the exception, McAfee’s Marcus says. Facebook, he says, does a good job of keeping the worst of the attacks under wraps.

“There’s a lot that nobody ever really hears about,” Marcus says. “The scams that actually make it to the news are the small minority.”

The best way to protect yourself from an attack like Aughe’s, security experts say, starts with creating a strong, hard-to-guess password.

But passwords can be discovered through malware, which can infect your computer and discover passwords as you type them.

“And then it’s on your machine,” Marcus says. “It’s going to sit there and wait for you to log in to Facebook.”

The best defense against malware is an anti virus program on your computer that runs each day, scrubbing it clean.

Facebook also has site-specific security settings such as the ability to individually approve each computer that is able to log in to that account.

If someone tries to log in from an unapproved computer or mobile device, an e-mail is generated and the account holder has the opportunity to zap the hacker’s session immediately.

For Meray, whose ordeal lasted just more than a day, small security breaches are just a price of admission.

“This is the price you pay for the information that we’re able to extract from the Internet,” Meray says.

By Mark W. Smith

(Detroit Free Press)

(McClatchy-Tribune Information Services)