NEW YORK – Raise your hand if you’ve had your identity stolen on Facebook.
Wow, that’s a lot of hands!
Now, let’s thin the mob. Raise your hand only if someone lifted private information on your own Facebook page, pretended to be you, befriended your friends, family members and business contacts and pried information out of them as if the “real” you were asking the questions.
Well, still quite a crowd!
Identity theft is a painful experience. Regardless of the extent of the damage, most victims feel totally violated.
Worse, we found, it appears Facebook doesn’t even have the courtesy to respond to subscribers’ complaints when their Facebook account is hacked.
After following all the necessary steps described on a Facebook page to report a fake account, you’ll find that Facebook doesn’t even send an automated e-mail saying, “We are sorry that this has happened to you,” or “Your fake account will be taken down immediately.”
Almost five hours later, the fake account will still be lurking out there, impersonating you and duping your friends.
Facebook’s offenses don’t end there, however.
The social media giant, having neglected to acknowledge your fake account report in the first place, goes into your actual Facebook page – without your permission – and deletes the warning message that you posted to alert your friends that you’ve been hacked.
Facebook then goes a step further: Anyone who has responded by posting a consoling comment also gets deleted. Facebook – without permission or warning – erases only comments specific to the latest identity theft on your wall.
Poof! Gone, forever.
Could it be that Facebook doesn’t want anyone to know how easy it is to use its platform to disrupt people’s personal lives?
This isn’t a hypothetical scenario. It happened recently to George Haber, a serial entrepreneur in Silicon Valley who is currently CEO at Cresta Technology Corp. (Santa Clara, Calif.)
On the morning of Feb. 7, a week after Facebook filed an IPO seeking to raise $5 billion, Haber’s wife, who was checking her e-mails in bed, asked him: “Why did you invite me again on Facebook?”
Haber at first wasn’t alarmed. But he quickly found out that his younger son had already accepted a “friend” he thought was his father. Haber discovered that the impersonator had his picture – the same one on Haber’s real Facebook page. The pseudo-Haber also copied his entire “profile,” from schools to jobs.
Hardly a technology or social networking novice, Haber first sent a message to his doppelganger, asking: “Who are you? Why are you impersonating me?”
Haber reported the fake account to Facebook and asked them to block it – essentially following the procedure described on the Facebook website. Still no response from Facebook. Five hours later, the phony Haber was still out there. From Facebook? Zilch.
Haber says he immediately started sending alerts to his friends, posting a message on his real account to inform his hundreds of friends of the Haber impersonator. Be careful. Messages from “real” friends began pouring in to his page.
Haber kept waiting for the shadow Haber’s page to go down. Nothing happened. “I didn’t even get a ‘ticket item’ from Facebook,” he recalls. “It’s as though my request to Facebook — asking them to block this person — [had] gone into a black hole.”
Six hours later, Fake George finally disappeared from Facebook. Then, the strangest thing of all happened.
“My own message about this identity theft disappeared. Hundreds of my friends’ comments on the same topic disappeared at the same time,” says Haber. “And, of course, I get no message from Facebook telling me something like, ‘Hey, George, we took care of it.’”
Haber is from Romania. He grew up in a Communist state. “I lived through the time when someone tells the government on something or someone. I accepted that then.” He adds, “When this happened to me here in the United States, it really, quite shocked me.”
Most puzzling to Haber, and to me, is why his warning message and his friends’ sympathetic responses about the identity theft disappeared from his Facebook page. This couldn’t have happened unless someone with a clear intent went into Haber’s page to wipe out all mentions of identity theft, presumably to save face at Facebook.
Facebook has not returned our calls or repeated e-mails for comment.
Haber wonders why Facebook seems to be indifferent to preventing fake accounts on its site. “It’s not like they don’t have a technology to stop it in advance,” he notes.
While online impersonation is illegal in California, Facebook doesn’t seem to be interested in tracking down impersonators. Haber says, “It’s not like they can’t track him down. They have their e-mail address; they can trace the IP address. We’d have to assume that it’s just not in their best interest to do so.”
In fact, detecting fraud is against Facebook’s interest. One of the secrets of Facebook’s success is the vast number of members, estimated at more than 845 million worldwide. Facebook’s marketing dollars depend on that number being as big as possible. Facebook would be crazy to go cull the duplications from that whopping stat?
Creative hooliganism. A vending machine in the Facebook HQ corridor.
Look at the FB business model. Who pays for all the staff, the server farms, and the exorbitant executive salaries? You do, in the form of your private data being sold to advertisers and anyone else who shells out a buck to FB (or LinkedIn, Google+, etc). You put stuff out there, it's gonna get sold to the highest bidder(s). Your hacker could have been a FB employee just jacking up the user count for their IPO.
Anything you put out on the "cloud", expect to get treated in the same way.
People ask me why I am not on FB, and I tell them. Privacy seems to be a thing of the past, both for the end user and the cloud vendors, and it takes something like this for people to wake up.
I've been browsing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my view, if all web owners and bloggers made good content as you did, the internet will be much more useful than ever before. Great post, you have pointed out some good details, I also think this is a very great website.
It is we people who have made FB or such other social networks part of our life. If we all collectively decide then such social networks will get reduced from those millions of members to maybe a few thousand hackers who will keep stealing each others' identity.
For companies using Facebook to reach out to their customers this is a serious warning.
I have regretted signing up on Facebook almost as soon as I did. I am now thinking of dropping it altogether and letting my friends know that I am (so as to avoid "hurt" feelings and future spoofing). If enough people dropped FB then they WOULD sit up and take notice.
That had happened to me too three or four years ago.
No, you can't undo it.
I remember that I received a ton of e-mails from my friends that my Facebook page got hacked -- at 9:30 p.m. That's when it hit me that my friends are NOT watching TV but they are reading FB pages!
Your last paragraph says it all.
The guys who are developing social networks are operating under the assumption that "the user should have no reason to expect any privacy at all."
We should be all reminded of it; and I wish the social network companies would say it outright. Just like surgeon general's warning on smoking.
This comment is potentially troublesome, but the larger community should be aware of how vulnerable we are around open WiFi hot spots. EETimes, delete this if you think it is harmful.
A programmer has posted "free-ware" that allows anyone to instantly scan surrounding computers in an open WiFi environment and take over another user's Facebook, Twitter, etc. sessions with just a single click. The link below explains just how easy this is. Software install is easy too. He did it to protest websites that do not provide end-to-end session encryption (HTTPS or SSL) leaving users vulnerable. It is eye-popping. This is not a function of the browser, rather the website.
Home wireless routers with encryption enabled will be safe from this attack. I understand banks are using end-to-end encrypt.
E-t-E encryption puts higher processing loads on site servers, hence their reluctance to add the additional cost for consumer protection.