Facebook Security

Tim Naehrings Girl

Well-Known Member
Lifetime Member
SoSH Member
Aug 13, 2004
2,890
Tavares, Florida
Someone hacked into my facebook yesterday and managed to spend $150 in charges to my paypal account. I reported it to facebook and paypal, cancelled my paypal agreement with facebook, opened an investigation and changed all passwords. Today I just get an email that I requested to have my password changed AND to have payments turned back on. I am now totally freaking out and not sure what to do next.
 

bosoxsue

Well-Known Member
Lifetime Member
SoSH Member
Aug 16, 2001
1,774
Maybe work from the other end and contact the bank associated with the PayPal account and put a freeze on any transactions? It's unsettling that your password changes didn't help.
 

TSC

SoSH's Doug Neidermeyer
SoSH Member
Oct 25, 2007
12,280
Between here and everywhere.
May want to also be proactive and change ALL of your passwords to anything that may have links to your banking information. If you use the same password/email combination across multiple platforms you may be setting yourself up for this to happen again and again.
 

RIFan

Member
SoSH Member
Jul 19, 2005
3,087
Rhode Island
Plus a malware check if you're using a PC. They might be capturing your keystroke data if they are able to keep up with password changes.
 

Caspir

Member
SoSH Member
Jul 16, 2005
6,886
Set up two factor auth as well so your password isn't the only thing needed to login.
This is only partly effective and in some cases, it doesn't apply. I just read an article that talks about how we grant so many app permissions within our social media accounts that we are vulnerable to a lot of nefarious stuff that doesn't require two factor authentication since the tokens created provide vulnerabilities that can be exploited. I can't find the longer form piece I read, but PM had something on it after the Twitter/Swastika hack: http://www.popularmechanics.com/technology/security/a25686/account-security-check-your-permissions/
 

johnmd20

mad dog
Lifetime Member
SoSH Member
Dec 30, 2003
61,996
New York City
This is only partly effective and in some cases, it doesn't apply. I just read an article that talks about how we grant so many app permissions within our social media accounts that we are vulnerable to a lot of nefarious stuff that doesn't require two factor authentication since the tokens created provide vulnerabilities that can be exploited. I can't find the longer form piece I read, but PM had something on it after the Twitter/Swastika hack: http://www.popularmechanics.com/technology/security/a25686/account-security-check-your-permissions/
But, the reality is, most people have their banking information connected to their Email and with two factor email set up, nefarious actions against you are much less likely.

Telling someone two factor auth isn't effective is irresponsible. Everyone should absolutely use two factor for their email, at least. Then, obviously taking everything else on a case by case basis.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,893
Alexandria, VA
Plus a malware check if you're using a PC. They might be capturing your keystroke data if they are able to keep up with password changes.
Yeah. In the meantime, change your passwords from another machine (a friend's or something).

Why would you link PayPal to Facebook? (Curiosity, not judgement)
 

wibi

Member
SoSH Member
Jul 15, 2005
11,839
Yeah. In the meantime, change your passwords from another machine (a friend's or something).

Why would you link PayPal to Facebook? (Curiosity, not judgement)
If you played games and paid for them I could see linking paypal to FB for easy payment
 

Dollar

Member
SoSH Member
May 5, 2006
11,086
Why would you link PayPal to Facebook? (Curiosity, not judgement)
This was my first question, and a quick search didn't bring up any results that show it's even possible to link PayPal and Facebook (maybe I'm just not seeing it).

Could it be that this was just an email phishing attempt using a fake "You have paid $$$ on PayPal using Facebook" email to get you to enter your info in response?

edit: nevermind. I see that it's possible if you purchase ads on Facebook to add Paypal to your account. Maybe buying games/apps lets you do it as well.
 

Tim Naehrings Girl

Well-Known Member
Lifetime Member
SoSH Member
Aug 13, 2004
2,890
Tavares, Florida
Since I posted this I realized that my email was hacked as well and all emails from the month of March were deleted. I called AOL and got them all recovered. In those emails were about 100 from Walmart saying orders had been placed and then another saying each order had been cancelled. I never thought I would say this but thank God for Walmart because they stopped every single one.
 

Caspir

Member
SoSH Member
Jul 16, 2005
6,886
Telling someone two factor auth isn't effective is irresponsible. Everyone should absolutely use two factor for their email, at least. Then, obviously taking everything else on a case by case basis.
Since I didn't say 2FA isn't effective, I'm not sure why you feel the need to be aggressively dickish by calling me irresponsible, but I hope it gave your day purpose and meaning. What I said is accurate. 2FA is not some sort of panacea that makes your private info safe because in some cases - like app permissions - it isn't even applicable. It is also vulnerable to theft since most people with 2FA download an app on their cellphones, which are then lost or stolen and give access to two factor codes for the same accounts you want to protect. Never mind the pitfalls of email or SMS authentication codes that some services rely on.

I agree with the larger point that people need to use two factor authentication as a first step because it is one of the easiest ways to protect your email, your banking info etc from thieves, but a lot of people think downloading Google Authenticator on their phones means they're impervious to hackers. That isn't true, and it isn't irresponsible to say so.
 

Caspir

Member
SoSH Member
Jul 16, 2005
6,886
Since I posted this I realized that my email was hacked as well and all emails from the month of March were deleted. I called AOL and got them all recovered. In those emails were about 100 from Walmart saying orders had been placed and then another saying each order had been cancelled. I never thought I would say this but thank God for Walmart because they stopped every single one.
I can't believe your financial institution didn't call you when they had a rash of charges cancelled like that. That's crazy, but glad you figured it out!
 

Tim Naehrings Girl

Well-Known Member
Lifetime Member
SoSH Member
Aug 13, 2004
2,890
Tavares, Florida
I can't believe your financial institution didn't call you when they had a rash of charges cancelled like that. That's crazy, but glad you figured it out!
The cards weren't associated with me. They were all random visa numbers that must have been stolen from other places but they weren't mine. In all this the only money I am out is the $150 in paypal charges that will be refunded. I realize it could have been MUCH worse, but I am trying to make sure it never happens again.
 

Monbo Jumbo

Hates the crockpot
Lifetime Member
SoSH Member
Dec 5, 2003
25,231
the other Athens
You are probably right but it is the interface that I am most comfortable with. I have a gmail account but I hate it. I have to look around to find a good one. Any suggestions?
I'm a gmail guy, so no help there, other than to suggest that gmail is very configurable, with folders and all, so perhaps you can set it up to your liking if you dig deeper into its features.

On the larger question of stopping card fraud - I have a paypal debit card. They send me an email, usually immediately, anytime the card is used. Often, if I use that card at a restaurant, I will receive the email from paypal before the waitperson makes it back to my table with the slip to sign. More card issuers should do that (maybe they do.)
 

johnmd20

mad dog
Lifetime Member
SoSH Member
Dec 30, 2003
61,996
New York City
Since I didn't say 2FA isn't effective, I'm not sure why you feel the need to be aggressively dickish by calling me irresponsible, but I hope it gave your day purpose and meaning. What I said is accurate. 2FA is not some sort of panacea that makes your private info safe because in some cases - like app permissions - it isn't even applicable. It is also vulnerable to theft since most people with 2FA download an app on their cellphones, which are then lost or stolen and give access to two factor codes for the same accounts you want to protect. Never mind the pitfalls of email or SMS authentication codes that some services rely on.

I agree with the larger point that people need to use two factor authentication as a first step because it is one of the easiest ways to protect your email, your banking info etc from thieves, but a lot of people think downloading Google Authenticator on their phones means they're impervious to hackers. That isn't true, and it isn't irresponsible to say so.
I said it was irresponsible advice. And it is. Everything has a pitfall, especially if devices literally get stolen from you. But the reality is, it is extremely difficult to break two factor authentication, unless it's an actual targeted theft. And those are pretty unlikely.

I wasn't even remotely dickish. But I'm not sure why you feel the need to be aggressively victimized by calling me dickish, but I hope it gave your day purpose and meaning.
 

Spelunker

Member
SoSH Member
Jul 17, 2005
11,862
I said it was irresponsible advice. And it is. Everything has a pitfall, especially if devices literally get stolen from you. But the reality is, it is extremely difficult to break two factor authentication, unless it's an actual targeted theft. And those are pretty unlikely.

I wasn't even remotely dickish. But I'm not sure why you feel the need to be aggressively victimized by calling me dickish, but I hope it gave your day purpose and meaning.
Did he advise him to *not* use 2FA? I didn't read it that way at all. He seems to be saying that it's not a set-it-and-forget-it fix that covers anything. I didn't see any advice there at all, actually, more of a warning that 2FA isn't enough, and to be wary of a false sense of security.
 

saintnick912

GINO!
Lifetime Member
SoSH Member
Oct 30, 2004
4,968
Somerville, MA
I wasn't suggesting that 2FA was an end-all solution to this, but when I saw that someone was trying to change her settings and reset her password again, I thought that it may be advisable to enable it and prevent a vector (just knowing passwords) from being able to lock her out of her own account.
 

the1andonly3003

New Member
Jul 15, 2005
4,371
Chicago
How often do you change your personal passwords? At work, I am forced to change passwords quarterly, not sure if that is going overboard for personal accounts
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,431
Harrisburg, Pa.
I'm sorry.

My identity was stolen in November and they opened 9 credit cards, three bank accounts and bought a boat. It is a miserable experience that makes you feel dirty.

WalMart for me has been the absolute worst to deal with as they refuse to agree with credit bureaus it was fraud despite the police reports. WM can go bankrupt tomorrow and I'd literally cry from happiness.
 

Tim Naehrings Girl

Well-Known Member
Lifetime Member
SoSH Member
Aug 13, 2004
2,890
Tavares, Florida
Oh wow, I'm sorry, that is awful. What a nightmare!! I am very lucky that so far this has only cost $150 which hopefully I will get back. I do agree that it makes me feel very dirty and in a strange way violated.
 

Nick Kaufman

protector of human kind from spoilers
Lifetime Member
SoSH Member
Aug 2, 2003
13,410
A Lost Time
You are probably right but it is the interface that I am most comfortable with. I have a gmail account but I hate it. I have to look around to find a good one. Any suggestions?
Try installing outlook on your computer and connecting the gmail and aol addresses with it. I do have to say, that even with all the outlook filters, I get an obscene number of spam on my aol mail while nothing goes through gmail.