Sometimes Multifactor Isn’t Enough
I’m sorry (I’m not sorry), but if you tell me your “Facebook was hacked,” I’m going to know that you clicked on something you shouldn’t have (and probably something you wouldn’t want your mom or significant other to know about). So I wasn’t too surprised when an acquaintance opened a conversation with “So my Facebook was hacked recently,” and the very next line was “I clicked on something I shouldn’t have.” Honesty! Amazing! Normally people have “no idea” why all their friends are being spammed by them or why their account is spewing nonsense like “This is the Dallas Cowboys year!” This guy was up front, admitting it was his own fault, but the next part of the story is what interested me.
You see, if you’ve been on social media at all in the past decade or so, “hacks” like this are quite common. Getting someone to click a link that then downloads malicious software or surrenders control of your account one way or the other is one of the oldest tricks in the book. The technique is still actively being used, because it still works, but to those of us who have protected our accounts with multifactor authentication (such as requiring a short numerical code that is sent to us in addition to our username and password), stuff like this shouldn’t impact us even if we did stupidly click something we shouldn’t — which is where this story takes a turn.
Turns out, this dude (which I maintain is a gender-neutral term btw, as dudette and dudess both sound dumb) actually had multifactor on his Facebook account! Which, to be honest, blew me away, as this is a guy whom I wouldn’t be surprised to learn routinely forgets to take the wrapper off his sliced cheese. Here’s how the “hack” progressed: shortly after clicking this link (which I’m going to guess involved an offer for free Mountain Dew flavored cigarettes — I know, I know, gross, but you also know how well this would sell in certain parts of the country if it were a real product) he got a message from one of his friends on Facebook saying that they were trying to get back into their account and needed his help (why it wasn’t a red flag that they were messaging him on Facebook to say they couldn’t get into Facebook, I don’t know, but I digress). Being the amazing friend that he is, he asked how he could help. It’s simple, said his “friend”: my phone isn’t working, so I’m going to have Facebook send my six-digit code to your phone, and once you get it, just send it to me and I’ll be back in business!
I know. I know.
Surely he didn’t do this.
It sounds more suspicious than one of those meatless burgers (don’t @ me, you and I both know they are mostly chemicals and soy, with a lil bit more chemicals).
But guess what, he did do this.
Satisfied that he had done his daily good deed by sending his friend the six-digit code, he went about his day. It wasn’t until later that he realized he could no longer access his Facebook account. Not only that, but his Facebook account didn’t exist anymore. Razed to the ground. Years and years of content, photos, messages, and connections — gone. Turns out, there wasn’t anything of value in it to the scammer, so he tossed the account.
I’m sure that this just sounds like some story that happens to other people. That you’re not that dumb. That you have all the security protections in place, and that on top of that, you can’t be socially engineered in such a simple manner. Yet schemes like this exist because they work. They don’t have to work on every person, they just need to work enough times to be profitable to those running the scheme. Moats, gators, drawbridges, doors, locks, and other hardware protection systems are pointless if someone asks nicely and you let them in. Maybe you won’t be gamed, but perhaps those you care about will. Education is key, as is that last little bit of good healthy suspicion.