[FAKE] When Your Friend is Not Your Friend

Category: Facebook

Are you getting Facebook friend requests from people who are already your Facebook friends? Are friends complaining they are getting new friend requests from you that you didn’t send? Here's what is going on, and what you can do about it…

Why Can't We Be Friends?

Your Facebook feed is overrun with people saying "DON'T ACCEPT FRIEND REQUESTS FROM ME!" What's the deal with that? The good news is, no one’s Facebook account has been hacked. There is no need to change your password; in fact, changing your password won’t do any good.

The bad news is that Facebook’s internal system was hacked. The bad guys got away with the “access tokens” of 50 million users. That’s “only” 2.5% of Facebook’s 2 billion users. But every affected user’s friends are also affected, and the average user has 339 friends; so, 339 x 50 million = 1.695 billion users may be affected. Some reports put the breach at 90 million users, so the math isn't good any way you look at it.

What is an access token? The access token is a unique string of characters that is stored on a user’s device and in Facebook’s internal databases. The token allows you to close a browser tab or the Facebook app, and open it later without having to log in again. Think of it like a digital hand stamp or wristband that lets you get back into a venue after leaving.

Fake friends on Facebook?

Armed with your access token and data stolen from your public profile, a bad guy can create a fake account that looks enough like yours to fool lots of people.

But the fake account has no friends, so it is able to send friend requests to people who are already your friends, as well as to total strangers. That is what is happening to millions of Facebook users.

If you accept a bogus friend request, the fake account has access to all of YOUR friends by default. It can repeat its bogus friend requests and gather more and more victim-friends. Other scams take advantage of this feature too. To stop this poaching of your friends, change your privacy settings so that your friends list is visible only to you.

So far, nothing terribly bad has happened as a result of this security breach. Most likely, the fake accounts will be used to send spam to victims, or set them up for a phishing attack. But a bogus friend can easily send you malware or malicious links, instead. You're much more likely to click or respond to a link if it seems to be from a trusted friend.

If you get a friend request, search for the sender’s name. You may get several hits. If you are already friends with one of the hits, you can be sure the friend request is bogus. In my experience, most of the bogus friend requests have no profile picture, so that's one red flag. Delete the friend request and report the sending account. Facebook normally takes only about 15 minutes to delete reported fake accounts. It may take longer during the current crisis.

If your friends start saying they are getting new friend requests from you, tell them the requests are not from you and should be deleted and reported. Sending a link to this article may help explain things.

Facebook is busy deactivating all those millions of stolen access tokens. That task may be finished by the time you read this. But the danger does not end even then. Fake accounts that have already acquired victim-friends will put them to use until the fake accounts are reported and deleted. Many fake accounts will survive for months or even lie dormant for years before being called to serve their dark overlords.

This mess resulted from the eternal conflict between convenience and security. If you had not told Facebook to “save this browser” when you logged in, there would be no access token to steal. (No hand stamp, no re-entry.) But then you would have to enter a username and password every time you visited Facebook. Pro Tip: Google Chrome or a third-party password manager such as Dashlane can do that for you!

So log out of Facebook and log back in, but this time darken the button that says “do NOT save browser.” This will deactivate any existing access token and ensure no new one is created. (Facebook may have removed the "save browser" option in the wake of this breach, because I don't see it on the login screen today.)
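To make the "hand stamp" idea concrete, here is a small, constructed model of a "save this browser" token store. It is an added illustration written for this article, not Facebook's code, and the class and method names (SessionStore, login, whoami, revoke_all) are my own. It demonstrates the three points made above: a stolen token works for whoever presents it, changing the password does nothing to it, and only revocation (the provider deactivating tokens, or you logging out) stops it; and that logging in without "save this browser" issues no token at all.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple


class SessionStore:
    """Toy model of a site that issues long-lived access tokens (constructed example).

    A token is a bearer credential: anyone who presents a valid one is treated
    as the user, independent of the password.  Only a hash of each token is
    stored server-side (assumed good practice, not a claim about Facebook).
    """

    def __init__(self, ttl_seconds: int = 90 * 24 * 3600):
        self.ttl = ttl_seconds
        self.users = {}    # username -> hash of password (toy hashing, not for production)
        self.tokens = {}   # hash of token -> (username, expiry timestamp)

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def register(self, user: str, password: str) -> None:
        self.users[user] = self._h(password)

    def login(self, user: str, password: str, save_browser: bool,
              now: Optional[float] = None) -> Tuple[bool, Optional[str]]:
        """Check the password; return (authenticated, token).

        A token is only minted when the user chose "save this browser":
        no hand stamp, nothing to steal, but a password prompt on every visit.
        """
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._h(password)):
            return False, None
        if not save_browser:
            return True, None
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.tokens[self._h(token)] = (user, now + self.ttl)
        return True, token

    def whoami(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented token to a user, or None if unknown, expired or revoked."""
        entry = self.tokens.get(self._h(token))
        if entry is None:
            return None
        user, expiry = entry
        now = time.time() if now is None else now
        if now >= expiry:
            del self.tokens[self._h(token)]
            return None
        return user

    def change_password(self, user: str, new_password: str) -> None:
        """Deliberately leaves self.tokens alone: existing tokens keep working."""
        self.users[user] = self._h(new_password)

    def revoke_all(self, user: str) -> None:
        """What a provider does after a token theft, or what 'log out' does for you."""
        self.tokens = {k: v for k, v in self.tokens.items() if v[0] != user}


def demo() -> tuple:
    """Walk the article's scenario with constructed data; returns the observed results."""
    store = SessionStore()
    store.register("alice", "correct horse")
    _, token = store.login("alice", "correct horse", save_browser=True)
    attacker_sees = store.whoami(token)            # copied token == being alice
    store.change_password("alice", "new password")
    after_pw_change = store.whoami(token)          # still alice: password change is no help
    store.revoke_all("alice")
    after_revoke = store.whoami(token)             # None: token deactivated
    ok, no_token = store.login("alice", "new password", save_browser=False)
    return attacker_sees, after_pw_change, after_revoke, ok, no_token


if __name__ == "__main__":
    print(demo())
```

The same pattern explains why Facebook had to deactivate the stolen tokens on its side rather than asking users to change passwords: the password and the token are checked independently.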

Also enable two-factor authentication for Facebook log-ins, and wherever else you can. Then no one who does not have your phone can use your access token. I urge you to use a third-party authentication app such as Google Authenticator rather than receiving authentication codes via text message. Text messages were never designed to be secure and have been intercepted to steal authentication codes. Dedicated authentication apps use encryption to thwart eavesdroppers.
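As an added example (not from the article, and not Google Authenticator's own code), this is the standard TOTP algorithm from RFC 6238 that authenticator apps implement, using only the Python standard library. The point it makes: the six-digit code is a keyed hash (HMAC) of the current 30-second time window under a secret shared once at enrolment, so nothing is ever sent over the phone network for an eavesdropper to intercept. The function names totp and verify are mine; the test secret and expected codes are the published RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def totp(secret_b32: str, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 variant), as used by common authenticator apps.

    secret_b32: the base32 secret from the enrolment QR code.
    for_time:   Unix time to compute the code for (default: now).
    """
    # Base32 secrets are often shown without '=' padding; restore it.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if for_time is None else for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226 section 5.3): pick 4 bytes by the low nibble.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, for_time: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current window plus `window` steps of clock drift."""
    now = int(time.time() if for_time is None else for_time)
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False


def new_secret() -> str:
    """Enrolment: 160-bit random secret, base32-encoded for the QR code / manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890" in base32), constructed demo.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code at t=59:", totp(rfc_secret, 59))        # 287082 per the RFC
    print("live code for a fresh secret:", totp(new_secret()))
```

Because the app and the site each compute the code independently from the shared secret, the only things an attacker can usefully steal are the secret itself (protect the enrolment QR code) or the phone, which is why the article's advice to prefer an app over SMS holds.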

A genuine friend of mine has complained, “I thought social networking was supposed to make our lives easier?” I replied, “No, it’s supposed to connect us to more people. Everyone knows that the more people you have in your life, the more problems you have.” This is why some people regularly go through their lists of friends and followers, deleting those they don’t immediately recognize.

Maybe it's time to tighten up your Facebook security, and trim your "friend" list as well. Your thoughts on this topic are welcome. Post your comment or question below...


This article was posted by on 8 Oct 2018


Most recent comments on "[FAKE] When Your Friend is Not Your Friend"

Posted by:

08 Oct 2018

According to Snopes.com this is a hoax - been around for many years.

EDITOR'S NOTE: Definitely not a hoax.

Posted by:

Mac 'n' Cheese
08 Oct 2018

Bob, perhaps it's time for an article about Google Authenticator:

* Will it replace ALL text-authentication systems (your bank, your online backup system, your web hosting account, Facebook?) or only Google accounts?

* How does it work?

* Why is it better?

Give it the famous Rankin in-depth treatment!

Mac 'n' Cheese

Posted by:

08 Oct 2018

"According to Snopes.com this is a hoax - been around for many years."
Bob: I looked around Snopes for comments on THIS issue and found other facebook items but not this one.
Can you post the link you feel is about this?

Posted by:

08 Oct 2018

I just received a message from a real? friend that he got a friend request from me. BTW, Messenger is worse than Facebook when it comes to this crud. Wish Facebook hadn't permanently attached it to our accounts, liked it better when it was an option.

Anyway, I spent an hour going through & cleaning out my Facebook account and found a lot of questionable "activity". Like logins from states I haven't been to in years and tons of companies whose Ads I've clicked...not. In short, some active house cleaning is the order of the day for Facebook users. I do it about every 6 months. And I did go back to the old-fashioned login with username and a new password on my home computers and mobile devices. I also locked down more access points as I now had the option to do so.

Posted by:

Michael Brose
08 Oct 2018

I was only on Facebook for a short time when I saw through all of the hoo - ha that made up most of it. No one cares when I let the dog out except the dog, and what I'm doing today only means something to me. There are only three things I don't like about Facebook: HACK, HACK, and HACK.

Posted by:

08 Oct 2018

Hello Bob
Thank you for another revealing article. Is anyone wondering why we are reading about this from Bob and not from Facebook? Silly question, FB don't give a tinker's cuss about their clients just so long as they can sell your details to snake oil advertisers....
They cannot use my details because I don't post them, and in the obligatory fields I lie.

Posted by:

Paul T
08 Oct 2018

Is "[FAKE]" the best lead word for an article regarding "fake" contacts coming from the internet?

EDITOR'S NOTE: Well, I obviously thought so. :-)

Posted by:

Ken H
08 Oct 2018

BOB SCHIIFFMANN & bill, try to pay attention! The hoax you seem to be referring to is that "your account has been hacked" post that has been circulating. Bob clearly states that it is Facebook, not "your account" that has been hacked.

Posted by:

Bob Stromberg
08 Oct 2018

I for one am finally beginning to get some understanding of what a "security token" is based on this article.

I posted a link to this article on my FB page (natch!)

Thank you, Mr. Rankin!

Posted by:

D Williams
08 Oct 2018

While we may not feel any harm has yet occurred, I've seen reports of groups using "bot farms" utilizing fake accounts to propagate controversial/divisive posts with a degree of legitimacy, in order to undermine targeted groups (i.e. political parties, protest groups, even governments (local or otherwise)), with the intent of getting large numbers of people who would otherwise be of a particular opinion to doubt or even change that opinion.

If a "friend" feels a certain way about an issue according to their posts, does it not possibly make you reconsider your views, even for a little bit, before reconsidering your friendship? The groups using these fake accounts certainly believe you will. It's quite ingenious and terrifying.

So although we may think our *personal* damage is nil or limited, the actual damage is much more far-reaching and concerning, in my opinion.

Posted by:

09 Oct 2018

I shared this on my Facebook so that others will become more aware of this problem.

Posted by:

Stuart Berg
09 Oct 2018

Your "339 x 50 million = 1.695 billion" affected users is not statistically correct. It is only correct if none of the 339 friends for each of the 50 million affected users overlap. That can't be true. I'm sure it's a very large number, but it's definitely NOT as many as "1.695 billion".

EDITOR'S NOTE: I checked, and none of them overlap. :-)

Posted by:

14 Oct 2018

The internet has become a "swamp" similar to the one that President Trump has been referring to. It seems like it needs a serious "dredging"; if not a full "drainage".
[ummmm... wait!] Is a 'swamp' worse than a "sh*thole"?
Almost need a bio-hazard suit to get any meaningful use out of it.

Posted by:

Quaid J. Surti
18 Oct 2018

Very interesting article as usual.


Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- [FAKE] When Your Friend is Not Your Friend (Posted: 8 Oct 2018)
Source: https://askbobrankin.com/fake_when_your_friend_is_not_your_friend.html