[FAKE] When Your Friend is Not Your Friend
Are you getting Facebook friend requests from people who are already your Facebook friends? Are friends complaining they are getting new friend requests from you that you didn’t send? Here's what is going on, and what you can do about it…
Why Can't We Be Friends?
Your Facebook feed is overrun with people saying "DON'T ACCEPT FRIEND REQUESTS FROM ME!" What's the deal with that? The good news is, no one’s Facebook account has been hacked. There is no need to change your password; in fact, changing your password won’t do any good.
The bad news is that Facebook’s internal system was hacked. The bad guys got away with the “access tokens” of 50 million users. That’s “only” 2.5% of Facebook’s 2 billion users. But every affected user’s friends are also affected, and the average user has 339 friends; so, 339 x 50 million = 1.695 billion users may be affected. Some reports put the breach at 90 million users, so the math isn't good any way you look at it.
What is an access token? The access token is a unique string of characters that is stored on a user’s device and in Facebook’s internal databases. The token allows you to close a browser tab or the Facebook app, and open it later without having to log in again. Think of it like a digital hand stamp or wristband that lets you get back into a venue after leaving.
Armed with your access token and data stolen from your public profile, a bad guy can create a fake account that looks enough like yours to fool lots of people.
But the fake account has no friends, so it is able to send friend requests to people who are already your friends, as well as to total strangers, That is what is happening to millions of Facebook users.
If you accept a bogus friend request, the fake account has access to all of YOUR friends by default. It can repeat its bogus friend requests and gather more and more victim-friends. Other scams take advantage of this feature too. To stop this poaching of your friends, change your privacy settings to that your friends list is visible only to you.
So far, nothing terribly bad has happened as a result of this security breach. Most likely, the fake accounts will be used to send spam to victims, or set them up for a phishing attack. But a bogus friend can easily send you malware or malicious links, instead. You're much more likely to click or respond to a link if it seems to be from a trusted friend.
If you get a friend request, search for the sender’s name. You may get several hits. If you are already friends with one of the hits, you can be sure the friend request is bogus. In my experience, most of the bogus friend requests have no profile picture, so that's noe red flag. Delete the friend request and report the sending account. Facebook normally takes only about 15 minutes to delete reported fake accounts. It may take longer during the current crisis.
If your friends start saying they are getting new friend requests from you, tell them the requests are not from you and should be deleted and reported. Sending a link to this article may help explain things.
Facebook is busy deactivating all those millions of stolen access tokens. That task may be finished by the time you read this. But the danger does not end even then. Fake accounts that have already acquired victim-friends will put them to use until the fake accounts are reported and deleted. Many fake accounts will survive for months or even lie dormant for years before being called to serve their dark overlords.
This mess resulted from the eternal conflict between convenience and security. If you had not told Facebook to “save this browser” when you logged in, there would be no access token to steal. (No hand stamp, no re-entry.) But then you would have to enter a username and password every time you visited Facebook. Pro Tip: Google Chrome or a third-party password manager such as Dashlane can do that for you!
So log out of Facebook and log back in, but this time darken the button that says “do NOT save browser.” This will deactivate any existing access token and ensure no new one is created. (Facebook may have removed the "save browser" option in the wake of this breach, because I don't see it on the login screen today.)
Also enable two-factor authentication for Facebook log-ins, and wherever else you can. Then no one who does not have your phone can use your access token. I urge you to use a third-party authentication app such as Google Authenticator rather than receiving authentication codes via text message. Text messages were never designed to be secure and have been intercepted to steal authentication codes. Dedicated authentication apps use encryption to thwart eavesdroppers.
A genuine friend of mine has complained, “I thought social networking was supposed to make our lives easier?” I replied, “No, it’s supposed to connect us to more people. Everyone knows that the more people you have in your life, the more problems you have.” This is why some people regularly go through their lists of friends and followers, deleting those they don’t immediately recognize.
Maybe it's time to tighten up your Facebook security, and trim your "friend" list as well. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 8 Oct 2018
|For Fun: Buy Bob a Snickers.|
[WOW] 32,003 Router Vulnerabilities Found
The Top Twenty
[BROWSER WARS] Vivaldi 2.0 Takes on Chrome
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [FAKE] When Your Friend is Not Your Friend (Posted: 8 Oct 2018)
Copyright © 2005 - Bob Rankin - All Rights Reserved