It is often neither security loopholes nor password cracking that allow people access our private information on Facebook without our approval. It’s actually our own human nature: the trust of a friend’s name.
Don't add just any person as a friend
Whether you like Facebook or not, the truth remains that Facebook is one of the best mainstream websites around when it comes to providing options with which you can protect your privacy. Every time anyone discovers a new method for hacking private information, the guys at Facebook patch it the next day. What their security engineers cannot do though is teach the users to tell a social engineer apart from a friend.
And that’s why you need to be aware of this: the easiest way to hack Facebook today is by borrowing a chapter from psychology class. Hackers are not hacking as programmers anymore, they’re hacking as social engineers.
Huh?
Using Social Engineering to Hack Facebook
The hacker wearing his social engineer shoes will probably do something like this:
1. Learn Who Your Friends Are and Collect Them
If your friend list is public, this social hacker, who we will call “Schmuck”, will first familiarize himself with your friend list. Then, he will choose a friend of yours, which we will call “Buddy”, who has enough mutual friends with you.
Schmuck will choose one of your friends
Schmuck will steal the identity of Buddy, by creating a profile with the same username and profile picture. He will then send friend requests to the mutual friends between you and Buddy (excluding yourself) and pretend that his original account was hacked.
Schmuck creates an account with Buddy's identity
Schmuck now starts the process of collecting confirmed friend requests.
2. Social Pressure You Into Accepting Him
Once Schmuck has a good enough number of your unaware friends on his list, he will go for the big fish: Schmuck will send you a friend request, using Buddy’s fake identity. Given that a) it appears to be your friend, b) your mutual friends have this person on their lists as well, and c) Schmuck sent a nice little paragraph explaining how he lost his password and had to start a new account, you will probably accept.
Schmuck will send you an email claiming that "Buddy" lost his old account
3. Gloat at Accessing Your Profile
Schmuck has obviously succeeded in accessing a private profile. If his initial purpose was snooping in your private life, you probably have nothing to worry about, except for some embarrassment. That might not be his purpose though…
4. Hack Facebook Account/Send a Virus
… there are good chances that Schmuck went through all this trouble to do something slightly more evil than just snoop; such as steal your password or send you a virus. He might send you a very unassuming message with a link that leads you to a Facebook sign-in page, which many people would use to re-sign in as they would attribute it to expired cookies. This sign-in page would record your log in info, which Schmuck will use to send a similar link or links to other compromised sites to your friends.
Protect Yourself
So, as you can see, the most human side of hacking is just as dangerous as the more geeky one. Protect your Facebook account to avoid Schmuck and other schmucks like him by being careful with which friend requests you accept, verifying with your friends in case you get an email that claims a lost password, double checking the url of any page that requests you to log in again, and never disclosing personal data online.
[Disclaimer: No Facebook accounts were hacked for the writing of this article. Special thanks to NewsNIdea for the image inspirations.]
