Episode: 3340 Title: HPR3340: Hacked? Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3340/hpr3340.mp3 Transcribed: 2025-10-24 21:08:14

---

This is Hacker Public Radio Episode 3340, May 21, 2021. Today's show is entitled Hacked? and is part of the series Privacy and Security. It is hosted by Ahuka, is about 10 minutes long, and carries a clean flag. The summary is: people commonly say that their own or someone else's Facebook has been hacked. This episode of HPR is brought to you by AnHonestHost.com. Get a 15% discount on all shared hosting with the offer code HPR15, that's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hi, this is Ahuka, welcoming you to Hacker Public Radio and another exciting episode. And this is going to be part of our security series. It was triggered by something that happened to me. One Thursday evening, as I was having my dinner, my wife came in to tell me that my Facebook account was hacked and I should change my password. Oh, scary, scary stuff. The evidence for this was that some other people that I was already friends with were getting friend requests that appeared to come from me. Now, I've been on the other end of this many times and didn't give it a whole lot of thought. Other people getting hacked is not exactly news as far as I'm concerned. It sucks for them, but nothing I need to get worked up about. But having it happen to me made me think a little harder. Now, the first thing that puzzled me is that I've enabled two-factor authentication on my account. I have to enter a code from my phone to log into Facebook. And I don't see any way that someone could get in without me knowing about it. And at the time, I was in fact logged in. So how could there be two different logins at the same time? Well, the answer is my account was not hacked at all. What happened was a Facebook clone scam, which is something that is increasingly common.
So if you hadn't known about this before, you know about it now and you can act accordingly when it happens to you or your friends. Now, what scammers do is clone your account. Using all the information Facebook makes public about you, this is not difficult at all. I decided to go through the steps of cloning without actually doing it, of course, just to illustrate how it is done. First, type a first name into the Facebook search box and a list of possible account names pops up. Okay, pick one at random. Now, since I was doing a clone attempt, I picked my own account. I didn't want to target some innocent person. So I went to see what I could get out of my own. Now, after getting to my account, I clicked the link under the profile photo that says Photos. Now, if you try Photos by This Person or Profile Photos, if that is there, those are places where you can download their profile photo. My profile photo was the very first one I saw there. So I could easily just download it. Then go back, and next to the link to Photos you see a link to Friends. Click that and you will see all of this person's friends listed. You now have basically everything you need to create a fake account and send out scam friend requests. Now, this approach is the well-known security technique of thinking like an attacker, which is very helpful in making yourself safer. So by thinking like an attacker, I went in and, oh, you know, I can do all of these things. What do you know? Now, the key to this attack is that Facebook makes public all kinds of information about you. This particular attack is pretty obvious, but there are more insidious ones. If you go to the About link, take a look at what is there. Places you have worked, places you have lived, where you went to school, family relationships, your birthday. Plus, you found out someone's spouse; you know they are married to Sally So-and-So. If that spouse has a Facebook account, you can get the spouse's birthday.
Now, why do I point all that out? If you think about it, aren't these exactly the kinds of things that are used for those security question authentications when you log into a number of other accounts? When you are setting this up for your bank account, you might think no one would know this. But in fact, it is all publicly available. We had this exact thing happen in 2012, no, 2008, for a vice presidential candidate, Sarah Palin, who had her email account hacked because her security questions were all things that were easily discoverable. One kid looked up the information and got into her account. Of course, you can sometimes pwn yourself. I had set up a PIN for an account many years ago and it required four digits. I thought I would be clever and picked a date from history. All right. Now, my first degree is in history. So I thought I was being really smart. It took me a few months to realize that the date I had picked matched precisely my wife's birthday. So I had to change it. As to it being a duplicate request, that is not even possible, even if someone managed to hack into your account. Once someone is your friend, you cannot send another friend request, period. The software won't allow it. So if you're seeing friend requests from someone you're already friends with, it is one of these clone scams. There's nothing wrong with their account. And so instead of telling them that they have to change all of their passwords and everything else (I mean, maybe they should from time to time, but that's a separate topic entirely that I don't want to get into here). Now, if this happens, what can the scammers get out of it? Well, if they can get other people to accept this fake account as being you, maybe they can send them malware, Russian election misinformation, promote illegal activities, or whatever. The good thing is that these days we have seen this so often that almost no one pays them any attention, but it's all a numbers game.
And even a very small percentage of successful scams can be profitable when pursued on a large scale. Now, what can you do? Actually, not a lot. Changing your password won't do anything here because your account is not hacked in the first place. And I tend to be a little leery of changing passwords willy-nilly because, human nature being what it is, it usually results in passwords that get simpler and more guessable over time. And that is one of the reasons why NIST, our National Institute of Standards and Technology here in the United States, recently came out against the requirement in many places that passwords be changed frequently on a schedule. And that's something that people who really understand security have been saying for a long time is a bad practice. Don't force people to change passwords. Nonetheless, it still happens. I'm even getting it from LastPass, which I use to manage my passwords. And it says, hey, you know, you haven't changed your master password in a while. And I'm going, yeah, because I got a good one. Leave me alone. OK. Now, if you see someone you are already friends with send you a friend request, do them a favor and click on the profile of this request. Now, you can always do this before accepting a friend request. You know, I regularly get friend requests from suspiciously attractive females whom I have never met, and who seem to have a serious lack of history. Click the timeline. There's a menu on the right with three dots. Click on that to report the profile as a fake profile. So you can do your friend a solid by reporting this fake before it does any more harm. Now, of course, it may already be closed when you try to do this, because Facebook has, in fact, gotten pretty good at finding and shutting down these clone accounts. And you can always check to see if anyone has cloned your account simply by searching on your name. Now, my name is not unusual.
But if I see two accounts with the same profile picture, I know one of them is bogus. Now, the other thing you can do, if you have not done so yet, and I would encourage you to do this, it's a good practice, is set up two-factor authentication. Now, to do this, you go to your home page in Facebook, click the drop-down arrow on the top right, select Settings and Privacy, then select Settings, and then finally select Security and Login. Now, go to the two-factor authentication on that page and turn it on. Set up how you want to do it. Now, I have a Facebook app on my Android phone and it gives me a code, but you have a few options here. So pick whatever one works for you. I always advise people, turn on two-factor authentication for any site that lets you do it. And it should be more and more of them as time goes on. Now, I've also posted a link to an article that's called Scam Alert: Be wary of accepting Facebook friend requests from people you're already friends with. So if you want to read that article, you can get the link in the show notes. But for now, this is Ahuka for Hacker Public Radio, signing off and, as always, encouraging you to support free software. Bye-bye.

Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released on the Creative Commons Attribution-ShareAlike 3.0 license.
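The two checks the host describes (a friend request carrying an existing friend's name or photo is a clone, since the platform will not deliver a duplicate request from the real account; and two accounts with the same profile picture in a search for your own name means one is bogus) written out as a small triage routine. This is an added example, not code from the episode or from Facebook; the `Profile` record, the account ids and the photo bytes are constructed stand-ins for what you would read off the profiles by hand.

```python
from __future__ import annotations
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    account_id: str      # platform-assigned id; a clone never shares this
    display_name: str    # what the scammer copies from the public profile
    photo: bytes         # profile picture; constructed sample bytes below

def photo_fingerprint(photo: bytes) -> str:
    """Exact-match fingerprint; a downloaded-and-reuploaded photo keeps it."""
    return hashlib.sha256(photo).hexdigest()

def triage_request(request: Profile, friends: list[Profile]) -> tuple[str, str | None]:
    """Classify an incoming friend request against the current friend list.

    Returns (verdict, matching_friend_id). 'likely-clone' means a different
    account that reuses an existing friend's name or photo; 'unknown' means no
    overlap, so look at the profile history before accepting.
    """
    for friend in friends:
        if friend.account_id == request.account_id:
            continue  # the real account cannot re-request; nothing to match here
        same_name = friend.display_name.casefold() == request.display_name.casefold()
        same_photo = photo_fingerprint(friend.photo) == photo_fingerprint(request.photo)
        if same_name or same_photo:
            return "likely-clone", friend.account_id
    return "unknown", None

def find_clones_of_me(search_results: list[Profile]) -> list[list[str]]:
    """Group a name-search result set by profile photo; a group of two or more
    account ids means at least one of them is bogus and worth reporting."""
    by_photo: dict[str, list[str]] = defaultdict(list)
    for p in search_results:
        by_photo[photo_fingerprint(p.photo)].append(p.account_id)
    return [ids for ids in by_photo.values() if len(ids) > 1]

# Constructed sample data (not real accounts): one genuine friend list, one clone.
MY_PHOTO = b"constructed-jpeg-bytes-for-the-host"
FRIENDS = [
    Profile("acct-1001", "Pat Example", b"constructed-photo-pat"),
    Profile("acct-1002", "Sam Sample", b"constructed-photo-sam"),
]
CLONE_OF_PAT = Profile("acct-9999", "Pat Example", b"constructed-photo-pat")
STRANGER = Profile("acct-5555", "Chris Newperson", b"constructed-photo-chris")
SEARCH_FOR_MY_NAME = [
    Profile("acct-0001", "Ahuka", MY_PHOTO),
    Profile("acct-7777", "Ahuka", MY_PHOTO),                          # clone reusing the downloaded photo
    Profile("acct-0002", "Ahuka", b"constructed-photo-other-ahuka"),  # same name, different person
]
```

Run `triage_request(CLONE_OF_PAT, FRIENDS)` to see the clone flagged against `acct-1001`, and `find_clones_of_me(SEARCH_FOR_MY_NAME)` to see only the two photo-sharing accounts grouped together.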