> I want to start by pointing out I use two-factor authentication just about everywhere and Facebook is not an exception.
I wish he'd mention what kind of 2FA. The reason you _really_ should use U2F/WebAuthn is because it does origin binding, which, unlike entering a TOTP (a code from your hardware token, the authenticator app on your phone, SMS, etc.), is not phishable, i.e. you can't enter it by accident on accounts.google.com.totallylegit.ru and then have them enter it on the real accounts.google.com. This is so because the U2F/WebAuthn security key signs a request, sent by your browser, which embeds the requesting page's domain, so a signature on attacker.com will not pass victim.com's verification checks, whereas a code from your authenticator app is trivially copied.
Beating 2FA is almost always SMS hijacking, but sometimes it's social engineering where the attacker has figured out just the right script to tell support ("oh, I dropped my phone and it won't turn on...") to get it disabled.
edit: correction, beating 2FA without phishing-- like in the post where he lost his account while asleep.
> I wish he'd mention what kind of 2FA...U2F/WebAuthn...origin binding...SMS
It shouldn't matter, because it's irrelevant to the point of the article, which is that Facebook (at least as reported) leaves a hacking victim with little or no recourse to get their account, and sometimes livelihood back.
An imperfect real-world analogy of your question is like asking about what precise brand of bear mace an assault victim was or was not carrying, and whether a better one would have helped. Perhaps it would have, but that's not the point. If having hardware tokens is so important, Facebook should be making them mandatory at its scale.
For work things I often have to enter a code from one or another app that expires every few seconds. I've always wondered how exactly that works. Where might I go to find out about that? Is it as straightforward as googling "how two factor authentication works" or is there some other terminology?
How is that possible? Codes from authenticator apps I've seen are 6-digit decimal codes. I don't know much about how it works. But I can't see how this is immune from MITM. I pretend to be $SERVICE and ask you for your authenticator code. If you fall for it, you'd give me the code, which I can use to impersonate you for the next 30 seconds.
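As an added example that is not part of the thread, here are the two mechanisms the comments above compare, side by side: RFC 6238 TOTP as the app and the server both compute it, a phished code relayed to the real service (which still verifies, exactly as the MITM question above suspects), and a trimmed-down WebAuthn-style assertion showing why the same relay fails once the browser-supplied origin is inside the signed data. The hostnames attacker.example and victim.example, the HMAC used in place of the security key's ECDSA signature, and the simplified clientDataJSON/authenticatorData layout are assumptions of this example, not anything from the thread or from any vendor's implementation.

```python
# Added example (not from the thread): RFC 6238 TOTP, a relay of a phished
# code, and a simplified WebAuthn-style assertion showing origin binding.
# Assumptions: the hostnames, the HMAC stand-in for the security key's ECDSA
# signature, and the trimmed clientDataJSON/authenticatorData layout.
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def totp_verify(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check, tolerating +/- `skew` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def totp_phishing_relay(secret: bytes, now: int) -> bool:
    """Victim types the current code into a look-alike site; the attacker submits it
    to the real service a few seconds later. Nothing in the code says where it was typed."""
    code_typed_on_fake_site = totp(secret, now)
    return totp_verify(secret, code_typed_on_fake_site, now + 5)


# --- WebAuthn-style origin binding (simplified) -----------------------------

def client_data(origin: str, challenge: bytes) -> bytes:
    """The *browser* fills in clientDataJSON, including the origin of the page that
    called navigator.credentials.get(); the page cannot choose a different origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(key: bytes, rp_id: str, client_data_json: bytes) -> dict:
    """Stand-in for the security key: signs authenticatorData || SHA-256(clientDataJSON).
    Real keys use ECDSA P-256 with a per-RP credential; HMAC keeps this stdlib-only."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def rp_verify(key: bytes, rp_id: str, expected_origin: str, challenge: bytes,
              assertion: dict) -> bool:
    """What the relying party (victim.example) checks before accepting a login."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:          # the origin-binding check
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                                  # rpIdHash must be ours too
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(),
                               assertion["signature"])


def webauthn_legitimate(key: bytes, challenge: bytes) -> bool:
    """User signs in on the real site: origin, rpIdHash and signature all line up."""
    cd = client_data("https://victim.example", challenge)
    return rp_verify(key, "victim.example", "https://victim.example", challenge,
                     authenticator_sign(key, "victim.example", cd))


def webauthn_phishing_relay(key: bytes, challenge: bytes) -> bool:
    """The victim's browser signs while on the phishing page, so the signed
    clientDataJSON carries the attacker's origin; victim.example rejects it."""
    cd = client_data("https://attacker.example", challenge)
    assertion = authenticator_sign(key, "attacker.example", cd)
    return rp_verify(key, "victim.example", "https://victim.example", challenge, assertion)


def webauthn_relay_with_edited_origin(key: bytes, challenge: bytes) -> bool:
    """The attacker swaps in a clientDataJSON that claims the real origin. Signed here
    with the victim's rpId to isolate one effect: the signature no longer matches,
    because it covers SHA-256(clientDataJSON)."""
    cd = client_data("https://attacker.example", challenge)
    assertion = authenticator_sign(key, "victim.example", cd)
    forged = dict(assertion, clientDataJSON=client_data("https://victim.example", challenge))
    return rp_verify(key, "victim.example", "https://victim.example", challenge, forged)
```

The RFC 4226 test secret `12345678901234567890` gives 755224, 287082 and 359152 for counters 0, 1 and 2, which is enough to confirm the HOTP/TOTP part against the spec. The relay of a TOTP code succeeds even with a conservative one-step skew window, because the service has no way to learn which page the six digits were typed into; the WebAuthn-style assertion fails on the origin check, and editing the origin afterwards breaks the signature instead.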
How was the account hijacked? Via cookie theft. The author installed malware, maybe some dodgy windows binaries or malicious browser extensions. No amount or type of 2FA on sign-in will protect you against the session cookie being stolen. (Now, additional 2FA on sensitive actions might).
Why was the account banned with such finality, with no chance of appeal? Probably for something outright illegal, like the hijacker uploading CSAM to the account. It's totally plausible that in an obvious enough case, the policy is e.g. to refer the case to law enforcement and keep the account disabled.
Why did the attacker want to get the account permanently disabled? Maybe an account disable doesn't stop ad campaigns on FB. So the attacker sets up an ad campaign, and then gets the account banned so that the owner can't reverse it.
I think that's quite likely. I have a (somewhat throwaway) FB account, not much of a profile and mainly used for a local cause. Co-admining a page, I'd clicked on a clickbaity headline posted to the page, and several days later my account was disabled.
The account recovery process was completely broken/circular but somehow the account revived itself after a week.
The fact that my 'friend suggestions' were untainted by a friends list seemed to confirm the hack as all my suggestions were from people in an entirely new continent.
The attacker should have replicated the browser fingerprint and IP on top of stealing the cookie - or just flat out used his computer remotely while he was sleeping.
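One way to get the "additional 2FA on sensitive actions" that the cookie-theft comment above mentions, combined with the fingerprint/IP point raised just above, as an added example that is not from the thread and not Facebook's code: a server-side session model in which a stolen cookie still browses as the user, but a sensitive action requires a recent second-factor check and is refused outright when the session shows up from a client that does not match the one it was issued to. The action names, the 300 second step-up window, the IP/User-Agent binding and the constructed request sequence are all assumptions made for the illustration.

```python
# Added example (not from the thread): a session model in which a stolen cookie
# still browses as the user, but sensitive actions require a recent second-factor
# check and are refused when the session shows up from a client that does not
# match the one it was issued to. Action names, the 300 s step-up window and the
# IP/User-Agent binding are assumptions made for the illustration.
import hashlib
import hmac
import secrets

SENSITIVE_ACTIONS = {"change_email", "change_password", "disable_2fa",
                     "add_payment_method", "create_ad_campaign"}
STEP_UP_MAX_AGE = 300  # seconds since the last successful second-factor check


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding of a session to the client it was issued to. Real systems use
    more signals; malware driving the victim's own machine will match this by construction."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the cookie value so a database leak does not leak live sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, user_agent: str, now: int, mfa_ok: bool) -> str:
        """Issue a session cookie after password (+ optional second factor) sign-in."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "fingerprint": client_fingerprint(ip, user_agent),
            "last_mfa": now if mfa_ok else None,
        }
        return token

    def record_mfa(self, token: str, now: int) -> None:
        """Called after the user passes a fresh second-factor prompt (step-up)."""
        self._sessions[self._key(token)]["last_mfa"] = now

    def authorize(self, token: str, action: str, ip: str, user_agent: str, now: int) -> str:
        """Returns 'allow', 'step_up', or a 'deny:...' reason for one request."""
        session = self._sessions.get(self._key(token))
        if session is None:
            return "deny:no_session"
        if action not in SENSITIVE_ACTIONS:
            # A stolen cookie works here: sign-in 2FA was satisfied when the cookie
            # was issued and nothing is re-checked on ordinary requests.
            return "allow"
        if not hmac.compare_digest(session["fingerprint"], client_fingerprint(ip, user_agent)):
            # The cookie is being replayed from somewhere else; refuse and, in a real
            # deployment, revoke the session and alert the account owner.
            return "deny:client_mismatch"
        if session["last_mfa"] is None or now - session["last_mfa"] > STEP_UP_MAX_AGE:
            return "step_up"  # the second factor is asked for again on this action
        return "allow"


def scenario() -> list:
    """Constructed sequence: victim logs in with 2FA, malware exfiltrates the cookie,
    the attacker tries to create an ad campaign from elsewhere, then from a client that
    mimics the victim's fingerprint and IP, then the victim re-authenticates."""
    store = SessionStore()
    cookie = store.login("victim", "203.0.113.5", "Firefox/115", now=1_000, mfa_ok=True)
    results = [
        store.authorize(cookie, "view_feed", "198.51.100.7", "Chrome/120", now=2_000),
        store.authorize(cookie, "create_ad_campaign", "198.51.100.7", "Chrome/120", now=2_000),
        store.authorize(cookie, "create_ad_campaign", "203.0.113.5", "Firefox/115", now=2_000),
    ]
    store.record_mfa(cookie, now=2_000)  # the victim, not the attacker, passes the step-up prompt
    results.append(store.authorize(cookie, "create_ad_campaign", "203.0.113.5", "Firefox/115", now=2_010))
    return results
```

The sequence in `scenario()` comes back as allow, deny:client_mismatch, step_up, allow: browsing with the stolen cookie is not stopped, the ad-campaign attempt from a foreign client is, and an attacker who does copy the fingerprint and IP still hits the step-up prompt rather than the action. The caveat is the one the comment above makes: if the attacker simply drives the victim's own machine remotely, the fingerprint matches, and the step-up prompt is the only remaining barrier.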
I haven't used FB in a while but I remember logins from other places were detected.
I had someone contact me on Facebook marketplace, we agreed upon a time/price and then they asked for my phone number (which I sadly gave them). Then they said "I'm going to text you a code, so I can verify you are legit". The text I got was from Google Voice's 2FA.....
This is what I'm worried about, to be honest. Not necessarily getting hacked but just getting flagged, banned and burned with no recourse.
This is why I commented on an article here some weeks ago that if they ever offered any paid user experience they'd be in trouble because they'd actually have to help their users with their issues.
These tech companies should offer actual support the moment you spend money with them with some actual recourse to solve problems, especially if it's caused by them. It's insane to me that they can just go and run away with your money or burn your account at a moment's notice, even when it's just some automated filter going crazy. At the bare minimum something like Amazon has should be the standard the moment you operate a paid digital software repository or sell a digital service or ads. Losing your investment should not happen to you unless you're a really blatant abuser and if you're the one getting abused your bank or credit card provider should never be your only line of defense.
I'm baffled that they have not been in any real conflict over this with any consumer protection agency for any of our governments.
I guess this is the model when the user is the product and not the customer. Flipping this, if this were a paying advertiser (customer) that got locked out, there probably is a valid path to contact someone.
Looks like it is time to remove all my Single Sign On from Google, Facebook, GitHub etc. And have individual user/pass for all of them. I have the same fear as you and way more so after reading this article, just way too much risk now.
>This is why I commented on an article here some weeks ago that if they ever offered any paid user experience they'd be in trouble because they'd actually have to help their users with their issues.
Facebook has offered a paid user experience to Oculus users for several years now, and so far no one has forced them to actually help users with these issues. Not the market, not regulators, and certainly not users. They will keep getting away with it simply because they can. What are you going to do about it?
Fascinating blog post. However I don’t know why it took him so long to reach out to Facebook support, everyone knows that to get your account unlocked you just need to write a viral blog post about your experience and use your existing popularity to ensure someone at Facebook reads it, realises you’re not one of their typical peasant end users and unlocks your account for you.
In other news, I built and deployed a "2FA Mule" last weekend.
It's a stock android phone with no google account and no apps installed except for "SMS Forwarder"[1].
It is configured to forward all SMS to an email address via encrypted SMTP. This means that I can receive these 2FA codes anywhere I have Internet access - such as an airplane or newly arrived in a foreign country where my SIM card does not work.
The "2FA Mule" itself is plugged in at my office in a corner.
I'm not employing this for anything sensitive but it's interesting to consider that I can use SMS based 2FA while divorcing it from my day to day SIM identity ...
Google Voice works for many services, is protectable with 2FA (hardware tokens), and is accessible most anywhere in the world. You're at the mercy of Google, though.
I really think for the Oculus side of this, they should be on the hook for refunding a significant portion of the cost of the user's Oculus library when they ban the account.
This would put the cost of a ban to Facebook for real users in the order of hundreds of dollars which is more than enough to have a support person do a realistic evaluation of the situation. It also reflects the non-recoverable portion of the cost to most users - you can sell the headset, but you can't transfer the value of the library to anybody. That is a straight up and very significant financial loss.
While other aspects of the ban policy are obviously still very problematic, the fact that an arbitrary ban that is caused by actions outside the user's control can result in hundreds of dollars of losses sits at a whole different level and should be legally problematic for Facebook.
What is the point of setting up a hardware or Google Authenticator-type 2FA solution when most companies will fallback to SMS? Is there a way to prevent the SMS fallback (last I checked it was 'No' for most sites except maybe Google if I remember, and then you still had to go in and manually delete it)?
Does a master list exist of companies that don't use SMS, or allow the user to exclude it? Otherwise it seems like most 2FA is just opening up a much easier attack vector (social engineering a phone number port) vs guessing a long, random, unique password. A password manager with browser plugin (or iCloud Keychain) mostly solves the phishing issue if you stop a second to think on the rare occasions when you need to manually copy/paste because of a weird subdomain or partner domain.
I've been 'about to' set up 2FA for over a decade now, but it always seems like a bad idea.
Edit: Also, who's to say customer service agents won't/don't fallback to sending an SMS reset code even if the account supposedly requires a dongle or app for 2FA.
It seems like the places that rely on SMS generally don't have hardware 2FA. Or, most websites that allow configuring multiple 2FA methods support disabling SMS.
The ones that let you configure a single MFA method or single with backup are usually where I run into issues, personally.
For instance, on GitHub, I have 2x U2F tokens and paper recovery codes but there's not even a phone number configured on the account.
I can't tell you how many obviously-fake profiles and scammers I report, and see other people commenting about reporting, only for them to still be around days, weeks, sometimes even months later.
All of these were obvious scammers directing traffic to a single profile - some forex guru or whatever. Shilling get-rich-quick schemes doesn't meet Facebook's definition of "spam", apparently.
Ironically you have to be careful doing this, as their systems can ban you for too many reports if they aren't all flagged as 'legitimate' scammers. The last time I filed a report I had this new warning show up at the bottom prior to submission.
Facebook seems to be "too big to fail", at a point where their game theory is "the scammer is generating profits for us, so letting some of our users get scammed is something we can let happen".
It's pretty scary. I think they're really willing to let facebook die off and just keep instagram and whatsapp, I think that's their strategy.
Even Facebook Dating is buggy and not worthy of a giant like Facebook. Maybe this is how GAFA will start to decline.
I don't think Facebook 2FA is terribly secure. They definitely err on the side of usability. I was using TOTP on Instagram and I forgot to back up my Google Authenticator before wiping my iPhone. But I was then able to just go to the settings on a logged-in device and disable 2FA without 2FA. And it wasn't like I had logged into that device recently, either. I only had to 2FA Instagram once, years ago.
Google makes a point in their ads for the chromebook that you need a Google account to login, which my brain immediately translates into "could be randomly bricked at any time".
It's possible that's not true, but there's such an endless stream of these stories, that that's the attitude you have to take.
I think a Chromebook is a touch different, as there's nothing actually tied to the hardware itself (which, I suppose, is sort of the point).
If your Google account is borked, nothing is unrecoverable from the computer and any other account can log into it.
That being said, you will be screwed in various other ways, mainly that all of the information you'd lose because it was normally stored on the you've now lost because you got the ban hammer
I love how they say it can't be reversed in the warning. That is an absolute falsehood. It's worded in a way that leads you to believe it's final and not possible to undo, which is entirely false.
Source: recently had to help someone get a developer account out of this position; account was reinstated. Just gotta know the right people, I guess?
This is the biggest example of all, to me, why big tech needs regulating... if you are going to take away access to things I paid for (or worse yet, my family's livelihood depends on), you dang well better be willing to explain very explicitly why and provide me with a real person to appeal to. Not some automated system (I'm looking at you too, Google and Apple!)
> I’ve gone from a position of caution about Oculus + Facebook to a position of “Run, don’t look back.”
As if this wasn't an obvious problem.
Relying on any of Facebook, Twitter, Instagram, TikTok, etc. for anything is a risk. Doubly so if it involves your business or a product that won't work without permission from $PLATFORM.
I don't understand how the hacker bypassed 2FA? Did OP accidentally enter his keys somewhere? Or did the hacker convince FB support to disable 2FA? How can we all avoid OP's fate? A lot of comments go in-depth on YubiKeys and whatnot. But if FB support disabled 2FA, what good is U2F, FIDO2 and whatnot?
Facebook's walled garden around oculus is really disappointing. Updates frequently broke mods, and the last time I tried to get it working again my Quest got bricked. Need to try factory resetting or something to see if I can get it working again, but it's left such a bad taste in my mouth I'm considering just selling it instead and buying a better VR system.
The only people I've heard of having positive experiences with the Quest either:
- haven't had it for very long, or
- use Virtual Desktop or sideloading to break out of the walled garden. And are willing to frequently repair the issues that arise after frequent breaking updates.
I predict that gap in the fence will be closed off and non-Oculus Store games will no longer work within the next two years, and Quests will be junk. Please consider other options if you're thinking about buying Oculus.
IDEA: Build a service that identifies all the Single Sign On accounts tied to your Facebook/Google/GitHub/Twitter accounts for you and gives you a nice list and instructions on how to separate out the accounts with links if possible.
ricardo81 | 4 years ago
Nd ads/CC attached to the account.
NiekvdMaas | 4 years ago
https://github.com/Niek/Niek/blob/master/facebook-scam/READM...
rsync | 4 years ago
[1] https://play.google.com/store/apps/details?id=com.frzinapps....
dheera | 4 years ago
I also have it auto-answer 2FA calls and automatically hit the # key.
Yeah, call it not real 2FA, but really it's the companies that choose not to use U2F that are at fault.
nijave | 4 years ago
That should help against SIM swap attacks.
phire | 4 years ago
I'm going to have to steal that.
danlugo92 | 4 years ago
Will actually go this route in the future.
mr_toad | 4 years ago
Most people probably use it because it's more convenient and reliable than SMS, not because it's more secure.
someguydave | 4 years ago
One possible point is that you could still log in somewhere that has internet but no cell service.
cmattoon | 4 years ago
https://imgur.com/a/xihRPwE
What a garbage app.
exikyut | 4 years ago
> You anonymously reported ...
> You *anonymously* reported ...
> *You* *anonymously* reported...
"Greetings, human. We have masked your identity from... o̧u͢rs̢e͘lv́e҉s."
EMM_386 | 4 years ago
DO IT. Please, do it.
While it's a damning write-up, words won't change anything. Lawsuits might.
tibbon | 4 years ago
Why is customer support so... unfriendly and unhelpful? No escalations possible? No way to reach anyone?