By Claudia Buck, The Sacramento Bee
“Hi to you my lovely facebook friend’s this is my New account now i got a Trojan virus on the other account so that why i send you a new friend request thanks for Accepting me back.”
—Aug. 13, 2012
For anyone who knows Judie Fertig Panneton, a Sacramento, Calif.-based writer and author, that grammatically mangled Facebook post was clearly not from her.
But it sure looked like Panneton’s Facebook page. It had her smiling photo, along with the 86 thumbnails of her friends and daughters. Everything appeared the same, except that her hometown had changed.
It turns out that Panneton was Facebook-hacked. An impostor set up a nearly identical account, then started contacting her friends, in some cases appearing to solicit them for money.
She’s not sure how or why it happened, but it left Panneton feeling “punched in the stomach.”
“The creepy part is you don’t know what other harm they’re doing: asking your friends for money, hacking into your accounts. Even though they can’t spell,” she noted wryly, “they can do a lot of other bad things.”
Panneton’s problems with a so-called “impostor profile” raise one of the uneasy aspects of Facebook life: Users expose so much of their personal lives online that they’re hugely vulnerable.
Not that it’s anything new.
“We’ve certainly been aware for some time that social networking sites can be a source of information that bad guys can use, if users don’t have good privacy controls or put too much sensitive information out there,” said Joanne McNabb, who heads the California Attorney General’s new online privacy unit.
Those who deal with the aftermath of identity theft cases via social media say they’re all too common.
“We see it a lot. … In a social network environment, people have a tendency to give away way too much information about themselves,” said Adam Levin, founder of IDentityTheft 911, an ID theft and security breach consulting firm.
“This whole ‘friending’ process is not the most positive thing,” he said, noting that supposed “friends” can easily harvest details, such as birthdates, travel plans, kids’ names and email addresses, that enable all sorts of financial, medical and personal identity theft.
The personal bits of ourselves that we freely share online, Levin said, are “a pot of gold” for identity thieves.
And there are a lot of us out there sharing. According to Facebook’s most recent activity report, there were 955 million active monthly users at the end of June.
Panneton didn’t discover her impostor profile until several friends emailed her, saying they were getting suspicious-sounding Facebook messages. Some of the phony messages claimed that “Judie” had been hacked. Some mentioned getting $200,000 cash from an “agent” of an unnamed government poverty program.
Alarmed, Panneton immediately shut down her personal Facebook account, along with a separate Facebook page promoting one of her books. And she scrambled to change — and beef up — the passwords on her other online accounts — Amazon, Groupon, her iPhone, etc., something “I should have done in the first place.”
What she couldn’t easily do was shut down the phony Judie Panneton account. Under Facebook’s online “Report a Violation” page, she needed to submit a digital image of a government-issued ID (i.e. a driver’s license or passport), a notarized statement verifying her identity and her electronic signature.
But having been victimized once, Panneton wasn’t about to hand over more personal identification online. Unable to contact Facebook by phone, Panneton could only watch as her impostor continued sending out email messages in her name for at least 10 days.
According to a Consumer Reports survey issued in June, 11 percent of Facebook households — an estimated 7 million — reported some kind of “trouble” last year, ranging from someone using their log-in without permission to being harassed or threatened online. Yet the same survey found that nearly 13 million users said they had never set, or didn’t know about, Facebook’s privacy tools.
In an email, Facebook spokesman Fred Wolens said the company doesn’t provide statistics on incidents like Panneton’s. And, he noted, Panneton’s fake profile isn’t technically “hacking,” since it wasn’t “a compromise” of access to her original account.
But Wolens said Facebook takes privacy and security threats seriously. He said Facebook has internal systems to “flag and block” fake accounts, as well as investigate users’ reports of fraudulent activity.
When contacted by a reporter, Wolens immediately had Panneton’s fake account shut down.
In recent years, Facebook has come under criticism for its privacy policies. Just this month, the Federal Trade Commission finalized a settlement with the social media giant, which it accused of sharing users’ private, personal information without their permission. Part of the settlement requires Facebook to undergo audits of its privacy policies for the next 20 years.