I could have lost my Facebook account in an instant and two-factor auth wouldn’t have saved me!

The ways you can lose your accounts are plentiful these days, but generally speaking there are some easy ways to protect yourself. The problem I encountered earlier today was one that’s remarkably slick and, honestly, I nearly fell for it. Unfortunately, two-factor authentication wouldn’t have saved me.

I could have lost my Facebook account in an instant if it weren’t for a general suspicion of the situation and my diligence about account security!

The method is quite clever

It uses direct messaging from someone you know to lower your guard. In my case, I received a message apologising for bothering me and asking if I could help with something quickly. From there, once I responded (as it was someone I sort of know), I was, in their eyes, on the hook. Truth be told, the fact I hadn’t heard from this guy in any way in over 10 years made me very suspicious, but I wanted to see how this would play out, so I played along.

The conversation was quick and simple from there. They said that they were logging into Facebook on a new phone and that Facebook “elected me from their friends list” to receive a code, and they (Facebook) would send it to me.

This is where the whole thing got pretty slick: I received a photo of the guy via Messenger, “proving” that it was him making the request to me.

Moments later, an email arrived as expected with a reset code in it. Were it not for the fact that I tend to read these things pretty carefully, I could have lost my Facebook account at this very moment. The code wasn’t a “friends recovery code”, it was to reset the password on MY Facebook account.

The sneaky ***** had used the password reset page, searched for me and triggered a password reset. They were clearly sitting there waiting for the code, and had I sent it, my account would have been gone in a second, because the email with the code WAS the two-factor authentication. Points for effort, because the conversation would be enough to lower the guard of a lot of people.

Combined with the instant pressure to send the code, it would have been easy: I was expecting a code, so I could have copied and pasted it into the chat and thought nothing more of it, at least until I went to access my account later that day and found it gone!

The warning flags

I’ve mentioned them along the way, but to set them out as the specific flags that made me suspicious, here they are.

  1. The contact was from someone I hadn’t had any contact with in a very long time
  2. The contact came from someone already logged into Messenger, so they clearly HAD their password or access to a device to authenticate another one
  3. As I’ve nominated family to be my account recovery people, I knew this wasn’t the process
  4. The first screenshot had no Meta or Facebook branding on it at all
  5. The photo clearly wasn’t taken on a current generation device

My advice if you get contacted like this through any social media: if you don’t know someone well enough to have their phone number (and they yours), you’re not their “recovery contact”. If you do have their number, call them to verify it’s really them.

It might seem paranoid, but this type of attack can extend beyond Facebook and other social media accounts. What about losing your Google or Apple account with your banking details attached to it? What about having your bank account compromised?

The potential is near limitless, so be diligent and consider your account security. This is particularly important when you receive codes or some other form of authentication sent to you by a third party: don’t assume it’s valid, and thoroughly read what you’ve been sent. That moment of pause saved me days, potentially weeks, of headache and the very real chance of permanently losing my account.