
Why Social Media Users Have Trouble Reclaiming Hijacked Accounts (siliconvalley.com) 64

After their Instagram accounts were hijacked, two different users say they contacted Instagram ten times -- and even proved their identity by submitting selfies -- but received no response.

And one Silicon Valley newspaper points out that if your account is hijacked at Instagram, Google, Facebook, or Twitter, "there's nobody to call... your options are limited to submitting an automated online form and hoping an actual human being gets back to you." In his book "Zucked: Waking Up to the Facebook Catastrophe," longtime Silicon Valley investor Roger McNamee criticized tech companies' approach to user service: "The customer service department is reserved for advertisers. Users are the product, at best, so there is no one for them to call." That's by design at most companies that offer free online services. In "I'm Feeling Lucky: The Confessions of Google Employee Number 59," a 2011 book by Douglas Edwards, he wrote that as Google was beginning to grow, co-founder Sergey Brin asked, "Why do we need to answer user email anyway?"

Problems have multiplied as the companies' user bases have skyrocketed. Instagram cited its scale (1 billion users, a spokeswoman pointed out) as one reason all user questions are routed first to an automated system. Facebook, Twitter and Google said they use a combination of humans and automation -- but mostly automation, and in Google's case, forums made up of other users -- to respond to users' concerns. A Google spokesman said the company focuses on making sure user accounts don't get hacked in the first place...

One woman discovered her Instagram account had been hijacked and was now posting pornography. "My grandma and cousins are going to block me..." she complained in a tweet, adding "Thanks for nothing!" And the article also cites another woman in California who says she lost access to more than 600 photos she'd posted on Instagram -- only half of which were backed up. Her response? She created a new Instagram account, this one with two-factor authentication, "and plans to change her password more often."

James Plouffe, a lead security architect at a Silicon Valley security software company, also suggests that if you ever do regain access to a hijacked account, "check the account recovery procedures to make sure they're yours, not your attacker's!"
  • by Anonymous Coward

    It's time for people to realize that so-called "social media" is a cancer! It is destructive to everything it touches, and without any kind of redeeming value at all!! To Fakebook, TWITter, etc, people are products to be sold out to whoever will pay. They don't care about people, or data breaches!

  • by davidwr ( 791652 ) on Sunday April 07, 2019 @06:30PM (#58400384) Homepage Journal

    Would filing a police report for identity theft help?

    Would a letter from a lawyer demanding the account not be used by anyone else pending a resolution help?

    How about a court order?

    Granted, those are inconvenient and expensive, but the bad publicity of a few dozen cases of "I had to get a court order to get my account back" in a short period of time would be expensive for the social-media companies too. It might be enough to get them to streamline the procedures to regain control.

    For people in the USA and other countries with similar laws that would get YOU arrested for fraudulently trying to "take over" someone else's account by claiming you were the rightful owner, it shouldn't take more than a notarized copy of your driver's license, an affidavit saying the account is mine, and an affidavit saying you are who you say you are for the social media company to at least kick out the imposter. As far as you getting control of the account back, they might insist on some kind of video interview.

    For people who are in countries without a reasonably efficient legal system, and for people who - for good reasons or bad - deliberately lied about things like their birth dates when they created the account, well, it's going to be hard to prove you are the rightful owner.

    • by Solandri ( 704621 ) on Sunday April 07, 2019 @09:09PM (#58401074)

      it shouldn't take more than a notarized copy of your driver's license,

      Unless Facebook already has a notarized copy of your DL on file, or you somehow linked your FB account with real-life ID info which can be linked via authenticated services (e.g. state DL database) to that DL, how is FB supposed to know that the John Doe on your DL is the owner of the account, and not a John Doe on someone else's DL? If you did the typical thing and provided only the bare minimum of info needed to create a FB account, then it's impossible to "prove your identity" to FB. To prove your identity at a future date, you must have confirmed your identity at a previous date. Submitting proof of your ID after the fact, is like trying to restore from a backup when you never made backups.

      I suppose people's reasoning is that since FB is learning and tracking all this stuff about their identity anyway, it would be relatively trivial for FB to confirm that the identity info they've collected on your account profile matches your identity, not the impostor's. But that opens up a huge liability issue. Since you allowed your account to be hacked, FB is not liable for the consequences. If they start handing back accounts to people who claim to have been hacked, and they screw up and actually take it away from the real owner and hand it over to an impostor, FB becomes liable for the consequences.

      The only real way to prevent this stuff while maintaining your anonymity is to create 2FA recovery tokens [github.com] - unique cipher-texts which can be used to confirm that you were the person who used the account to create the cipher-texts. By creating those tokens at a previous date, you can provide them at a future date as proof that you're the account's real owner. I've done it for my Google and web hosting accounts (I assume FB has something similar; I wouldn't know since I don't use FB). For domains, I register the important ones for multiple years, and set reminders for myself to renew them before they expire (I deliberately picked my birthday as the renewal day, even if it meant I lost a half year of registration fees - a whole $6).
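
Added example, not part of the comment above and not any provider's actual code: a sketch of pre-enrolled one-time recovery codes, where the service keeps only salted hashes at enrollment and later accepts each code once as proof of prior control of the account. The function names, code format and in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # look-alike characters left out
PBKDF2_ROUNDS = 100_000

# Hypothetical in-memory store: account -> [(salt, digest), ...] of unused codes.
# A real service would keep this in its database; plaintext codes are never stored.
_unused = {}


def _digest(code, salt):
    """Normalise user input (case, dashes, spaces) and derive a salted hash."""
    normalized = code.replace("-", "").replace(" ", "").lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, PBKDF2_ROUNDS)


def enroll(account, count=10):
    """Issue a fresh set of codes while the owner is logged in.

    Re-enrolling replaces the old set, so codes seen by an attacker can be revoked.
    The plaintext codes are returned once for the owner to store offline.
    """
    codes, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        salt = secrets.token_bytes(16)
        records.append((salt, _digest(raw, salt)))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    _unused[account] = records
    return codes


def redeem(account, presented):
    """Return True once per valid code; an accepted code is consumed."""
    records = _unused.get(account, [])
    match = None
    for index, (salt, digest) in enumerate(records):
        # Check every record and compare in constant time.
        if hmac.compare_digest(_digest(presented, salt), digest):
            match = index
    if match is None:
        return False
    del records[match]
    return True
```
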

      • by davidwr ( 791652 )

        The purpose of the notarization and the affidavit is to deter fraudulent claims of "I lost control of my account" by making it much more likely that someone making such a false claim would be caught and could be criminally prosecuted.

        Yes, you are correct, there is nothing to stop someone from claiming to be the owner of an abandoned account. However, if the original account-holder or his estate ever realizes it's been taken over by me through such a false claim and they can prove the claim was false - they

      • by vakuona ( 788200 )

        how is FB supposed to know that the John Doe on your DL is the owner of the account, and not a John Doe on someone else's DL?

        Well, on something like Facebook, I imagine if you have a friend, you can also ask them to vouch for you as well. So yes, you might be a John Smith with a specific date of birth, but you also have to be a John Smith that knows a specific Other Person who also has another specific date of birth.

        • by sjames ( 1099 )

          Keep in mind, for every method to take an account back, there is a corresponding method to fraudulently take over someone's account.

          It wouldn't be that hard to have a friend help you to take over a 3rd party's account.

          • But your friend would be wilfully committing fraud. And also, they would need to be friends (on FB) with the person whose account they want their friend to take over.

            There are no perfect solutions, but just making this difficult enough may be enough to deter most would be hijackings of accounts.

            • by sjames ( 1099 )

              Plenty of people willing to commit a little fraud, especially if they think of it as petty. Also since friending is hardly a lifelong commitment on FB, it could be as easy as friend me for a chance to win a new Xbox.

    • by AmiMoJo ( 196126 )

      It shouldn't be that hard.

      Facebook can see that suddenly you started accessing your account from a completely different IP address range in another state, and that your email address was changed to prevent account recovery, and your account switched from posting puppy photos to hardcore porn, and then contacted them to say that your account was hijacked.

      If they were still in doubt they could ask you to send a photo holding a sign with a code word written on it, and compare that to photos on your account. The

      • by shess ( 31691 )

        It shouldn't be that hard.

        Facebook can see that suddenly you started accessing your account from a completely different IP address range in another state, and that your email address was changed to prevent account recovery, and your account switched from posting puppy photos to hardcore porn, and then contacted them to say that your account was hijacked.

        If they were still in doubt they could ask you to send a photo holding a sign with a code word written on it, and compare that to photos on your account. They could ask your network of friends about it.

        This is all true, but the problem is that Facebook's existence is predicated on spending pennies per year supporting their users, because they can only sell off our privacy for a few dollars per year. Any sort of human-looking-at-things process makes your account unprofitable, probably forever.

        Best case is that they could automate some of these things so that when you contact about a hijacked account, the system can bubble up that contact along with various posting-patterns-changed indicators to show that

        • by AmiMoJo ( 196126 )

          YouTube is the same, which is why their awful system is fully automated and it's nearly impossible to contact a human.

    • Would filing a police report for identity theft help?
      Would a letter from a lawyer demanding the account not be used by anyone else pending a resolution help?

      Which will near immediately start being abused to silence disliked opinions, etc.

      See how DMCA is abused on YouTube.
      (e.g.: by people looking for a way to demonetize or censor video criticizing them).

      • See 58401372 [slashdot.org] above.

        Perjury - lying in an affidavit - is a crime in the United States. The threat of jail and having a criminal record should be deterrent enough, at least in the United States.

        In places where it is not a good enough deterrent, then I concede that this solution won't work.

        • Perjury - lying in an affidavit - is a crime in the United States. The threat of jail and having a criminal record should be deterrent enough, at least in the United States.

          Again, have a look at the "abusive DMCA" situation on platforms like YouTube.
          How many of the abundant false claims have ended up with the liar getting jailed?
          I can't even name a single occurrence that I've heard of.
          (I'm not saying it never happened, I'm just saying that it's a rare enough occurrence)

          Eventually that is what your "sue Platform because I'm the rightful owner of the account"-system will devolve into.
          Lost accounts are a big thing (there's a market for hacked accounts, just to gain visibility for n

    • by DogDude ( 805747 )
      rightful owner

      The "rightful owner" of a Facebook account is Facebook. The "rightful owner" of a Gmail account is Google.

      It's not theft if you don't own it to begin with.
  • by gurps_npc ( 621217 ) on Sunday April 07, 2019 @06:31PM (#58400396) Homepage

    When you sign up for Social Media, you are NOT the customer, you are the product.

    Would you expect a steak company to have a customer service line for the cattle? No. Only the paying customers get customer service.

    If you willingly sign up to be the product, do not expect any service except a knife in the front. Not the back, the front.

    • by AmiMoJo ( 196126 )

      You are both the product and the customer. They need to keep you happy or you will leave, and then they can't sell your data to advertisers. Unlike cattle you have free will and a choice of social networks, or simply not using Facebook at all.

      Best not to over-simplify this if we want to fix it. Also customers have rights so better that we demand them.

      • You are both the product and the customer. They need to keep you happy or you will leave, and then they can't sell your data to advertisers. Unlike cattle you have free will and a choice of social networks, or simply not using Facebook at all.

        I always get a kick out of it when someone gets pissed off and tells me they're leaving Facebook because it sucks and Zuck is evil and from now on they're only going to use Instagram!

      • You are both the product and the customer. They need to keep you happy or you will leave, and then they can't sell your data to advertisers.

        Actually, I'm pretty sure they can, and do, continue to sell their data (concerning you) after you leave the platform. The purchasers are likely to pay less for information about someone who hasn't logged into an account for 7 years, but I bet the sellers charge more for datasets that filter out such users.

        Also customers have rights so better that we demand them.

        I'm not

  • Lost a domain and have a Twitter account linked to an email address on this domain....and I believe you have to 'confirm' the old email to swap, so that will be fun.

    (Don't use domainsatcost.com - they didn't send me any notices after 7 days remaining, even tho they claim they did, and by the time I noticed the domain was gone, a squatter picked it up; who's to say they're not in cahoots to charge $100+ for an obscure domain name??)

  • Try to search for help on google products, go to any 'official' google support page. Read 1 OP, 1 cut and paste reply by a Google AI, then read 20 pages of 'WTF' Google. I don't know why they even bother to pretend they give a shit by providing contact info.
     
    The only time I've ever seen Google reply is when I submitted a correction to Google maps. I presume they bothered because someone could have driven into the stand of trees that showed to have a road through it and sued them.

    • I was going to post exactly the same thing. Back when Google bought GrandCentral, my "number for life" was one of the ones that got fucked up in the transition.

      Predictably, I never did manage to get a satisfactory answer out of Google as to why my number died, nor were they able to do anything to fix it. I ended up just having to make a new account. That's the thing with free services - when they don't work properly, you get exactly what you paid for.

    • Google definitely does respond to customers. When I have a problem or question about advertising, somebody usually gets right back to me.

      When you say help with Google products, are you a customer or a data feeder? They don't respond (or have any reason to respond) to people who feed them their data.
  • My Skype account is still screwed up from the time hackers exploited some security flaw and took it over. Since I didn't have any payment/banking information or any really useful personal info linked to Skype, the damage was minimal. I reset my password ages ago, but it's still in some sort of a restricted status that customer service is unable/unwilling to fix.

    It's just annoying that if I ever have a need to use Skype again, I'll need to make yet another damn Microsoft account.

  • by Dutch Gun ( 899105 ) on Sunday April 07, 2019 @09:28PM (#58401148)

    And the article also cites another woman in California who says she lost access to more than 600 photos she'd posted on Instagram -- only half of which were backed up. Her response?

    Well, at least she's learned how important it is to regularly back up your...

    She created a new Instagram account, this one with two-factor authentication, "and plans to change her password more often."

    I... what? No... that's not... sigh...

    • Another question here: Why wasn't her first account using 2FA?

      Too complicated and who needs security anyway?

      Well, you do...

  • Apparently the solution to a hijacked Facebook account is to create a new account. A relative impersonated me on Facebook. After jumping through all the Facebook hoops to try to claim my own damn Facebook account (I hadn't previously "planted my flag" by making my own account) with no response from Facebook, I read that it is common for someone to be impersonated on Facebook. So I impersonated myself on Facebook by making a new account, and that seems to have worked.
    • by Kaenneth ( 82978 )

      Fun fact, in some states, like Washington I know of, social media impersonation is a crime in and of itself.

      https://apps.leg.wa.gov/docume... [wa.gov]

    • by rtb61 ( 674572 )

      Let's call a spade a spade, a social media account in reality is an antisocial media account. From corporate to user, the relationship is entirely antisocial and often between users the relationship is antisocial. How to use social media, the best answer, simply don't, there is no benefit, the account will be abused and you turn your private life and the lives of those you associate with, into a product to be sold, AGAINST, your interests.

      There is only one way to safely use social media: don't use it. Sure pl

  • and even proved their identity by submitting selfies

    And what are selfies supposed to prove? That whoever claims to be the user at one point had received a selfie of the person who was using the account until now?

    Cool... Take a selfie posted from facebook and send it to instagram claiming that should give me access to that instagram account...

    Sorry but unless your driver's license has your Instagram account printed on it, there is no way to use it (or a selfie or passport or whatever) to prove that you are the person who created the account. Yes, those documents

  • ... exclusively for anything mission-critical. That includes, of course, social networks.

    Do not and never use your real name unless doing a regular online business transaction with trusted companies or in scenarios where you present yourself publicly online as a professional of some sort in an environment you yourself have total control over - such as, for example, your own website.

    I've followed these rules for almost 3 decades and taught my daughter to do the exact same. There is no single online account I can't completely abandon or cut loose or migrate away from within a few hours without missing a beat. Anything else is bound to open up a world of pain if shit hits the fan.

  • by Applehu Akbar ( 2968043 ) on Monday April 08, 2019 @05:26AM (#58402244)

    It’s not just social media. So many online sites lack any meaningful way of being contacted if something goes wrong. A company hires developers to set up the site and establish a payments scheme and then seems to forget to hire any back office personnel to take care of customer service. At some point, this will take legislation to enforce standards of policy, an “Internet building code.”

    Look at the tales from people whose PayPal accounts have been frozen for reasons they have never been given a clue about. This is a site primarily devoted to handling money. It gets worse from there.
