How much safe am I on Facebook?

sewi4
sewi4 Posts: 4 New Member

I recently became interested in internet protection and security. I have few questions though.

Can hacker randomly attack someone on Facebook, perhaps only because the victim has a weaker password (eg a short word and 1 symbol), even if he doesn't even know the victim?

Could they perhabs try to log into some random account and click on forgot my password and mobile number and somehow "recover" the account only with the help of a password?

Is it necessary to send an email (phishing) before or can they just hack the facebook itself?

Does a hacker have to know his victim or can he just break into random accounts?

Comments

  • Ukko
    Ukko Posts: 3,611 Superuser
    edited May 2020

    Hello,

    Sorry for my reply. I am only an F-Secure user (their home solutions). So, just kind of a discussion.

    Can hacker randomly attack someone on Facebook, perhaps only because the victim has a weaker password (eg a short word and 1 symbol), even if he doesn't even know the victim?

    Yes, very likely. Maybe even such a background is most often situation. Whereas targeted attacks are more hidden and with a lot of fantasy around tricks - can be done by 'friends' as a joke or by competitors / rivals as a 'treat'. Targeted attack is an almost 'detective' crime adventure.

    But accounts with weak password or leaked password can be compromised pretty quickly. So there are indeed can be random attacks against random victims. Someone (sometimes can be called 'hacker') can to initiate automated attacks against 'any' (all) account / emails / phones or so on. Or can to use leaked data about users and to reuse (attempt to reuse it). It is can be automated and done by "bots" or by specific "tools" or even manually. Then compromised ('unknown' victim for attacker) account can be used for some further tricks (to use hidden information, to use their friends or contacts, to use it for 'botnet' and other threats). So, my own opinion - there is no "who needs my account?". For some strange people - not need any reason for hack/steal account. Partly because it can be done automatically (by automated processes with further reuse received opportunity). Also web resources can be with own vulnerabilities. As a result, accounts or data can be breached or leaked, or unexpectedly used.

    BUT perhaps social media resources (and other large websites) with some strict requirements. And too much weak password is not possible to use.  However, good to use as strong password as possible. In addition, attack should to know some entry point. So, good to limit any information that is published online (if other layers are not so secure and strong). Anyway, most of large websites with internal mechanisms against automated attacks and suspicious attempts to use account. And, usually, they launch bug bounty programs and other ways to increase their own security (and users' security as a result) - so, in general, too much random hacked account is less likely on current day. But if password is weak really - just matter of time when something start be wrong.

    Could they perhabs try to log into some random account and click on forgot my password and mobile number and somehow "recover" the account only with the help of a password?

    I did not understand the conclusion of "only with the help of a password". Since if password is known and, for example, 2FA or two step verification is not using - then password is enough to such a task.

    However, just to use 'password recovery' functionality should not be enough. By the way, I can not to restore access to my own (freshly) created account on Google. Since I forgot(?) password - but all information is somewhat known for me - however was not enough to ensure Google auto process.

    With enough information about victim or trying to contact support (phish them) - likely situation. But large companies are ready for that. So, it should not be too much easy.

    Some years before - it was quite common situation to use 'restore' access to account by answer to the secret (one) question. So it was something that is trouble on your sentence. But on current days - situation is much better.

    Again if security design of recovery functionality is good. If there are no any vulnerabilities around this flow. If it is not possible to trick process by psychical access to mobile phone or victim's devices.

    Is it necessary to send an email (phishing) before or can they just hack the facebook itself?

    I think depends on certain situation - can be different ways. But, perhaps, spam and rogue letters (phishing) are still too much 'easy' way and too much powerful. What about "hack the facebook itself" - if it is possible - not need to send an email. From victim - attacker want to know (probably) password, critical PII, remote access to his system. If such things are not needed for the trick - so not need to 'contact' user.

    Does a hacker have to know his victim or can he just break into random accounts?

    I think both. Attacker can just break into random accounts. For his (they) 'fun' or profit.

    Or as I wrote before - by automated processes (no a reason - just a random result).

    However, if to call professional attacker as "hacker" - then he have to know his victim. And if attacker want to do some manual work (victim is a potentially important target) - then he have to know his victim for successful targeted attack.

    By the way, F-Secure website with some useful pages about some points:

    where you could check whether your email is leaked somewhere or not. some services even can be about leaked passwords data and so on. however, need to use only really trusted for you. Since to provide your email to any online checker is a quite tricky thing.

    to check how much information are 'public' about you.

    Sorry for my long reply. And sorry for my English.

    If there can be continuation of discussion - I can a bit explain most of 'unclear' meanings of my words.

    Thanks!

  • sewi4
    sewi4 Posts: 4 New Member

    Hi, thanks for answering

    I also wonder, if these  automated processes can also find email or mobile number or the hacker has to find it out on their own?

    Can he perhabs get access to some database of all registered emails?

     ,

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    automated processes can also find email or mobile number or the hacker has to find it out on their own?

    Not really 'to find'. But, perhaps, 'to generate' or 'to compose' such a list. Because email is only "words" and mobile number is only "numbers" with certain requirements for its look.  So, it can be completely random. However, even if someone with such a list - then he should to ensure which ones are really 'active' and 'exist'. For example, he can to try send spam letter or to call. If there is an answer - then email or number is 'valid'. Such a task can be automated too.

    Can he perhabs get access to some database of all registered emails?

    I am not sure that it is really possible. Just because 'all registered emails' means critical data of each email service providers and 'own' (users) hosted email servers. I think database with all registered emails, for example, of Google Mail should be protected against unauthorized access to it.

    BUT there are a lot of leaked databases from different services, websites, (email providers too), forums and so on. Also just generated lists of email addresses (with inclusions of these emails which can not be used or valid at all).

    So, most likely, someone will try to use this opportunity and use already 'existed' databases of known emails. It is pretty much data, actually.

    But, again, to known only email address is not enough to hack it. Because, for example, if 'criminal actor' know psychical address of Bank (and the place where the 'money' is actually stored) - it does not mean that it is easy to make a crime against bank.

    Thanks!

  • sewi4
    sewi4 Posts: 4 New Member
    edited May 2020

    Okay, so if i understand it correctly, if i have a weaker password, hacker can easilly randomly hack my account by these automated processes without even knowing my email, mobile number or anything? Can it also be done secrety, that i wont find out, that somebody was attempting to hack my account?

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    Okay, so if i understand it correctly, if i have a weaker password, hacker can easilly randomly hack my account by these automated processes without even knowing my email, mobile number or anything?

    So, actually - no. Or I have to create some remarks:

    • if user with a too weak password (for example, "123456"). Or, for example, password is leaked or hardcoded under hardware/software (what can be with admin panel of routers, as example) and it is known one password for attacker;
    • then attacker can to attack user even if he is not knowing him well or anything about him.
    • attacker could try to 'brute force' not only password for known email. But also username or email or mobile number - for example, if it is known that the password is used in one of the accounts in this service. It can be completely automated processes, crawling around. Or trying each email (that he could imagine) / password pair.

    However, it is not so likely situation. Most of web services (large ones) with own protection against such threats. Web services backend/frontend/anything may suspect something strange and to prevent attempts to perform harm.

    But if more information is known for an attacker - then it is likely situation. But again, remarks:

    • there is a "web service" where user has an account (email / password).
    • if user with a weak password and password is known for an attacker - then, of course, it is not enough for automated process to hack account. Because 'email' is an important part of login process. And knowing only the password is not really somewhat helpful for attacker. Thus, automated processes should to find 'email' or to use already known all required information (that can be gathered from other automated processes or manual work; or from leaked databases or other sort of source).

    If user, in addition, with 2FA (or two step verification) - where mobile phone involved - then knowing email/password is not always enough for trouble. Because, then SMS or anything like that is required. Actually, hacker could try to bypass this layer too. In principal, it is possible by some ways. But sounds more as a target attack against user. If so - target attacks can be successful even with good security design (but it is not so likely as with bad security design. and user anyway should care about security).

    So, hack can easily and randomly hack "account" by some way with using some information - but it is not pinned to someone directly. It is can be leaked pair of email/password for service and not used additional security patterns by user (2FA). Or vulnerability on service and unexpected access to account or something like this.

    Sorry for my English and not clear explanation of my opinion.

    Thanks!

  • sewi4
    sewi4 Posts: 4 New Member

    Hi, I also wanted to ask if the hacker could break into FB account by an accident, I mean rewriting something in text or mistakenly alter an email, when he was trying to hack someone else's account

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    In general, trouble can happen by accident. However, bearing in mind your described method - it is doubtful.

    Since some clarifications are needed:

    - "break into FB account" is accessing someone else's account?

    If so, such trouble can be if:

    • required credentials are known for attacker. For example, email/password pair. Then goes be some mitigations: if account with configured additional security options - then attacker should bypass it OR to have access to required stuff. For example, mobile phone (physically or with an ability to workaround it - duplicate of SIM-card/SMS catching or something else) - if 2FA/Two-Step Verification is there. If there is something as psychical token in use - then it is already stronger security design for user. And so on (IP limitations, own website protection logic against fraud).
    • attacker can to use user's device psychically. Or remotely via malicious software on user's system.
    • website with vulnerabilities which can be exploiting in such a way that attacker can to get access into someone's account.

    So, basically all things are pretty tricky to do when discussing large website and potentially well-protected user's data by his own.

    Attacker can try to use rogue/scam ways ('social engineering'). For example, 'phishing'. As try to 'receive' data directly (fake forms/fake requests). Or just to load a malware.

    So, do not use untrusted/unprotected networks (public Wi-Fi) via not encrypted connection is not recommended. To open suspicious letters is not recommended too, and especially to run/launch/open strange attached files. To visit unknown/untrusted or harmful-rated websites is dangerously. In addition, passwords should be really strong and unique. Stored securely even locally. And many other general tips.

     I mean rewriting something in text or mistakenly alter an email, when he was trying to hack someone else's account

    I am not sure. Could you explain this sentence a bit more? Did you mean if attacker trying to guess password for someone else's account, but instead he found a password for another account?

    Completely random hack accident or mistakenly 'break' can be, I think, only if website with internal broken design / vulnerability with such impact. Otherwise, it can not be completely random. So, attacked should be with something about account and way to hack it and not another one.

    But, basically, attacker can to try 'break' many accounts at once - he did not have any reason, any 'knowledge' for each one. With such wording - it can be accidently. Since accounts with weak passwords (and no any other security layers / options) can be hacked easily than others.

    And one form of 'attack' against them is:

    • list of emails.
    • list of 'generated' passwords.
    • check each one possible pair.

    so, it can be long process and a lot of time if password is good enough. If not - some minutes/seconds/hours. I think this topic is discussed somewhere, even on Facebook pages with their recommendations about security.

    Sorry for my potentially misleading and confusing words / sentences!

    Thanks!

  • johnjony
    johnjony Posts: 1 New Member

    In Facebook App, you can check the time duration of your Online Activity on Facebook. However, there is no such thing on Desktop.

  • Carols34
    Carols34 Posts: 1 New Member

    I was always sure Facebook is one of the most vulnerable social network. I like how they block normal people' accounts every day, but at the same time there are so many cases of online crimes there.

  • MarkKalski
    MarkKalski Posts: 1 New Member

    Facebook don't look vulnerable for me. I think people make mistakes those hackers don't forgive, that's why there are so many scam online.

  • MarthaP
    MarthaP Posts: 6 Observer

    I don't consider Facebook neither vulnerable nor secure. It's just like any other site on the internet. You have to understand what information you share and where you share it, and especially do not click links unless you are 100% about it.

  • johnmarkos
    johnmarkos Posts: 1 New Member

    No one safe on internet.

  • JamesMiller
    JamesMiller Posts: 3 Observer

    There are numerous ways to steal your data not only on FB.

    Phishing emails can steal your confidential information like passwords and bank account details. This kind of emails are usually come from a well-known person or organisation like your bank or company that you work for. It could be some urgent information that your card has been disabled and you need to reactivate it.

    Malware (viruses/spyware/Trojans) can also steel available data and track your activities.

    Even some malicious mobile apps can put your privacy at risk. It usually includes account access to your contact list, microphone access, device admin permission.

    Just try to avoid insecure network and apps, and don't say your personal info to everyone.


    Hope it was helpful.

    Regards, James

  • chalessmith11
    chalessmith11 Posts: 7 Observer

    Very helpfulful discussion here, i learned alot.

  • GabrielJones
    GabrielJones Posts: 2 New Member

    Use 10 to 12 character password with symbol.

  • ElanoMike
    ElanoMike Posts: 1 New Member

    I'm also confused as well. I would like to secure my FB. Though I set a difficult password already. But still I am worried because is there any possibility to hack my account?

  • Ukko
    Ukko Posts: 3,611 Superuser

    I'm also confused as well. I would like to secure my FB. Though I set a difficult password already. But still I am worried because is there any possibility to hack my account?

    Hello,

    With a difficult password (which is also stored securely) - your account is less likely to be hacked than with a weak password. That's all.

    General things to know:

    -- your password should be difficult and unique (because a 'difficult' password that is used for all services is not a good idea).

    -- it would be good to reduce possibilities to steal your password (psychically, remotely, by  trick or something like that). This includes a different range of things: not tell anyone the password (except for some exceptional situations), store it securely (nowadays it is fashionable to use software like password managers), have security software in the system / device (to reduce the likelihood of malware stealing the password by different ways, including keyloggers). And so on. The password is somewhat your secret. And it must be kept "secret".

    -- you must be careful and vigilant. For example, to ensure that emails from Facebook are really from Facebook. When accessing a Facebook page - do it from a reliable source and with guarantees that this is a Facebook page. Then, it would be nice to use secure networks (not as a public Wi-Fi, for example). It is possible to mitigate 'unsecure' network by VPN software (but  is not always an option).

    -- if Facebook has it, then you can set up 2FA (or two step verifications) or some other means of securing the login to your account.

    -- possibilities to hack your account with good design of above things are something like:

    • if the attacker will guess your password (while knowing your email / login and your account without additional login protection); a bit fantastic.
    • if Facebook will be hacked; if this happens, then in principle there will be attempts to use the accounts of specific people (rather than random ones). Yes, and most likely in trying to calm down before using. So you just have to be careful and attentive to the "oddities".
    • the password will be stolen in one way or another (or a fraudulent login method will be used, for example, using your own device).

    Generally speaking, everything is as with normal security. For example, a "good" door to a house. There remain opportunities for illegal penetration, but this is often rather conditional. But it is worth taking some additional measures.

    Some F-Secure resources about: https://www.f-secure.com/v-descs/articles/dealing-with-passwords.shtml

    https://www.f-secure.com/v-descs/articles/securing-web-browsers.shtml

    Thanks!

  • chalessmith11
    chalessmith11 Posts: 7 Observer

    Thanks Ukko

    Both articles are very useful for facebook user like me. I will always follows the instruction which is given in this article.

    Some F-Secure resources about: https://www.f-secure.com/v-descs/articles/dealing-with-passwords.shtml & https://www.f-secure.com/v-descs/articles/securing-web-browsers.shtml

  • Alvinda
    Alvinda Posts: 1 New Member

    This is the era of technology. Social apps like Facebook & WhatsApp have gained so much popularity that most of us seem addicted of these. But that's a great point that we should never compromise on our security and always double-check if we're taking all steps to ensure our security or not.

This discussion has been closed.