‘I lost £11,878 in a Facebook payment fraud’
This reader found that his payment details, normally used to buy advertising on the website, had been hacked.
Fraudsters can not only glean reams of valuable personal data from what users post on their Facebook pages; if they can actually hack a Facebook account where users have stored their payment details, they can steal substantial sums.
In what could be viewed as a weakness in Facebook’s systems, once you use the site to make a purchase you’re unlikely to be asked for subsequent authorisation – or be notified by your bank or Facebook.
Jasbir Mann discovered that more than 100 fraudulent payments, adding up to almost £12,000, had been made to an online gambling game using his Facebook account.
Mr Mann, who runs his own yoga studio in Warwickshire, said he kept his debit card details stored on Facebook as he occasionally paid to advertise his business on the social media site. The adverts usually cost about £30.
But between Sept 26 and 28 he was horrified to view 110 transactions, ranging between £21 and £215, made to an online poker game site he had never used.
“Aside from the occasional lottery ticket I don’t gamble and do not know how to play poker,” he said.
He immediately contacted his bank, Barclays, which cancelled his card and told him to remove his details from Facebook.
Facebook began refunding some of the transactions, paying £5,747 of the stolen £11,878 back in 30 tranches on Sept 28. But then the refunds mysteriously stopped. Mr Mann, 45, checked his Facebook account and saw – in the “Payments history” section within “Settings” – 110 transactions that matched the fraudulent payments. He raised a dispute with the social media giant.
Moments later the entire history disappeared, he claimed.
Mr Mann said he received a couple of messages from Facebook asking for him to submit further details using the generic link it included. But he said it didn’t work.
Mr Mann turned his attention to Barclays and tried to spur it into action. Here, also, the process was “slow and disjointed”, he said.
Mr Mann said: “I can’t believe Barclays and Facebook have taken so long to deal with this. I’m a yoga
AN OPEN BOOK? HOW CONMEN GET IN
Facebook refused to explain how the fraudsters managed to access Mr Mann’s account, but hacking expert Chris Underhill of Equiniti Cyber Security provided a theoretical explanation.
Conmen obtain passwords through data breaches or by sending out “malware” via email, he said. This, when accidentally installed by an unknowing user, accesses passwords saved on users’ computers or smartphones.
You can check if your password has been breached by entering your email address on haveibeenpwned.com.
Once fraudsters have your password and username for one service, they can check to see if they’ve been reused on other sites using software known as “credential stuffers”.
Criminals can also get hold of personal details through “phishing”. This ruse involves a criminal posing as a trusted organisation, or individual, over email or another form of correspondence in order to trick victims into handing over their personal information.
Fraudsters have been known to send out emails purporting to be from HMRC, the police and banks. “And once you’ve authenticated the payments – depending on how they’re set up – you’re not asked to reauthenticate them. Facebook holds more on you than you think,” he added.
“If someone gets access, they can download your entire history and use it to impersonate you.” He suggested keeping an eye on your access history to see if your account has been logged into from devices that aren’t yours.
You can also set up “two factor” authentication, which will send you a code to confirm login attempts.
Facebook has not answered Telegraph Money’s questions regarding how Mr Mann’s account was accessed, how the fraudsters managed to steal £12,000 and why initially it refunded only some of the cash.
The social media site apologised for delays in keeping Mr Mann informed, and a spokesman said: “We can confirm that unfortunately this account was compromised. A full refund has now been made.”
Facebook said it took a “number of precautions” to safeguard users and prevent unauthorised access.
Barclays said the fraudulent transactions were able to go through undetected because Mr Mann had previously given consent to Facebook using his 16-digit card number under the “recurring payments” process.
By providing his card details, he effectively “authorised” future payments, the bank said. These can be for regular or irregular amounts and frequencies. A Barclays spokesperson said: “This is a rare occurrence of a merchant submitting numerous payments made through a customer’s existing authorisation.
“In such situations we will seek the return of the funds through the chargeback process – and dispute forms were issued to the customer to progress a claim.”
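The bank’s explanation is that a stored-card (“recurring payments”) authorisation let the merchant submit payment after payment without any fresh check. A simple control on the issuer or merchant side is to compare each merchant-initiated payment against the cardholder’s own history with that merchant: how often they normally pay and how much. The following is an added illustration of that check, not code from the article, Barclays or Facebook; the function name, thresholds, card tokens, dates and amounts are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median
from typing import NamedTuple


class Txn(NamedTuple):
    ts: datetime
    card: str        # token for the stored card, never the 16-digit number
    merchant: str
    amount: float


def stored_credential_alerts(history, live, window=timedelta(hours=24),
                             max_in_window=3, amount_factor=4.0):
    """Flag merchant-initiated payments on a stored card that break the
    cardholder's own pattern with that merchant.

    history: the cardholder's prior, undisputed activity (the baseline).
    live:    new merchant-initiated payments, any order.
    Returns a list of (reason, txn) in time order. Thresholds are assumptions
    chosen for the example, not real issuer rules."""
    typical = defaultdict(list)                 # (card, merchant) -> past amounts
    for t in history:
        typical[(t.card, t.merchant)].append(t.amount)

    recent = defaultdict(deque)                 # (card, merchant) -> timestamps in window
    alerts = []
    for t in sorted(live, key=lambda x: x.ts):
        key = (t.card, t.merchant)
        q = recent[key]
        q.append(t.ts)
        while t.ts - q[0] > window:             # drop payments older than the window
            q.popleft()
        if len(q) > max_in_window:              # a burst the customer never showed before
            alerts.append(("velocity", t))
        past = typical.get(key)
        if past is None:                        # stored card used by a merchant never paid before
            alerts.append(("no_prior_relationship", t))
        elif t.amount > amount_factor * median(past):
            alerts.append(("amount_outlier", t))  # far above this customer's usual spend
    return alerts


def demo():
    """Constructed data: a cardholder who pays about £30 a month for adverts,
    then sees a three-day burst of larger payments from the same merchant."""
    ads = "FACEBOOK ADS"
    history = [
        Txn(datetime(2019, 6, 3, 14, 0), "tok_4421", ads, 30.00),
        Txn(datetime(2019, 7, 8, 9, 30), "tok_4421", ads, 28.50),
        Txn(datetime(2019, 8, 12, 16, 5), "tok_4421", ads, 32.00),
        Txn(datetime(2019, 8, 20, 11, 0), "tok_9002", ads, 30.00),   # unrelated customer
    ]
    live = [
        Txn(datetime(2019, 9, 26, 9, 10), "tok_4421", ads, 21.00),
        Txn(datetime(2019, 9, 26, 9, 25), "tok_4421", ads, 45.00),
        Txn(datetime(2019, 9, 26, 10, 2), "tok_4421", ads, 60.00),
        Txn(datetime(2019, 9, 26, 11, 40), "tok_4421", ads, 215.00),
        Txn(datetime(2019, 9, 27, 8, 15), "tok_4421", ads, 150.00),
        Txn(datetime(2019, 9, 27, 8, 20), "tok_4421", ads, 35.00),
        Txn(datetime(2019, 9, 28, 12, 0), "tok_4421", ads, 99.00),
        Txn(datetime(2019, 9, 27, 10, 0), "tok_9002", ads, 31.00),   # normal, no alert
    ]
    return stored_credential_alerts(history, live)


if __name__ == "__main__":
    for reason, t in demo():
        print(f"{t.ts:%Y-%m-%d %H:%M}  {t.card}  £{t.amount:7.2f}  {reason}")
```

With the constructed data the fourth payment on 26 Sept is the first to trip the velocity rule, and the £215 and £150 payments also trip the amount rule against a median of £30; the other customer’s single £31 payment raises nothing. The point of the baseline is that the merchant itself is not new, so a “new merchant” check alone would have stayed silent; it is the rate and size relative to this cardholder that stand out.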
‘I was able to see my Facebook payment history – and then it just vanished’