‘I lost £11,878 in a Facebook payment fraud’

The Daily Telegraph - Your Money - FRONT PAGE

This reader found that his payment details, normally used to buy advertising on the website, had been hacked. By

Fraudsters can not only glean reams of valuable personal data from what users post on their Facebook pages; if they can actually hack a Facebook account where users have stored their payment details, they can steal substantial sums.

In what could be viewed as a weakness in Facebook’s systems, once you use the site to make a purchase you’re unlikely to be asked for subsequent authorisation – or be notified by your bank or Facebook.

Jasbir Mann discovered that more than 100 fraudulent payments, adding up to almost £12,000, had been made to an online gambling game using his Facebook account.

Mr Mann, who runs his own yoga studio in Warwickshire, said he kept his debit card details stored on Facebook as he occasionally paid to advertise his business on the social media site. The adverts usually cost about £30.

But between Sept 26 and 28 he was horrified to view 110 transactions, ranging between £21 and £215, made to an online poker game site he had never used.

“Aside from the occasional lottery ticket I don’t gamble and do not know how to play poker,” he said.

He immediately contacted his bank, Barclays, which cancelled his card and told him to remove his details from Facebook.

Facebook began refunding some of the transactions, paying £5,747 of the stolen £11,878 back in 30 tranches on Sept 28. But then the refunds mysteriously stopped. Mr Mann, 45, checked his Facebook account and saw – in the “Payments history” section within “Settings” – 110 transactions that matched the fraudulent payments. He raised a dispute with the social media giant.

Moments later the entire history disappeared, he claimed.

Mr Mann said he received a couple of messages from Facebook asking for him to submit further details using the generic link it included. But he said it didn’t work.

Mr Mann turned his attention to Barclays and tried to spur it into action. Here, also, the process was “slow and disjointed”, he said.

Mr Mann said: “I can’t believe Barclays and Facebook have taken so long to deal with this. I’m a yoga


Facebook refused to explain how the fraudsters managed to access Mr Mann’s account, but hacking expert Chris Underhill of Equiniti Cyber Security provided a theoretical explanation.

Conmen obtain passwords through data breaches or by sending out “malware” via email, he said. This, when accidentally installed by an unknowing user, accesses passwords saved on users’ computers or smartphones.

You can check if your password has been breached by entering your email address on haveibeenpwned.com.

Once fraudsters have your password and username for one service, they can check to see if they’ve been reused on other sites using software known as “credential stuffers”.

Criminals can also get hold of personal details through “phishing”. This ruse involves a criminal posing as a trusted organisation, or individual, over email or another form of correspondence in order to trick victims into handing over their personal information.

Fraudsters have been known to send out emails purporting to be from HMRC, the police and banks.

And once you’ve authenticated the payments – depending on how they’re set up – you’re not asked to reauthenticate them. Facebook holds more on you than you think,” he added.

“If someone gets access, they can download your entire history and use it to impersonate you.” He suggested keeping an eye on your access history to see if your account has been logged into from devices that aren’t yours.

You can also set up “two factor” authentication, which will send you a code to confirm login attempts.

Facebook has not answered Telegraph Money’s questions regarding how Mr Mann’s account was accessed, how the fraudsters managed to steal £12,000 and why initially it refunded only some of the cash.

The social media site apologised for delays in keeping Mr Mann informed, and a spokesman said: “We can confirm that unfortunately this account was compromised. A full refund has now been made.”

Facebook said it took a “number of precautions” to safeguard users and prevent unauthorised access.

Barclays said the fraudulent transactions were able to go through undetected because Mr Mann had previously given consent to Facebook using his 16-digit card number under the “recurring payments” process.

By providing his card details, he effectively “authorised” future payments, the bank said. These can be for regular or irregular amounts and frequencies.

A Barclays spokesperson said: “This is a rare occurrence of a merchant submitting numerous payments made through a customer’s existing authorisation.

“In such situations we will seek the return of the funds through the chargeback process – and dispute forms were issued to the customer to progress a claim.”

‘I was able to see my Facebook payment history – and then it just vanished’
