Jan 28 2009

It started with a phone call around 7.30pm on Wednesday night, January 14th. A concerned friend was calling from interstate.

“Mark, where are you?” he asked.

“I’m at home. Why?” I replied.

“So you’re not in London?”

“No.”

“And you haven’t been robbed at gunpoint and had your wallet stolen?”

“No! What on Earth are you talking about?”

“Mark, I am on Facebook right now, talking to you, and you’ve just told me that you’re in London, that you have been robbed, and that you need urgent financial assistance so you can get back to Sydney.”

“Oh crap!”

Trying to Make Contact with Facebook

I immediately tried to log into my Facebook account. The login screen reported that I had used the wrong password. I guessed (correctly, as it transpired) that the hacker had changed my password to prevent me from accessing the account. I did a quick scan of the Facebook help pages and worked out that I could request that the password be reset, with the new password sent to my email account. I clicked to access the password reset screen, and Facebook asked me for details of the email address linked to my Facebook account. I entered my email address and it was rejected – the hacker had changed the email address linked to the account (presumably to stop the password being reset). Clever.
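The reset flow above failed because the intruder swapped the linked address before the owner could use it. What follows is an added example, not code from this post or from Facebook, of a recovery model in which a changed contact address keeps its recovery rights for a grace period and is told about the change; GRACE_SECONDS, the in-memory outbox and the account fields are my assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GRACE_SECONDS = 7 * 24 * 3600  # assumed window in which the old address keeps recovery rights


def hash_password(secret: str) -> str:
    # Stand-in for a real password hash; use argon2 or bcrypt in production.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Account:
    user_id: str
    password_hash: str
    contact_email: str
    previous_email: Optional[str] = None
    previous_email_valid_until: float = 0.0
    reset_tokens: Dict[str, str] = field(default_factory=dict)  # token -> address it went to


class AccountService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.outbox: List[Tuple[str, str]] = []  # (recipient, message); stands in for email

    def change_contact_email(self, acct: Account, new_email: str) -> None:
        # Stage the change: the old address keeps recovery rights for GRACE_SECONDS and is
        # told about the change, so a silent swap by an intruder is visible to the owner.
        acct.previous_email = acct.contact_email
        acct.previous_email_valid_until = self.now() + GRACE_SECONDS
        acct.contact_email = new_email
        self.outbox.append((acct.previous_email,
                            f"Contact address changed to {new_email}; request a password "
                            "reset from this address if that was not you"))

    def recovery_addresses(self, acct: Account) -> List[str]:
        addrs = [acct.contact_email]
        if acct.previous_email and self.now() < acct.previous_email_valid_until:
            addrs.append(acct.previous_email)
        return addrs

    def request_password_reset(self, acct: Account, claimed_email: str) -> bool:
        # A reset link is issued only to an address that currently holds recovery rights.
        if claimed_email not in self.recovery_addresses(acct):
            return False
        token = secrets.token_urlsafe(32)
        acct.reset_tokens[token] = claimed_email
        self.outbox.append((claimed_email, f"Password reset token: {token}"))
        return True

    def complete_password_reset(self, acct: Account, token: str, new_password: str) -> bool:
        sent_to = acct.reset_tokens.pop(token, None)
        if sent_to is None:
            return False
        acct.reset_tokens.clear()  # any other outstanding reset links die with this one
        acct.password_hash = hash_password(new_password)
        if sent_to == acct.previous_email:
            # The owner recovered through the old address: undo the intruder's change too.
            acct.contact_email = acct.previous_email
            acct.previous_email = None
            acct.previous_email_valid_until = 0.0
        return True


def walkthrough() -> Tuple[bool, bool, str]:
    # Constructed scenario mirroring the post: the intruder swaps the contact address,
    # yet the owner can still reset from the old address inside the grace window.
    clock = [1_000_000.0]
    svc = AccountService(now=lambda: clock[0])
    acct = Account("mark", hash_password("owner-pw"), "owner@example.com")
    svc.change_contact_email(acct, "intruder@example.net")
    accepted = svc.request_password_reset(acct, "owner@example.com")
    token = next(t for t, addr in acct.reset_tokens.items() if addr == "owner@example.com")
    reset_ok = svc.complete_password_reset(acct, token, "new-owner-pw")
    return accepted, reset_ok, acct.contact_email
```

Once the grace window has passed, the old address loses its recovery rights and a reset request naming it is refused like any other unknown address.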

By this time, my mobile had rung several times and I had received multiple SMS messages from concerned friends, and the stress levels were rising.

I did another scan of the Facebook site looking for a contact phone number for their Help Desk or security team. Nothing listed. I looked for a contact email address. Nada. I did a couple of Google searches looking for any trace of a contact point (nothing, with the exception of the representative of their PR company).

The only option for making contact with Facebook that I could locate was to fill out their online form for reporting password problems, which I did immediately (in fact, I did it twice, one reporting the change of password, and one reporting the on-going phishing/scam activities by the hacker). Somewhat surprisingly, I received auto-confirmations of these reports to my email address, despite the hacker having changed the email address linked to the account.

I continued scanning the Facebook site for a direct contact address, first reviewing their Terms of Service and then their Privacy Policy. Bingo – the Privacy Policy page listed the privacy@facebook.com email address. I sent them an email advising of the problem at 7.54pm, asking them to contact me immediately on my mobile.

I then jumped onto Twitter to ask my contacts whether anyone knew any representatives or employees at Facebook. No such luck.

A friend told me that my Twitter stream was still showing up in my Facebook status alert box (thanks to the Twitter app I had installed on my Facebook account), so I started sending a series of Twitter messages indicating my Facebook account had been hacked. Friends also started posting similar messages on my Facebook wall, trying to warn others of the on-going scam effort (although I later learnt the hacker started deleting these as soon as they appeared).

Leveraging social networks

For the next 24 hours, I waited.

I sent off several additional emails to Facebook (to their privacy@facebook.com email account, and to the return email address from which the auto-generated responses were sent, info+nszvnfe@facebook.com). I received no further responses.

The hackers were clearly still active in my Facebook account, as attested by the number of calls and SMSs I continued to receive. Several friends who had twigged to the scam played along with the hacker, and captured transcripts of the conversations, which they sent to me. The hackers were clearly sophisticated – the stories followed a script very closely, but they were able to adjust according to the responses from my friends. They quoted Western Union account numbers for the transfer, and prodded my friends to “please hurry” as I was still in danger.

My levels of frustration and stress were steadily rising. The source of my stress was the fact that hackers were contacting some unknown number of my friends and trying to scam money from them, and I had no idea who or how many had fallen victim to the scam out of concern for my well-being. The source of my frustration was the fact that I could not raise anyone at Facebook to respond to this on-going criminal activity.

On Thursday night, after another evening and attempts to sleep punctuated by concerned calls and SMSs, I decided I needed to try to engage with local law enforcement agencies.

Around midnight, after answering another call from a concerned friend, I started researching my options. I called the Australian Federal Police (who, helpfully, have a 24/7 telephone service). Unfortunately, while they were familiar with the issue, they were unable to help (they pointed me in the direction of ScamWatch, a service run by the Australian Competition and Consumer Commission, a government consumer watchdog, for tracking scams, illicit multi-level marketing schemes and the like). As it was after midnight, I completed an online form describing the problem.

I then found the Australian High Tech Crime Centre. Unfortunately, it seems to be little more than a brochure-ware site that does not list any contact details. It did have an online form however, so I also submitted an alert via their site.

(At the time of writing, I have not received a single response from either the ACCC or the AHTCC.)

I returned to the Australian Federal Police Web site, and located the contact phone number for the New South Wales e-crimes squad. Unfortunately, there was no answer on the telephone number listed, nor a voicemail service.

By now, it was 1.30am, and I was at my wit’s end. I decided it was time to leverage some of my “social network” to address this issue.

I am a subscriber to Professor Dave Farber’s Interesting People mailing list. I knew this list had numerous computer security researchers as subscribers. So I penned a quick email, asking for help:

Dave,

I am writing partly to vent my frustration but mainly in the vain hope someone on the IP list can help me out.

My Facebook account was hacked approximately 40hrs ago. I discovered this when I was called by a concerned friend who wanted to confirm that I was being held at gunpoint in London and desperately needed him to wire me cash (via Western Union) so I could escape the country and return to Australia. Of course, I was not in London, and it was not me he was chatting to on Facebook.

I immediately attempted to log into Facebook, but the password had been changed. So I tried to reset the password, but the email address linked to my Facebook account had also been changed. I could not access my account.

I spent an hour scanning the Facebook site looking for a contact phone number. No such luck. I completed 2 different incident reporting forms, and received auto-confirmations. I then scanned their T+Cs and Privacy notices and discovered the privacy@facebook.com email address and sent an email to that address.

40 hours later, I have had no response from Facebook, and I have been alerted by friends that the perpetrators are still active on my account, initiating chats with people begging for help and a money transfer. I just alerted several authorities in Australia (though it is now 1.30am in Sydney, so had to use online forms). Unfortunately, the Australian Federal Police (who do have a 24hr hotline) couldn’t help me (they referred me to a Scam Watch service!).

So I am asking whether anyone on the IP list has a direct contact with an appropriate stakeholder at Facebook, or some specific advice on who I might contact in the US to get the account suspended and the perpetrators locked out (or, better, traced and apprehended).

Any feedback appreciated.

Regards,

Mark

It was clearly the right step to take. Within minutes of the email being distributed to mailing list subscribers, I received numerous offers of help. Within an hour, I received an email from Chris Kelly, Facebook’s Chief Privacy Officer, indicating that my email had been passed onto him, and that his team was on the case. Within an hour of Chris’s email, I received an email from Facebook Support, indicating that the account had been suspended. The hackers, it seemed, had been locked out.

Unanswered questions

I sent an email to both Chris Kelly and the support team thanking them for their assistance. However, I could not let the matter rest, as there were too many unanswered questions.

1. How did the hacker get into my account in the first place? Did they ‘brute force’ my password, or did they appear to already know it? (I have my theory that they exploited a known security weakness in the Twitter API).

2. Which of my friends did they make contact with? (so I could contact them personally and ensure no-one fell victim to the scam).

3. Why did it take Facebook over 48 hours to respond, and only then after my public plea for help was passed by an external contact into the hands of the Chief Privacy Officer?

(Incidentally, only yesterday – 12 days after I submitted my original incident report via the Facebook online form – did someone from the Abuse department follow-up that report, and only then it was to note that it appeared it had already been dealt with).

4. Why doesn’t Facebook publish a contact phone number or the email address of a real person (such as the Chief Privacy Officer) as an escalation point?

I have received no answers to questions 1, 3, or 4, despite following up with Chris via email.

With respect to ascertaining which friends the hackers had contact with, I received this advice from Facebook:

Unfortunately, we cannot release the information you requested unless we receive a valid subpoena or court order. You should contact a lawyer or your local law enforcement agency and discuss this issue with them. If you decide to pursue legal action, have the lawyer or officer contact us at privacy@facebook.com, and we’ll provide more information about the process.

I was also advised (rather unhelpfully) that I could check whether there were any messages in my Facebook Inbox or on my Wall that might reveal who the hackers spoke to. Clearly Facebook were not going to lift a finger to help me determine whether any of my friends (that is, other Facebook users) fell victim to this criminal activity perpetrated via their service.

Not Over Yet

Unfortunately, the saga wasn’t over yet.

Once my Facebook account had been suspended, the Support team sent me an email asking me to verify my identity (i.e. that I was the original owner of the account). They did this by asking me to answer a security question that was posed during the original account creation process. Having confirmed my identity, they issued me with an email containing instructions on how to reactivate my account.

I did not want to reactivate the account until I had received some answers. Unfortunately, the hacker had other ideas.

That evening, I received still more calls. The hackers were active on my account. After it had been suspended. Before I had reactivated it.

I immediately fired off an email to Chris Kelly asking what was going on. The account was promptly suspended again. But how did the hackers get back in?

The Support team suggested my PC might be infected by a Trojan program or some similar malware, which allowed the hackers to see my email. Multiple scans via several different tools and online security services indicated my PC was clean.

They also suggested that somehow the hackers also knew my email account password (I used a GMail account as the contact point for Facebook). Possible, I suppose, but very improbable.

Facebook are yet to provide me with an explanation of how the account found itself reactivated, and who reactivated it. Presumably they have IP address logging capabilities and could easily determine where the reactivation request came from.

Media Attention

My email to Prof Farber’s Interesting People discussion list took on a life of its own. It was republished in Risks Digest as well as on the Wired magazine blog, under the amusing title of Kidnapped on Facebook.

As a result, I was contacted by a number of journalists and media outlets in Australia and overseas, who ran stories on the hacking event. Within hours of each article appearing, I would receive emails from other victims of similar incidents who were also unable to get any response from Facebook. I pointed all of these people in the direction of Chris Kelly, and most replied indicating that soon after making contact with him, Facebook was quick to respond.

(If any one reading this is having similar difficulties with Facebook, please contact me and I will put you in touch with Chris)

Does Facebook Owe a Duty?

One of the people who contacted me for assistance made the observation that he doesn’t “blame” Facebook for the lack of support, given they provide a “free” service.

Complete claptrap.

Facebook’s service isn’t “free”. Users pay for it by giving Facebook access to their personal data (which they data mine for commercial purposes), and by giving attention to the (targeted) advertisements that Facebook generates as a result. We “pay” by paying attention.

In this day and age it is simply unacceptable for Facebook to have such a pitiful incident response infrastructure. If its “virtual” members were citizens, Facebook would be a sizeable country. It is the custodian of private data for tens of millions of people, and that data is all too frequently being misused by criminals.

I would argue that Facebook owes a fiduciary obligation to its members to take a more proactive stance than they have to date. It certainly should immediately upgrade the infrastructure and processes that it has in place for dealing with criminal activities and identity theft.

I am still awaiting a detailed response from Facebook to my questions. I don’t hold high hope of receiving any.

Sep 06 2007

History tells us that it is rare indeed that a single individual will come up with a totally new idea that leads to innovation (even Newton is purported to have needed a bit of help in the form of an apple). Innovation is more likely to arise from the recombination of existing ideas in novel ways or in different contexts, such as applying ‘tried and true’ practices from one industry to another.

Recombination of this type is only possible if ‘innovation elements’ – ideas, people and organisations – are given an opportunity to interact with one another. Diversity of people, thoughts and interests are the lifeblood of the innovation process.

Ok, that all makes sense – but why bacteria?

It is the biological realm of bacteria that provides the best ‘entrepreneurial’ example of how to crank up the innovation process.

Bacteria breed – recombine – every 20 minutes. That’s three generations – three spins of the evolutionary wheel – per hour. But this amazing recombination rate doesn’t fully explain bacteria’s evolutionary resistance – or should that be persistence!

Bacteria are in a constant state of evolutionary flux. They achieve this by a process known as ‘lateral gene transfer’, which is a really technical way of saying that your typical, garden-variety bacterium is an evolutionary kleptomaniac.

Bacteria excel at stealing useful genes from other organisms. How they do this provides a ready reckoner for entrepreneurs looking to obtain ideas from other industries to provide an innovation breakthrough.

Bacteria can ‘acquire’ gene sequences through:

- Conjugation (that is, physical contact with the host of the soon to be acquired cells),

- Transformation (picking up DNA that has been abandoned by another organism)

- Transduction (where the bacteria replicates itself inside the other organism, bringing with it random DNA fragments).

The business equivalent of conjugation is getting out and mingling with people who are “different” to you – who work in different industries, have different interests, hobbies and perspectives. Transformation, of course, can happen when we study business history, learning how other companies, markets or industries grew and flourished. Finally, there is transduction, which is the equivalent of bringing an “outsider” into your company for a new perspective.

What strategies do you have in place to mimic bacteria?

Aug 27 2007

I noticed an interesting job advertisement in the papers over the weekend. The job title – Online Communications Manager – caught my eye, as I had recently been wondering when we will see organisations invest the same levels of resources into managing their relationships and interactions with customers over digital channels as they do, say, in-store.

I read the advert expecting to catch a glimpse of a ‘weak signal’ indicator of maturation in organisational stewardship of digital channels. Instead, I was rather appalled by what I read.

The advert, placed by a “Top 10 ASX” financial services company, describes the position and role criteria in these terms:

[Y]ou will be responsible for developing and implementing the overall online strategic framework and business rules around our front line customer websites. Acting as business consultant around web usage and measurement, you will be considered the online expert. The ability to manage key stakeholder relationships, facilitate web-based enhancements and ensure all content is succinct, thereby increasing audience cut through, is what makes you outstanding. To be considered you will have a demonstrated background in managing websites and an online channel with a good grasp of html coding.

The organisation clearly believes their online channel is important (they speak of it requiring a ‘strategic framework’), and their sites would appear to play a role affecting several ‘key stakeholders’ in the business. Yet the primary criteria for the role seem to be technical, rather than strategic or commercial.

Let’s recast this example into a retail context. Imagine a major retailer advertising the role of manager of a department store. This person would be responsible for ‘implementing the overall strategic framework and business rules around our front line customer sales’. S/he would act ‘as a business consultant around floor space usage and sales measurement’ and have responsibility for managing ‘key stakeholder relationships’. The person would be considered the ‘retail expert’.

Do you think the role criteria would read: ‘To be considered you will have a demonstrated background in managing a sales counter with a good grasp of retail displays’?

Not likely.

Most companies still do not believe that their digital channels warrant significant senior management oversight or leadership. Implicit in job advertisements such as this is the view that digital channels are an addendum rather than a core aspect of business operations.

Far too many CEOs still speak of developing a ‘digital business strategy’. This is a telling misnomer.

Jul 06 2007

The UK Centre for Future Studies has released several studies outlining key demographic changes over the next 15 years, and the impacts these changes will have on lifestyles and consumer values. The following are some excerpts from their findings:

  • We will be living in an older society. This will be the result of increased longevity, and a declining birth rate. The over fifties are the new old. They are healthy, active, and experiential.
  • We will be living increasingly as single individuals and individualism will become paramount. Indeed, the outlook of the individual will be all the more important because peoples’ values are becoming increasingly focused on themselves. The term ‘masses’ will have no meaning. We will need to think about the needs of groups of individuals.
  • The ‘traditional family’ – married with 2.4 children living with both their biological parents – will be in the small minority. Trends in co-habitation, divorce, births outside marriage and single parents will be even more pronounced. With declining family obligations, individuals will exercise greater choices and this will lead to greater diversity of lifestyles. Traditional marketing categories will no longer be relevant. Paradoxically, however, while the traditional family will disappear, family values will continue to be important.
  • We will be a far better educated society with increasing standards of achievement and higher qualifications. This means there will be greater numbers of individuals who are able to use and benefit from information technology and more people able to work competently within the IT-centric working environment.
  • We will be living in a 24/7, globalised society in which individual lifestyles will be based on mobility rather than stability. As a result, personal identities will become more fluid. At the same time, individuals in a more unstructured and rootless society will feel more insecure. They will experience greater uncertainties and see society as high risk and threatening.
  • We will be a far more health conscious society and there will be a paradigm change from cure to prevention. Health promotion will be big business and food safety will be a paramount consideration. Basically, we will become increasing fearful about what can harm us and we will be looking for re-assurance that what we buy is safe.
  • We will become a society totally overwhelmed by messages and choices. As a consequence, we will be looking to simplify our lives and create a sense of stability and security out of chaos and complexity.
  • For most of us, time will continue to be at a premium. Work and leisure time will intermix and in the 24/7 society, set routines will become a thing of the past, and work will become increasingly more significant. To create more time for ourselves we will be taking advantage of time saving technologies.
  • We will be a far more demanding, hedonistic society. We will consume experiences and search for novel entertainment and fun fulfillment in all aspects of our lives. Good enough will not be good enough. We will expect the highest quality and value for money.

Food for thought!

Jul 04 2007

For the past 24 months, I’ve been seeing signs that a unique strategic challenge is emerging, one which will significantly impact every industry, including media, before the end of this decade: demand singularity.

We can already see that a form of ‘meta-convergence’ is happening in nearly all consumer industries, in that more and more companies are trying to be all things to all people. They are trying to sell everything to everyone.

Coca-Cola no longer sells just cola – it sells water, fruit juices, energy drinks and teas/coffees. Pepsi Co. is now the largest US vendor of potato crisps and similar snacks. McDonalds no longer sells just burgers, it sells salads, yoghurts, cereals, and cafe-style coffee. Woolworths doesn’t just sell groceries, it offers banking, petrol, electrical and whitegoods, music (including iTunes cards).

Today, there was news that the eponymous watchmaker, Tag Heuer, was moving into the eye glasses market!

We’re seeing a similar meta-convergence in the media space.

Newspaper companies, like Fairfax, now offer music, video news, audio programs and, elsewhere, movies-on-demand. Web publications are moving into print and vice versa (e.g. Sensis/Trading Post). Search engines are moving into rich media and broadcast media (Yahoo! + Google). Electronic games companies are moving into cinema. Outdoor advertising companies are embedding mobile media capabilities. The list goes on.

The root cause of this trend is economic.

Companies are leveraging technological efficiencies to re-engineer traditional value/supply chains, in an effort to squeeze additional profit or growth through ‘economies of scope’ (i.e. cost savings achieved by increasing the variety of goods and services produced using existing infrastructure/staff).

This trend is likely to continue (and accelerate) for the remainder of this decade.

Continue reading »

May 30 2007

This is an excerpt from a regular column that I write – Neely Ready – which appears in a magazine called Australian Anthill.

—8<—

The Importance of Culture

Every organisation has a culture. Spend time observing the day-to-day goings on within, say, a medical practice, a law firm, an airline and a fast food franchise, and you will notice some stark differences. While each business might have common objectives – serving clients, generating profits – it is very likely they go about these objectives in vastly different ways.

Culture, broadly defined, is the personality of an organisation. It is the collective, learned behaviour of its staff (“the way we do things around here”), and the values, norms and beliefs that shape that behaviour.

Culture drives the behaviour of people. It drives how your staff choose what is done, and what is left undone; what is valued, and what behaviour, actions and outcomes are rewarded. Culture operates (and can be influenced) at three levels:

Continue reading »

Apr 15 2007

I write a regular column – Neely Ready – which appears in an (excellent) magazine, Australian Anthill.

—8<—

How creative is your business?

Entrepreneurs and scientists use the concepts of ‘creativity’ and ‘innovation’ interchangeably. This is not surprising, as both play an integral role in the new product development process. They are not the same, however they do have a symbiotic relationship: each is largely useless without the other.

Creativity is the process of coming up with new ideas. Everyone is capable of being creative, and there is no single, definitive methodology for generating creative ideas.

Innovation, on the other hand, is a broader process of implementing a creative idea – or ‘applied creativity’. Innovation is intrinsically harder than creating ideas, and there is again no definitive methodology. However, it is the process of creativity – coming up with the spark of an idea that kick starts the new product development process – that most individuals and businesses believe they require assistance with (perhaps because creativity is seen as a behaviour, whereas innovation is seen as a process). Continue reading »