Facebook Promotes Identity Theft


Update: Of all the various email aliases I tried at Facebook to get that profile taken down, the one that finally did the trick was to allege a copyright violation over the picture of me that the scammer found (on Flickr). Now I just need to send a small check to the EFF to balance it out.

Here’s the bit of text that I think did the trick:

The picture is definitely of me, and it is unlikely there is another Avi Bar-Zeev in Seattle Washington who might mistake himself for me...

Original:

This post comes as a result of having my identity stolen on Facebook.

Now, you hear about this happening for celebrities quite a bit. But why would anyone want to impersonate me? What could they possibly gain, except some fine fake friends, right?

Well, having a look at the fraudster’s current friends list indicates he’s already sent invitations to people at Microsoft. Perhaps all of them, I can’t tell. Those who friended him back probably know me and were just trying to be nice. And as result, the fraudster now has some idea who I know at Microsoft, or who the other targets know, which could be telling.

Ironically, Microsoft folks are so friendly in general, so many of them friended ‘me’ without ever having met me (some just saw a division-wide "welcome" email about me) that the usefulness of that list is diminished. But the potential exists for the criminal to email them from his faked account to obtain additional information about me or them, or at the very least violate their privacy by bypassing their "friends-only" controls. But more likely, the scammer will eventually put up some phishing attacks.

This is a major design flaw with Facebook, and a potential liability, IMO (note: I am not a lawyer).

Why?

Facebook has active controls to prevent you from changing your name to something they don’t like, but nothing to prevent you from stealing someone’s name in the first place. It has a place to report a copyright violation — god forbid anyone should use a stolen photo. But I couldn’t find a single link to report that an entire profile’s identity was falsely claimed or in violation of the terms of service in any way, nor do I see any attempt to resolve such issues thus far. I’ve emailed what I can only guess are the appropriate links and contact forms.

And if this exploit works in general, as it definitely seems to do, there’s nothing to stop someone from creating a false profile to parallel anyone’s real profile and inviting co-workers who might never do a search to see there are two profiles with identical names. It’s an open hole that Facebook seems to do nothing to fix. And that is why they are liable, IMO. (again IANAL).

Bottom line: if you received any email from my apparent Facebook account or from bar_zeev@live.com (the apparent account used to sign up), please report it to the abuse areas on Facebook or Live, if you can find them…

BTW, I use only one social network, LinkedIn, and there’s no way in hell I’m going to use Facebook now, except to post a note saying to stay away from this bullshit service.

Facebook’s new advertising slogan should be "Join Facebook, before someone else does it for you!"

 

 

  1. #1 by Daniel on September 5, 2008 - 12:06 am

    Finally catching up with a few good folks. I don’t trust Facebook as it is — I prefer to stay with MySpace, regardless if it’s a little hokey, to keep in touch with various people. Aside from that, it sounds like somebody who at least knows you or of you — and has some reason to contact folks at Microsoft through your name.

    What the motivations would be, would be anyone’s guess — but it’s interesting that MySpace at least has some level of control and ability to contact them if in the event something like this is noticed.

    Good luck with this, Avi.

(will not be published)