Listen to the Podcast
26 Apr 2024 - Podcast #879 - (18:19)
It's Like NPR on the Web
If you find the information TechByter Worldwide provides useful or interesting, please consider a contribution.
If you find the information TechByter Worldwide provides useful or interesting, please consider a contribution.
The number of hacked Facebook accounts seems to have expanded almost exponentially in recent months. Having an account cloned is still more common, but I've seen a surprising number of people who have created new accounts because their existing accounts have been stolen and they can't retrieve them.
You can take actions now to make your Facebook account harder to hack and to make it possible to recover the account if it is hacked someday. These tasks take time to complete, but it's faster and less trouble than having to recover a stolen account. If you can even recover it. Recovery might not be possible if you're not prepared.
If (when) your Facebook account is hacked, getting it back depends on how accurate the information is that you've given Meta. It's worth checking occasionally to ensure that the information Meta has is up to date and definitely worth updating information if you move, your email address changes, your phone number changes, or your name changes.
You'll receive a message from Meta if a thief changes your email address or password, but you may not see the message soon enough to react before it expires. If that happens, you can try the recovery process but don't even bother if your name and date of birth on your acct does not match what is shown on a driving license or other government ID. There's no point in trying if your proof of identity doesn't match what Meta has.
So check the information that's associated with your account and make sure it's up to date. Then, if you haven't yet set up two-factor authentication, do so. This doesn't guarantee that your account will be safe, but it makes stealing the account much harder.
To set up two-factor authentication (2FA), you'll need either an authenticator app such as the Google Authenticator or a password manager that supports 2FA such as 1Password. Here's how to set it up.
Log in to Facebook and click (1) the down-arrow on your account image. Then choose (2) Settings & Privacy. Click (3) Settings, then (4) Password and Security, and finally (5) Password and Security on the next panel. (I would like to have a word with the Meta user interface designer.)
Choose (6) Two-Factor Authentication and then (7) Authenticator App. The image shows that 2FA is on because I had already enabled it. Select (8) your account on the next panel and then (9) re-enter your password. You will see a (10) QR code and a long alphanumeric key. Which one you use and how you proceed will be determined by (11) the authenticator application you use.
When you've finished the process with the authenticator application, obtain a code from it and (12) paste it into Facebook. Each code is good for 30 seconds. Facebook will then tell you that 2FA has been enabled and you'll probably think that you're (13) done. Not quite. Select (14) Additional Methods and then click (15) Recovery Codes.
The final step involves (16) copying the recovery codes and storing them securely. 1Password has an option to create a secure note inside the password entry and that's where I store my recovery code. They do need to be stored securely, though, because a scammer who gains access to the codes can lock you out of your own account.
Now let's take a look at what happens if someone does hack your account.
Be sure that the account really has been hacked. If people tell you that they've been receiving friend requests from you even though you're already Facebook friends, the account has been cloned, not hacked.
A cloned account is one created by a scammer using your profile picture and information they find in your account. The scammer then impersonates you and invites your friends to connect with them. When an account has been hacked, the thief has full access to your account. This happens when the attacker gains control by obtaining your login credentials, often through phishing emails or other techniques.
Have you created a new Facebook account using the same email as your hacked account. If so, that new account is now your account. Only one account can be associated with any given email address, so creating the new account disconnects your email address from your original account. Recovery is unlikely.
If you no longer have access to the email address Facebook has on file for you, you will not be able to recover the accout.
Check the email address Facebook uses for you. There should be an email that says somebody changed your account password and asking if it was you. The message will explain that you need to visit the Facebook website if you didn't make the change. Facebook sets a short limit on response time and the message may have expired. If it has, take a screen shot of the message.
If you created a new Facebook account, there is a slim chance that you'll be able to recover the old account. Before proceeding, log out of the new account.
Locate your driving license, government-issued ID, or passport. The information on this document must match what Facebook has on file for you.
Go to the Facebook recovery page, https://www.facebook.com/hacked. Select the option that describes how you became aware that your account had been hacked. Work through the process as it appears on screen. You should eventually see a form to fill out. Provide the date and approximate time your account was compromised, the original email address Facebook had for you, a screen shot of the email that says your information has been changed, and a clear photo or scan of your government ID that shows the name and address Facebook has on file for you. Request a password reset link be sent to the email address Facebook has on file for you.
Facebook procedures change frequently and Facebook does not offer any type of live tech support. Any online offers to help restore your account are fraudulent. So from this point on, all you can do is read everything carefully and follow directions explicitly.
If you do not receive a response from Facebook within an hour, repeat the process. Sometimes it takes several iterations to recover an account. Sometimes it takes several iterations and nothing changes. That's why it's better to do everything in your power to avoid having your account stolen rather than spending hours trying to recover it.
Your internet service provider offers a modem and I explained a few weeks ago why you might be better off providing your own. The ISP also include a domain name service (DNS) server, but you might be better off using somebody else’s.
DNS is what converts a name such as “techbyter.com”, which means nothing to the internet, to an IP address (“67.222.41.89”). The internet understands IP addresses. Think of it as how you’d use a phone book (remember those?) or WhitePages.com to find someone’s phone number. Of course, you’ll have to pay if you want the website to give you any useful information. Or think about the earliest phone systems, the ones that used phones with cranks on the side and had operators who answered with “Number please”. The caller gave the operator a name and the operator made the connection.
When you type “techbyter.com” into the address line of a browser and press enter, the browser’s request is intercepted by the DNS, which has a gigantic look-up table that lists the internet protocol (IP) address of every known domain. The DNS forwards your browser’s request to the internet backbone that has its own routing tables that explain (in computer-speak) how to get to 67.222.41.89.
The trouble with your ISP’s DNS is that it allows the ISP to see everything sent from or received by your computer. The ISP can sell this information to advertisers or use it to insert ads. This is less of a problem than it was, but it can still happen. Additionally, DNS servers operated by some ISPs are inefficient or slow.
Third-party domain name services are generally better. One silly example: Type “googko.com” into your browser’s address bar. Google has registered a lot of near-miss domain names, but not googko.com, in which there are two typo errors. Many ISPs will just return a 404 (“not found”) error, but some of the third-party DNS systems will return a custom error page while others may intuit that you’re really looking for Google and ask if you’d like to go there. Many third-party DNS providers also keep track of sites frequently used for scams and will warn you and ask if you want to proceed.
Two of the best known third-party domain name system providers are OpenDNS and Google, but there are others. Selecting an alternate DNS provider involves making changes on your computer or on the router. You’ll specify two IP addresses for the third-party DNS servers you prefer:
To change a single computer, see HowToGeek’s explanation. This is an old article, but the basics are still correct.
It’s usually more efficient to make the change on the router and I’ll demonstrate this with a TP-Link Archer AX6000 router. Your router will probably be different, but every router will have similar settings.
Click any small image for a full-size view. To dismiss the larger image, press ESC or tap outside the image.
Start by opening the router’s control panel. You may need to examine the router’s documentation, but the control panel will usually be accessed by connecting to IP address 192.168.0.1 or 192.168.1.1.
If you never changed the router’s administrative password, do that while you’re here. Most manufacturers create an administrator account that’s almost always called “admin” with a password of “admin” or “password”. Leaving these in place is dangerous. You probably can’t change the user name, but you can change the password. Do that.
Now that the housekeeping measures are out of the way, look for an item called “internet”, “wan”, “modem”, or “external” on the router’s interface — something that clearly implies the outbound signal. Click that and then locate the section that refers to the DNS address. “Get automatically from ISP” will probably be selected and this is what you want to change.
Click the option to specify your own DNS servers and then fill in the IP addresses for one of the third-party providers. The user interface may have spaces for three DNS entries. You need only two. Use the IP addresses shown above. If the router interface has three slots for DNS IP addresses, you can add a third. You can also mix and match services. The Primary DNS will be queried first and the Secondary will be queried only if the Primary fails to respond.
The federal government is trying to force companies to drop junk fees or at least make sure that consumers are well aware of them. Those $35 overdraft fees from banks, for example. You know it doesn’t cost that much to decline a transaction. So does the bank. Many banks have eliminated them.
Click any small image for a full-size view. To dismiss the larger image, press ESC or tap outside the image.
Now internet service providers are being required to notify consumers about fees and introductory price offers. You know, the situations in which you sign up for an “introductory offer” and find that the price nearly doubles at the end of the introductory period. That information must be provided now in plain English and the Federal Communications Commission (FCC) has adopted forms that look a lot like nutrition labels found on food and over-the-counter supplements.
<< You’re probably familiar with labels such as these, one from a bag of raisins and the other from a bottle of MetaMucil caplets.
In addition to the total monthly fee price and taxes, the ISP forms must include details about activation fees, early termination fees, contract length, and when any discounted-fee offer expires. AT&T is pushing their upcoming fiber options in my neighborhood and those who visit the website will see “nutrition labels” for their three service levels. The forms include rental fees for equipment such as modems or Wi-Fi routers.
ISPs are unhappy about being forced to tell the truth, but now they are required to show upload and download speeds, data caps, and how much a consumer will be charged for any overages. ISPs had proposed providing a long page of small text such as those from banks that bury important information in a flood of legalese, but the FCC rejected that.
Major ISPs must show the information labels now, but small companies that have fewer than 100 thousand customers have until October to comply.