[HN Gopher] I lost EUR4k in a Facebook scam
___________________________________________________________________
I lost EUR4k in a Facebook scam
Author : babuskov
Score : 533 points
Date : 2020-09-14 13:35 UTC (9 hours ago)
| cbluth wrote:
| here is the apk, if anyone is interested:
|
| https://apkpure.com/tiktok-ads-business/com.acazira.tforbusi...
| drchiu wrote:
| I'd say that the prevalence of marketing hacks out there has made people let their guard down. We assume businesses will lose money on purpose to gain traction, to the degree that when we see deals like these, we jump at it without a second thought. No doubt there's technical engineering that went into this scam, but the social engineering and manipulation of the target's psychology is the real secret sauce.
| thrownaway954 wrote:
| just saying... As much as everyone hates on Apple cause of their review process, you have to admit that an app like this would have been caught.
| jakub_g wrote:
| Is it just me, or do the screenshots just scream "scam"?
|
| 1. Inconsistent spelling TikTok vs Tiktok, business vs Business in app names and logos
|
| 2. Inconsistent font in Tiktok logo (Times New Roman like font in Android app, wut)
|
| 3. Typos and clumsiness: "vocher" instead of "voucher"; space between $ and 3000 on confirmation screen.
|
| 4. As mentioned, the app developer not being TikTok
|
| I'd not be surprised for a random person to fall for this, but an experienced techie should have seen many red signs.
|
| (Having said that, as some other comment said, logging in with FB on mobile is inherently unsafe because you can't really tell if it's FB or an impostor site. Plus the way the ad markets work, which is just built for scams like this. Modern web sucks).
| josefresco wrote:
| Aren't those small mistakes on purpose? To ensnare users who miss obvious signs of fraud? I know that's a proven tactic for phishing/email scams.
| tuankiet65 wrote:
| It might look like aluminium but the description says it's just tape.
| z3t4 wrote:
| How could Facebook charge the Paypal account without authorization or a second factor??
| commoner wrote:
| If you accept a billing agreement with a merchant on your PayPal account, that merchant becomes able to charge your PayPal account without confirmation.
|
| https://www.paypal.com/uk/smarthelp/article/what-is-a-billin...
|
| To cancel the billing agreement, follow these instructions:
|
| https://www.paypal.com/us/smarthelp/article/how-do-i-cancel-...
|
| Some merchants encourage or force a billing agreement before the customer can make a purchase. The PayPal UI does not make a strong distinction between entering into a billing agreement and making a standard purchase. For users who are not familiar with the PayPal checkout process, the billing agreement UI looks just like a normal step in the process.
| koyote wrote:
| I actually happened to be going through the Paypal settings yesterday as I couldn't get it to make a purchase on ebay and thought something might be wrong there.
|
| I had around a dozen merchants who were listed in the automatic billing payment list and only one of them was a subscription I remember setting up. (The others were all legit and large businesses and none of them have charged me, but they could have!) I have since 'deactivated' all of them.
|
| I really do hate Paypal but I often choose them when I buy something from a smaller web shop as I do not trust the web shop to keep my card details safe...
| GoblinSlayer wrote:
| American convenience "shut up and take my money".
| muststopmyths wrote:
| >Sure, the developer name "Develop App" sounds strange and should I have looked better, the developgameonline@gmail.com developer email and com.acazira.tforbusiness package name would have definitely raised some concerns.
|
| Come on, dude.
|
| I will say that even the most experienced techies among us sometimes become complacent and let our guard down. It's exhausting having to constantly second-guess every application you want to run.
|
| (Not interested in starting another platform flame war, but this is the main reason I don't use Android. I deal with enough paranoia running Windows daily. Maybe I'm misinformed, but I'm also probably not unique in this respect)
|
| I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business?
| jrochkind1 wrote:
| I believe they are saying they didn't NOTICE the "developgameonline@gmail.com developer email and com.acazira.tforbusiness package"; if they had, that would have raised alarm bells. I don't think these are visible on the page without clicking. "the developer name 'Develop App'" is visible, although I don't know how many pay attention to it. They are retrospectively thinking they probably should have thought that wasn't right, and that it should have motivated them to look further.
| ggggtez wrote:
| >It's exhausting having to constantly second-guess every application you want to run.
|
| Maybe try to have a sip of coffee before jumping for that $3000. Let's not pretend that this is just ToS fatigue. The only reason they installed this app is for the free money.
|
| So yes, maybe if someone is offering you thousands of dollars, you should consider _that_ to be the time to second-guess what's happening.
| JAlexoid wrote:
| So.... False sense of security is OK, just because "Apple". Give me a break...
| fencepost wrote:
| The gmail address as a red flag yes, but the package name? Nah.
|
| Given that a lot of companies outsource app development to third-party companies that in many cases mostly reskin and extend an existing app that they sell to many clients, a package name that could be from a development shop likely wouldn't cause concern.
|
| Sure Tik-Tok has a significant in-house development staff, but they're focused on the backend and client apps and Sales and Marketing may not have much access to them. It may be much easier for those departments to fully outsource that development to a vertical-market vendor, particularly if it's SaaS and the resulting app(s) aren't integrating with internal systems except via downloaded CSV files.
| bentcorner wrote:
| And literally nothing stops someone from creating a tiktokforbusiness domain and fixing the developer name.
| flavmartins wrote:
| Any free app I always look at the developer name. Generic name that looks like it could be trying to mislead? Always a bad sign.
|
| Who gets together and says, "I have the perfect name for a new dev shop: Develop Apps".
| varispeed wrote:
| It's the problem of Facebook and PayPal that they have inadequate protections and blame the users for that. I think the issue is of allowing a payment to go through without triggering any security checks. Probably some basic checks should also be done whether a company publishing an app actually exists.
| luckylion wrote:
| I wouldn't blame PayPal as much, this is on Facebook in my opinion. Recurring payments are a good thing, we don't want constant re-authorization when the relationship has been established.
|
| Facebook on the other hand should have handled it differently. I don't know how their permission screen for app authorization looks, but I guess it should have a huge red warning sign if it includes a permission to allow the app to spend your money.
| brian_herman__ wrote:
| I don't know, looking at the other parts the app looks legit, however TikTok asking for facebook login? That is where I would stop and think for a little bit.
| donmcronald wrote:
| "Sign up for TikTok", "Continue with Facebook". It's literally the first screen you see from the official app, so it's not unbelievable. Social sign in is pervasive.
| actionowl wrote:
| Not being an android user and not being familiar with the Play Store I might have glanced over "Develop App" having internally misread it as "Developer App" and thinking it was a category, not the developer's name.
| reaperducer wrote:
| _I might have glanced over "Develop App" having internally misread it as "Developer App"_
|
| I bet many thousands of people on HN would have done the same thing.
|
| I think it's an issue with reading comprehension. In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered. People read a headline and think it means something other than what it says. Flamewars erupt online over something that nobody actually wrote, but someone thinks they saw.
|
| It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.
|
| Or, if I can put on my old man hat, maybe it's just that people aren't as good at reading as they think, and that if people looked at a book half as often as they look at their telephones, they might get some good reading practice.
| bakuninsbart wrote:
| > It seems to be rooted in the fact that these days people skim text, rather than read what is written.
| > I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.
|
| I think it is the former. I'm perfectly capable of reading a poem or code word-for-word, but as soon as I'm in my browser something "clicks" and I'm just skimming text. It is usually completely subconscious, but while reading your comment for example, I realized I was only reading half of each sentence.
| curryst wrote:
| > It seems to be rooted in the fact that these days people skim text, rather than read what is written. I don't know if it's because of general information overload, or a lack of attention to detail, or if the mindless scrolling of phone apps has trained us that visual impressions of words are good enough.
|
| One aspect is that it's a parasitic efficiency increase. The 80/20 rule applies here; you can answer 80% of the emails by skimming. If you just don't handle, or poorly handle, the 20% of the emails that take 80% of the time, you get a bunch of time back.
|
| I also think that the overload comes from notifications, not general information. We get a crazy number of notifications from our personal devices (and many/most people check them), and during the work day that's compounded with all the systems at work that send notifications. I think that we've subconsciously taught people to work between the notifications. It can feel like if you don't respond to them in real time then you might end up with an insurmountable backlog of notifications to handle, so people have acclimated to handling them in real time. Each time someone responds to an IM, a mental timer starts, counting down how long it is until it thinks the next notification might come.
| Or, conversely, you're in a notification lull, and you start thinking this is your only time to get anything done towards the sprint, so you smash out fast responses to the notifications you do get, trying not to break your train of thought.
|
| Others may have different experiences, but I get notifications from so many systems and people that it can be overwhelming. And the tools we are offered to manage it suck. Slack's notification settings are better than what I had before with Lync, but they're still lackluster. Email has the best filtering record so far, but it is also by far the most abused by tools.
|
| Some things I would love to see in a chat system:
| * Chat and notification filters based on whether the user is a bot or not
| * A sane "handle this later" queue or some kind of integration with a task manager to let me click to create a ticket
| * A way to communicate busy-ness through my status. Either a level I can manually set, or a system that can guesstimate it (i.e. "curryst has 8 active private chats right now") so we can all gauge whether what we need is that important right now
| * Customizable options to batch notifications. I would love it if I could have Slack batch my notifications and just send me one notification per minute that says "3 new messages"
|
| My holy grail is if they would let me write my own functions to determine whether to notify for an event, batch it into the next batched notification, or to not alert at all. Most of these desktop clients are in Electron anyways, just let me pass it a path to a Javascript file that exports functions to filter notifications.
| insomniacity wrote:
| > I send people e-mails asking two questions, and only get the first one answered.
|
| This has been bugging me for at least 10 years, and also extends to IM. If it's IM, I ask one at a time.
|
| If it's email, I either have to ask one at a time, form the two questions into one, or turn it into a sandwich - question 1, question 2, rephrase question 1.
|
| What I really want to do is grab them by the shoulders and shake them, shouting "You saw the second question - yes?!?!"
| [deleted]
| StavrosK wrote:
| It is also the case that people aren't as good at writing as they think. I've seen people write pages and pages of text to say a few simple things, not separating the important from the unimportant, etc, and then wonder why others don't take 15 minutes out of their busy day to read the incessant, flavorless text until they find the actual point.
|
| A good way to write text where you're going to ask people for stuff is to write it in a top-down manner, where first of all you mention "I want X", then you quickly summarize what exactly you want and why, and then write a more detailed paragraph on the various nuances, always making sure to cut everything down to its absolute essentials.
| akdas wrote:
| I really like that style. It's related to the Inverted Pyramid style in journalism, meaning others have thought a lot about how to get important information up to the front of a piece of writing.
|
| https://en.wikipedia.org/wiki/Inverted_pyramid_(journalism)
| Osiris wrote:
| I learned about this in journalism class in high school over 20 years ago and it's still one of the most valuable lessons I remember from high school. As someone with ADHD, I _really_ appreciate when people follow this style.
|
| Blog articles, especially medium, are really bad about this. I've clicked on headlines about an interesting topic only to find the article not even mention the topic from the headline until 2/3 of the way into the article.
| StavrosK wrote:
| I didn't know it had a name, thanks!
| Sohcahtoa82 wrote:
| > I've seen people write pages and pages of text to say a few simple things
|
| Heh...reminds me of a couple anecdotes from my days in school.
|
| Sometimes as we were being handed back tests/quizzes that had some questions that required a couple sentences to answer, there'd be times where I did exactly that. I wrote only a couple sentences. Meanwhile, I glance at the person next to me to discover that they had written two entire _paragraphs_. I got marked as having a correct answer with only two sentences, so what the hell were they writing about?
|
| Then I had a teacher who, before the final exam, said that every question is able to be answered in four sentences or less. If you write several paragraphs, you would lose points for wasting his time, even if your answer was correct.
| Osiris wrote:
| > In general, comprehension seems to have plummeted in the last five to ten years. I send people e-mails asking two questions, and only get the first one answered.
|
| OMG, this happens to me all the time, and I don't even use email as a primary communication mechanism. It's so frustrating. I think the case is that people are reading and responding to emails on the go on their phone and so don't have/take the time to write a full response.
|
| In the "old days" it was appropriate to answer emails by leaving a partial quote in place and responding below that for each answer. Something changed (I blame Outlook) and now that never happens.
| NiekvdMaas wrote:
| Exactly this, it doesn't really stand out. Obviously I wouldn't have installed the app if I had noticed.
| donmcronald wrote:
| I didn't notice it the first time I looked either :-(
|
| Bad spelling and grammar used to be a great indicator of something being amiss, but the volume of it in legit business these days has made me so desensitized that I didn't even blink at this one.
| muststopmyths wrote:
| I wasn't trying to excoriate you for your mistake, so I apologize if that's how it comes across.
|
| I did try to modulate the harshness of "Come on, dude" with the rest of my comment. Like I said, sometimes we let our guard down. So it's understandable if you got fooled.
|
| In hindsight there are more red flags in just that screenshot ("More by Develop App", obviously fake reviews to point out just two), but God knows I've clicked through installs for shit apps on iOS many times.
| NiekvdMaas wrote:
| No worries, no offense taken.
|
| I still can't believe myself I fell for this, as said I have 2FA on all accounts and I'm normally very cautious. I guess it's a combination of all the factors here at play: Facebook allowing a fake TikTok Ads advertiser, the ad looking very legit (referring to an existing ad credit program), Google allowing a fake TikTok Ads app with fake reviews, and not getting any notifications until the amount was charged from my PayPal account.
| ShroudedNight wrote:
| FWIW, given the surrounding context, I interpreted "Come on, dude" as an exhortation for the author to cut themselves some slack. I agree that 100% correct 100% of the time is an exhausting bar to maintain, and one that we should be working very hard to ease.
|
| I think it's worth pointing out that the difficulty / impossibility of achieving that bar (at least in the general case) is one of, if not the central tenet of Christianity, ostensibly the dominant religion of the West for something like 1500 years. Regardless of one's metaphysical beliefs, it's worth remembering that arguments for the necessity of grace and slack in positive interactions have a long historical precedent, and I find we ignore them at our peril.
| StavrosK wrote:
| Being an Android user, I looked for the developer's name, saw "Develop App" and thought it was a category and I was just mistaken about where on the page the developer's name was supposed to be. This was all instinctive, I didn't sit down to think about it, though.
|
| It doesn't help that the developer name and category have the exact same visual style, I guess.
| kn0where wrote:
| The big red flag I saw was that "Tik Tok" is in the wrong font in every screenshot.
| solinent wrote:
| I've actually stopped using google's spam filter and started looking into the spam occasionally.
|
| With no data, if one slips through it shouldn't be up to the spam filter if I can be scammed!
|
| edit: that was a particularly bad typo to make. I mean scammed, not spammed :)
| mrtksn wrote:
| >I'm curious if this fake TikTok app would probably have been blocked at the outset in the Apple App Store review process because it's trying to masquerade as another business?
|
| I bet that it is possible to slip through the review process, however there's also a safeguard on the developer account creation. Apple wouldn't let you create a developer account using vouchers, PayPal or prepaid cards, at least not from countries where scams are commonplace. Also you would be asked to provide documentation of company registration to have an account named "Develop App".
|
| It is a common theme on HN to trash Apple on its "draconian restrictions" but the reality is that Apple AppStore is a safe place to be. You don't have to study the App before downloading it, you first download then decide if you want to keep it and security is never a concern. The Apple tax is something I am happy to pay for that luxury.
|
| I am a developer and I have no idea what com.acazira.tforbusiness means. What keeps it from being com.toktik.forbusiness?
|
| On AppStore this is something you type yourself on the project configuration screen in XCode and I don't remember reading any restrictions about it, only a recommendation to use reverse domain name notation to prevent conflicts.
| saagarjha wrote:
| > I don't remember reading any restrictions about it
|
| You can never change it. This is how you get com.toyopagroup.picaboo (Snapchat) or com.yourcompany.TestWithCustomTabs (AccuWeather).
| Dragonai wrote:
| This is too funny. Thanks for sharing!
| freeqaz wrote:
| Thank you for sharing. This is hilarious!
| jonplackett wrote:
| Haha, this possibly explains why the accuweather app is not the best made app ever.
| danlugo92 wrote:
| False dichotomy.
|
| Google could up its Play Store review process + not installing from outside the store would result in the exact same security advantages you're talking about, while still letting you install from third party sources if you're a power user.
| CapriciousCptl wrote:
| Google probably could implement similar security. But the problem is as of today, 2020, they don't.
| shawnz wrote:
| Yes, but it's not because Android allows sideloading that the Google Play store is poor quality. Apple could allow sideloading and still have a better quality app store.
| hevelvarik wrote:
| But until they do the dichotomy isn't false
| brundolf wrote:
| This doesn't preclude there being competing app-stores on the platform, though. I'm glad Apple's is the way it is (overall). And if alternatives popped up I would probably mostly stick with the first-party one. But having an alternate channel means you _can_ circumvent Apple's review process when they're being especially unreasonable, and the competition would probably force them to improve their own offering as well. Everybody wins (except maybe Apple).
| ConcernedCoder wrote:
| I will second this "security as a tax is well worth it" mindset. I'm a programmer, and like to think I'm security savvy, but I CANNOT babysit my non-tech-savvy wife 24/7 and having her on iphone / macbook is a weight off my shoulders as far as appstore security, as married assets are shared assets and the "weakest link" plays in the security arena...
| _fullpint wrote:
| I'm a programmer and have taken graduate classes in Security Analytics, and I have a hard time convincing myself that I'm security savvy.
|
| It's such a cat and mouse game that has massive jumps in acceleration when it comes to 'novel' ways attackers create new exploits.
|
| Having Apple taking it seriously even for people like me is a huge win.
| blackflame7000 wrote:
| No matter how much you learn, you will still never know what you don't know. A zero day is by definition something you don't know and therefore we recognize that there is some futility in trying to defend against everything that ever was and all that ever will be.
| junon wrote:
| Apple takes it more seriously than the Windows teams do, sure.
|
| That's not to say Apple is perfect. Their "root"/"" login bypass zero-day was absolutely unacceptable, even compared with Microsoft's problems.
|
| Other than that, I'd trust an Apple device over a windows device any day of the week.
| ufmace wrote:
| That's a key part of the security landscape that many techie users just don't seem to get. Maybe you'd like to be able to run your own code natively without jumping through a bunch of hoops, and distribute code you wrote without it having to be blessed by some megacorp that might not care too much about you. And maybe you're doing nothing but good and useful things when you use those abilities.
|
| But there are a ton of bad actors out there who will also use those abilities to scam and steal.
| You can stereotype it as only clueless users falling for that, and there's even a little truth to it, but 1. Some are quite good and nobody is perfect, you can still get scammed yourself, and 2. It seems not cool to just write off everybody who isn't a tech expert, throw them to the wolves, blame them for falling for any scams.
| orangecat wrote:
| _That's a key part of the security landscape that many techie users just don't seem to get._
|
| I get it. And I don't think the threat justifies handing complete control of our computing environments to a single corporation.
|
| _But there are a ton of bad actors out there who will also use those abilities to scam and steal._
|
| Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?
| ufmace wrote:
| _Bad actors often set up fake websites. Should computers and phones have mandatory browser filters so you can only go to approved sites?_
|
| Well they don't, but browsers do spend an inordinate amount of effort trying to make sure that bad websites can't do anything other than show you things. I'm pretty sure that all of the browser vendors will pay 5-6 figure sums for any exploit chains that would allow a website to do things like read files without permission or execute code on the OS. And people regularly complain about the ever-tightening restrictions on what websites are allowed to do.
| tgsovlerkhgsel wrote:
| That's also the case for apps though, at least on iOS apps are sandboxed almost as well as web sites to my knowledge.
| mekoka wrote:
| It's not necessary nor useful to create a false dichotomy. The safety of the AppStore may be a reason to have a strict review policy, but it should not become an excuse to abuse
| that policy. The price tag of safety is certainly some amount of freedom, but it's worrisome that people are learning to accept this without also distinguishing when this relationship is being usurped for other means.
| noizejoy wrote:
| If something simply doesn't exist, how reasonable is it to assume that it could exist? How am I supposed to differentiate the statement that something could exist from fairytales?
| tehlike wrote:
| Initiate a charge back through the bank
| disillusioned wrote:
| I lost $2k in a Facebook scam that I'm really not proud of. A company spoofed BitMain's FB page and ran ads for their newest AntMiner models saying they had a batch that was ready to ship in limited supply. The BitMain FB account looked legit. The website itself obviously had an SSL cert (and was a pixel for pixel clone of their real site, except the product was in stock), but what I didn't notice was the microscopically small presence of a dot over one of the characters. It was an IDN homograph attack, and looking at the website and not noticing the unicode character, everything else looked right.
|
| The fact that they took BTC as payment didn't raise any red flags either, because, you know, BitMain does.
|
| I'm mostly infuriated at Facebook for not validating the company name or doing anything resembling protecting their audience. I lent them too much credibility because it looked like they were ads from the real company's page, and so I let down my guard elsewhere.
|
| I've never otherwise been hacked or scammed, and I know allllll of the basics to look out for, but this one still infuriates me for making a fool of myself.
| tha0x4 wrote:
| And this is why BitCoin will never fully take off.
|
| If you made this transaction with your credit card, you could call up your bank two weeks later and get your $2k back that day.
|
| BitCoin? Kiss that virtual fool's gold goodbye.
| Dahoon wrote:
| 6 months by law in the EU.
| jankeymeulen wrote:
| What browser are you using that is displaying IDN unaltered?
| colejohnson66 wrote:
| Not blaming you at all, but a good tip is to look at the number of "likes" a page has and see if it sounds reasonable. Definitely not foolproof though.
| searchableguy wrote:
| Nope. Easily faked. There are centres where people get paid $5-10/day to like, follow, comment, etc here. They use bots too.
|
| You can purchase an official ID under $10. Many Indian marketing firms use them.
| colejohnson66 wrote:
| Oh absolutely. I admit it's not foolproof, but if a page named "Amazon" only had 100,000 likes, I'd be a bit suspicious. For comparison, the actual Amazon FB page has _19 million_ likes IIRC.
| searchableguy wrote:
| I have been scammed only once by a company so far. It was oyo (another gem run by softbank). They sold all my information, made me pay twice and left me with such poor service. A few of their actual employees were the scammers along with the hotel manager (likely) so I wasn't suspicious... because ya know, you are supposed to trust official communication portals.
|
| It opened my eyes to how far scams can go. A billion dollar valuation or millions of likes says nothing.
|
| I filed a complaint but have yet to follow up due to covid. It was a visit due to medical reasons so we didn't focus too much on it.
| foobarian wrote:
| Every now and then I catch myself not doing this but by and large I always type out URLs for ads/emailed links by hand. It takes out a lot of the attack surface for me, and it looks like in this case it would have worked.
| [deleted]
| JAlexoid wrote:
| Facebook Ads are the worst ones. Full of scams!
|
| Never click on them
| jacquesm wrote:
| Red flag missed: all reviews are of the same date. (Sept. 1st).
| fortran77 wrote:
| If Facebook ran that ad, you should at least try to hold them accountable.
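The IDN homograph attack disillusioned describes in this subthread (a hostname that differs from the real one only by a dot over a letter or a look-alike character from another script, which the browser still showed as Unicode) can be caught mechanically before a site is trusted. The following is an added example, not code from the thread or from any browser: it checks whether a hostname is non-ASCII, mixes scripts within one label, or folds to the same ASCII "skeleton" as a trusted domain; the confusables table is a constructed subset of the Unicode data and the trusted-domain set is a placeholder.

```python
"""Defensive IDN homograph check for a hostname the user is about to trust.

Added example: flags hostnames that are non-ASCII, mix Unicode scripts in
one label, or fold to the same ASCII "skeleton" as a trusted domain.
"""
import unicodedata

# Constructed subset of confusable code points mapped to the ASCII letter
# they resemble. A real deployment should load the full Unicode
# confusables.txt; this table is only for illustration.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small letter a
    "\u0435": "e",  # Cyrillic small letter ie
    "\u043e": "o",  # Cyrillic small letter o
    "\u0440": "p",  # Cyrillic small letter er
    "\u0441": "c",  # Cyrillic small letter es
    "\u0455": "s",  # Cyrillic small letter dze
    "\u0456": "i",  # Cyrillic small letter byelorussian-ukrainian i
    "\u0458": "j",  # Cyrillic small letter je
    "\u04bb": "h",  # Cyrillic small letter shha
    "\u0131": "i",  # Latin small letter dotless i
    "\u0237": "j",  # Latin small letter dotless j
}


def skeleton(hostname: str) -> str:
    """Fold a hostname to its ASCII look-alike form.

    NFD decomposition splits letters such as U+1E41 (m with dot above) into
    the base letter plus a combining mark; the mark (the tiny dot that hid
    the substitution) is dropped, then confusables are mapped to ASCII.
    """
    out = []
    for ch in unicodedata.normalize("NFD", hostname.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts_in(label: str) -> set:
    """Rough per-label script set taken from the Unicode character name
    prefix ("LATIN", "CYRILLIC", "GREEK", ...). Digits, hyphens and
    combining marks are ignored."""
    found = set()
    for ch in label:
        if ch in "-0123456789" or unicodedata.combining(ch):
            continue
        name = unicodedata.name(ch, "")
        if name:
            found.add(name.split(" ")[0])
    return found


def to_ace(hostname: str) -> str:
    """The xn-- form the browser actually resolves; this is what the user
    would have seen if the browser had refused to render the Unicode label."""
    return hostname.lower().encode("idna").decode("ascii")


def check_hostname(hostname: str, trusted: set) -> dict:
    """Classify a hostname as trusted, lookalike, suspicious or unknown."""
    host = hostname.lower().rstrip(".")
    if host in trusted:
        return {"host": host, "ace": host, "verdict": "trusted", "findings": []}
    findings = []
    if not host.isascii():
        findings.append("hostname contains non-ASCII characters")
    for label in host.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"label {label!r} mixes scripts")
    folded = skeleton(host)
    if folded in trusted:
        findings.append(f"folds to trusted domain {folded!r}")
        verdict = "lookalike"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"host": host, "ace": to_ace(host), "verdict": verdict,
            "findings": findings}


if __name__ == "__main__":
    # Placeholder trusted set and constructed look-alikes for the demo.
    trusted = {"bitmain.com"}
    for candidate in ("bitmain.com", "bitm\u0430in.com", "bit\u1e41ain.com",
                      "example.org"):
        print(check_hostname(candidate, trusted))
```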
| chatmasta wrote:
| > Unfortunately I don't have a screenshot of the ad in question
|
| FYI I believe there is a way you can see the ads you've clicked on in the last 3 months from within Facebook settings somewhere.
| crispyporkbites wrote:
| You didn't lose 4k - Facebook have the money, it's in their account.
|
| They sold virtual space at an almost infinite margin to a hacked account. The account was hacked on their system, the ad that facilitated the attack was run on their platform and they allowed the whole thing to perpetuate.
|
| If this was in meatspace, Facebook would be an accessory to fraud.
| rbrtl wrote:
| I shortened the TLDR:
|
| TL;DR: don't click ads
| dvcrn wrote:
| Most ads I see these days on Instagram are scams. They usually lead to sites that have been built with a quick template and always offer 50-80% discount on little things I want, for example lamps.
|
| They all offer PayPal so I took the bait once. The scam was clever: they ship something that isn't what you ordered. Like a jump rope for $1 instead of the $30 lamp (discounted from $200) or drone. To get a 60% refund, you have to send it back at your own cost.
|
| Now it gets more tricky: the parcel might not even be delivered to your address. Mine never arrived but got delivered to a zip code close to mine, but not mine. There are lots of reports of people that receive things without ordering anything and people who never get their stuff. There is also no guarantee what you ship back arrives back at them. If it doesn't, the company doesn't refund anything.
|
| I quickly realized this is an obvious scam and asked them to cancel, and opened a PayPal claim before anything got shipped. The company said they are processing my refund and it will take 3 days for my money to be back (which is not how PayPal works). Guess what?
| In the 3 days, they just shipped something which threw the PayPal claim off because now they have to wait until the shipment arrives and gets sent back (info from PayPal cs).
|
| It's been over a month and I am still trying to get my money back from PayPal. It's difficult because I haven't received anything but the shipping number says it arrived. The site no longer exists and the email I previously used to reach out is gone too.
|
| It's crazy to me that PayPal enables all of these scammers. They clearly know how to play PayPal to get around the buyer protection.
|
| These days I can't trust any ads because of this unless I do a lot of research on the site. It's very likely all scams. I saw similar sites on google shopping (the price comparison product), so it's not just Facebook.
| babaganoosh89 wrote:
| It's better to use credit cards when you can, chargebacks are way easier than that.
| vezycash wrote:
| One more reason why adblockers are a must install for everyone, especially non technical people.
| tluyben2 wrote:
| Browsers / webviews must have a special visual state for OAuth requests. As it is very easy to mimic.
| negamax wrote:
| Android has become a serious security risk
| lxe wrote:
| > Sure, the developer name "Develop App" sounds strange and should I have looked better, the developgameonline@gmail.com developer email and com.acazira.tforbusiness package name would have definitely raised some concerns.
|
| Sorry that you have to deal with this, and well done on actually flagging all these things as suspicious. I also sometimes make these tradeoffs, when something sounds 'not quite right' I would still sometimes make a judgement to ignore it.
| rdiddly wrote:
| HN loves to downvote any comment about grammar & spelling, but now we see it in its proper context as a cybersecurity measure. If I'd seen "vocher" (i.e. voucher) on a big blue button I would've applied the brakes on my clicking finger.
| Whether it's unintentional (indicating incomplete mastery of English and perhaps foreign scammery), or intentional (indicating a purposeful screening device to make sure only rushed, inattentive and stupid people respond), take advantage of the warnings they leave for you.
| VonGuard wrote:
| I'm completely unsurprised. I cannot be the only sucker in here who bought something off of a Facebook ad, and got a token piece of China-shipped junk instead. Mine was a video of a steel light saber being disassembled and put together, with all working parts. I was stupid, I paid $30 for it, and a month later, a box from China shows up with a $1 plastic sword.
|
| After that, I started commenting on every Facebook scam ad I saw, and guess what? That just got me into the queue for MORE scam ads! Facebook sees me commenting "SCAM" on ads about cheap Legos, and it says "Hey, this guy likes cheap Lego scam ads!"
|
| Plus, these ads go to different sites, have different company names, and different images every time, but they are the EXACT same scam, guaranteed. It's like Facebook is incapable of having a legitimate and ethical advertising business at some genetic level, and all the money from these obvious scam ads is just too good.
|
| This shit is so prevalent and so brazen, I've considered setting up my own scam ad, maybe sell a Qanon book that's blank and say "Fuck you, idiot" inside... I mean, why not? It seems like people are getting rich by fucking over Facebook users, and Facebook LOVES it!
|
| They have such utter contempt for their users. And here I am still using it because it's the only platform I can see pictures of my family members on, as they are non-technical users. Am I supposed to run some kind of internal family campaign to get them all to move to some non-existent alternative? I hate this so much. I feel trapped by Zuck's heartless machine.
| Nextgrid wrote:
| > That just got me into the queue for MORE scam ads!
|
| I once created a Facebook account to test something and for some reason it decided I was some sort of gambling addict (that e-mail was registered on a legitimate gambling website and I guess they leaked it) and the "people you may know" was full of fake accounts all related to some kind of scummy mobile casino game (I guess the game requires login with FB or maybe gives new people free tokens so they just register tons of fake accounts?).
|
| I've spent a good 20 minutes reporting every single one of them (up to actually hitting the rate limit on the report endpoint) and not only did the algorithm not take the hint that maybe it wasn't a good idea to recommend me more accounts out of that category but their support didn't deem the majority of them as violating the community guidelines despite them being obviously fake (and I couldn't notice any difference between those that were deemed as violating their guidelines and those that weren't).
| fencepost wrote:
| It may be that there were cultural clues that cued you into them being fake but that would be completely meaningless for someone being paid pennies to review those reports in another country.
| Nextgrid wrote:
| Yes but it is that person's job to spot those things. If I as a user can do a better job than them then something is very wrong with the resources/training they are provided. They should be _better_ than I am, not worse.
| VonGuard wrote:
| I reported every single ad for Legos I saw for a week. I ended up with more ads for Lego scams, too.
| sova wrote:
| Astonishing that people with such creativity would resort to theft and deception -- you cannot steal as much as you could earn legally, making something useful for everyone!
| crispyporkbites wrote:
| Not in Vietnam
| londons_explore wrote:
| Your mistake is using "Log in with Facebook" on a mobile device.
|
| Since neither iOS nor Android have any kind of trusted UI, there is no way you can be sure if you are logging into Facebook on an app, or just giving that app your credentials for them to do as they please.
|
| Until iOS or Android get trusted UI for these use cases, I suggest using browsers on Windows/Mac/Linux where you can see in the address bar which company you are giving credentials to, and which can't as easily be faked.
|
| If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.
| gridlockd wrote:
| It's possible to do "trusted UI" on iOS/Android by opening a browser window that shows you're actually logging into facebook-dot-com. That still wouldn't prevent these scams from working because users don't necessarily know how to tell the difference between "trusted UI" and "scam UI".
| londons_explore wrote:
| Except it isn't... Because the app can just show a UI that looks like a browser window, and there's no way for the user to know.
| gridlockd wrote:
| If you open a browser window, there are going to be some things that can't be faked 100% accurately, e.g. on iOS there will be a link back to the app at the top left, there is going to be an animation, and so on.
|
| It could be faked 95% accurately, but that's moot, because like I said, the user hasn't necessarily learned what "trusted UI" is in the first place.
| danielhua wrote:
| https://news.ycombinator.com/item?id=24470530
|
| Looks like it was a real Facebook login webview.
| gridlockd wrote:
| ...which is different from a browser window, running inside the actual system browser.
|
| The difference may of course be subtle, but even obviously fake logins can work on the untrained eye.
| donmcronald wrote:
| Like this old trick.
|
| https://news.ycombinator.com/item?id=4629906
| ramses0 wrote:
| iOS has trusted UI via "double-tap-side-hardware-power-button".
| So it's a trusted trigger, and a presumably native UI.
|
| I've been very impressed by eBay/PayPal providing "very good" almost native-feeling payment integration (swipe-to-pay, UI coming up from the bottom of the screen), so it may not last forever, but interesting to hear of the depth of scamming possible on phone UIs (and probably desktop UIs too).
| babuskov wrote:
| > _Your_ mistake is...
|
| Not mine. I just posted what Niek van der Maas wrote on his GitHub. I don't think he's even reading this HN thread.
| NiekvdMaas wrote:
| Actually I am ;)
| babuskov wrote:
| Cool :)
| NiekvdMaas wrote:
| (OP here)
|
| While you are absolutely right, I want to highlight that this was done in a quite sophisticated way. It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.
| GoblinSlayer wrote:
| You mean they extracted your primary full access token, not the generated restricted oauth token?
| londons_explore wrote:
| If your app has a webview in it, on both iOS and Android, you have full access to run script inside that webview and take/set cookies for any domain. You can easily take the auth cookie.
|
| Some Google auth cookies can only be used _on the same tls session that created them_ [1]. That means the TLS session resumption information (which can be tied to hardware platform features like the TPM) is required to make use of a stolen auth cookie. Unfortunately while that approach has big security benefits, it's pretty anti-user-privacy.
|
| [1]: https://nakedsecurity.sophos.com/2018/10/25/could-tls-sessio...
| NiekvdMaas wrote:
| Yes, pretty sure. It wasn't an oauth screen but the actual FB login screen.
| canes123456 wrote:
| iOS will redirect you to your Facebook app
| beervirus wrote:
| Delete the app. There's no reason to install it.
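An added illustration of the TLS-session-bound cookie idea londons_explore describes above (binding an auth cookie to the TLS session so a copy lifted out of a webview is useless elsewhere). This is constructed example code, not Facebook's, Google's, or any real TLS stack's: `tls_exporter` is a stand-in for a TLS keying-material exporter, `SERVER_KEY` and the per-session secrets are made up, and a real deployment would take the exporter value from the TLS library and tie the session to a device key.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Server-side HMAC key used to authenticate cookie values (constructed for the demo).
SERVER_KEY = secrets.token_bytes(32)


def tls_exporter(session_secret: bytes, label: bytes = b"cookie-binding") -> bytes:
    """Stand-in for a TLS keying-material exporter (RFC 5705 style).

    In a real stack this value comes from the TLS library and depends on the
    session (or resumption) secret, so only the endpoints of that session can
    reproduce it. Here it is simulated with an HMAC over a constructed secret.
    """
    return hmac.new(session_secret, label, hashlib.sha256).digest()


def issue_cookie(user: str, binding: bytes) -> str:
    """Mint a cookie whose tag covers both the user and the session binding."""
    tag = hmac.new(SERVER_KEY, user.encode() + b"|" + binding, hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_cookie(cookie: str, binding: bytes) -> Optional[str]:
    """Return the user if the cookie is valid for THIS session's binding, else None.

    Because the binding is mixed into the tag, the same cookie string presented
    over a different TLS session produces a different expected tag and fails.
    """
    user, sep, tag = cookie.partition(".")
    if not sep or not user or not tag:
        return None
    expected = hmac.new(SERVER_KEY, user.encode() + b"|" + binding, hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Victim logs in over their own TLS session; the cookie is then replayed elsewhere."""
    victim_session = os.urandom(32)    # constructed: the victim device's TLS session secret
    other_session = os.urandom(32)     # constructed: a different device's TLS session secret

    cookie = issue_cookie("alice", tls_exporter(victim_session))
    return {
        # same session (or a resumption of it): exporter matches, cookie accepted
        "same_session": verify_cookie(cookie, tls_exporter(victim_session)),
        # same cookie bytes from another session: exporter differs, cookie rejected
        "other_session": verify_cookie(cookie, tls_exporter(other_session)),
        # tampered user field with the original tag: rejected
        "tampered": verify_cookie("mallory." + cookie.split(".")[1], tls_exporter(victim_session)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the comment: with binding, exfiltrating the cookie string is not enough, the attacker would also need whatever material reproduces the exporter value (the session or resumption secret, which can be locked to hardware). The trade-off noted in the comment also shows up here: that binding material is a stable per-device identifier.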
| taftster wrote:
| I don't feel comfortable tying any two logins together for any site, regardless of mobile vs. desktop. Choosing to log into any site using facebook, google, etc. is setting up for trouble. I much prefer a strong password manager and separate logins for everything.
| xaitv wrote:
| > If you must use a mobile device to log into Facebook via a third party app, I suggest using a new Facebook account each time.
|
| I might be wrong about this as I've not used Facebook for many years now, but doesn't Facebook require a phone number for new accounts nowadays, and require you to use your real name as well?
| danielhua wrote:
| It's actually even nastier than that. If you fail their automated checks for fake accounts, they'll lock your account and require you to submit a photo of your face and ID card.
| wolco wrote:
| No I have an older relative who creates a new account every other week for whatever reason.
|
| Think of how many accounts are created for gaming reasons. Some games require friends taking action to progress. Some allow friends to send prizes like lives/money/resource.
| Sohcahtoa82 wrote:
| > No I have an older relative who creates a new account every other week for whatever reason.
|
| Could be like my grandma who would occasionally manually log out of the app, but then the next time she loaded the app, rather than actually logging in again, she'd create a new account because that's what she did the first time she loaded the app and thought she had to do that every time.
| commoner wrote:
| PayPal is not very dependable when it comes to handling disputes. If you paid with a credit card through PayPal, file a chargeback via the card itself and your financial institution should be able to help. But if you paid with your PayPal balance, you're most likely at Facebook's mercy at this point. Dutch laws might offer additional consumer protections.
| bluedino wrote:
| Most fraud starts with people thinking they are getting something for free.
| sukilot wrote:
| It's hard to con an honest person unless they are mentally impaired.
| pbhjpbhj wrote:
| I think it's relatively easy to con honest people because they tend to think other people have similar moral standards.
|
| 'we're inspecting your home on behalf of the government' [steal your jewelry]
|
| 'we're calling from your bank as there's been a problem with your account; we need you to read an access code from your phone' (steals savings)
|
| 'we're calling from your pension advisor as you appear to have been missold payment protection' (steals pension)
|
| There doesn't appear to be any need for dishonesty on the part of the conned.
|
| It's possibly easier to con a greedy person?
| newsbinator wrote:
| > Contacting Facebook about such scams/hacks is a challenge on its own: there is a support page but in all my attempts I was unable to click the "email" icon. The "chat" icon always says "chat unavailable"
|
| This is both incredibly frustrating and incredibly unsurprising.
| phoe-krk wrote:
| > The scammer used my Facebook auth token to remove me from the Facebook Business entity. Strangely enough this is possible without getting any emails from Facebook. I had no way to check my Business entity or Ad account on Facebook to see what's going on.
|
| This is an error on the Facebook side. Actions like this should never be possible without appropriate confirmation or re-requesting the password for 2FA confirmation.
| marcinzm wrote:
| I can sort of see why this is allowed.
|
| * Employee starts a Facebook business page using their personal Facebook account.
|
| * They add their boss to it.
|
| * Employee is fired.
|
| * Boss removes employee from Facebook business page.
|
| edit: Should still send a notification email but I'm guessing angry "why did you remove me from X" reactions are why they don't.
| Not good but there's a logic behind it.
| envy2 wrote:
| Sure, but then [employee]'s payment methods should be removed along with them. If they were using the company / boss's card or PayPal, then surely the company / boss should be able to add it back again without too much undue trouble.
| marcinzm wrote:
| Sure although I'd guess having all your advertising campaigns paused (as there's no billing info anymore) would annoy many people especially if they didn't notice or weren't aware it happened. It may in aggregate be cheaper for Facebook to just eat the cost of refunding these things versus providing more friction to their users.
| bkor wrote:
| The additional confirmation is not from the user being removed, it's from the user doing the removal. In this example the API/oauth was enough to do this. There really should be an additional confirmation at certain times. Like how Google sometimes requires you to put in your password/2fa again, despite previously authenticating or saying something like "don't ask me again".
| marcinzm wrote:
| I presume the scammer added a new account, made it an admin and then used that to take over. So it's not the removal that's the issue but adding a new admin on the account. Of course if you allow this type of activity through oauth I don't think there's a good way to re-authenticate.
| jackson1442 wrote:
| In that case, adding a new admin should require re-authentication.
| fabbari wrote:
| It seems odd that the Facebook authentication token would allow that kind of access - admin on the business pages - by default. Were you asked for particular permissions? Or did they fake the Facebook login completely?
| NiekvdMaas wrote:
| It's actually the real login page of Facebook in a webview. I have 2FA on all my accounts including FB, so it looked very legit. Once you have logged in, they seem to grep the token and close the webview.
| jlund-molfese wrote:
| I'm assuming the app impersonated a real login with Facebook prompt. When I use a real Facebook login in another app, it tells me which permissions I want to grant to another site, and lets me edit them.
|
| But I wouldn't think twice if I was asked to enter my credentials (which happens if you don't have the Facebook app installed) and didn't receive that permissions prompt.
| IAmNotAFix wrote:
| I don't understand the step where the author is logging in with Facebook.
|
| Was that a legit OAuth 2.0/OpenID Connect login? (In this case this must have been OAuth 2.0 with a scope giving the application write access to business stuff.)
|
| Or was it a phishing page in which the author gave his facebook password?
| admn2 wrote:
| I believe it was actually OAuth or else FB would have likely blocked the login from another country or at the bare minimum sent OP a suspicious login email.
| TekMol wrote:
| This sounds like the author typed their facebook and paypal credentials into the app.
| matsemann wrote:
| Thousands of apps have "Login with Facebook" (and others), and it's often impossible to know if it's a real oauth flow or just a fake login page.
| JimDabell wrote:
| On iOS, if you have the Facebook application installed, the Facebook Login user journey opens the actual Facebook application. If you don't have it installed, it will open the Facebook website in Safari. In both cases, assuming you are an active user of Facebook, you will already be logged in.
|
| If it's a fake OAuth screen? The first tip-off, assuming you use the application, is that it didn't open the application. The second tip-off, in either case, is that it's prompting you to log in. You can verify that you are logging directly into Facebook by going back to the home screen (which is not something an application can intercept), and re-opening Safari or the native application.
| If you were really in Safari / the Facebook application beforehand, it will come back to the same screen. Then you can check the URL to ensure you are on Facebook if you are in Safari.
|
| As far as I am aware, it's never "impossible to know". However it may be difficult for the average user to know how to determine this. For the average user, the rule of thumb "never log in to Facebook if a different application opened the Facebook login screen; only log in to Facebook if you opened the native application yourself or typed the website address yourself" is adequate.
|
| It's also worth mentioning that most password managers will pay attention to the domain, and there's also a mechanism for this for native applications on iOS. So the password manager not auto-filling is another red flag.
| vezycash wrote:
| > On iOS, if you have the Facebook application installed, the Facebook Login user journey opens the actual Facebook application. If you don't have it installed, it will open the Facebook website in Safari.
|
| Can someone else confirm this?
|
| Those authentication screens are scary.
|
| With a web browser, I can at least scrutinize the URL.
| JimDabell wrote:
| If you have any doubt as to whether you are in the legitimate Facebook application or not, return to the home screen and open Facebook from the icon on your home screen.
|
| But really, the tip-off is the login prompt. Unless it's the first time using the Facebook application on this device, you would normally be already logged in and it shouldn't be prompting you to log in to Facebook.
| vezycash wrote:
| I was looking for an android app to make my phone contacts on Outlook available on my phone.
|
| The official app screws up with my share menu. I'd see one set of share targets and just before I hit my choice, outlook will place two contacts at the top. And this causes the remaining to rearrange.
|
| Got pissed and uninstalled it.
| And I don't want to copy my contacts over to gmail.
|
| I tried two contact apps and they both open a login screen - typing my password both times raised alarms in my head. Neither app worked. And couldn't risk trying more apps. Gave up and reinstalled the official outlook.
| WrtCdEvrydy wrote:
| > the scammer used my Facebook auth token to remove me from the Facebook Business entity
|
| If you are able to use the account to purchase something in my name, I would expect the security to at least include a 2FA prompt. I'm not really big into the Facebook ecosystem but this sounds terrible.
| canes123456 wrote:
| You can make paypal charges with a Facebook oauth token? Or did they keyboard log his facebook password?
| danielhua wrote:
| He had a Facebook ads account with PayPal linked, and the hacker used his login info to run their own (apparently Vietnamese aluminum product) ad campaign and spend using his account.
| drcongo wrote:
| Why would anyone link those two things? That just seems insane to me.
| dmix wrote:
| The misspelling of Voucher as Vocher on the big FB call to action (to connect your business FB account) was the biggest red flag to me.
| toxicFork wrote:
| > Initiated a PayPal chargeback process - PayPal responded: "we've determined there was no unauthorized use"
|
| Just wanted to highlight this. Things like this are why I avoid PayPal as much as possible. For many years now.
| deepstack wrote:
| Trust your bank more. Find a good trustworthy local bank or credit union.
| leviathant wrote:
| Back in 2004 or so, I logged into online banking and saw that where I had about $3000 the day before, I now had less than $100. Mortified, I looked and saw that there were a couple of Paypal transactions being processed.
| I didn't see anything in my email, and I logged into Paypal and didn't see anything on the summary screen, but when I looked at the full history, I saw two eBay purchases: One for a hacked PS2, one for a laptop. I was able to contact both sellers: The guy with the PS2 hadn't shipped his yet, and canceled. The laptop seller lamented that he had mailed it right away - to the Philippines. To this day, I don't know how this guy in the Philippines accessed my Paypal account - I did manage to reach out to him, but he expected me to pay him to give up his secrets, and I'm not playing that game.
|
| Anyhow, I called my bank and explained to them that these were fraudulent transactions, and thank goodness you have them on hold but haven't processed them, because my rent is coming up and could you please release the money.
|
| The bank refused. I'd been a member of the same institution for probably a dozen years, had a car loan out through them, was on track to get a mortgage through them in a few years, and they told me that even though I had caught it that very morning, about as soon as I could possibly have caught it, that there was nothing they could do.
|
| Paypal, on the other hand, asked me to sign an affidavit, and a couple of weeks later, fully refunded my account.
|
| I've held Paypal above banks ever since. In retrospect, eBay had acquired Paypal only two years prior, and this transaction happening on eBay probably garnered additional scrutiny at the time. However, nearly every time I read about someone's Paypal account getting locked out, it turns out they weren't paying attention to the Terms of Service - which are, without a doubt, designed to minimize fraudulent use of Paypal as a payment provider. It's why you can't do pre-sales on Paypal - it leaves them open to liability.
|
| For better or for worse, the overwhelming narrative becomes "Paypal sucks", but as you start to look at the big boy payment providers, you'll discover that Paypal is often more permissive by comparison, with rates that are comparable to or better than the big boys when you're running with such small transactional values. And if you end up going to some upstart that will let you do things Paypal won't, that party's only going to last as long as those providers don't get stung by regulatory fees or plain old fraud.
| commoner wrote:
| While it's nice to hear a good story, PayPal is not a bank and a PayPal account lacks the consumer protections that bank accounts in many countries (including the US) receive by law. PayPal takes advantage of this lack of consumer protection to freeze accounts and hold funds for up to 180 days on grounds that aren't necessarily reasonable or disclosed.
|
| https://news.ycombinator.com/item?id=13851120
|
| https://news.ycombinator.com/item?id=1678582
|
| https://news.ycombinator.com/item?id=6333203
|
| https://news.ycombinator.com/item?id=7968737
|
| https://news.ycombinator.com/item?id=18783493
|
| https://news.ycombinator.com/item?id=4455520
|
| https://news.ycombinator.com/item?id=6891306
|
| Financial institutions do not have this kind of control over bank accounts. All bank accounts inherit a level of trustworthiness from consumer protection laws that only apply to bank accounts. PayPal does not.
|
| When PayPal freezes/limits an account in a way that a bank account could not legally be subject to, the problem is not the account holder, but PayPal itself.
| _-___________-_ wrote:
| The amazing thing is that they are equally unpleasant to deal with as a merchant. You'd think they just favoured one side, but no, they screw both sides.
| readams wrote:
| PayPal fraud protection is mostly about making sure PayPal isn't the one holding the bag in the end.
| Any actual prevention of fraud is secondary at best.
| ezconnect wrote:
| They have a recent change that is anti merchant, when someone requests a refund they won't give back the transaction fee. The seller loses out on the sale and pays paypal a transaction fee, the buyer gets their full money and paypal keeps the transaction fee. It used to be returned to the merchant.
| encom wrote:
| I'm honestly surprised Paypal is still in business. Everybody hates Paypal.
| tgsovlerkhgsel wrote:
| The power of network effect.
|
| You can't afford to not accept PayPal because all the buyers have it, and all the buyers have it because you can pay with it everywhere.
|
| An alternative network would have a hard time getting users to sign up.
| Osiris wrote:
| That's weird. As a merchant, I get requests for refunds and even if I provide all the details about the transaction (for me that would be a license key and proof the license key was used) they always side with the buyer.
|
| Really, the only way to not get PayPal to approve a refund is to work with the customer and solve the problem so the customer cancels the refund request.
| jonplackett wrote:
| I think it's A) because it's Facebook. and B) because this type of scam is very prevalent, and no-one wants to be stuck with the numerous bills for it.
| dilly_li wrote:
| In my limited times with Paypal with scam-like charges, Paypal never approves my request.
|
| On the other hand, all my credit card companies, Citi/Chase/etc. approved my similar requests after a review process.
| sokoloff wrote:
| Anecdata here as well. I've had two times where I had to contest a Paypal purchase. In both cases, Paypal took a reasonably short amount of time to rule in my favor. (Both however were for clear-cut cases of "online vendor took an order and _didn't bother to ship anything at all nor reply to Paypal inquiries_".)
| badRNG wrote:
| I've been in two different situations where I have had obviously fraudulent charges on my PayPal. In both cases, PayPal denied my claim.
|
| In both cases, Discover approved charge-backs for the PayPal charges to my card.
| droopyEyelids wrote:
| Did PayPal ban you after the Discover charge-back?
| badRNG wrote:
| Nope, still use them for a handful of things (for convenience.) The charge-backs were of significant size too ($300-$500.) This was around 2012-2013 for one and around 2015 for the other.
| ryan-c wrote:
| Oddly, I have actually been told in the past by PayPal to file a $1500 dispute with my credit card company (AmEx in my case) because for whatever reason they couldn't handle it internally. Didn't get banned.
| mcv wrote:
| I thought PayPal had a reputation for pro-actively blocking payments for really bad reasons, and now they won't block payment when it's a clear case of fraud?
|
| Why does anyone still use PayPal?
| willcipriano wrote:
| > Why does anyone still use PayPal?
|
| Paypal.com -> Subscriptions -> Unsubscribe
|
| Paypal makes it two or three clicks to unsub from any recurring payment. No dark patterns or "call us" required. I use it whenever I can for subscription services.
| fireattack wrote:
| Why?
|
| The payment is authorized by the author (i.e. his PP account wasn't stolen), the whole thing being a scam is irrelevant and PayPal shouldn't be the judge here (if you got scammed and sent some physical items to the scammer, can you ask the post office to take it back?)
|
| I sold digital goods on eBay a few times (like, less than 10 times) and I've already got 3 (!) people claiming their purchase is "unauthorized" after I sent them the goods (redeem codes, so I can't really let them "return"). I'm more than glad that PayPal took my stance instead of giving them a chargeback, since they're likely trying to _scam me_.
| nerdponx wrote:
| _The payment is authorized by the author (i.e. his PP account wasn't stolen), the whole thing being a scam is irrelevant and PayPal shouldn't be the judge here (if you got scammed and send some physical items to the scammer, can you ask the post office to take it back?)_
|
| PayPal does have a 6 month purchase protection policy in many cases. So... maybe, if you manage to argue that this was a purchase that you're entitled to protection for. But that's a different channel and probably a different physical department at the company.
| Sohcahtoa82 wrote:
| > I sold digital goods on eBay a few times (like, less than 10 times) and I've already got 3 (!) people claiming their purchase is "unauthorized" after I sent them the goods (redeem codes, so I can't really let them "return").
|
| This shit is why I don't sell on eBay anymore.
|
| I have a friend who sells stuff on eBay a lot (or at least, used to), and he says about 5% of his sales go to scammers who will request refunds claiming they never received an item.
|
| Of course, now that I think more on it, I wonder how many of those 5% were scammers versus how many of them simply had their package stolen from their front door.
| Dahoon wrote:
| A brick and mortar business normally sees more than 5% loss so if that is a real number it is _great_.
| megablast wrote:
| Tracking numbers exist. What package delivery does not include a tracking number?
| willcipriano wrote:
| The tracking number reports the package as delivered, someone came by and picked it up after it was left at the front door.
| Sohcahtoa82 wrote:
| Having a tracking number doesn't matter if the scam buyer tells PayPal/eBay that you mailed them a brick and not the item they actually ordered.
| lalaithion wrote:
| If the author had paid with a credit card, he could have gotten a refund, and it would be the responsibility of the credit card issuer to track down the merchant and get a refund.
| fireattack wrote:
| And if he had paid with a _debit card_ or wire transfer, he would be even more out of luck than with PayPal.
|
| Why would we (I'm genuinely asking here) consider PayPal more similar to CC than the others? My point being, it could be (closer to) either, and both make sense to me. PP doesn't necessarily need to operate like CC.
|
| After all, CC as a service charges much more with processing fees from merchants and sometimes annual fees from the customers. It's meant to provide a "better/premium" service.
| megablast wrote:
| Not necessarily.
| time0ut wrote:
| I came here to say this as well. PayPal is garbage and should never be used, at least as a consumer. There are much better options available. I have never had PayPal side with me in any dispute, no matter how one sided it was. I closed my account in 2014. Haven't missed it.
| DanBC wrote:
| Just checking you know that many banks would take the same stance.
| starfox64_ wrote:
| I doubt many banks would refuse a charge-back considering this transaction obviously didn't use 3DSecure since it went through PayPal. You'd probably get your PayPal account shut down if it went through though.
| DanBC wrote:
| If the money left your account because you did a thing, even if you did the thing because you were defrauded, a bunch of banks are going to decline to repay you.
|
| Here's news about a new protection scheme in the UK. But this is new (only came in last year), and it doesn't cover all banks. https://www.bbc.co.uk/news/business-48385426
|
| > New protection for individuals tricked into transferring money to fraudsters has now taken effect - but not all banks are signed up to the scheme.
| | > Some 84,000 bank customers lost money - sometimes tens of | thousands of pounds - last year after being caught out. | | > Only a fraction of the amount lost was refunded by banks. | Now a new code should mean more will be reimbursed. | | > The refund will come from a central pot in cases when | neither the bank nor the customer are to blame. | | See especially this bit: | | > Some of the more elaborate frauds see the con-artists | using social media and other avenues such as data breaches | to gather information about their victim, making it more | likely that potential victims believe they are genuine. | | > In all these cases, the individual authorises the | payment. Banks have often refused to refund these frauds as | a result. | toomuchtodo wrote: | American Express has never denied a chargeback I've | initiated. When you say "many banks", of course don't bank | with someone who is going to screw you, like Paypal or Wells | Fargo (and Bank of America or JP Morgan Chase, to a lesser | extent). This should be common (US centric) knowledge by now. | tluyben2 wrote: | Amex doesn't but visa/master/etc depend on the issuing bank | and they can (and do) refuse. More in other countries vs | USA as far as I understand. | toomuchtodo wrote: | Agreed, but if your time has value, (if you can) | structure your financial transactions in a way and with | service providers that derisks you having to spend hours | chasing down your own money when you shouldn't have to | (or going through the motions and being told you're SOL). | And never use Paypal! | klmadfejno wrote: | On some services. You would almost certainly be able to | recoup the money if it was paid for via credit card. | scott31 wrote: | Paypal is 100% right in this case though | 0xFluegel wrote: | Is it though? It surely is _authenticated_ but is it | _authorized_? By whom? Certainly not by the user. | luckylion wrote: | The user has authorized PayPal to give money to Facebook. 
| Facebook wasn't authorized by the user themselves to run | the ad campaign, but PayPal is doing exactly what it | should. | hinkley wrote: | And if the same charges had been made on a Visa card, we | wouldn't be having this conversation. | basch wrote: | If I have a Visa card saved in the Starbucks app, and | somebody uses my Starbucks app, I did not authorize Visa | for that transaction. It would be no different than | losing the card. If somebody picks up my card and swipes | it, "Visa is doing exactly what it should" but also it | wasn't an authorized transaction and should be reversed. | luckylion wrote: | I'm not sure. When you give authorization for "all future | payments to Starbucks until I tell you otherwise" (which | is what you're doing with recurring payments being set up | between FB and PP), you're authorizing that payment to | Starbucks. You're not authorizing Starbucks to take | whatever they want, but that's between you and them, not | you and Visa. Visa just happens to be very accommodating | and will often pressure the vendor. | | Losing your card would have been similar to the OP's | PayPal account being hacked. | behringer wrote: | In what world would paypal be right? Facebook allowed a | scammer to advertise on their platform, and then allowed the | same scammer to steal 4k. Facebook is as much complicit in | this crime as the criminal himself. Paypal was charged by | Facebook. Facebook should not be entitled to the 4k and | PayPal should take it back. | commoner wrote: | A consumer can still file a chargeback through the financial | institution (of the payment method used in the transaction) | after PayPal declines the dispute. Hopefully, the author was | charged on his credit card and not his PayPal balance. Debit | cards and bank accounts are in a gray area for this case. | LandR wrote: | I have a VISA credit card and a VISA debit card. 
| | I was under the assumption that the VISA debit card offers me | the same protections as the credit card but I think I was | wrong... | | > Are PayPal purchases covered? You are unlikely to be | protected under debit card Chargeback schemes for items | purchased using PayPal. In these cases the act of loading | money onto your PayPal account counts as the debit card | transaction so, unless the money fails to be credited, it | won't be covered. PayPal runs its own purchase protection | scheme which extends some cover to your purchases, but it is | in house rather than regulated by law. | commoner wrote: | Consumer protections are based on your country's laws, but | credit cards will generally have stronger protections than | debit cards and bank accounts. In the US, the consumer's | liability for unauthorized credit card use is capped at | $50, while the liability for unauthorized debit card and | bank account use is capped at $50 (2 days), capped at $500 | (3-60 days), or is unlimited (61+ days) depending on when | you report it. Most American financial institutions go | beyond the law to promise $0 liability for unauthorized | credit card use. | | https://www.consumer.ftc.gov/articles/pdf-0075-lost-or- | stole... | | In the US, you don't have to pay the disputed portion of a | credit card bill while the chargeback investigation is | ongoing. Most financial institutions will issue a temporary | credit to make this clear. | | https://www.consumer.ftc.gov/articles/0219-disputing- | credit-... | | If anyone here is familiar with Dutch law, the author might | appreciate your input. | ma2rten wrote: | But how would that work in this case? The customer | authorized paypal to be used for facebook ads, someone | ran facebook ads using their account. If I give my Amazon | log in credentials to someone and they order a bunch of | expensive TVs to their house without my knowledge, can I | get a chargeback?
| fencepost wrote: | IIRC the institutions distributing debit cards (banks, | credit unions, whatever the heck PayPal is, etc) will | often 'voluntarily' give you effectively the same | protections as for credit cards _at their discretion_ | because they want you to have and use those cards and the | benefit they get through transaction fees, etc. outweighs | the cost of the fraud that happens. | | Details are likely spelled out in the multipage 5-pt text | pamphlet that you received with a new debit card at some | point. | scoutt wrote: | I wonder what would happen if the author shows this article to | PayPal (if not done already), showing that also Facebook | confirmed the scam and Google taking down the app. | novaRom wrote: | Exactly this. In my recent experience PayPal is also absolutely | inaccessible for a chargeback resolution. This was the reason I | left booking.com, now I am considering to get rid of PayPal. In | my opinion no serious transaction should ever be done on either | platform. | tgsovlerkhgsel wrote: | What issues did you have with Booking.com and what are good | alternatives? | | I absolutely loathe them for their high-pressure sales | tactics (their site is full of dark patterns and booking | there is outright stressful; it feels like you're trying to | browse while a drill sergeant is constantly yelling into your | ear "BOOK NOW YOU WORTHLESS SCUM, BOOK, BOOK, WHAT ARE YOU | WAITING FOR YOU IMBECILE, CLICK IT, BOOK, NOW, NOW YOU | MAGGOT") - however, unfortunately they often do have the best | price (by far) or are the only place certain accommodations | are available, and aside from the drill sergeant, their UX is | absolutely perfect. | | I've been burned far too often with sites that let you go | through the entire flow only to tack on ridiculous fees for | payment or simply fail to process your credit card. 
| except wrote: | The app looks poorly made and there are clear spelling mistakes | plus the fact that it was not offered by TikTok which should have | made you suspicious. It sucks this happened but maybe you should | have done some research and checked if this app actually did | belong to TikTok. I assume the app also asked you to login to | Facebook directly rather than OAuth which should also have made you | suspicious. | Avamander wrote: | Very American opinion. You are aware that there's a lot of non-native English speakers who can absolutely miss a few typos? | except wrote: | My apologies, I missed that possibility. The app still looks | poorly put together regardless. | babuskov wrote: | > _you_ should have done some research | | Just to be clear, this didn't happen to me. I just posted what | Niek van der Maas wrote on his GitHub. I don't think he's even | reading this HN thread, so no use giving him advice. | klmadfejno wrote: | I've often heard the argument that scams add spelling mistakes | to only catch the idiots that have a high conversion rate for | the scam. That doesn't feel like it makes sense on something | like this which is highly sophisticated. Is it just bad | quality? | except wrote: | My point was that official applications rarely ever include | them, not that it was intentionally placed there. | aurelien wrote: | You lost your life with facebook and that does not disturb you ... | so thanks for the 4K ;-) | PerilousD wrote: | sorry for your loss - but you are STILL using Facebook? Any | future problems look and hard in a mirror. | sjroot wrote: | As someone who also takes all the right account security | precautions, I too have been fooled by a scam Facebook ad. It | seems like this is an increasingly-common attack vector that FB | needs to address. | | Specifically, I think it would help for them to verify ads, as | they do people / pages. | Nextgrid wrote: | Is there any evidence that the people/pages verification is | safe?
I've seen plenty of fake accounts and the existence of | misinformation or outright criminal (card fraud, etc) pages | suggests the opposite. | Avamander wrote: | Yet another scenario where we're collectively being bitten in | the ass because most of the world is still lacking a proper | digital identity system. | | If you're thinking that sending pictures of identity documents | or bills is going to fix it, no: it's clown-tier identity | verification and will just postpone the issue a tiny bit with | massive human resource cost and false negatives. | donmcronald wrote: | > it's clown-tier identity verification | | I remember learning this when I got my first code signing | certificate. I had to jump through a TON of hoops including | sending notarized copies of my ID to Comodo. After all that, | they asked ME to send them a list of notaries for my | jurisdiction. They also wanted a direct line to call the | notary I used which is basically impossible to provide. | | The verification is outsourced to the cheapest English | speaking 3rd world country they can find and there's ZERO | localized knowledge. I don't think you could build a system | that's worse if you tried. The whole thing is just a process | of checking boxes which is very similar to most of the 2FA | systems in existence. | spzb wrote: | But then they'd lose that sweet revenue | prox wrote: | One attack I personally had was when I had an Android tablet | and a client who has business in China asked me to put a | promotional video on some Chinese version of YouTube. So I | thought I found the app in Play store, but once opened it asked | me something in Chinese, so just thinking this is an obligatory | privacy agreement or something, I clicked okay. Instead it | started downloading an update, and rebooted. Afterwards my tablet | was malware-ridden and unable to be recovered, because of the older | version of Android. | | I learned that a lot of apps behave differently if they find a | different language keyboard.
I don't know if this attack is | still possible in Android, it's been some years now. | spzb wrote: | So this basically amounts to "sign in with Facebook and the app | gets a token with which it can control your whole account"? | zenexer wrote: | Perhaps the most interesting part is the final line of the | document: | | > Initiated a PayPal chargeback process - PayPal responded: | "we've determined there was no unauthorized use" | | While I get the impression that the user had authorized Facebook | to charge via PayPal in the past, I find this conclusion rather | silly. If I give my credit card number to Amazon, and someone | hacks my Amazon account and starts making random purchases, | chances are I'd have no trouble filing a chargeback. | donmcronald wrote: | Yep. Authentication is being used as an excuse to blame the | user. It's because Facebook's a big company. If it was a small | website where a user got phished PayPal would have charged it | back IMO. | tobyhinloopen wrote: | I think the trick here was to prompt the user with a fake oauth | screen. Many legit apps show the oauth screen using a web frame | inside that app. It is absolutely stupid that it is still a | common occurrence. | | If you need to enter your credentials when using sign-in-using-xxx, be VERY cautious. Even if you have 2FA enabled, the fake | oauth screen can just ask you for the 2FA code. You have no way | of knowing whether the login page is keylogged or hijacked. | JangoSteve wrote: | This was pretty much an exact question I had about OAuth 10 | months ago: | | Something I still don't understand about the OAuth flow is how | it's _not_ training users to be more easily phished for actual | usernames and passwords. The very first step is "If you are not | logged into the third-party, display a login-form from the | third-party."
| | The thing is, you never really know off-hand if you're logged | into the third-party (provider) or not without opening a second | tab and going directly to the third-party's site, since you're | always getting logged out after various timeouts, cookie-clearing, browser-closing, and computer-restarting events. | | What prevents an OAuth client application from displaying an | OAuth process that shows a fake login form, which looks | identical to the provider's login form, to get the user to | enter their provider username and password before they realize | the URL is off? It seems like it trains users that it's normal | for websites to launch a Gmail login form and this is perfectly | safe. | | https://news.ycombinator.com/item?id=21357370 | donmcronald wrote: | I think you're right. Users are being trained to enter their | passwords and 2FA tokens everywhere with the false promise | that 2FA makes it secure. Even U2F using a signed challenge | seems iffy to me. | | This [1] says "In fact, the spec requires that browsers only | expose the API in secure contexts", so if that's correct it's | better, but still not good enough. | | This [2] looks like it does U2F by grabbing the challenges | via browser plugin and relaying them to a phone app for | signing. | | Trusting the browser to "expose the API in secure contexts" | seems like a failure because it's assuming nothing else can | collect the credentials or send a challenge to a security | key. Is that true? Could I write an app that would phish a | user into signing a challenge with their security key? | | 1. https://security.stackexchange.com/a/206549/134291 | | 2. https://krypt.co | georgiecasey wrote: | I'd guess it's a fake oauth screen as well. I coded one of the | first (I think) Tinder auto likers for Android back in 2013, | and the only way I could do it was get the real facebook | username and password and log into Tinder on the phone in the | background.
I just put up a fake Oauth HTML page in a webview | and saved the login, with a disclaimer of course, but nearly | everybody ignored it. I was surprised how easy it all was. | dragonwriter wrote: | > Even if you have 2FA enabled, the fake oauth screen can just | ask you for the 2FA code. | | Not all 2FA is "enter a code"; it's a lot harder for a fake | oauth screen to send a request to your registered | authentication device. | | EDIT: this doesn't really help, as a reply points out. OTOH, | separate side channel verification of logon from unexpected | devices does. | snazz wrote: | Is it? Couldn't the backend (or even a human attacker) just | type the credentials you provide into the real login page, | giving you the "tap yes" push notification just the same? | dragonwriter wrote: | Come to think of it, you're right. I was mentally combining | that 2FA method with "new device attempted login" | detection, but the latter is usually separate from 2FA. If | a login system uses that and provides notice and requires | confirmation through a side channel, rather than merely | providing informational notice, it will stop (or at least, | make it easier to stop; a second user mistake or | preexisting side-channel compromise is still possible) the | attack. If it's just notice, it may at least limit the impact or | streamline recovery from the attack. | | But now that I think about it, it would make sense to | combine new device notification with push-notice 2FA for | exactly that reason, since you've got a push channel that | takes a confirmation already, flag unexpected devices in | that channel as well and it becomes much more secure. | AntonyGarand wrote: | It absolutely is: https://github.com/kgretzky/evilginx2 | tialaramex wrote: | Yup. Notice that this can't work on WebAuthn (or its | predecessor U2F), which is why everything should do | WebAuthn and you should ignore attempts to downgrade you | to any other method.
| | An attacker can play the legitimate WebAuthn request from | the real site, which will (statistically certain) be | nonsense if played by their phishing site. | | Or they make their own request, which doesn't help them | because it's not valid on the real site they want to sign | into so it's pointless. | GoblinSlayer wrote: | And even if you find a correct oauth address, you still have | the risk that you understand what permissions you give and | facebook implements them correctly. | twodayslate wrote: | This wasn't mentioned anywhere in the article sadly | atum47 wrote: | I'm getting tired of flagging false ADs on Facebook platform (in | my case Instagram). | | [https://imgur.com/a/1MUuST4] | | The image above is a confirmation that they removed a false AD I | flagged and thanking me for it. Yeah, ok, but as I said, I'm | getting tired of flagging this kind of ads. | | I sent an email to Instagram not so long ago, complaining that it is | hard to tell an official AD from a fake one on Instagram, because | they use that ridiculous thing of opening a webpage inside their | own browser (?!) hiding the address. | | I'm sorry that this happened to you. I usually deal with low | effort scams (but they usually get my parent's attention) but | maybe it's time for Facebook to be held accountable for this kind | of stuff. | | Did you buy a TV from an AD you saw on Instagram and it turned | out to be a scam?! Well, let's hold Facebook accountable. Maybe | they'll improve their ADs platform. | noisy_boy wrote: | Not sure if Facebook allows some sort of max-spend cap that can | only be increased with a 2FA together with an alert from the | Facebook app itself. That should at least alert someone in the | sense that "why am I getting a confirmation message to debit for | a voucher credit" and worst case scenario even if they don't | realize it, should limit the damage. | tnolet wrote: | I'm clueless about mobile stores and reviews.
How does such an | app get so many positive (obviously fake) reviews? | squeaky-clean wrote: | It's really easy to find services like this just by googling | the right thing. I've never used one, but just from a quick | search $630 can get you 200 five-star reviews. I don't know if | the site I found will let you repeatedly purchase for even more | reviews, but several of these sites came up when I googled so | it would also be pretty easy to just use 5 different fake | review sites to get up to 1000 fake reviews. | | If the price is consistent across them, that means 1000 reviews | costs about $3.1k. Expensive, but it apparently only takes 1 | tricked user to become a profitable scam. | | Not saying a similar scam would not have fooled me, as I'm | looking at the screenshot in the article with the knowledge | that it's a scam, so it's an unfair comparison. However the | first thing that immediately stands out to me is there are no | 2,3,4 star reviews on this app. The reviewer comments are also | very generic and have many grammatical errors in each featured | one in the screenshot, and the featured reviews are all from | Sept 1. | rasz wrote: | Want $1? download and like 5 of our apps! works great in | countries with $1/hr wages. | mikorym wrote: | I don't know whether this is relevant for fact checking, but the | ad logo in the first image with the bullseye image uses an image | (the bullseye itself with the arrow) that is available as a | logo/icon on MS Office exactly as is. | jrockway wrote: | I read things like this and keep thinking about the "web of | trust" from the 90s. There is no way to visit some random app | store, or read an email or website, and trust that it's actually | officially what it says it is. The author of this article relies | on some heuristics; good spelling, reasonable-sounding developer | email, reasonable Java package name, etc. but these things can go | either way.
It is possible for a scammer to be good at spelling, | and it is possible for a big company to contract out some app | they don't care about to the lowest bidder and be perfectly | running their ads program through the "FooCorp Develop App; | ru.definitelynotascam.dumbcodename". It has historically been an | okay data point, but in the future scammers are going to be good | at English -- it's only a matter of time. | | Where I'm going with this is that there needs to be some sort of | mandatory linkage between something you trust and this random app | you see on the app store. You trust Google. You trust TikTok. So | why doesn't Google generate some sort of code that TikTok can | stick in their DNS (or website) to create a linkage? By default, | an app on the store could say "not trusted by any company", but | then TikTok could add that record on their website and it would | say "Trusted by TikTok" or something. | | There are some problems with this, of course. Anyone could claim | any app, and then you'd see incorrect information. DNS and web | servers can be hacked, TLS roots of trust aren't trustworthy, | etc. But there has to be some way to create this linkage safely, | so that people aren't misled again and again and again in the | same way. | GoblinSlayer wrote: | Just go to tiktok site and download whatever you want there. | But if you go to app store, you can barely tell what is what in | this grey faceless pile of garbage. | Exuma wrote: | How does simply connecting/logging in with an app give the FB | application permission to spend on your business manager ad account...? | stiray wrote: | (My moral compass is still up and running while some call | disabling it "running business") | | I wonder why something like this never happens to me? | | - I am not paying a dime for advertising as it is completely | inappropriate to spam more users with ads (Zillions of ads and | you are one of them? And this works? Really? Not for my users and | my reputation.)
| | - I don't use facebook as I have real friends to go to a beer with | | - I don't open any ads (but ad nauseum [1] does) | | - I don't use TikTok and I don't see anything positive in it so | even if I would be advertising I surely wouldn't spam kids with | ads | | -- ... | | (I could call this whole event a "poetic justice") | | [1] https://adnauseam.io/ | | (edit: fixed wrong wording as suggested - anyway I don't attack op | - in same manner I don't attack drug dealers. I am just explaining | why I don't do that. Or sell drugs. Someone might learn something | from it.) | [deleted] | elwell wrote: | > unappropriate | | "inappropriate", as in: "Your attack on OP is inappropriate." | jariel wrote: | Can someone explain what happened here? | | 1) His FB credentials were hacked? | | 2) All to force 'spend' on some odd Vietnamese ad? How does that | benefit the scammer? | | 3) If the money went to FB for clearly scummy purposes, how on | earth does FB not simply refund the ad spend? There's no cost of | goods sold here for them, usually they should be pretty easy on | giving you the money - or at very least giving you credits? | OJFord wrote: | 3 - yeah my reaction too, I imagine it will be no problem, just | OP's case hasn't yet reached someone who can refund that | figure. | fsaintjacques wrote: | Let me introduce you to the underworld of affiliate marketing | https://www.investopedia.com/terms/a/affiliate-fraud.asp | | There's always money to be made if you can generate significant | legitimate traffic to a given destination. | alphager wrote: | 1) Yes, they either outright stole the credentials or stole an | oauth-token. | | 2) The scammer either actually has a Vietnamese metallurgy | business or (more likely) sold ad space on facebook to a | Vietnamese metallurgy business. | | 3) yes | catchmeifyoucan wrote: | Voucher was spelled as "Vocher" in multiple places. At first I | thought it was localization, but then I realized that the author | spells it as "Voucher".
That was the red flag for me. | danielhua wrote: | As someone who's fairly involved with the e-commerce/digital | marketing space, let me just say I'm amazed by how brazenly | _nasty_ this scam is. | | The TikTok promotional program is actually a real thing that does | give around that amount of ad credit, and they have been | promoting it very aggressively on Facebook for a long while | now, so it makes sense that OP wouldn't have had any mental red | flags triggered by the designs and creatives used by the | scammers. The real killer is that PayPal is actually well within | their rights to process this transaction (as part of the billing | agreement generated when you link PayPal to Facebook Ads Manager: | there actually was real ad spend in a real Facebook ad auction), | so it's down to Facebook itself to refund the ad spend. (As an | aside, I'm actually impressed that OP managed to reach Facebook | support at all, and that they acknowledged or even understood | what the problem was. I have had worse experiences in the past | with FB...). What's really amazing to me is that the scammers | managed to get on Google Play with thousands of obviously fake | reviews, and get through Facebook ad review at all. | | The scammer silently removing OP as an admin from their own ad | account, preventing them from noticing or stopping the fraudulent | ad campaign is just icing. | | I suppose the real lesson to be learned is to simply avoid | installing native applications when you can help it. OP didn't | screenshot the login screen in app, so I can only assume it was a | real Facebook oauth flow, but honestly at that point it's already | too late. If anything OP should be grateful that the native app | running on what was presumably his personal device didn't do | anything worse. | gowld wrote: | Tiktok is giving away $3K in ad credit per customer? And the | regular price isn't massively overpriced?
| | jauntbox wrote: | Is this something that could have just as easily happened | through Apple's app store? This sounds like exactly the type of | thing that those 30% app store cuts should be going towards to | prevent (regardless of the platform). | user5994461 wrote: | > The scammer silently removing OP as an admin from their own | ad account, preventing them from noticing or stopping the | fraudulent ad campaign is just icing. | | This hints of not having 2 factor authentication anywhere in | the chain? | | Would definitely advise setting up 2 factor authentication on | anything managing 5 figure sums. | StavrosK wrote: | How would that help? They were removed via the API, no | passwords were stolen. | danielhua wrote: | I was surprised too since OP's writeup indicates that he has | 2FA on everything. You would think that you'd at least get an | email or push notification if you get removed from an ad | account/notification settings get changed, so it seems like | an oversight by FB. | jandrese wrote: | Hardly anybody does the "when changing an email address on | an account send an email to the old address to allow them | to revert the change and temporarily lock the account". It | seems like such an obvious thing to do. | kbenson wrote: | 2FA is how you protect your credentials from being stolen and | used. This wasn't a case of credentials being stolen, this is | a case of someone being tricked into authorizing a separate | account to take action. The hacker didn't change his | credentials to lock him out, it literally revoked access from | his Facebook login to the ad account. | | I'm using "login" and "account" specifically here to | highlight the difference. On systems where there are likely | to be multiple people that need access, there's a distinction | between the "service account" and "logins or user accounts" | that can control it.
Generally, when the service account is | created by a login, that login is added implicitly as a | controlling user account with full privileges, and other user | accounts (logins) can be added with varying levels of | control. This situation appears to have been along the lines | of the following: | | 1. User "real_user" creates facebook ads account id 123456, | and real_user is the admin of the ads account id 123456. | | 2. At some point real_user adds "scam_user" to the facebook | ads account id 123456 with full admin permissions. | | 3. scam_user uses the full admin permissions it has for | facebook ads account 123456 to remove access for real_user. | | Note that this is a fully legitimate and common action to take | in systems like this. If you are a business and pay someone | to manage your facebook ads, they are likely the admin on the | account (and you may be too), and if they leave and you hire | a new person to manage it, you would want to revoke the old | employee's account access and add access to the new | employee's account. | | This is how you handle it on Google Suite, Zoom's business | accounts, Active Directory in Windows domains, etc. The real | problem here is that the scammer got enough permissions to | revoke the original user, and the original user did not get | an email notification. I'm not sure if facebook ads allows | adding accounts with limited permissions so only certain | actions can be taken and part of the scam was making the | permissions asked for non-obvious, or if that's a permissions | distinction facebook ads doesn't support. | jellevdv wrote: | Maybe the oauth scope requested edit access to the FB | business manager? That way the scammer can remove OP from the | business and add himself via the API | throwbacktictac wrote: | I'm curious if the oAuth flow requested a specific scope to | have permission to remove the user from their Ads account. If | so, did Facebook make it clear that the permission was being | requested.
| | I must say that it was a pretty clever scheme. | Osiris wrote: | When you do a login with Facebook, does the popup show you | what permissions are being requested? I know I've seen that | before. | pbronez wrote: | Permissions scoping is a really under-utilized tool. | | I see this most often with extensions, which usually want to | act on all domains when they should really need an allow list | of just 1-2 domains. There are also many app integrations | that use an API token that just straight bypasses login with | NO security restrictions. | | I would use a lot more app integrations if I knew I could | trust the host platform to keep the apps honest. | | I think we're missing a lot of innovation because we lack | secure and reliable integration points between commodity | services. Banking and Health are the most obvious issues. It | should be trivial for me to authorize a third-party app to | download transaction history from any bank without giving it | the ability to change anything. I should be able to assemble | my entire medical history by pulling from any medical office | I interact with, and push that to any provider I choose to | use. | | There are lots of industry incentives to prevent this though. | It's just like the Cable Card saga. You need strong, un-captured, technically-literate regulators to fix this stuff | and unleash broader innovation. | firloop wrote: | It's possible that the attack didn't happen through the | regular oauth credential request flow -- if the OP logged in | to Facebook inside of an app-controlled webview, the app | could have just exfiltrated the user's login cookie and | performed the change using "first-party" Facebook APIs. | jonplackett wrote: | The problem with many attacks is we've now been trained to | do dumb things - like putting our password into webviews | inside 3rd party apps - by reputable companies. So it | doesn't feel as insane as it should do. | andybak wrote: | Yes. A thousand times yes.
|
| oAuth outside a browser is just training people to be phished.
| Ayesh wrote:
| This is what I think too. WebView doesn't show the domain of the page, and it is not possible to see if you are really on the Facebook login page, or somewhere the attacker controls. Unless the attacker was using a Yubikey or some sort of hardware token, the victim would have entered the TOTP code too, which the attacker can ask for and pass on to authenticate successfully.
| donmcronald wrote:
| How does a YubiKey prevent that kind of relay attack? If those keys blindly sign whatever's given to them, there's got to be a way to trick a user into signing something malicious.
|
| This [1] says that U2F avoids phishing by having the browser tell the 2FA device the domain, but that seems a bit weak to me. The same site even has an app where the info is relayed via a browser plugin, so literally relaying the data that's supposed to be trusted. The only way I can see that actually working is if the security key knew to only sign challenges for a specific domain.
|
| 1. https://krypt.co/blog/posts/prevent-phishing-on-the-web-with...
| jrockway wrote:
| The security of the browser implementation is important. It provides the origin for the security hardware to sign, and the authenticating server ("relying party") verifies it. If your browser tells the key it's google.com when it's really evil.com, then sure, you can log into google.com if the user signs the request.
|
| The WebAuthn spec says: "Direct communication between client and authenticator means the client can enforce the scope restrictions for credentials. By contrast, if the communication between client and authenticator is mediated by some third party, then the client has to trust the third party to enforce the scope restrictions and control access to the authenticator.
| Failure to do either could result in a malicious Relying Party receiving authentication assertions valid for other Relying Parties, or in a malicious user gaining access to authentication assertions for other users."
|
| (https://w3c.github.io/webauthn/#sctn-client-authenticator-pr...)
|
| If you click further into the older FIDO spec, they cover this more explicitly: "Malicious software on the FIDO user device is able to read, tamper with, or spoof the endpoint of inter-process communication channels between the FIDO Client and browser or Relying Party application. Consequences: Adversary is able to subvert [SA-2].
|
| Mitigations: On platforms where [SA-2] is not strong the security of the system may depend on preventing malicious applications from being loaded onto the FIDO user device. Such protections, e.g. app store policing, are outside the scope of FIDO."
|
| (https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-se...)
| donmcronald wrote:
| I learned a lot from that. Thanks!
| searchableguy wrote:
| > I suppose the real lesson to be learned is to simply avoid installing native applications when you can help it.
|
| I looked at the playstore page and it immediately raised many red flags. The app isn't by Tiktok or Bytedance.
|
| It's like clicking on a similar looking domain link in your email.
| tgsovlerkhgsel wrote:
| > OP didn't screenshot the login screen in app, so I can only assume it was a real Facebook oauth flow
|
| My guess would be that it was an in-app phishing page. Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.
|
| > but honestly at that point it's already too late. If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse.
|
| On phones, sandboxing significantly reduces the risk.
| Yes, it is possible to break out of the sandboxes if you have an exploit for that device, but it's a lot harder than on desktop where by default anything you install has full control over everything and could just steal all the users' passwords.
| tgb wrote:
| > Many legitimate login flows result in the official login page opening in a web view and asking for a password, which is indistinguishable from a phishing page.
|
| I don't understand how Google/Facebook/etc can allow this to happen, let alone encourage it. I'm just baffled.
| coddle-hark wrote:
| How could they prevent it?
| tgb wrote:
| Ban apps that do that.
| gruez wrote:
| And how are they supposed to do that? If it's a fake login (aka phishing) page facebook wouldn't even know about it. The only _effective_ way is to dissuade consumers from entering their login credentials in-app, but even that's tricky because if it's a malicious app they could "fake" a web browser complete with a fake "address bar".
| andybak wrote:
| This is why "with a password manager" is a crucial part of the puzzle.
|
| You have to fail at several steps if you're entering your credentials in this scenario.
| tgsovlerkhgsel wrote:
| AFAIK Google doesn't encourage it and made some efforts to block it: https://auth0.com/blog/google-blocks-oauth-requests-from-emb...
|
| Hasn't been 100% effective unfortunately, and even if it was, it's really hard to make users understand that this flow is incredibly dangerous.
|
| And while Google on Android can simply go through system libraries, Facebook doesn't have the option if the app is not installed. They have to open something that will allow the user to log in (usually a browser), which is something the app can fake (in the case of the browser, just fake the whole browser UI, fake address bar included).
| tgb wrote:
| I misunderstood the part I quoted, I thought it was about web pages asking you to log in via Google/Facebook.
| So the problem I was thinking of is more generally entering Google credentials into logins provided to us by a third party. The "don't use the link in your email to log into google, go to gmail.com instead" advice has been seriously degraded by this. It should always be that if you aren't already logged in, you have to go yourself to gmail/facebook/etc and log in there.
| bobbyi_settv wrote:
| > avoid installing native applications when you can help it
|
| Why couldn't a web site have stolen his credentials in the same way?
| JeanMarcS wrote:
| I guess you'll have a better chance to spot the URL is fake than in an app where you won't see it
| andybak wrote:
| And notice that you're logged out which is unusual in many cases.
|
| And a bunch of other potential signals that would be missing in a native app.
|
| It's not foolproof but it's a step forward.
| Causality1 wrote:
| To me the lesson is the same old basic web security practice: don't click links, navigate to pages yourself. When he saw the ad that interested him he should have googled the offer instead of clicking on the ad.
| rsync wrote:
| "If anything OP should be grateful that the native app running on what was presumably his personal device didn't do anything worse."
|
| I don't understand why _any_ of these actions would be taken with a mobile phone ...
|
| What I mean is, managing advertising campaigns and budgets and managing assets and spend, etc., is kind of a complicated workflow ... further, it's a fairly critical business process involving a lot of money.
|
| I can see ordering some workroom supplies or paying a hosting bill with my phone ... but creating and managing ad campaigns? That seems very unwieldy and inefficient. Google adwords, through the web based interface, is _very complex_ and there's a lot of functions there. I can't imagine trying to do this on a phone.
|
| So what am I missing here?
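Going back to the U2F/WebAuthn exchange above (donmcronald asking how a key that "blindly signs whatever's given to it" stops a relay, and jrockway's answer about the client supplying the origin), here is that mechanism reduced to the checks a relying party actually performs. This is an added example, not code from the thread or from any FIDO implementation. It assumes an HMAC with a per-credential secret in place of the authenticator's ECDSA signature (so it runs on the Python standard library alone); the hosts, challenge and secret are constructed for the demonstration. It runs three cases: an honest login, a phishing page relaying the real challenge through an honest browser (rejected, because the browser refuses the foreign rpId and records the real origin), and the same relay through attacker-controlled client software (accepted, which is exactly the mediated-channel [SA-2] case the quoted FIDO text warns about).

```python
"""Origin binding in a WebAuthn assertion, reduced to its checks.

Added example, not code from the thread. The authenticator's ECDSA signature
is replaced by an HMAC with a per-credential secret (an assumption, so this
runs on the standard library alone); the rest follows the shape of a real
assertion: clientDataJSON, authenticatorData = rpIdHash || flags || signCount,
and a signature over authenticatorData || SHA-256(clientDataJSON).
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

FLAG_USER_PRESENT = 0x01


class ClientSecurityError(Exception):
    """Raised by an honest client when a page asks for an rpId it may not use."""


def _rp_id_allowed(origin, rp_id):
    # WebAuthn rule: rpId must be the origin's host or a registrable suffix of it.
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def _client_data_json(challenge, origin):
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(data, separators=(",", ":"), sort_keys=True).encode()


def authenticator_sign(cred_secret, rp_id_hash, client_data_hash):
    # The key signs whatever the client hands it; it never sees the address bar.
    auth_data = rp_id_hash + bytes([FLAG_USER_PRESENT]) + (1).to_bytes(4, "big")
    sig = hmac.new(cred_secret, auth_data + client_data_hash, hashlib.sha256).digest()
    return auth_data, sig


def client_get_assertion(cred_secret, page_origin, rp_id, challenge,
                         honest_client=True, claimed_origin=None):
    """Model of navigator.credentials.get() in the browser/platform client.

    An honest client enforces the rpId scope rule and records the real page
    origin. A malicious client (software mediating the channel to the
    authenticator, the [SA-2] case from the FIDO spec) can lie about both.
    """
    if honest_client:
        if not _rp_id_allowed(page_origin, rp_id):
            raise ClientSecurityError(f"{page_origin} may not use rpId {rp_id}")
        origin = page_origin
    else:
        origin = claimed_origin or page_origin
    cdj = _client_data_json(challenge, origin)
    auth_data, sig = authenticator_sign(cred_secret, hashlib.sha256(rp_id.encode()).digest(),
                                        hashlib.sha256(cdj).digest())
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}


def rp_verify(cred_secret, rp_id, allowed_origin, expected_challenge, assertion):
    """Relying-party checks: client data, then authenticatorData, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge"
    if cd.get("origin") != allowed_origin:
        return False, "origin"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"
    if not ad[32] & FLAG_USER_PRESENT:
        return False, "user-presence"
    expected = hmac.new(cred_secret, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature"
    return True, "ok"


# Constructed values for the demonstration; not real credentials or hosts.
CRED_SECRET = b"constructed-per-credential-secret"
RP_ID, RP_ORIGIN = "example.com", "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"


def legitimate_login():
    assertion = client_get_assertion(CRED_SECRET, RP_ORIGIN, RP_ID, CHALLENGE)
    return rp_verify(CRED_SECRET, RP_ID, RP_ORIGIN, CHALLENGE, assertion)


def phishing_relay_with_honest_client():
    """The phishing page relays the real challenge and gets the user to touch the key."""
    try:
        client_get_assertion(CRED_SECRET, PHISH_ORIGIN, RP_ID, CHALLENGE)
        return False, "client should have refused the foreign rpId"
    except ClientSecurityError:
        pass
    # Best the attacker can do is its own rpId; the RP rejects the relayed assertion.
    relayed = client_get_assertion(CRED_SECRET, PHISH_ORIGIN, "example.com.evil.test", CHALLENGE)
    return rp_verify(CRED_SECRET, RP_ID, RP_ORIGIN, CHALLENGE, relayed)


def phishing_relay_with_malicious_client():
    """Same relay, but attacker software sits between the page and the authenticator."""
    forged = client_get_assertion(CRED_SECRET, PHISH_ORIGIN, RP_ID, CHALLENGE,
                                  honest_client=False, claimed_origin=RP_ORIGIN)
    return rp_verify(CRED_SECRET, RP_ID, RP_ORIGIN, CHALLENGE, forged)
```

The point of the third case is the one the thread circles around: the key itself never checks a URL, so the guarantee is only as strong as the client that builds clientDataJSON and computes rpIdHash. A TOTP code relayed through a phishing webview has no equivalent of the origin and rpIdHash checks at all, which is why the relay works against TOTP and fails against an honest WebAuthn client.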
| forgotmypw17 wrote:
| It's not that unreasonable. When I am on the road, it can be days between sitting at a desktop. If I can do something on my mobile, I'll do it, or try.
|
| I don't get involved in ad buys.
| AdrianB1 wrote:
| Laptops exist as a very efficient middle way between a desktop and a mobile phone: all the desktop functionality and the benefit of mobility. This is not an add :p
| 8ytecoder wrote:
| I fell for a (now) very obvious scam on Instagram. It seems to me that it's really easy to bypass their checks. It was a fake ad for a real product. They accepted PayPal and it took forever to get PayPal to refund me. Worse yet, even after multiple escalations PayPal continued to be on the website. Instagram continued to show me ads for the exact same product from different domains. I realized that PayPal is next to useless if you're a victim of fraud. It's much better to use a credit card directly (esp Amex or Discover) and challenge fraud than PayPal.
| jkoudys wrote:
| Maybe it's because the banks are all pretty good and modern in Canada, but I honestly just don't get PayPal. My credit cards are all very easy to pay with, fraud detected quickly and easy to dispute, and many purchase types insured.
| yawboakye wrote:
| I use PayPal as a front to my bank account via SEPA Direct Debit, which has an 8-week no questions asked refund policy. If PayPal doesn't cooperate when I raise the issue I can easily get my money back through my bank. But I still like to dispute just so the business goes on record for fraudulent transaction.
| TedDoesntTalk wrote:
| In the US, debit cards do not have the same consumer protections that credit cards do. If you've gotten refunds from your bank for debit card fraud, you are lucky.
|
| https://www.investopedia.com/articles/personal-finance/05021...
|
| "But if the item was bought with a debit card, it cannot be reversed unless the merchant is willing to do so.
| What is more, debit card theft victims do not get their refund until an investigation has been completed. Credit card holders, on the other hand, are not assessed the disputed charges; the amount is usually deducted immediately and restored only if the dispute is withdrawn or settled in the merchant's favor. While some credit and debit card providers offer zero-liability protection to their customers, the law is much more forgiving for credit card holders."
| viraptor wrote:
| Direct debit is not a debit card. It's an authorisation to pull funds from your debit account as needed.
| avianlyric wrote:
| You should be careful relying on that. While many Direct Debit systems have some sort of quick refund guarantee, they don't guarantee that you get to keep the money.
|
| The normal flow will be your bank reimburses you from their own pocket. Then goes after the merchant to recover the funds, however if the merchant can present evidence that the charge is valid then your bank will attempt to claw the money back from you.
|
| Now the important question here is what a "valid" payment is. Normally the direct debit scheme will outline what that is, and it is probably something very simple like there's evidence that you requested the funds be removed from your account. With something like PayPal they can probably claim that the request was valid, at least the bit between PayPal and the bank was, and that the onwards movement of money is a separate issue that doesn't fall under the direct debit guarantee.
|
| It's worth really digging through the small print on these things, they're frequently a lot less helpful than you think, and PayPal has managed to exploit these little holes to their benefit.
|
| Personally I avoid using PayPal where possible and stick to debit/credit card where you have a very simple relationship between you, your bank and the merchant.
| Which makes disputes much easier, and places the law very much on your side. All this comes from experience dealing with disputes from the bank's perspective, and trying to get the right result for the customer, while dealing with payment schemes, and regulatory obligations.
| jrochkind1 wrote:
| I recently made a purchase that turned out to be fraudulent on paypal, and somehow had no trouble getting my money back relatively promptly. It may have taken about a week from when I filed "I never got the product, I think the whole website was fraud".
| beefield wrote:
| > I suppose the real lesson to be learned is to
|
| ...never, ever buy or even take anything from anyone who approaches you without you being the original initiator of the communication. Simple rule that applies to both online and real world and makes your life simpler and safer.
| stallmanite wrote:
| This is my strategy as well. If I want something I initiate a search. Incoming sales attempts do not exist in my universe.
| forgotmypw17 wrote:
| Be careful which search result you click:
|
| https://wp.josh.com/2019/05/06/breaking-news-google-adwords-...
| coronadisaster wrote:
| If you want to see where Google search results really point to, you can right click it and then hover over it to get the real destination... it's been like this for 15+ years (google changes the destination on-click).
| toxicFork wrote:
| Also works nicely against advertising too, a good principle ;)
| _jahh wrote:
| except he clicked the link, he did initiate the communication so your bizarrely overly paranoid guidance doesn't apply. Not taking anything from anyone certainly closes you off to the generosity that can be found in humans.
| chuckSu wrote:
| Yawn
| zentiggr wrote:
| When I'm curious about something that I might have to click through, I DDG it and find source material. It's not overly paranoid, it's been good advice for decades.
|
| Telephone charity calls are exactly the same way in my world, and started me down that handling path. If I look your org up and you look legit, and I'm interested, we'll see. You having called me isn't always strike one, but it often is.
| jonplackett wrote:
| Yeah, but they SENT the link. That was the initiation.
| TedDoesntTalk wrote:
| This is an old tip my father gave me 40+ years ago that applies to banking, mortgages, insurance, investing, credit cards, and all personal finance.
| AndrewUnmuted wrote:
| Also a very good rule of thumb for recreational drugs and other illicit activities.
| spurdoman77 wrote:
| Really nice guideline for work. Should spread it around.
| mritchie712 wrote:
| meh, he calls out the exact mistake he made. If I see an ad and like the product, I go to the domain. If the domain is legit (e.g. not developgameonline@gmail.com), you can start to feel pretty good about it. We run ads. If you google my company's name ("seekwell"), the entire first page is properties that we've owned for years. This includes podcasts and youtube videos.
|
| It's ok for the initial pull to be an ad, but only buy from the source.
| headmelted wrote:
| Not at all fool-proof.
|
| What if they can register a very similar / regional domain that you didn't set up already?
|
| Normal rules don't apply when you're a criminal so spoofing SSL cert names is something you might as well do too. It's just not practical to examine and confirm the cert manually of every company you interact with online.
|
| These internets are dangerous, even if you know what you're doing.
| tialaramex wrote:
| > Normal rules don't apply when you're a criminal so spoofing SSL cert names is something you might as well do too
|
| SAN dnsNames in certificates in the Web PKI are verified by the issuer - these days using one of the Ten Blessed Methods.
| It would certainly be possible to obtain certificates for a name you don't actually own, but it's a bit beyond the usual casual crooks that run scams like this. We see what appear to be nation state adversaries doing it, as part of wider targeted hijack schemes (e.g. to intercept IMAP credentials for a foreign government agency) but it's definitely not something you see an ad scammer doing.
|
| Any vaguely competent modern browser checks the certificate is trusted in the Web PKI and that it matches the SAN dnsNames to the FQDN in the URL exactly so there's no room for any funny business there.
|
| And human readable names in end entity certificates are largely irrelevant. Nobody looks at them, who cares?
| jkoudys wrote:
| The people here posting about how clever/careful they are, which is why they haven't been scammed, are the ones I see as most likely to get scammed (if they haven't been already without realizing). Your best protection against being tricked is realizing that you can be tricked.
| andybak wrote:
| > so I can only assume it was a real Facebook oauth flow,
|
| another reason why we should be training users to only do oAuth in a browser with a password manager.
|
| It's one last solid line of defence.
|
| OAuth in a native app is a security risk.
| donmcronald wrote:
| That's not a silver bullet though. If the password manager does a poor job of domain matching, the user gets accustomed to having to manually search for logins once in a while.
| 0xbkt wrote:
| I can't stress this enough.
|
| Please always check for the correct spelling, punctuation and stylizations of words/brands in a suspected ad. It's written as "TikTok" everywhere, not "Tiktok". I almost always see this kind of stylization error in fraud ads.
| segfaultbuserr wrote:
| Good advice, and I generally pay attention to correct brand stylizations, but I do have to acknowledge that the large "TikTok" icon in the ad and the app description was attractive enough for me to let my guard down (I'm not the author), I didn't notice the incorrect "Tiktok" text in the app screen until I saw your comment.
| bluedino wrote:
| They spelled 'voucher' two different ways (vocher), and the poor grammar should be a sign of trouble.
| pbhjpbhj wrote:
| On the other hand, I spot errors in major brands' copy pretty regularly.
|
| Verification of origin is something companies need to put more effort into in general.
| redleggedfrog wrote:
| "...and I'm generally very cautious with account security." "Two days ago, I spotted an ad while browsing Facebook..."
|
| Those two statements are mutually exclusive.
| TillE wrote:
| I'm constantly baffled by the number of tech-literate people who don't use ad blockers. I don't know how they can stand it.
| zerr wrote:
| fwiw Facebook has a dedicated team for adblocker circumvention.
| Avamander wrote:
| You're acting like Facebook isn't _hostile_ to adblockers, Facebook is making it very difficult to block their ads continuously.
| drcongo wrote:
| It's easy, I have every single Facebook owned domain blocked at the network level and I never see a Facebook ad. Or Facebook.
| GoblinSlayer wrote:
| He literally buys ads and fell for this scam because it proposed ad credit. Oh, wait, he got what he deserved.
| jlarocco wrote:
| I wouldn't go quite that far, but the sense of schadenfreude on reading the article was through the roof.
|
| Spam and web advertising have always been underhanded, and if a person with "15+ years in adtech" can't avoid an ad scam, what does that mean for everybody else?
| jacquesm wrote:
| Unless you're in ad-tech there is no reason why you would.
| akersten wrote:
| Maybe not "spotted" an ad while browsing Facebook (since even with uBlock Origin, FB is ruthless at shoving Sponsored posts into the feed), but certainly _clicking_ on an ad disqualifies one from being able to claim "I am cautious with account security."
|
| That was like, the #1 rule I learned in the 90's: don't click on banner ads unless you want to get a virus or get scammed, what the heck.
| tscolari wrote:
| Very shitty attitude from Paypal.
| bjarneh wrote:
| So _someone_ paid EUR8,235.82 for 2,126 clicks? Clicks are getting expensive these days...
| zurfer wrote:
| well, someone paid 8k to show an ad to 2.6 million people it was just not a good ad
| 9HZZRfNlpR wrote:
| They probably want to run the budget as fast as possible because sooner or later you get caught and care little how effective it is or how much to optimize it.
| bjarneh wrote:
| I wonder what the average is, i.e., how many people have to see an ad to click it. The only time I seem to click those ads is by mistake
| s_dev wrote:
| Scams like this are why walled gardens like the App Store exist.
|
| There's no way a scam app like Tik Tok Business would be able to stay on the App Store for a sustained period of time.
|
| Even still the Dev admits himself he could have been more on guard with an Android Developer name like "Develop App".
| behringer wrote:
| The Google App store is a walled garden. How come this scam app operated long enough to get so many high reviews?
| moneywoes wrote:
| It's possible they bought the reviews
| s_dev wrote:
| Play Store is much more flexible than the App Store regarding what it will allow published -- also how much attention it places on its gatekeeping activity.
|
| It is a walled garden but the walls simply aren't as high.
| vezycash wrote:
| You can buy reviews. Same would be possible in any other store.
| kzrdude wrote:
| And why we have adblockers - because it's an as-if-unmoderated stream of invasive and untrustworthy links.
| thrownaway954 wrote:
| i don't get how an adblocker would have helped in this case. the victim could easily be conned into downloading this app through a marketing email or some other way. the real issue is that an app like this is even allowed on the play store at all.
| bo1024 wrote:
| I think single-sign-on stuff and "Sign In with X" are a cancer. They encourage you to type in your sensitive credentials all over the place and hope it's safe.
| junon wrote:
| > Initiated a PayPal chargeback process - PayPal responded: "we've determined there was no unauthorized use"
|
| Yep. This is why I avoid PayPal like the plague. I've never heard good things about them.
| marcinzm wrote:
| Facebook ads seem to be an ocean of scams. If I click the comments of half the ads I see there's nothing but complaints about products not shipping, fake closeout sales, cloning another store and then not shipping, etc, etc. I'm guessing they delete the bad comments so you can only imagine how many people must be upset to not be able to handle the flood of bad comments. At this point I just assume any Facebook ad is a scam of some kind.
| behringer wrote:
| I reported one such scam business and it's still operating months later. Best to just block all facebook ads and ignore any that slip through.
| pbhjpbhj wrote:
| Perhaps a 'truth in forums' regulation should require all comments to be accessible, with the reason for their removal from standard view being indicated? That way removal of all negative comments could be monitored and consumers would have sufficient information to moderate their trust in companies advertising.
|
| I reported one of the 'miracle showerheads' to UK Trading Standards [it was possibly ASA?] as it clearly gave false (physically impossible) claims.
| I was seeing lots of their ads on FB and people were clearly falling for it.
|
| They reported back that it was a foreign company and so they couldn't do anything. Which is weird because they're allowed to advertise to me, so they should have to follow the rules. Also, they had a UK Trademark, which seems a major flaw - protect the trade of scammers but don't hold them to account.
| moneywoes wrote:
| I have uBlock Origin and still get Facebook ads, any idea?
| [deleted]
| [deleted]
| behringer wrote:
| F.B. Purity should do the trick.
| giarc wrote:
| Ad account manager can actually delete comments from the ad.
| marcinzm wrote:
| Which is why I assume everything is a scam since the ones I notice from comments are simply the ones that they either didn't bother to delete comments on or had too many negative comments to delete.
| adrr wrote:
| Ad providers should be liable for the content they distribute. This would be so beneficial for society and prevent malware/adware.
| fokinsean wrote:
| The app reviews are your first dead giveaway
|
| > Tik Tok ads business is best application. It's very awesome application.
|
| And every other review is similar
| ed25519FUUU wrote:
| > _the app asked me to log in with Facebook to get the credits._
|
| These places (facebook, google, etc) really need to separate the "login with ____" button from an "authorize ___" button. Several times I've tried to login using google only to be greeted with a permission request, such as READING ALL OF MY EMAILS. Even Dropbox requires you to give them permission to your contacts if you want to login with google.
|
| When you're not paying attention it's really easy to miss this kind of thing. So much so that now I prefer creating an account traditionally using a generated password.
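The ads-account membership walk-through earlier in the thread (steps 1 to 3, where an admin added through a phished session removes the original user) and the point just above about separating "login with" from "authorize" both come down to the same design question: which principal, with which token, under which re-authentication, may change who controls the account. The block below is an added example, not Facebook's model and not code from the thread; the role names, the "manage_members" and "ads_management" scopes, the step-up flag and the event list are all assumptions. It replays the three steps first against a flat "any admin can do anything" model, then against a model with three controls a practitioner would want: membership changes need a token scope that a "log in to get credits" grant would not carry, need a fresh password+2FA check, and cannot remove the owner; a least-privilege "editor" role can spend the budget but cannot touch membership at all, and every membership change lands in an event list a notification system would drain.

```python
"""Membership model for a shared ads account: the lockout from the thread
next to a hardened version. Added example; the role names, scopes, step-up
flag and event list are assumptions, not Facebook's actual model."""
from dataclasses import dataclass, field

# Higher rank may grant/revoke lower rank. An "editor" can run campaigns but
# cannot touch membership: the limited-permission account the thread asks about.
ROLE_RANK = {"owner": 3, "admin": 2, "editor": 1}
MEMBERSHIP_SCOPE = "manage_members"   # a token needs this scope for add/remove
ADS_SCOPE = "ads_management"          # a token needs this scope to spend


class Forbidden(Exception):
    pass


def naive_lockout():
    """Steps 1-3 from the thread under a flat 'any admin can do anything' model."""
    members = {"real_user": "admin"}   # 1. real_user creates the account
    members["scam_user"] = "admin"     # 2. the phished session adds scam_user as admin
    del members["real_user"]           # 3. scam_user removes real_user; nothing objects, nobody is told
    return members


@dataclass
class Account:
    account_id: int
    members: dict                               # login -> role
    events: list = field(default_factory=list)  # what a notification system would deliver

    def role_of(self, login):
        role = self.members.get(login)
        if role is None:
            raise Forbidden(f"{login} has no access to account {self.account_id}")
        return role

    def _check_membership_change(self, actor, scopes, step_up):
        if ROLE_RANK[self.role_of(actor)] < ROLE_RANK["admin"]:
            raise Forbidden("role cannot change membership")
        if MEMBERSHIP_SCOPE not in scopes:
            raise Forbidden("token lacks manage_members scope")
        if not step_up:
            raise Forbidden("membership changes require a fresh password+2FA check")

    def add_member(self, actor, login, role, scopes, step_up=False):
        self._check_membership_change(actor, scopes, step_up)
        if ROLE_RANK[role] > ROLE_RANK[self.role_of(actor)]:
            raise Forbidden("cannot grant a role above your own")
        self.members[login] = role
        self.events.append(("member_added", actor, login, role))

    def remove_member(self, actor, login, scopes, step_up=False):
        self._check_membership_change(actor, scopes, step_up)
        target = self.role_of(login)
        if target == "owner":
            raise Forbidden("owner cannot be removed")
        if actor != login and ROLE_RANK[target] >= ROLE_RANK[self.role_of(actor)]:
            raise Forbidden("cannot remove a peer or superior")
        del self.members[login]
        self.events.append(("member_removed", actor, login, target))

    def spend(self, actor, amount, scopes):
        self.role_of(actor)                 # any member may run ads ...
        if ADS_SCOPE not in scopes:         # ... with a token granted that scope
            raise Forbidden("token lacks ads_management scope")
        self.events.append(("spend", actor, amount))


def hardened_scenario():
    """Replays the same three steps, plus a least-privilege contractor, against the hardened model."""
    acct = Account(123456, {"real_user": "owner"})
    out = {}
    # The phished app token: the user only ever approved running ads, not membership changes.
    phished = {ADS_SCOPE}
    try:
        acct.add_member("real_user", "scam_user", "admin", phished, step_up=True)
        out["add_with_phished_token"] = "allowed"
    except Forbidden as e:
        out["add_with_phished_token"] = str(e)
    # Suppose the owner really did add scam_user as admin (step 2) from a full-scope session.
    full = {ADS_SCOPE, MEMBERSHIP_SCOPE}
    acct.add_member("real_user", "scam_user", "admin", full, step_up=True)
    try:
        acct.remove_member("scam_user", "real_user", full, step_up=True)   # step 3
        out["remove_owner"] = "allowed"
    except Forbidden as e:
        out["remove_owner"] = str(e)
    # Least privilege: a contractor who only runs campaigns cannot touch membership at all.
    acct.add_member("real_user", "contractor", "editor", full, step_up=True)
    acct.spend("contractor", 250.0, {ADS_SCOPE})
    try:
        acct.add_member("contractor", "another_scammer", "admin", full, step_up=True)
        out["editor_adds_member"] = "allowed"
    except Forbidden as e:
        out["editor_adds_member"] = str(e)
    out["owner_still_present"] = "real_user" in acct.members
    out["notifications"] = [e for e in acct.events if e[0] == "member_added"]
    return out
```

Two of the three controls are cheap and independent of the platform's UI: a scope split means an "authorize" grant obtained under the guise of "log in" cannot carry membership rights, and the owner invariant means that even a legitimately added admin can lock out everyone but the account creator. The step-up check is what the thread's third point asks for, and the event list is where the missing email would have come from.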
| homero wrote:
| Wow I saw that same ad for the tiktok ads a couple of days ago, I almost clicked it but something seemed off with the colors
| justmyname wrote:
| Thank you, Niek, for sharing that story. Such cases should be maximally open and transparent for people to learn the real risks.
| saos wrote:
| Wow all that and OP still won't delete Facebook business account.
| gm wrote:
| I was scammed through PayPal, PayPal did the same thing to me, basically gave me a "Looks good to us, case closed, go fuck yourself." The negation of my case was automated, too. I received the "resolution" a few seconds after submitting the case.
|
| Thankfully, I had paid with a credit card as the PayPal funding source for that transaction, and I disputed the charge with my CC company, which found in my favor, and did a chargeback to PayPal.
|
| After that, I immediately unlinked all of my funding sources from PayPal and closed my decade+ account. Never again. Not as a buyer, and certainly not as a seller.
| tinus_hn wrote:
| The moral of the story: if you use your Facebook account for anything concerning money, do not enter its credentials into any app or site that asks for it.
| coldcode wrote:
| Or don't use Facebook at all for anything. Facebook makes money off of selling real people's information to anyone who pays; if some of them are fake, or the purchaser is fake, it's still money to Facebook. If the Facebook data customer is getting ripped off, what incentive does Facebook have to police the situation as long as they still get their cut?
| tinus_hn wrote:
| You can't stop Facebook from collecting information about you by just not having an account.
| nojvek wrote:
| There are many things that stand out
|
| 1) Google Playstore allowing someone to impede on the TikTok brand.
|
| 2) The app getting 10k+ fake reviews. At this point can you trust the review system if it can be so easily manipulated?
|
| 3) "Strangely enough this is possible without getting any emails from Facebook." Facebook security is weak here. You shouldn't be able to change ownership without explicit 2fa verification. oauth tokens can be easily phished. password + 2fa device is much much harder.
|
| In general the trend I see is that Facebook and Google are driven to making ad purchasing as frictionless as possible. Having scammers, click-farms, fake reviews on their platform is good for them, it helps them make more money. They'll happily tradeoff human oversight/support and security for automated algorithms that optimize $$$ growth.
|
| Apple AppStore is polarizing. Some feel it has too much control, but on the other hand I find a lot less scammy apps in Apple AppStore than Google Playstore.
| jrochkind1 wrote:
| If I understand right, the scam was a phishing attempt, that successfully got their facebook credentials (or an Oauth token? they might not be sure?) and used them to buy ads on facebook in that amount?
| Tade0 wrote:
| Wasn't PSD2[0] created for the purpose of preventing such scams?
|
| [0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
| rvnx wrote:
| TL;DR: guy clicked on a link promising him 3000 usd out of thin air if he gives access to his account linked to PayPal. Malicious user used his account to buy digital items (ads).
| heavyset_go wrote:
| And people chastise those who use ad blockers when ad networks refuse to police their own content for malicious ads and code.
___________________________________________________________________
(page generated 2020-09-14 23:00 UTC)