“Incorrect E-mail/Password Combination.”
The pastel-red box on the normal blue and white Facebook page usually means the password was misspelled or the wrong e-mail address was used. The inability to login to the social networking site often can be chocked up to clumsy fingers and nothing more. Matasha Allen, a recent graduate student of music at Eastern Michigan University, thought that was exactly what happened and didn’t worry much about that red box reading, “Incorrect E-mail/Password Combination.”
In the early days of October 2009, Allen didn’t lose sleep about not accessing her Facebook account. She contacted the Web site’s offices, but received no reply from the social media titan. In the second week of October, a similar message appeared on her Yahoo! e-mail login: “Invalid ID or password.” Retyping her correct username and password several more times, Allen began to feel something might be off.
Everything came together for Allen when a phone call from her family raised concerns about her Facebook page.
“I was told that someone was sending instant messages through my Facebook account that were uncharacteristic of me. Just did not sound like the type of person I am,” Allen said, recalling the phone call from the second week of October. “That’s when I found out something was wrong.”
Allen, 28, was a substitute teacher at the time, teaching music as well as elementary classes. Her only outlet to the Internet was limited to libraries and public computer labs, where she would check her accounts, look through e-mail and stay in touch with friends on Facebook. It was during one of these trips to the computers that it happened, Allen deduced. She thinks her Facebook account wasn’t completely logged off, or the computer didn’t log out. However it happened, someone found their way onto Allen’s accounts and took complete control.
Identity theft has evolved from stealing credit card numbers or submitting applications for loans in someone else’s name. The newest way to steal an identity is through social media identity theft: the hijacking of someone’s social networking account. It might not seem like much, but with the information kept on the average Facebook page (name, age, addresses, e-mail accounts and passwords, maybe even a credit card number), a thief wouldn’t have much trouble taking advantage of you and others.
“Social media is built on the honor system. There are no checks and balances to prove who is who. Anyone can pose as you and blog as you. This makes for social media identity theft,” said Robert Siciliano, a security consultant for Intelius.com and a speaker on preventing identity theft.
Siciliano has been educating people on identity theft for the past 25 years. His focus on how people can prevent theft and violence in the physical and virtual worlds has landed him spots on the Montel show, ABC News and others. Knowing just how much damage social media identity theft can cause, Siciliano explained how it could happen.
“The problem with social media identity theft is that when it takes over your account, all the people that you communicate with within your account may believe the identity thief is you. And when that identity thief begins to ask for money, from your friends and from your family and your coworkers, then they may actually pull money out of their pocket and send it via Western Union to the imposter. They think that you’ve actually come into the trouble that the identity thief is saying you’re in.”
“I was very hurt,” Allen said in reaction to finding out her Facebook and e-mail accounts had been stolen. “It was definitely devastating because I try to do the best I can to be on good terms with people and to know that someone’s out there pretending to be you, doing things uncharacteristic of you is very hard.”
In Allen’s case, her identity theft didn’t escalate to the thief asking for money from friends, but the thief was malicious. Messages were sent to friends and family, using profanity and insults. One of the incidents Allen related was toward an organization focusing on eliminating poverty in children. The identity thief sent the organization a message reading, “I hate children. I hope they all starve.”
“I’m an evangelist at my church and I didn’t want people to think that this person out there was me and think that I was a hypocrite and I wasn’t practicing what I preach,” admitted Allen.
To avoid an incident like Allen’s, Siciliano suggests steering clear of public computers whenever possible, or at least not accessing accounts or sites that require passwords. There’s no way of knowing if that computer has spyware or who might see you leave your accounts unattended for a brief amount of time. Also, understand the privacy settings on your accounts. Some settings allow the account to logout as soon as you click to a separate Web site, which will be safer if you often forget to log out.
While the user should always be aware of what they’re accessing and where they’re doing so, some places are taking the initiative by offering protection tools. Eastern Michigan University’s Information Security Analyst Justin Sherenco explained how computer labs on campus are trying to keep users safe.
“Most of the labs use software that reimages the computers nightly,” Sherenco said. This is a way of wiping the computers clean of private information, and it keeps other users from stumbling on your records.
EMU also requires the user to change their login passwords every 180 days, offers warnings if a user stumbles across a malicious site and requires challenge questions to ensure the user is who they say they are.
However, the university can’t protect the user 100 percent in the computer labs. Lynn Dorendorf, EMU’s director of IT Security, can’t make users be smart about their online security. Common mistakes with security are making challenge questions with answers easily found on the Internet or sharing your password with others.
“EMU’s policy is anything done with your account, you are responsible for,” Dorendorf said.
Password theft at EMU doesn’t occur too often, but it could wreak havoc on someone’s school life, like inappropriate messages sent to professors or tampering with payroll.
“With the couple of cases we have had,” Dorendorf said, “it has caused a lot of work for those whose password has been compromised.”
If a password has been compromised at EMU, the first thing you should do is contact the help desk. Bring some ID to identify yourself and they’ll direct you on the actions necessary to reclaim your password.
In the end, the best way to stay safe on a computer that is not yours is to be careful with your passwords and always log out, no matter what.
“I realized that even if you’re careful and you take precautions, it never hurts to double check that you’ve completely logged out of your email, anything you have to log into,” Allen said.
Allen was eventually able to warn people about the imposter on her e-mail and Facebook page, and she now has the Washtenaw County sheriff’s office involved in her case. Though this has been a stressful time for her, Allen is hopeful her story will help others avoid this situation.
“Just the fact that when it comes to things like this, it can be devastating but you can move on from it, you can overcome it,” she said.