::Trend Micro Threat Resource Center::

27 February 2013

The Giant Security Hole That Facebook Doesn’t Care About

You probably assume hackers are using all sorts of devious viruses, obscure scripts, "exploits" (whatever that means, right?) and other complex means to break into accounts. But often the means of entry are stupid simple. Facebook has a huge one, and doesn't care about fixing it.
There's a basic premise here that isn't a Facebook problem, but really an internet problem: it's super easy to reset someone's password. The web is an ornate, lumbering thing built on tiny little stilt legs, its foundation unfit for what came after it. It's complex stuff standing on simpler stuff. New on old. And often the old can't cut it: just ask Giz alum Mat Honan, whose online life was savaged because of the stupid-simple processes standing between assholes and us online. You don't need to be a hacker—you can just talk your way in:

Step one: Say you've forgotten your password.
Step two: Say you've forgotten your email address.
Step three: Use a security question or customer service rep to change over to a new email address—one you control.
Step four: Have the password reset sent to that new email address and set a password of your choosing.
Step five: Log in.

This is the same lazy, methodical trick that hit Honan, breached @BurgerKing, and this past weekend, tried to crack my Facebook account. Again, and again, and again, because Facebook makes it so easy.

The crux of the problem is impossibly stupid: Facebook won't let you change your security question. The street you grew up on, the name of your first cat, your college mascot—these bits of dumb personal trivia are all it takes to claim complete control of someone else's Facebook account. You probably forgot the day you even entered yours. Luckily, it's so obvious, you'll never forget it. That's the simultaneous beauty and stupidity of the security question: eternally memorable.

But hey, what if someone happens to guess this extremely guessable piece of information about you, based on details readily available on Google and Facebook? What if they use the answer to this question to repeatedly attempt to break into your account, perhaps successfully? Shouldn't you be able to change that question to something that isn't already known by someone with clearly nefarious intentions?

You'd think so, and you'd be wrong. There's no way to manually switch your security question to something new if you're worried someone might have the answer. Or just to switch it up for the sake of switching it up, as we do with passwords. Facebook simply won't let you.
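The five-step recipe and the unchangeable security question come down to two missing controls: the service lets an attacker guess the answer as often as they like, and it never lets the owner rotate the answer once it is burned. The Python model below is an added example written for this page, not Facebook's code and not from the original article. The account names, the question, the list of guesses an attacker could pull from a public profile, and the three-attempt limit are all constructed or assumed for illustration. It runs steps three and four of the recipe against a weak recovery flow and a hardened one that hashes answers, locks after repeated failures, and lets the owner rotate the question.

```python
"""Account-recovery flows built on a security question: weak vs. hardened.
Added example; all names, values and the attempt limit are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor; the point is that answers are hashed at all


def normalize(answer: str) -> str:
    """Case-fold and strip punctuation/extra spaces so 'Maple St.' == 'maple st'."""
    return " ".join(answer.lower().replace(".", "").replace(",", "").split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    question: str
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def new_account(email: str, question: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, question, salt, hash_answer(answer, salt))


def answer_matches(acct: Account, answer: str) -> bool:
    return hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash)


class WeakRecovery:
    """The flow the article describes: one static question, unlimited tries,
    and no way for the owner to rotate it."""

    def recover(self, acct: Account, answer: str, new_email: str) -> bool:
        if answer_matches(acct, answer):
            acct.email = new_email  # the attacker now receives the reset link
            return True
        return False

    def change_question(self, acct: Account, question: str, answer: str) -> bool:
        return False  # not offered: the owner is stuck with a burned answer


class HardenedRecovery:
    """Same mechanism, with the controls a practitioner would expect."""

    MAX_ATTEMPTS = 3  # assumed limit before recovery by question is disabled

    def recover(self, acct: Account, answer: str, new_email: str) -> bool:
        if acct.locked:
            return False
        if answer_matches(acct, answer):
            acct.failed_attempts = 0
            acct.email = new_email
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.MAX_ATTEMPTS:
            acct.locked = True  # further recovery needs a stronger path
        return False

    def change_question(self, acct: Account, question: str, answer: str) -> bool:
        acct.salt = secrets.token_bytes(16)  # fresh salt so old hash is useless
        acct.answer_hash = hash_answer(answer, acct.salt)
        acct.question = question
        acct.failed_attempts = 0
        acct.locked = False
        return True


# Constructed sample: cat names an attacker might read off a public profile.
PUBLIC_PROFILE_GUESSES = ["Fluffy", "Max", "Tiger", "Whiskers", "Mittens"]


def takeover_attempt(flow, acct: Account, attacker_email: str) -> Optional[int]:
    """Steps three and four of the recipe, automated. Returns the attempt
    number that succeeded, or None if the flow held."""
    for n, guess in enumerate(PUBLIC_PROFILE_GUESSES, start=1):
        if flow.recover(acct, guess, attacker_email):
            return n
    return None


def demo():
    weak = new_account("victim@example.com", "Name of your first cat?", "whiskers")
    hard = new_account("victim@example.com", "Name of your first cat?", "whiskers")
    weak_hit = takeover_attempt(WeakRecovery(), weak, "attacker@example.net")
    hard_hit = takeover_attempt(HardenedRecovery(), hard, "attacker@example.net")
    return weak_hit, weak.email, hard_hit, hard.locked


if __name__ == "__main__":
    print(demo())  # (4, 'attacker@example.net', None, True)
```

Against the weak flow the fourth guess wins and the recovery address is silently swapped to the attacker's; against the hardened flow the account locks after the third miss, the correct guess bounces, and the owner can call change_question to retire the burned answer. Lockout alone is not enough in practice (it can be used to deny the real owner recovery), which is why the hardened flow also has to offer rotation and a stronger fallback path.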