Facebook locked out users for failing to enable Facebook Protect

Cal Jeffrey

Posts: 3,570   +1,074
Staff member
Facepalm: Meta made some recent changes regarding certain Facebook account holders. To notify those who needed to take action, Meta composed a suspiciously worded email and spammed it out to relevant users. Naturally, recipients treated the spam as such and are finding themselves locked out of their accounts for not taking the sketchy-looking email seriously.

Meta's latest ill-conceived notion goes by the name Facebook Protect. The idea itself is not completely bad. It looks to add a layer of protection for specific groups more likely to be targeted by hackers such as journalists, human rights defenders, and government officials.

Facebook Protect monitors these accounts for hacking attempts and turns on two-factor authentication (2FA) by default. Unfortunately, Meta has implemented it very poorly, and now many users are finding themselves locked out of their accounts.

It all started in earlier this month with Meta's poorly thought out idea of notifying these account holders via an email that sounded scammy. The email originates from "security@facebook.com" with the subject line reading, "Your account requires advanced security from Facebook Protect." The body instructs users to turn on Facebook Protect by clicking a link in the email by a specific deadline (March 17), or else they would lose access to their account.

It is an almost perfect model of the typical phishing email people have been conditioned to ignore, which many people did. Since Facebook had no other contingencies in place, like, oh, I don't know, maybe a popup notification on logging in, these account holders had no other reason to believe the email was legit.

But wait, there's more. Meta also fumbled implementing Facebook Protect's 2FA system correctly. Users who did manage to activate Facebook Protect are flooding Twitter, saying that 2FA refuses to accept their codes as entered despite several attempts.

Meta has not acknowledged the situation on any of its Twitter accounts except for a brief tweet about six hours ago directing people to its "Why is my personal Facebook account disabled" help page, which is not that helpful in this situation.

Permalink to story.

 

Plutoisaplanet

Posts: 759   +1,201
I hate when websites use damned proprietary 2FA apps. Why would I download it when there's already a great standard out there? The culprits include Duo (my work uses it and it doesn't let me use another authenticator app), Steam (Steam Guard), and E*Trade (Symantec VIP Access). Twitch used to use Authy as the only option, but have since opened it up.
 

p51d007

Posts: 3,289   +2,883
I hate when websites use damned proprietary 2FA apps. Why would I download it when there's already a great standard out there? The culprits include Duo (my work uses it and it doesn't let me use another authenticator app), Steam (Steam Guard), and E*Trade (Symantec VIP Access). Twitch used to use Authy as the only option, but have since opened it up.

Would you rather have captcha?
Click on every motorcycle, crosswalk, streetlight, mountain, bus etc? ;)
 

Hexic

Posts: 1,244   +1,950
TechSpot Elite
March 1 was my one-year anniversary of being Facebook-free. I don't miss it.

I'm at almost 2 years myself man, and I gotta say it's been a very healthy switch. I don't even think about logging into any of that junk; and after awhile it's surprising how much time you find you have free to yourself - instead of uselessly burying your time in Facebook.
 

Sausagemeat

Posts: 1,597   +1,422
I used to use Facebook as a way of keeping in touch with people but now I no longer care, if people really want to stay in touch they make an effort.

The platform is dying, they keep banning their users or locking them out. Eventually most of us will just get fed up.

The company itself - meta is amongst the most repulsive entities I have ever seen in the tech world. They even threaten governments.
 

Rocky4040

Posts: 101   +136
Facebook security is a joke about 3 years ago I used to have a business account on FB and turned on 2FE which was supposed to send a code to my phone or email. Well it worked for a while about a year. Then one day I tried logging in and it would not go in and said I had to enter a 2FE code that was sent to my phone and email. Well never got it and said oh ok well resend it so they did still did not get it either to the phone or the email. I got a hold of tech support explained all of this and never heard anything back. SI sent another support ticket never heard anything back yet again. Third times a charm right nope. It then said when I tried to login that email does not exist and to try again or contact support.
I tried support again no joy never heard back from them so I said frack it and and made a new business account without 2FE emailed all of my customers in the list about 250 of them and had them move over to the new page and remove themselves from the old page.

About a week later the option came up on my personal account to ad 2FE I said no fracking way this crap is buggy and does not work right...lol
 

Theinsanegamer

Posts: 3,513   +5,920
I hate when websites use damned proprietary 2FA apps. Why would I download it when there's already a great standard out there? The culprits include Duo (my work uses it and it doesn't let me use another authenticator app), Steam (Steam Guard), and E*Trade (Symantec VIP Access). Twitch used to use Authy as the only option, but have since opened it up.
Standards like what? You want everyone to use a third party source for their authentication?

I cant see how that would be an issue, say if that one target was hacked. Nope, no issue there at all.
 

Plutoisaplanet

Posts: 759   +1,201
Standards like what? You want everyone to use a third party source for their authentication?

I cant see how that would be an issue, say if that one target was hacked. Nope, no issue there at all.
Here’s the standard, it’s called TOTP but is more commonly known as app-based two-factor authentication. Every general purpose authenticator app supports it: https://tools.ietf.org/html/rfc6238

It doesn’t use a third party source, but a cryptographic shared secret scanned with a QR code, and the current time as the other parameter. That generates a new six digit code every thirty seconds to be entered as the one-time code.
 
Last edited:
Last week I wrote a letter to my State Representative:


AOh14GhmqbkZsgN5HLVJVNOwLeP7Dsxf-MheM0bd51PX_w=s40


Dear Susan,

Thanks for chatting with me today. Facebook purports that its Protect feature protects users. However, they utilize a proxy server with VPN that allows FB to track *all* of a users' web surfing. A computer programmer friend informed me that FB and Google have been doing this for years. If this isn't bad enough in and of itself they are now *requiring* me to activate it or lose access to my account on March 17th.

I am not a "high profile" user. Indeed, I've found that others who have been hit with this requirement have similarly been sent to Zuckatraz (my coined term for Facebook Jail (I submitted it to Urban Dictionary). One example of how FB overreaches is in November 2020 a hilarious meme with Jeffrey Dahmer's picture circulated widely. It was captioned "No one is going to tell me how many people I can have for Thanksgiving." I posted it on my timeline and into a few groups. There was no problem until a friend made some Easter Dahmer joke; I replied with the meme. BAM! 30 days in Zuckatraz for posting "Dangerous Individual or Organization." I tried to appeal to its Oversight Board, but they refused to hear my case.

Fast forward to February 22; I receive a notification from FB that my account will be restricted for 90 days BECAUSE OF THE SAME MEME! That's right... if Alex Trebek was alive today I'm sure he'd be appalled that I'm living in Double Jeopardy. I've appealed again to the Oversight Committee but they haven't accepted yet.

Please forward this info to the Cybersecurity Task force and let them know I'm more than willing to speak with them about Facebook's inadequate monitoring, heavy use of bots with poor algorithms and virtually non-existent appeal process. This is in addition to their use of extortion tactics on its members. I have other FB friends who could tell similar horror stories.

Regards,

Jeff
 

letsgoiowa

Posts: 81   +156
Facebook security is a joke about 3 years ago I used to have a business account on FB and turned on 2FE which was supposed to send a code to my phone or email. Well it worked for a while about a year. Then one day I tried logging in and it would not go in and said I had to enter a 2FE code that was sent to my phone and email. Well never got it and said oh ok well resend it so they did still did not get it either to the phone or the email. I got a hold of tech support explained all of this and never heard anything back. SI sent another support ticket never heard anything back yet again. Third times a charm right nope. It then said when I tried to login that email does not exist and to try again or contact support.
I tried support again no joy never heard back from them so I said frack it and and made a new business account without 2FE emailed all of my customers in the list about 250 of them and had them move over to the new page and remove themselves from the old page.

About a week later the option came up on my personal account to ad 2FE I said no fracking way this crap is buggy and does not work right...lol
"2FE"
 

letsgoiowa

Posts: 81   +156
ITT: nobody understands basic MFA.
Yes, Facebook made a pretty phishy-looking email, but MFA is standard these days and it shouldn't be shocking to people. Why are people saying you need a unique Facebook authenticator app for this? It shows right in the linked tweet that you have standard TOTP based options like Authy, Duo, etc that you already have probably a dozen accounts linked to.
Now if it's not working properly, that's a bigger problem and it shouldn't mean "lol nobody should have MFA on their accounts."
 
So here it is in June, I'm locked out of my facebook account and they STILL have not posted a resolution for this? I have literally thousands of proprietary videos and photos of indie bands and freely promote our local music scene and have spent years developing a page typically seen by 20,000 people a month and I can no longer post, reply, or update local shows. Seriously I take offense at Facebook having my material while I am banned from it so I either need to be reinstated or else I need to delete my account. HELP !