
Created a fake account and Facebook still figured out who I am. How? - 99percentfound
https://www.reddit.com/r/privacy/comments/am1hi0/a_created_a_fake_account_and_facebook_still/
======
bjt2n3904
I think there's a much simpler answer than some sort of "deep browser
fingerprinting" or other scary voodoo.

1) User requests account deletion. Facebook does not delete it, keeps track of
his phone number via shadow profiles. (Mike is still mike@gmail.com,
800-555-1234)

2) User creates a new Proton Mail address. (Fakey@protonmail.com)

3) One of his friends adds that email address to his contacts. (Mike,
mike@gmail.com, fakey@protonmail.com, 800-555-1234). This user is on
Instagram, Facebook, or has some mobile app that uses their analytics.

4) Facebook makes the association after scraping his friend's contact list.

Essentially, his friends betrayed him, likely unintentionally.

~~~
jklick
Hi, I'm the original poster on Reddit.

It's a great theory -- and I can see how this could easily happen to someone --
but it was not the case in this scenario. In fact, doing so would completely
defeat what I was trying to achieve. The email address I used for Facebook was
unique, not used for anything else, and not shared with anyone else. It was
completely isolated.

~~~
QuantumGood
So...cookies?
[https://www.reddit.com/r/privacy/comments/am1hi0/a_created_a...](https://www.reddit.com/r/privacy/comments/am1hi0/a_created_a_fake_account_and_facebook_still/efj6tz4/?context=3)
(suggested below by eridius)

And driverdan points out you didn't seem to clear browser cookies since you
last used your old personal FB account?

~~~
jklick
Yeah, that's what the running theory is. Kind of angry with myself if that's
the case. However, as I point out in my second update, the whole endeavor
seems to be awfully tricky. One misstep and privacy leaks.

------
11thEarlOfMar
Here's another, this time with LinkedIn.

I took an ambulance ride. The attendant in the back talked with me during the
ride to monitor whether I was remaining lucid. Did not know him, never met him
before, never saw him since.

A week later, I was scrolling through LinkedIn recommended connections and saw
a face I recognized, but could not place... until I saw that they worked for
the ambulance company that I had ridden with.

Did LinkedIn track both of our locations and figure out that we rode in the
same vehicle at the same time? This is absolutely possible. Did LinkedIn use
voice prints to confirm that his voice came through my phone and mine through
his and therefore we had a conversation? Can do.

Did they?

Color me freaked out.

~~~
demygale
Most likely explanation: the ambulance attendant looked at your LinkedIn
profile.

~~~
michaelbuckbee
Attendant Googled the name of the patient -> clicked on LinkedIn profile. That
would be enough to get them suggested to you.

~~~
11thEarlOfMar
On the drive to my location... makes sense.

~~~
rco8786
Why would it have to happen on the drive?

~~~
aaron695
You could use it to find questions to check how lucid they are.

Equally, they said something that piqued the interest of the employee to check
after.

------
driverdan
People suggesting outlandish, complex fingerprinting methods should read
through the post comments. OP admitted they didn't clear browser cookies since
they last used their old personal FB account. Mystery solved.

~~~
lupire
"complex fingerprinting methods" sounds spooky, but in 2018 that's just a plug
and play library, equivalent to cookies.

------
throwawayosiu1
While the user might have issues (like cookies and other features) - I can
guarantee you Facebook does all kinds of creepy stuff to identify who you are.
Worse yet, once they think they've successfully identified you - they share
your details with who they think you are. Personal example:

Recently I wanted to have a look at a few ex-coworker profiles (who are not my
friends on FB). I didn't want to use my personal account because then it
suggests me to them (something I wanted to avoid, as I'd not been in touch
with them for almost a decade).

1. I created a VM (Ubuntu 18.04 + Firefox + uBlock -> enabled everything in
uBlock).

2. Tried to create a Fb account -> asks for phone number. I didn't want to
be identified so I could not continue.

3. Tried another way to create a new account -> success.

4. Fb obviously tried to figure out who I am -> was unable to do so at that
point -> Forced me to post a picture of myself (and suspended my account until
I did and they verified it).

5. Posted a made-up picture and got past the first hurdle.

6. Fb asked me for a phone number -> Logged out and used another means to log
in.

7. Fb locked my account and asked for another picture (did similar to Step 5
once again).

8. Looked up my ex-coworkers.

9. Until now, I'd not been identified. Then I looked up a friend's profile (this
friend is also my personal friend on Fb). FB immediately identified me and
showed my entire friends list as suggested friends.

10. I immediately tried to delete that profile (took 30+ days and they asked
for Govt ID).

I've had multiple fake FB accounts, and FB's fingerprinting and data sharing
is insanely crazy - I recently logged out of one of my fake accounts on iOS via
Safari Incognito (no FB app, Safari is always used as incognito) - it showed
my personal phone number in the login field.

~~~
aboutruby
You can use disposable phone numbers to receive text messages.

~~~
throwawayosiu1
FB blocks those numbers, I've tried those in the past. Almost all major
services that use phone verification ignore those numbers outright or act
like they accept it but either:

1. don't bother sending texts

2. shadowban you

------
rayvy
OP was probably not a very technical user, else he/she would've understood
that:

1. They should've deleted _all_ relevant cookies (in the browser, as well as
in the browser's cookie database).

2. There are many 3rd party companies that sell data packs that derive
residential IPs from VPN IPs (we use some at work). A trusted/good VPN is a
must.

3. They probably came via the same User Agent (didn't mention changing
browsers).

IP + Cookie + User Agent = Fingerprint (not a good one, but will work for
Facebook's needs)
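An added example to make rayvy's "IP + Cookie + User Agent" point concrete (this is my own illustration, not code from any commenter or from Facebook): it compares what a site would see from an old browser profile against what it sees from a "fresh" account attempt and lists every identifier the two have in common. The three sessions, the cookie names (`site_id`, `session`) and the addresses are constructed sample data; the point is that a single cookie value carried over from the old profile is enough to link the two, no browser fingerprinting required.

```python
import hashlib
from http.cookies import SimpleCookie

# Constructed sample sessions (not real traffic): what a site would see from
# the old personal browser profile and from the "fresh" account attempt.
OLD_SESSION = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0",
    "cookie_header": "site_id=abc123; session=old-session-token",
}
# Same machine, same browser, cookies never cleared: only the session cookie changed.
NEW_SESSION_SAME_BROWSER = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0",
    "cookie_header": "site_id=abc123; session=new-session-token",
}
# Fresh VM, different network, no stored cookies.
NEW_SESSION_CLEAN_VM = {
    "ip": "198.51.100.22",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0",
    "cookie_header": "",
}


def parse_cookie_header(header: str) -> dict:
    """Turn a raw Cookie request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def weak_fingerprint(ip: str, user_agent: str) -> str:
    """The crude 'IP + User-Agent' identifier, as a short comparable hash.
    Hashing adds no secrecy here; it just gives a stable token to compare."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


def linkage_report(old: dict, new: dict) -> dict:
    """List every identifier the two sessions have in common.

    Any shared entry means a site can tie 'new' back to 'old' without any
    fancier fingerprinting. Shared cookies are the strongest link, because a
    cookie value is unique to the browser profile that stored it.
    """
    shared = []
    if old["ip"] == new["ip"]:
        shared.append("ip")
    if old["user_agent"] == new["user_agent"]:
        shared.append("user_agent")
    old_cookies = parse_cookie_header(old["cookie_header"])
    new_cookies = parse_cookie_header(new["cookie_header"])
    common = sorted(
        name for name, value in old_cookies.items()
        if new_cookies.get(name) == value
    )
    if common:
        shared.append("cookies:" + ",".join(common))
    same_fp = weak_fingerprint(old["ip"], old["user_agent"]) == weak_fingerprint(
        new["ip"], new["user_agent"]
    )
    return {"shared": shared, "same_weak_fingerprint": same_fp, "linkable": bool(shared)}


if __name__ == "__main__":
    for label, session in (("same browser", NEW_SESSION_SAME_BROWSER),
                           ("clean VM", NEW_SESSION_CLEAN_VM)):
        print(label, "->", linkage_report(OLD_SESSION, session))
```

The "same browser" case reports `ip`, `user_agent` and the carried-over `site_id` cookie as shared, which is exactly the situation the thread settles on; the "clean VM" case shares nothing, which is the bar a separate identity actually has to clear (and it says nothing about the other channels the thread mentions, such as contact uploads).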

~~~
decebalus1
> 2. There are many 3rd party companies that sell data packs that derive
> residential IPs from VPN IPs (we use some at work). A trusted/good VPN is a
> must

Are you implying that ProtonVPN is not trusted/good? I'm seriously interested
in what you know about this particular VPN provider as this is the one OP
mentions he was using.

~~~
rayvy
Yea, definitely don't take that as me insinuating anything about ProtonVPN.
However _absolutely_ take that as me saying "just because you're behind
[insert VPN name], doesn't mean someone can't derive your actual IP" (however
that may happen). There are companies that sell this service. Again, I
specifically mention this because this is how we at [large, known ad tech
company] deal with user VPN traffic.

~~~
wonderingly
Can you say what companies? Or at least how to find them? I tried searching
but only found junk.

------
whizzkid
There are tens of attributes that can be used to identify you and generate a
unique id from them. Cookies are just the 101.

Canvas fingerprinting, extensions, screen resolution, etc.

I read somewhere that FB is pre-creating profiles for those who haven't
even created a FB account yet (face recognition, etc.).

Avoid using it.

~~~
cascada
I've heard that when a man and a woman are having sex, Facebook already
pre-creates a profile for their future child.

------
mnmapplications
I know for sure if you make a second account and sign into a device like a
phone or tablet where you've already signed onto another account - it will
realize the connection and start suggesting you friends from your original
account.

I'm not sure if that's taking the MAC address of the device or the phone number
into consideration or what - but it's definitely a bit creepy.

------
wideasleep1
If he ever accessed FB by phone, that was the rat. FB is built into most
popular apps, and those rat you out many times an hour... in some cases, like
Spotify, every song change.

------
craftoman
Of course it's possible, they use tools similar to
[https://github.com/Valve/fingerprintjs2](https://github.com/Valve/fingerprintjs2).
I found a way to "confuse" such algorithms using a browser called Palemoon,
yet there are a lot of factors that could affect anything; a simple mistake and
everything will be screwed up.

------
ben174
If he uploaded his photo maybe it was facial recognition associating him with
group pictures in his friends accounts.

------
megous
Browsing just/mostly the profiles of people you know is enough, I suppose.
You'd have to browse the FB randomly and hide true intentions in the noise.

~~~
smt88
Don't forget data-sharing relationships with major digital retailers

------
m3kw9
IP address, keystrokes fingerprinting, and more

------
meetuu
cameradust, browser fingerprinting, graphic/sound card canvas, memory canvas,
mouse usage, keyboard usage, cpu serial number, MAC, router MAC, system logs,
telemetry

~~~
albeebe1
Cameradust? That's clever if it means what I think it means, aka looking at
artifacts in a photo caused by "gunk" on your lens.

~~~
meetuu
Yes it does. There is also acoustic analysis of keyboard noise, quite a lot,
and this all happens at the time of account creation and early account use,
until the FB AI thinks it knows who you are; there is no need for constant
listening or watching.

~~~
debatem1
Do you have a source for this? I've done a reasonable amount of work on
weaponizing these sorts of attacks and it's definitely nontrivial. I'd be
shocked to find out that Facebook had successfully deployed them at scale.

~~~
zucksablackhat
Nontrivial is in the eye of the beholder. FB does a lot of things quite
shocking, and uses zero days, and soc eng like Jack the Bear; don't forget
Zuck's roots, he did this stuff from day one. BTW I'm not about to distribute
hack source on HN, pearls among swine goes nowhere here.

~~~
debatem1
Let's please not hypothesize exotic attack capability without evidence. It
makes it difficult to get people to pay attention when we really need them to
be concerned about sophisticated adversaries.

------
ohWARisme
After reading through this thread, I find some very concerning things. The use
of the word nontrivial is one thing. Calling something nontrivial does not
mean you have expertise; there are a number of analytic tools that are being
called non trivial or too complex, and that means it is non trivial to the
caller. The rest of us who use these techniques as often as breathing find
them trivial to say the least. The lack of knowledge regarding just how
extensively big data reaches into our platform is another. Let's look at
Google: the practice of asking permission for something mundane like sorting
pictures according to location can be accomplished by scraping EXIF data, but
Google uses this as an opportunity to turn on location tracking in the
background. Facebook most definitely does not refrain from background
permission jacking. The tools and APIs lying around in the open for anyone
to take advantage of is another. Win10 telemetry provides an intimate snapshot
of a Win10 instance, and anyone can use that telemetry to fingerprint your
hardware. Even encrypted telemetry is a highly individual number that doesn't
need to be decrypted to indicate an individual machine across the internet.

The title of this forum "hackernews" is concerning; there seem to be no
hackers here at all. All of the "non trivial" actions here are non trivial to
those that know very little about CS in general, or have an extremely
antiquated perspective on the nature and extent of system penetration as it
stands today. A "normie" is not likely to know anything about lockpicking, but
even an apprentice locksmith finds it extremely trivial; it's just a matter of
perfecting dexterity over a couple of months to be quick and slick about it.

Facebook is one of the biggest threats to national security we have in our
back yard, and the lackadaisical attitudes displayed here regarding security,
only set that threat in stone and perpetuity.

~~~
SketchySeaBeast
> After reading through this thread, I find some very concerning things. The
use of the word nontrivial is one thing. Calling something nontrivial does not
mean you have expertise; there are a number of analytic tools that are being
called non trivial or too complex, and that means it is non trivial to the
caller. The rest of us who use these techniques as often as breathing find
them trivial to say the least. The lack of knowledge regarding just how
extensively big data reaches into our platform is another. Let's look at
Google: the practice of asking permission for something mundane like sorting
pictures according to location can be accomplished by scraping EXIF data, but
Google uses this as an opportunity to turn on location tracking in the
background. Facebook most definitely does not refrain from background
permission jacking. The tools and APIs lying around in the open for anyone
to take advantage of is another. Win10 telemetry provides an intimate snapshot
of a Win10 instance, and anyone can use that telemetry to fingerprint your
hardware. Even encrypted telemetry is a highly individual number that doesn't
need to be decrypted to indicate an individual machine across the internet.

> The title of this forum "hackernews" is concerning; there seem to be no
hackers here at all. All of the "non trivial" actions here are non trivial to
those that know very little about CS in general, or have an extremely
antiquated perspective on the nature and extent of system penetration as it
stands today. A "normie" is not likely to know anything about lockpicking, but
even an apprentice locksmith finds it extremely trivial; it's just a matter of
perfecting dexterity over a couple of months to be quick and slick about it.

> Facebook is one of the biggest threats to national security we have in our
back yard, and the lackadaisical attitudes displayed here regarding security,
only set that threat in stone and perpetuity.

I see meetuu, zucksablackhat, and ohWARisme all posting in succession in the
same places - are you all the same user? edit: Threw in parent's post in case
of deletion.

------
prewett
We all send out packets with our MAC address, which is supposed to be unique,
so it seems like it would be easy to correlate the two profiles, since the MAC
address is the same.

Makes me think there’s not going to be an effective technological means of
resisting tracking.

~~~
detaro
The MAC address doesn't leave the local network; an internet service can't see
it. (Sometimes IPv6 addresses are derived from it, but any modern OS should
use privacy extensions, which create randomized addresses.)
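An added example for detaro's parenthetical (mine, not from any commenter): the one way a MAC address does become visible beyond the LAN is the classic SLAAC interface identifier, which embeds the MAC in the low 64 bits of an IPv6 address with an `ff:fe` marker in the middle. The snippet recognises that pattern in an address and recovers the MAC, builds the address SLAAC would derive from a given MAC so you can spot your own in a log or capture, and classifies anything without the marker as randomized or static. Both addresses are constructed in the `2001:db8::/32` documentation range.

```python
import ipaddress


def mac_from_eui64(addr: str):
    """Return the MAC embedded in a modified-EUI-64 IPv6 address, or None.

    SLAAC without privacy extensions builds the 64-bit interface identifier as
    OUI(3 bytes) | ff fe | NIC(3 bytes), with the universal/local bit (0x02 of
    the first byte) inverted. No ff:fe marker means the address is randomized
    (privacy extensions) or manually assigned. The marker can also appear by
    chance in a random IID (about 1 in 65536), so a hit is a strong hint, not
    proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def eui64_address(prefix: str, mac: str) -> str:
    """Build the address SLAAC would derive from `mac` inside `prefix` (a /64).

    Handy for checking whether an address seen in a server log or packet
    capture is simply your own NIC's MAC with a prefix in front of it.
    """
    network = ipaddress.IPv6Network(prefix, strict=False)
    mac_bytes = bytes(int(part, 16) for part in mac.split(":"))
    iid = bytes([mac_bytes[0] ^ 0x02]) + mac_bytes[1:3] + b"\xff\xfe" + mac_bytes[3:6]
    return str(ipaddress.IPv6Address(network.network_address.packed[:8] + iid))


def classify(addr: str) -> str:
    """Human-readable verdict for one IPv6 address."""
    mac = mac_from_eui64(addr)
    return f"eui64 (leaks MAC {mac})" if mac else "random or static IID"


if __name__ == "__main__":
    # Constructed addresses (documentation range): one EUI-64 derived from the
    # constructed MAC 00:1a:2b:3c:4d:5e, one with a randomized identifier.
    for a in ("2001:db8::21a:2bff:fe3c:4d5e", "2001:db8::8d1f:3a4c:9e2b:7f01"):
        print(a, "->", classify(a))
```

On a host with privacy extensions enabled (the default on current desktop and mobile operating systems) the outbound address will fall into the second category, which is the behaviour detaro describes; an `eui64` verdict on your own public address is the case worth fixing. Either way the check says nothing about IPv4, where the MAC never appears in the packet at all.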

