Facebook Stole $120 From Me

Posted on May 27, 2010 by Scott Jennings| 26 Comments

I have two.. no, three of these charges on my bank account today.

upshot_TWiSJKRL.png

I have never purchased an ad on Facebook.

The “Facebook Ad Manager” for my account supports this.

More worryingly – I have never given Facebook my bank card information. I’ve never purchased anything from a Facebook game, or Facebook credits, or anything else.

So… you know? I’m kinda spooked right now. And the fact that the phone number Facebook has given with the charge leads only to instructions to fill out a web form (which then says “We’ll contact you in 48 hours”) fails to assuage my suspicions.

Update: I’ve had my bank card cancelled since it may well be a case of a stolen CCN… but that seems an awfully odd thing to spend money on.

This entry was posted in _. Bookmark the permalink.
  • http://virtualgunmen.com Noel

    Worrying. Possibly tied to having to set up the application for Broken Toys for Facebook connect?

  • http://www.facebook.com/ameggs Andrew Meggs

    Call your bank now to dispute the charges. Don’t wait 48 hours for FB, because many banks place a limit on how long you can go without notifying them and still get money refunded.
    It’s far, far likelier that a third party stole your credit card number and used it to buy $80 worth of something from Facebook, than that Facebook themselves stole $80. Facebook are the ones on the hook when there’s a chargeback from your CC company, and the fees and penalties with that are such that charging people from your own business account isn’t a remotely viable criminal enterprise.

  • Dana

    Honestly, that sounds like the issue isn’t with Facebook, but your credit card. I’d call the CC company and complain, they usually strike charges like this pretty fast.
    I’d also get a new credit card and cancel the existing one while I’m at it.

  • http://geldonsgaming.blogspot.com geldonyetich

    That is pretty creepy that Facebook is charging you for ad space when you didn’t even give them a means to charge you.  You might find some more information here.

  • http://www.somebits.com/weblog/ Nelson Minar

    Contact the fraud department for your credit card company immediately. Often CC thieves first “test” a card with some online purchase. I don’t know that Facebook is a popular testbed, but it seems possible.

  • Scott Jennings

    Andrew, I did exactly that. I find it hard to believe someone would steal my CCN and then use it to buy small amounts of facebook advertising, though!

  • Scot B.

    Actually, it makes perfect sense, if they can put up an ad leading to a fake site that will result in more card phishing.
    But if it’s YOUR Facebook account that was billed, I would assume they have owned your machine and any password or CCN you’ve used on that machine is now suspect.

  • http://stabbedup.blogspot.com/ Stabs

    Amusingly enough in my browser your post starts with the Recommend button (two people recommend being robbed by Facebook) and ends with a Connect with Facebook ad.
    On the right a selection of google ads offer various bank services for people who can’t keep hold of their money.
    I’m not unsympathetic Scott but the framing of your post with all these utterly insensitive plugs is rather funny.

  • Horse

    Maybe I’m confused here, but why would you assume that a bank transaction that says “Purchase Facebook.com Ads” was actually a payment to Facebook? If I was a scammer taking advantage of your stolen credit card number, I’d try to camouflage payments to my bank account with some suitably innocuous reference field entry.

  • JeremyT

    Scott:
    One of my credit cards was compromised recently, seemingly due to a data breach at an online retailer.
    What did they buy with those stolen credentials?
    A Steam game, and some software purchased through Microsoft TechNet.
     

  • FG

    It is relatively common (if you are dealing with professional thieves) to make a small charge with a stolen credit card to determine the validity, and then pump the card for all it is worth 1-7 days after the test charge.

  • http://www.antipwn.com/blog IainC

    Scot B.: Actually, it makes perfect sense, if they can put up an ad leading to a fake site that will result in more card phishing. But if it’s YOUR Facebook account that was billed, I would assume they have owned your machine and any password or CCN you’ve used on that machine is now suspect.

     

    That’s now what has happened as I understand Scott’s telling of it. His Facebook account has no mention of the ad buys, those entries are from his bank account. So they could be for any Facebook account or, as Horse says, it could be a red herring thrown in from any random CC transaction (although normally the CC handler is identified and those don’t generally allow you to populate the fields yourself).

    FG is right though, normally the thieves will test cards to see if they are still live before going for big-ticket stuff. If you’re lucky or paranoid you’ll spot that in time.

  • Boanerges

    Actually it probably was FB advertising. The results are immediate and FB scams are on the rise. In the last 2 weeks I’ve had 3 friends compromised by rogue apps that ask people to update their FB video player (it’s malware). So what better way to promote malware than with a stolen CC to buy ads for said malware? Max ROI for your stolen bucks (even thieves have to be frugal). If you want to know what they do with said malware, see Scott’s recent post on what Symantec found spelunking through the seedy underbelly of the Internet.
    Definitely file a chargeback with the bank. With the loopy way credit card transactions work (remember that, without a PIN, this is a credit card transaction) and bank laws too, you’ll get your money back faster than you can say “Myspace”.

  • http://joshdrescher.com Josh Drescher

    I’ve had two cases of ID theft in the past few years (thanks, travel to foreign lands!).  In one case, the person using my CCN initially bought a bunch of stuff on iTunes, then 24 hours later maxed out the card buying plane tickets to Africa.  According to the bank, it’s not unusual for the thief to make small online purchases to “test out” the new CCN before moving on to bigger stuff.

  • http://www.facebook.com/sjennings Scott Jennings

    Ironically, the form Facebook uses for disputing charges does not let you list YOUR email address anywhere – just fragments of the credit card number and the name on the card. So Facebook has no way to actually get to me if it is credit card fraud.
    So yeah, definitely, bank card is cancelled.

  • Andrew Best

    Should consider the possibility that its a phisher trying to setup an advertising account with Facebook so they can host some malware in their advertisements. Using stolen CC information to purchase the advertising would be the way to cover their tracks.

  • Andrew Best

    Yea, what Boanerges said. Must pay more attention when reading previous comments.

  • http://www.mainlyaboutgames.co.uk FreakyZoid

    > I find it hard to believe someone would steal my CCN and then use it to buy small amounts of facebook advertising, though!
     
    Less likely to be flagged up as fraud by the card company than big transactions. When my card details were stolen the thieves bought around £200 worth of cell phone credit in £10 and £20 chunks first. Then, since none of that had been refused, they went for a few big transactions (which were what eventually tipped off my bank, who notified me).

  • Centuri

    Any idea what the add “you” purchased was for?  It would be delicious irony if your CCN was stolen and used to purchase adds for gold sellers.

  • boley

    Scott, when you type bank card are you referring to a credit card (Visa, Master Card, Am Ex, etc) or an actual debit card (visa check card, atm card, etc)?  Hopefully it is the former, because you gotta be nuts to use a debit card just about anywhere nowadays (especially on the interwebs).  I don’t think many people realize how little fraud protection a debit card has.

  • http://Chrome.blogspot.com Chrome

    Have you tried  Google Buzz?  Much better privacy and more control by the user.

  • http://beafraid.com hellfire

    Apropos spam, Google. Well played.

  • wufiavelli

    Dispute it with your card also.  I know people who purchased Mortal Online (age of mourning meets darkfall) were able to cancel their pre order through their card.

  • sinij

    I am curious to find out what happened. Lum, any new developments or did you decide to let them have you hard-earned 40$?

  • http://kfsone.wordpress.com/ Oliver ‘kfs1′ Smith

    Ugh – I just got 3 x Norton charges – 2 months after getting my credit card replaced for … 3 x Norton Charges.
    NORTON *SOFTWARE  <REFERENCE F558300HZ000TF175> $146.13
    I haven’t bought anything from Norton in years, and I’ve been pretty damn careful with this CC. I guess one of my machines must have a trojan :(

  • Adam

    I just had this same thing happen to me.  After depositing $1.01 INTO my account, facebook then ripped me off for 370 dollars in 50 dollar increments.  The last one was 20 bucks to make sure they came in under my daily transaction limit.  I had a visa/debit card (canceled it immediately) but I never once bought a single thing on Facebook with it.  I don’t understand how Facebook got my information.  I know it can’t possibly be a cyber criminal because criminals who steal your account cannot use Facebook to DEPOSIT money into my account.  They could only use an accoun they have access to.  Therefore Facebook, or an employee within facebook, is responsible.  However this still doesn’t explain how they got my CCN.  I can only assume that Facebook is indeed (as many people feared) using their massive access to purchase and sell private information against the will of its users.  This is the only explaination I can come up with as facebook refuses any and all attempts at contacting them.  They have refused to return my phone calls.  I filed a police report and I have contacted CNN news and my congressperson about this issue.
    I have since gotten the money back but only because facebook credited me the money.  My money was stolen.  Facebook gave me back some other money but only because I DEMANDED it back.  They still refuse to answer any of my questions or even attempt to assuage my fears about this problem happening again.  I not longer trust facebook and I will not be using it anymore.  It makes me sad because I liked facebook.