Making a fake passport or ID to hack into someone else's Facebook account takes only a few minutes, thanks to online tutorials that are a simple Google search away.
Last week, someone took control of the Facebook account of Aaron Thompson, a 23-year-old from Pontiac, Michigan, by tricking Facebook's support to disable all security on his account after showing them a fake, photoshopped, passport.
The hack exposed a major flaw in the way Facebook, and other online providers, verify that we are who we really claim we are.
As it turns out, there are several free online tutorials, and even apps, to learn how to make fake IDs on your computer. A Google search for "bypass facebook government ID" turns out thousands of hits, including YouTube tutorials specifically made with the goal of circumventing Facebook's government ID requirements.
"Today I will show you how you can make own fake government id proof to bypass facebook verification," reads one.
If Photoshop and image editing isn't your forte, you can automate most of these steps thanks to apps like Fake ID Generator, which has been downloaded more than 17,000 times, according to Google Play. While the app isn't marketed specifically to avoid Facebook's verification, it could clearly be used for that, though the app reminds potential users that "these IDs are for entertainment only." And it's worth keeping in mind that using fake passports or IDs is a crime in most countries.
It's unclear how many people use forged documents on Facebook, but it's likely that the incident last week is not the first time that happens. But a source who claims to have been using photoshopped fake IDs on Facebook for years, told Motherboard that Facebook's controls aren't very effective.
"They never catch you," the cybercriminal, who declined to be identified, said.
"They never catch you."
All these sites and tools, however, don't seem to worry Facebook. In response to last week's hack, the company admitted its mistake in handing over Thompson's account, saying that "accepting this [fake] ID was a mistake that violated our own internal policies and this case is not the norm."
It's unclear what policies Facebook uses, but in response to a questions related to these sites and tools that teach people how to circumvent Facebook's ID verification process, a spokesperson told me this week that government IDs "are just one aspect of verification," and that the company also uses "other signals" such as IP address, account history, and others.