Wednesday, 15 June 2016

Hackers Can Steal Your Facebook Account With Just A Phone Number


Even where users have chosen strong passwords and taken extra security measures, their Facebook accounts are not safe from hackers. Researchers have proven just that by taking control of a Facebook account with only a phone number and some hacking skills to exploit the SS7 network, a core piece of telecoms infrastructure shown to be vulnerable repeatedly over the last half decade.

What’s the problem with SS7? As the SS7 network trusts messages sent over it regardless of their origin, hackers can trick it into diverting calls and texts to their own devices. All they need is the phone number and some device details to initiate the silent snooping. Positive Technologies, which demoed the Facebook hack for FORBES, recently showed they could also hijack WhatsApp and Telegram accounts with similar tricks.

The Facebook hack takes the exploits a step further, only requiring a phone number. The attacker clicks on the “Forgot account?” link on the Facebook.com homepage. When asked for an email address or phone number linked to the target account, the hacker provides the legitimate number. By diverting the text message containing a one-time passcode to their own PC or phone, they can log in to the account, as shown in the video below.

 

The attack, of course, requires the user to have registered a phone number with Facebook and to have authorized Facebook Texts. Nevertheless, Positive’s work shows that any service that uses SMS to verify user accounts has left open an avenue for hackers to quickly target customers.

As hackers are already exploiting the flaws, and surveillance companies are selling $20 million SS7 snooping services to nation-state spies, network operators are trying to roll out protections for customers. FORBES has learned that British intelligence service GCHQ is helping European providers improve their SS7 security, via CESG, the body’s information security arm. “The Government takes mobile network security and resilience extremely seriously,” a spokesperson for CESG said over email. “We are aware of the SS7 issue and will continue to support the work underway by the telecoms industry to tackle this issue and ensure customers remain protected.”
