Facebook users pwnd by phone with account recovery vulnerability

Facebook account recovery using pre-registered mobile numbers is poorly implemented and open to abuse, according to critic James Martindale. Martindale wrote an article on Medium, titled I kinda hacked a few Facebook accounts using a vulnerability they won't fix, highlighting his concerns in a bid to push the social network …

  1. A K Stiles
    WTF?

    Just incredible that the security of one of the most used systems in the world is so lax.

    Also interesting to note that people regularly change their mobile numbers when they change phone / carrier. I've had the same number in the UK for about 17 years, but it's on the 5th new phone and 4th carrier in that time. Does no other country port numbers easily? (or is it an outside Europe thing?)

    1. Stacy

      I kept mine in Holland as much as possible (I only changed once in 17 years, as the company took over my contract and then went bankrupt - the phone company would only let me keep my number with them, converting it to a private account again, if I paid my employer's debt to them), and in the UK always kept the same number.

      But out of the people I know in both countries, I am in the minority. It seems (note: personal anecdotal evidence only :) ) many people think that it costs money or is somehow unsafe to keep the same number...

    2. Anonymous Coward

      Me too, had the same number for 16 years, first on One2One and then Cellnet, then Orange (and then EE).

      1. Anonymous Custard

        I'd guess a fair percentage may actually have had changing their number as the reason to switch in the first place. Especially if the original had ended up on the various telemarketing cold-call databases that are used to spam us these days (PPI anyone?).

    3. Mark 85

      Wife and I have the same number after numerous phone and carrier changes. We're in the States. I guess I'm wondering why others change numbers?

    4. Anonymous Coward

      Incredible?

      Why do you find that incredible? They aren't protecting health or banking info, they're protecting a bunch of vacation pictures and 10 year old posts from three girlfriends ago. It is more important to have it be easy to use than to be secure. They offer multiple methods of 2FA for those who are concerned about security.

      1. Anonymous Coward

        Re: Incredible?

        Their 2FA options require either a cell phone (to receive SMS), a physical U2F key, or a cell phone with NFC. Most users aren't going to buy the key, and a lot of phones don't have NFC. So while they offer "multiple methods", most users can't turn off SMS-based login.

  2. Joseph Haig

    Nothing like good security!

    I'm so glad I never succumbed to adding my phone number for extra security (allegedly).

  3. DNTP

    Let's be honest here

    These types want phone numbers for marketing and perhaps surveillance, and any security "benefit" the user receives is mostly incidental to that.

  4. Henry Minute

    As my dear old mother used to say...

    "Facebook said its practices mirrored those of other online services"

    I suppose that if Tommy jumped off a cliff.....

  5. Prst. V.Jeltz Silver badge

    "Many of my less tech-savvy friends never remove phone numbers, they just keep adding their new number when they switch carriers or move,"

    Why the hell would you not take your previous number with you? Unless you're a serial spouse-cheater-onner, or some kind of criminal?

    1. Anonymous Custard

      Cold caller spam?

      Are you sure you've never been mis-sold PPI or been in an accident recently?

      1. John Brown (no body) Silver badge

        "Cold caller spam?"

        And you can be sure that the previous owner of your new number didn't spaff that number all over the place?

        My company mobile number of 10 years was used by a previous employee who also used it for his own business. It was quite literally *years* before calls for him from his clients finally stopped.

  6. Prst. V.Jeltz Silver badge

    " I don't know of a single website other than Facebook that lets me recover an account with a phone number, and then not change the password."

    Try Yahoo mail

    1. jkmartindale

      Haha, I learned something new today. Thanks!

  7. Prst. V.Jeltz Silver badge

    So how's this "hack" work exactly?

    So how's this work? ... A determined scammer with a good scam up his sleeve just needs to access someone's (anyone's) Facebook account to kick it off. Does he buy a load of phones hoping that one of the numbers he gets will have been used on Facebook?

    How does he know which account he has the phone for? Oh, I'm guessing Facebook told the guy in their "come back!" text?

    Or can you just go on the site and click on "I forgot my username but my phone number is..."

    I can see there are some holes there but a ne'er-do-well would have to get lucky... (which, yes I know, is not a valid security policy)

    1. jkmartindale

      Re: So how's this "hack" work exactly?

      If a scammer were to run this as an actual operation, they'd probably use some phone API like Twilio, which will dramatically reduce their costs. Then they would just request a new number, attempt to log into Facebook, and if the login is successful, take it over, rinse and repeat.

      While the "come back!" text tipped me off that this was possible, it's not necessary to know if an account exists for that given phone number.

      You are correct that there is an element of luck involved. But I stumbled across enough accounts in a row that I'm wondering if I'm either incredibly lucky, or there are a lot of accounts up for grabs.
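The loop described in the reply above (obtain a number, attempt recovery, keep whatever logs in) is easy to model. The following is an added example written for this page, not Facebook's code and not the commenter's tooling: a toy account store with a recovery flow that behaves the way the thread describes (prove you can read an SMS at the number on file and you are in, with no password change), beside a hardened variant that treats a number nobody has re-verified recently as untrusted and turns a successful recovery into a credential reset with a notification. All accounts, numbers, dates and the 180-day freshness window are constructed assumptions.

```python
"""Recycled-phone-number account recovery: weak flow vs. hardened flow.

Added example for this thread. Everything here is constructed: the accounts,
numbers, dates and the MAX_PHONE_AGE window are made up and are not
Facebook's policy or code.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets

# Constructed policy knob: how long a phone number may go without the owner
# re-verifying it before recovery via that number needs a second proof.
MAX_PHONE_AGE = timedelta(days=180)


@dataclass
class Account:
    user_id: str
    phone: str
    phone_verified_on: date      # last time the owner proved control of the number
    email: str                   # a second contact channel for notifications
    sessions: set = field(default_factory=set)
    must_reset_password: bool = False
    notifications: list = field(default_factory=list)


def make_store():
    """Constructed sample data keyed by phone number (one account per number
    here; real systems must handle several accounts sharing a number)."""
    return {a.phone: a for a in [
        Account("alice", "+15550100", date(2014, 3, 1), "alice@example.org"),
        Account("bob", "+15550101", date(2017, 8, 15), "bob@example.org"),
    ]}


def recover_weak(store, phone, otp_confirmed, today):
    """Recovery as the thread describes it: an SMS code delivered to the number
    on file logs you in. No password change, no other proof, no notice to the
    owner. Whoever holds the number today holds the account."""
    acct = store.get(phone)
    if acct is None or not otp_confirmed:
        return None
    token = secrets.token_hex(8)
    acct.sessions.add(token)
    return token


def recover_hardened(store, phone, otp_confirmed, today):
    """Same entry point, two changes. A number the owner has not re-verified
    within MAX_PHONE_AGE may have been recycled by the carrier, so recovery
    via it is refused and the owner is told on another channel. A successful
    recovery is treated as a credential reset: existing sessions are dropped,
    a new password is required, and the owner is notified."""
    acct = store.get(phone)
    if acct is None or not otp_confirmed:
        return None
    if today - acct.phone_verified_on > MAX_PHONE_AGE:
        acct.notifications.append(
            ("email", acct.email, "recovery attempted via a phone number you have not verified recently"))
        return None
    acct.sessions.clear()
    acct.must_reset_password = True
    acct.notifications.append(("email", acct.email, "your account was recovered via SMS"))
    token = secrets.token_hex(8)
    acct.sessions.add(token)
    return token


def attacker_sweep(store, numbers, recover, today):
    """Model the commenter's loop: the attacker controls every number in
    `numbers` (freshly allocated, some of them recycled), so any SMS code sent
    to one of them is 'confirmed'. Returns the user_ids taken over."""
    owned = []
    for n in numbers:
        if recover(store, n, True, today) is not None:
            owned.append(store[n].user_id)
    return owned


if __name__ == "__main__":
    today = date(2017, 9, 1)
    # Constructed pool: two numbers recycled from Alice and Bob, one never used.
    pool = ["+15550100", "+15550199", "+15550101"]
    print("weak flow, accounts taken over:", attacker_sweep(make_store(), pool, recover_weak, today))
    hardened = make_store()
    print("hardened flow, accounts taken over:", attacker_sweep(hardened, pool, recover_hardened, today))
    print("bob forced to reset password:", hardened["+15550101"].must_reset_password)
    print("alice notified of the refused attempt:", hardened["+15550100"].notifications)
```

Under the weak flow the sweep silently takes over both recycled numbers' accounts. Under the hardened flow Alice's long-stale number is refused and she is told about the attempt; Bob's recently verified number still gets through, which is the honest caveat: a freshness window only narrows the exposure, so the part that actually helps the victim is that recovery drops other sessions, forces a password change and notifies the owner instead of handing out a quiet login.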

  8. mike white 1

    Isn't this really just a rehash of the recycled email address from your ISP problem?

  9. Gerry 3

    Aah, that probably explains why I was woken up at 0610 the other day by a Facebook SMS asking me to validate my Facebook account. I've never had a Facebook account and never will.

    1. Anonymous Custard

      No, but with a little effort you could have someone else's instead...

  10. Anonymous Coward

    Want Facebook 2FA? SMS or physical key required

    Looks like you can't use "just" an authenticator app for 2FA on Facebook - either a cellphone (which will receive a code via SMS allowing login *without* the authenticator code) or a physical key is required. And even if you still have that phone number, SMS messages aren't remotely secure. https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

  11. bombastic bob Silver badge

    He's lucky if F-Bitch doesn't have him arrested

    I wouldn't be surprised in the LEAST if FaceBitch's reaction to the exploit discovery is to HAVE THE GREY-HAT HACKER ARRESTED!

    After all, he ALTERED account parameters [by removing the phone number] !!!

    I'm sure some DRM or obscure law could be used to PUNISH! THAT! GUY! with the full force of THE! LAW!!!

    [it's the kind of "logic" Face-Bitch WOULD have. yeah]

    1. Stevie

      Re: He's lucky if F-Bitch doesn't have him arrested

      Bob! Take your meds at once!

  12. scrubber

    Facebook

    Your security is just as important to us as your privacy.

  13. PacketPusher

    It takes two to tango

    Yep. This is lousy security, but it is on the users as well as Facebook. Even if FB forced a PW change, that won't stop crackers from getting in. It might warn the user that something is going on or it might not. Either way, it reminds me of a saying about horses and barn doors. Users should also be held responsible for not keeping contact info up to date.
