June 17, 2016

Hackers Can Breach a Facebook Account with a Phone Number

Security researchers have proven that a Facebook account can be compromised with an unauthorized individual taking control by merely using a phone number coupled with some basic hacking skills.

An outdated protocol still used within core telecommunications infrastructure, SS7, has proven vulnerable: researchers took control of a Facebook account armed with nothing more than its phone number.

The SS7 network has been compromised repeatedly over the past five years. The flaw in the network is its inherent trust in messages sent over the platform, irrespective of the source of the message. Quite simply, a hacker can trick the network into diverting telephonic communications, including calls and texts, to their own devices. The phone number and the device details are all they need to mirror the target’s calls and messages.

Here’s how it works:

  • The unauthorized attacker clicks on the “Forgot account?” link on the social media network’s homepage.
  • The attacker is then asked for an email address or, conveniently, a phone number. Hence, all the attacker really needs is the legitimate phone number.
  • The one-time passcode sent to the registered number is simply diverted to the hacker’s phone, at which point the account can easily be logged into.

While the demonstration targeted Facebook, any website that authenticates users through SMS-delivered verification codes is equally at risk of SS7 attacks. These include the likes of Gmail and the popular social media platform Twitter.

For its part, Facebook has denied any responsibility for the vulnerability, pointing out that it is due to a weakness in the telecom sector.

In an emailed statement to The Hacker News, a spokesperson stated:

Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people.

Furthermore, the spokesperson recommends that Facebook users enable two-factor authentication, called Login Approvals, a feature that disables account recovery through SMS.

The spokesperson added:

As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings.

Doing this will disable recovery via SMS on your account so even if someone has your phone number, they’ll still need your password to access your account.
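As an added example (not code from the article, Facebook, or The Hacker News), the following toy model of the “Forgot account?” flow described above lets an account owner or administrator audit which accounts would fall to a diverted text and which are protected because Login Approvals turns SMS recovery off. The `RecoveryService` and `Account` names and the phone numbers are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    phone: str
    login_approvals: bool = False  # Facebook's name for 2FA; turns SMS recovery off
    pending_otp: Optional[str] = None


class RecoveryService:
    """Toy 'Forgot account?' flow keyed on phone number (constructed, not Facebook's code)."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts: Dict[str, Account] = {a.phone: a for a in accounts}

    def request_sms_recovery(self, phone: str) -> str:
        acct = self.accounts.get(phone)
        if acct is None:
            return "unknown_number"
        if acct.login_approvals:
            # Mitigation from the article: with Login Approvals on, a texted code
            # alone can no longer recover the account; the password is still required.
            return "sms_recovery_disabled"
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"  # six-digit one-time code
        return "otp_sent"

    def redeem_otp(self, phone: str, otp: str) -> bool:
        acct = self.accounts.get(phone)
        if acct is None or acct.pending_otp is None:
            return False
        ok = hmac.compare_digest(acct.pending_otp, otp)
        acct.pending_otp = None  # single use, whether or not it matched
        return ok


def exposure_if_sms_intercepted(service: RecoveryService, phone: str) -> str:
    """Risk check: assume the carrier-side SS7 weakness lets the texted code reach a
    third party. Does knowing the phone number then suffice to take the account?"""
    status = service.request_sms_recovery(phone)
    if status != "otp_sent":
        return status
    diverted_code = service.accounts[phone].pending_otp  # stands in for the diverted SMS
    return "takeover_possible" if service.redeem_otp(phone, diverted_code) else "otp_rejected"


def audit(service: RecoveryService) -> Dict[str, str]:
    """Run the check over every account; flags the ones that still rely on SMS alone."""
    return {phone: exposure_if_sms_intercepted(service, phone) for phone in list(service.accounts)}


def build_demo_service() -> RecoveryService:
    # Constructed sample accounts: one SMS-only, one with Login Approvals enabled.
    return RecoveryService([Account("+15550100"), Account("+15550101", login_approvals=True)])
```

Running `audit(build_demo_service())` flags the SMS-only account as exposed and reports the Login Approvals account as refusing SMS recovery outright.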

Image credit: Flickr.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
