Hackers Can Breach a Facebook Account with a Phone Number

Security researchers have proven that a Facebook account can be compromised with an unauthorized individual taking control by merely using a phone number coupled with some basic hacking skills.

An outdated technology still used within core telecommunications infrastructure has proven vulnerable, with researchers taking control of a Facebook account armed with a phone number.

The SS7 network has notably been compromised repeatedly over past five years. The flaw in the network is its inherent way of trusting messages sent over the platform, irrespective of the source of the message. Quite simply, any hacker can bamboozle the network into diverting telephonic communications including calls and texts to their own devices. The phone number and the device details is all they will need to mirror the target’s calls and messages.

Here’s how it works:

  • The unauthorized attacker clicks on the “Forgot account?” link on the social media network’s homepage.
  • The attacker is then asked for an email address or, conveniently, a phone number. Hence, all the attacker really needs is the legitimate phone number.
  • The one-time passcode sent to the registered number is simply diverted to the hacker’s phone, at which point the account can easily be logged into.

While Facebook accounts are proven to be vulnerable against SS7 attacks, websites that allow user authentication through text-induced verification are also at risk. These include the likes of Gmail and popular social media platform, Twitter.

For its part, Facebook has denied any responsibility for the vulnerability, pointing out that it is due to a weakness in the telecom sector.

In an emailed statement to The Hacker News, a spokesperson stated:

Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people.

Furthermore, the spokesperson recommends Facebook users to enable two-factor authentication called Login Approvals, a feature that disables account recovery through SMS.

The spokesperson added:

As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings.

Doing this will disable recovery via SMS on your account so even if someone has your phone number, they’ll still need your password to access your account.

Image credit: Flickr.