While most of the people usually find it hard to get a way to hack into someone’s Facebook account, researchers just proved how easy it is to hack a Facebook account with fewer efforts. Researchers got success in taking control of a Facebook account with target account’s phone number. It does not matter how strong your password is, you will be hacked just by phone number. Not just Facebook, this way can also be used to hack other kinds of accounts including Gmail and Twitter.
The researcher found a weakness on the part of global telecom network SS7. It allows hackers listen to personal phone calls, intercept SMSes. This SS7 or Signalling System Number 7 protocol is being used by more than 800 telecommunication operators worldwide to exchange information.
The issue is that it trusts text messages sent over it regardless of their origin. Hackers trick SS7 into diverting text messages and phone calls to their own devices. For this, all they need is the target’s phone number and some details of the target’s device. Now I am sure you can guess how they hacked into accounts with the just phone number.
The attacker first needs to click on “Forgot account?” link on Facebook and it will ask to provide the phone number or email linked with the account. Here, the attacker needs to put the legitimate phone number. Facebook will now send a one-time passcode (OTP) the target number. But attacker has already delivered the SMS to his computer to receive the OTP.
This issue affects all Facebook users who have added a phone number to their account.
As the exploit has nothing to do with Facebook, it can also be used to hack any other social media accounts and email accounts which offer the way to recover accounts by sending OTP on the phone number.
The worst thing is that network operators will take the time to patch this issue and you cannot expect this coming anytime soon. Now, it is a very tough decision for most of the users. Phone number and 2-factor authentication were an important part of account security. But, it has become a risk to account security.
Watch this video to know how the whole process works.
Source: Forbes
