Facebook and SS7 – A Match Not Made In Heaven
Those in tech circles have known for awhile about the known flaws of Signaling System 7 (SS7 for short), and the dangers of eavesdropping it can bring. One big thing of late to make your web logins more secure is 2-factor authentication, which typically sends a 4-8 digit code to your cell phone, verifying who you are. Or at least who SS7 thinks you are.
The big problem with SS7 is it allows another party to “listen” to (and actually listen to) traffic going through your cell phone, landline, etc. This includes information using the SMS (text message) and MMS (pictures and video) sent between cell phones. And here is where this gets scary.
On Facebook, if you forget your password, and you have verified your cell phone, you can get a message that will allow you to change your password. So, if you want to take over someone’s Facebook account, all you need to know is their cell phone number, which is also needed for the SS7 security hole. They request, you and they get a message from Facebook, and they change your password before you are done scratching your head as to why you got the message in the first place.
Unfortunately, there isn’t a real solution to this problem. One of the best (and easiest to set up) ways to thwart an account takeover is through two factor authentication. The good news is that this is a limited threat case, meaning that not many people use this kind of hacking/espionage. The bad news? With things like this, the popularity may begin to grow.