Facebook has opened its users up to security risk, and potential theft, by allowing anyone on the platform to search for others using their phone numbers, which were only given to the social network for two-factor authentication security.
“For years social media Big Brother had been pestering its users to secure their account with two-factor authentication (2FA) by prompting them to enter their phone number so they could get a text with a security code login when logging into their account from a new device for the first time,” explained Fast Company, Sunday. “On the surface, Facebook prompting people to enable 2FA was a good thing–if you have 2FA enabled it’s much harder for someone who isn’t you to log in to your account. But this being Facebook, they’re not just going to do something that is only good for the user, are they?”
After inviting users to submit their phone numbers under the guise of better security, Facebook now allows “anyone to look up a user by their phone number, the same phone number that was supposed to be for security purposes only,” and won’t let users opt out of the feature — creating a security risk for the user.
“The most you can now do is limit who can look you up with the phone number you provided to ‘Friends,’ but you can’t hide it entirely,” Fast Company reported. “And remember, by default Facebook allows the whole world to find out who you are by entering your phone number.”
Lawyer and Adam Smith Institute fellow Preston Byrne pointed out on his blog that Facebook “just created a massive security hole which exposes every single one of its users to life-altering shitty hacks.”
“I’m frankly astonished nobody internally at that company thought about this before pushing this feature,” Byrne proclaimed. “The issue here is that your average workaday user who is even a little security-minded will not only use their cell phone to do two-factor authentication for their Facebook login, but will also use the same cell phone for every other two-factor login or password recovery system they have, including, for example, their e-mail account or their bank.”
Byrne then added, “even if you leave specific instructions with your provider to not port your SIM without a PIN and photo ID, smooth-talking criminals can still convince telco employees to do it anyway, with the result that the crook obtains control of your phone number – and can receive any communications sent to it.”
“Facebook’s new search feature will allow fraudsters to use Facebook to verify the identities of cell phone subscribers, even where Facebook users have locked down their cell phone numbers on their profiles to avoid this very outcome. In permitting anyone to search cell phone numbers, Facebook has compromised the security of every individual user of its service in the name of convenience,” he continued. “All someone needs to do, conceivably, to exploit this new ‘feature’ from Facebook is to punch in random cell phone numbers until they hit paydirt and discover a corresponding identity. If the user isn’t particularly security-minded, they’ll have birthdates and addresses publicly viewable, too.”
“After the target is identified, the hacker simply calls up the user’s cell service provider, and social engineers a SIM port,” Byrne explained. “Boom. All SMS-based 2FA that person used with that number, on any service, is now compromised. Including the 2FA for the user’s Facebook account.”