Using SMS as a security measure is broken in more than one way. SMS messages are broadcast across the world, and it only takes one corrupt phone company anywhere to intercept them.
Meta says risk of account theft after phone number recycling isn't its problem to solve
Meta has acknowledged that phone number reuse that allows takeovers of its accounts "is a concern," but the ad biz insists the issue doesn't qualify for its bug bounty program and is a matter for telecom companies to sort out. The core problem is that telecom companies recycle phone numbers that have been abandoned after a …
COMMENTS
Tuesday 13th February 2024 09:16 GMT Paul Crawford
SMS / phone number should not be the only means - it is acceptable as the '2' in 2FA where something more robust is the primary authentication, but not here where your allocated (and reused) phone number is all you need to get into an account.
They won't fix it most likely as they are more concerned about making it easy to sign up for whoring to advertisers.
Wednesday 14th February 2024 11:27 GMT 0laf
Worse than that, SMS is less worthy as a 2FA factor since the SMS is not tied to a physical device tightly enough. SIM swap fraud is relatively easy to do since you only need to social engineer the person in a retail phone shop, which brings the entire retail arm of the supplier into your personal attack surface. And that is much easier to do than intercepting the SMS or stealing a phone.
SMS is a better-than-nothing additional factor. 10 years ago we were referring to it as a half factor because of this.
Banks etc. use SMS as MFA because it's cheaper than signing up to use an app-based system; your security is not the primary concern.
Wednesday 14th February 2024 23:38 GMT Sora2566
"Signing up to use an app based system"?
I coded a TOTP implementation in my spare time years ago after reading some blogs online. My employer's site was automatically compatible with Google Authenticator, Microsoft Authenticator, Authy...
Completely free on our part (I didn't even charge for my time), and my implementation has been largely untouched since being implemented... except that years later the CEO suddenly realized how important it was and mandated that everyone in the business use it.
Wednesday 14th February 2024 10:40 GMT hoola
Re: Well if Meta are going to get roasted for this one
This actually is the critical issue that is completely ignored.
So much is accessed from a mobile device now and that same device is also the 2FA device. This is nothing to do with texts, but all the Authentication apps that are used as well.
Essentially, the entire point of 2FA has been lost.
Wednesday 14th February 2024 15:50 GMT diguz
Re: Well if Meta are going to get roasted for this one
well not entirely. Yes my phone can have all the factors for the login (like the password saved in the keychain and the mfa token-generating app), but each of those factors require an additional authentication step, be it biometric scanning or another password. You might say that even a biometric scanner can be cracked, but afaik that requires specialized equipment, so the normal facebook account thief won't target the average john doe.
Wednesday 14th February 2024 16:09 GMT Anonymous Coward
Re: Well if Meta are going to get roasted for this one
"Essentially, the entire point of 2FA has been lost."
Not at all. If someone gets ahold of the username and password, that's not enough to break into the account - they also need to either get the physical device (much harder) or pull a SIM-swap attack. So proper 2FA (like an authenticator app) does protect against, say, hackers in another country trying to access an account. But not someone stealing your phone first.
Tuesday 13th February 2024 10:43 GMT Doctor Syntax
Re: Well if Meta are going to get roasted for this one
It's rather worse than nothing on two counts. As I've written here before, if this is being relied on then whoever has your phone or your phone number is you, even if it's not you. That opens the door to a variety of mechanisms for fraud. Secondly, it's an indication of sloppy thinking around security, which should start you wondering what other sloppy thinking is going on.
Tuesday 13th February 2024 11:25 GMT jmch
Re: Well if Meta are going to get roasted for this one
The main problem though, is that 2FA should be 2-factor. Gaining access to an account when controlling *only* the second factor is complete bullshit security design. Using a username/password as factor 1 and sms as factor 2 should work OK in most cases*. But companies are so desperate to get users logged-in (to get eyeballs on paying ads) and/or buying stuff that it's all one-click or zero-click procedures, security sacrificed for supposed user convenience.
*always assuming good password hygiene
Tuesday 13th February 2024 18:35 GMT DS999
Re: Well if Meta are going to get roasted for this one
There is security design and usability design. Meta has a billion plus users, and people are forgetting their passwords every day.
Let's say I forget my Facebook password: how can I reset it without Meta employees having to become involved? The only information it has about me is my email address (I never gave them a phone number) so they would have to email me a reset code. But likely a lot of people have changed email providers since they started on Facebook (especially long time users who used a school account that's no longer valid) so phone number will be all there is for many. You might say "well how about a Facebook friend vouching for you" but then if your Facebook friend's account is hijacked so is yours!
Even if Meta did staff up some call centers so you could call them and say "I forgot my password I need to have it reset", how are they going to verify it is you? Ask you questions about when your birthday is, which is either public on Facebook or probably available somewhere on the web unless like me you've lied about your birth date and year - but offhand I'm not sure if it is Jan. 1 1900 or Jan. 1 1904, or Jan. 1 1910, though I'm pretty sure it is one of those. If you were working a call center asking someone to identify themselves and they said "I'm pretty sure I was born in one of the three following years" would you approve a password reset? Hopefully not!
Maybe Meta should have something that shows up on login telling people "here are the following ways we will allow your account's password to be reset if it is forgotten" that shows the phone number and email it would use. Tell people that if that phone number or email is no longer valid, or you switch them in the future, you should either update your information or uncheck those boxes to disable those methods. If they disable both methods make them approve a warning "if you forget your password you will permanently lose access to your account" and let them take that risk if they so choose.
Tuesday 13th February 2024 19:01 GMT AlexanderHanff
Re: Well if Meta are going to get roasted for this one
None of this is relevant - none of it absolves Meta of their legal obligations and all of it completely fails to take into account the fact that there are multiple solutions available to resolve this issue. Meta created this problem through bad design, not through bad users.
Wednesday 14th February 2024 09:31 GMT imanidiot
Re: Well if Meta are going to get roasted for this one
If you can keep a phone number up to date, you can keep an email address up to date. Being allowed to change a password in a 2FA scenario without requiring a 2nd authentication factor (email and phone for instance) is just silly. What's the point of having 2FA if you can defeat it by bypassing one of them with a single compromised authentication factor?
Wednesday 14th February 2024 11:00 GMT gnasher729
Re: Well if Meta are going to get roasted for this one
About the “changed email provider”. I just left BT. I have to keep paying them £7.50 a month for my email (up to 10 email addresses of which I use three, but changing them would be such an absolute pain).
Apple would give me free email as long as I have an Apple ID. But I can’t get my name without a number (like johnsmith123). Vodafone is nice enough to let me keep my landline number for free for incoming calls; all my wife’s mates use it; and you _can_ use it for outgoing calls but it costs. Like if you forgot your mobile at a mate's house.
Wednesday 14th February 2024 12:33 GMT Anonymous Coward
Re: Well if Meta are going to get roasted for this one
"I just left BT. I have to keep paying them £7.50 a month for my email (up to 10 email addresses of which I use three, but changing them would be such an absolute pain)."
Hold on, this is the Reg, and you're admitting to relying on ISP email? Noooo. At the moment you're being charged twice as much as you need be, which you may not care about but you're still at the mercy of BT. Several other ISPs have already stopped issuing ISP email addresses, and a few have closed down altogether. The proportion of customers using ISP email is trivial these days - when VM announced the stopping of new customer email addresses a year or two back, they let it be known that regularly used accounts were about 1% of their total customer base. BT might be a bit higher, but it's probably still in "nuisance to provide" territory, so sooner or later BT will conclude that either email is loss making for them, or simply insufficiently profitable, and then it's lights out time.
Why not take the pain and buy a domain and email package from Ionos or any good value alternative hosting service? Around £3 a month for five addresses inc free domain whilst you're with them. If need be at some future stage you find another hosting/email supplier and take the domain and email addresses with you. For a single email address you just buy a domain and use the included single email, that's about a quid a month, billed annually. If you've got two initials, then there's a fair chance that combined with your surname a .com or .co.uk address will be available. For example, a quick check says jbgnasher.com and jbgnasher.co.uk are available. Your emails would then be something like john<at>jbgnasher.com which sounds better than btinternet to me. And whilst I can't prove it, it seems from observation that Ionos take account security a whole lot more seriously than any ISP email service does.
Others might suggest running your own email server, which is fine for those who enjoy such things, but is a complexity I wouldn't go to, and you'd still need to pay for a domain.
Wednesday 14th February 2024 16:14 GMT Anonymous Coward
Re: Well if Meta are going to get roasted for this one
An aside about ISP-provided email:
I have a small, not-externally-facing home server, configured to send me my daily logwatch via email. It uses my ISP's email and password to do it. I set this up probably 6 years ago.
I changed ISPs a year and a half ago - and never updated the server to use the new ISP (or some other account). I'm still receiving my daily logwatch in my "real" (non-ISP) email address, being sent from my former ISP's email. I wonder how long they'll allow that?
Wednesday 14th February 2024 11:31 GMT 0laf
Re: Well if Meta are going to get roasted for this one
If you can authenticate using only one of two available factors then it's a single factor login.
For access to personal information this should be considered a breach of the GDPR under article 32. And MFA is certainly not state of the art by any means.
Tuesday 13th February 2024 11:49 GMT JulieM
Re: Well if Meta are going to get roasted for this one
Have you taken a look in the Google Play Store or Apple App Store for an authenticator app lately?
I had occasion, recently, to search for a reputable authenticator app by name. What I found was a plethora of dodgy apps, all including at least advertisements (probably supplied from some dodgy third-party advertising networks, so already at risk of malware even if no-one thinks it is worth the effort specifically to attack an app which might well hold a list of TOTP keys). Some even claimed to include in-app purchases, which sounds like the perfect mechanism for holding users to ransom by insisting on a payment before they can view their 2FA codes. (Though probably not before said users have already given the app a good review.) I did not dare try to install any of them, so I don't know what extraneous permissions they might be asking for.
And while I like to think I'm not daft enough personally to fall for it, I can't imagine a thoroughly nasty "2FA" app, if its installation process had already filtered out the half-savvy users, would necessarily set off too many alarm bells if it were just to ask users casually for their passwords along with any QR codes they scan, and send them -- along with the usernames, site addresses and TOTP keys extracted from said QR codes; the keys to the kingdom, in other words -- to criminal gangs.
I actually felt quite ill seeing this mess. As much as I would be in favour, ordinarily, of healthy competition in a marketplace, it is clear that not a single one of these parasitic apps adds anything worthwhile, and the potential exists for them to be downright harmful. I consider Google and Apple complicit in any damage, for not including a 2FA app in the default distributions of their operating systems.
I would honestly recommend anyone who knows how to, to get the SDK for their phone, and either write their own 2FA app from scratch, or download an Open Source one from Github. Failing that, as much as it sticks in my craw, use Google Authenticator or Microsoft Authenticator. Or use SMS precisely because it means you don't have to risk installing a malicious app.
Tuesday 13th February 2024 15:34 GMT JulieM
Re: Well if Meta are going to get roasted for this one
I looked around, but I could not find the Source Code for download. That is a complete dealbreaker, as far as any kind of security software is concerned. How can anyone be sure it isn't doing something naughty behind the scenes, without being able to inspect it properly?
Wednesday 14th February 2024 09:37 GMT imanidiot
Re: Well if Meta are going to get roasted for this one
Would you ever be able to fully inspect it? Would you build it yourself from source? If not, how are you going to be certain the compiled code you install is the same as the source? Open source is nice, but in the end imho, trusting the source of the programming is more important.
Thursday 15th February 2024 11:15 GMT JulieM
Re: Well if Meta are going to get roasted for this one
I would, because I know how TOTP works, and I know the things an authentication app does *not* need to do. If there was anything in the Source Code that I did not think belonged, I would try removing it and seeing if it still built without it. And then I'd make my fork available.
In any case, once I had gone to the effort of building the source, even if the resulting binary matched the one they were supplying, I might as well install my version.
Wednesday 14th February 2024 19:03 GMT Anonymous Coward
Re: Well if Meta are going to get roasted for this one
Authy were sadly already in the process of withdrawing their desktop apps in a few months' time (which would otherwise be, umm, handy if your phone was damaged, lost or stolen), but have suddenly just shat on their users further and reduced the shutdown period for the desktop apps to just over a month from now. Nice. Not. (And you need to give them your phone number, too, which many people aren't comfortable with.)
On the free/open source side of things FreeOTP is a bit basic, but it works well enough.
Tuesday 13th February 2024 12:13 GMT AlexanderHanff
Re: Well if Meta are going to get roasted for this one
I have been using TOTP authenticator for years with zero issues - the problem you highlighted is a non-issue if the platforms themselves point users to an open source, safe authentication app.
But I do agree that actually it is perfectly viable for OS companies to include a TOTP app directly in the OS - I will mention this to Apple next time I meet with them - then we just have to watch the war where Company X sues OS Company Y because their TOTP app is the default and is therefore an abuse of market power impacting competing apps....
Tuesday 13th February 2024 14:10 GMT JulieM
Re: Well if Meta are going to get roasted for this one
TOTP authentication is an example of something to which no value can possibly be added -- but from which a lot of value can be subtracted, by a particularly bad product. The state of the market, and the prevalence of dodgy apps, proves it.
Nobody would stand for cars being sold without seat belts fitted at the factory, empowering drivers to choose from a range of competing suppliers' products -- most of which included something unwanted, and some of which happened to be designed in such a way as to extort money, fail to provide protection in the event of an accident or even cause your car to crash -- under a legal régime that required customers to accept the manufacturer's word at face value, and criminalised any attempt by owners to inspect them, or by independent parties to publish their own assessments.
Wednesday 14th February 2024 17:26 GMT doublelayer
Re: Well if Meta are going to get roasted for this one
That's why most services offering TOTP either built their own app to issue the codes or recommend one specific, reputable authenticator app, usually either Microsoft's or Google's. The benefit of something like it is that it is open. While email may have gotten some "value reduction" as you call it by being an open standard, it is still better than alternatives because it can be used nearly anywhere. I prefer TOTP to a mandated single provider because I get to decide where the authenticator is. I don't need to install their app on my phone if I'm not using the service there and I can move keys to a different one as I choose. If I want to use an authenticator that has more security precautions, I can do it without begging them to support it.
Wednesday 14th February 2024 19:10 GMT Anonymous Coward
Re: Well if Meta are going to get roasted for this one
Unfortunately, Microsoft and Google are not organisations which I, personally, would regard as "reputable", and there is no way I would have apps from either of them on my phone (although I realise that not everyone would agree!). I even only half-trust Apple (although having rented my soul to them, I guess I sadly have no choice)…
Thursday 15th February 2024 00:43 GMT doublelayer
Re: Well if Meta are going to get roasted for this one
And, with a protocol like TOTP, you don't have to. Do you think Google and Microsoft are doing something nefarious in their apps? Okay, use a different one. It even works to use a non-Microsoft authenticator on your Microsoft accounts and a non-Google one on your Google accounts. The recommendations of these are because they're available, likely to be supported for some time, known to come from secure sources, and believed to be trustworthy. You are free to disagree with these assumptions, although I don't, and having an open protocol means you can manage with that easily.
Wednesday 14th February 2024 19:51 GMT DS999
Re: Well if Meta are going to get roasted for this one
There is no app, it is built in. If you are logging in on an iPhone or other Apple device that's synced via iCloud the 2FA happens automatically (you will need to look at your iPhone to get Face ID to recognize you)
If you are logging in on another device you go to Settings/Passwords and click on the website and it'll give you the code. Or you can ask Siri "what's my password for xxx.com" and it'll be brought up on the screen.
Ease of setup depends on how well the website supports the RFC and what method it uses (QR code or numeric code) for the initial sync.
Tuesday 13th February 2024 18:43 GMT DS999
Re: Well if Meta are going to get roasted for this one
You don't need a third party app. Both iPhone and Android support TOTP based on RFC 6238. More third parties like Facebook need to offer that as an option for stuff like handling lost passwords.
Sure, if someone gets ahold of your phone and can unlock it they could steal your Facebook account, but if you're like me you would worry 100000% more about someone getting your phone and being able to unlock it as well as able to bypass Face ID. A compromised Facebook account would not even matter at that point compared to what they could do with full access to my phone.
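Sora2566's comment earlier in the thread describes writing a TOTP implementation that worked out of the box with Google Authenticator and friends, and DS999 notes above that the underlying standard is RFC 6238 and that enrolment happens via a QR code or a typed numeric secret. The block below is an added example, not the commenter's code and not anything of Meta's: both halves of that arrangement in standard-library Python, namely the code generation an authenticator app performs, the server-side check with a small clock-drift window, and the otpauth:// URI that the enrolment QR code carries. The issuer and account names are placeholders; the reference secret and expected codes are the published RFC 4226 / RFC 6238 test vectors.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with nothing but the Python standard library.

Added example for this thread, not the commenter's implementation and not
Meta's code. Issuer and account names used below are placeholders.
"""
import base64
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# RFC 6238 Appendix B reference secret: the ASCII bytes "12345678901234567890".
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret(nbytes: int = 20) -> str:
    """Fresh shared secret as unpadded base32, the form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def _key(secret_b32: str) -> bytes:
    """Tolerate the spacing, lower-case and missing-padding variants users type in."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(_key(secret_b32), struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / step). This is all the app does."""
    t = time.time() if timestamp is None else timestamp
    return hotp(secret_b32, int(t // step), digits, algorithm)


def verify_totp(secret_b32: str, code: str, timestamp: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side for drift.
    Every candidate is computed and compared in constant time, so neither a match
    nor its position leaks through timing."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    t = time.time() if timestamp is None else timestamp
    base = int(t // step)
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret_b32, base + delta, digits)
        matched |= hmac.compare_digest(candidate.encode(), code.encode())
    return matched


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// Key URI that the enrolment QR code encodes."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
                       "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


def parse_provisioning_uri(uri: str) -> dict:
    """What an app recovers from the scanned QR code. The secret is carried in clear,
    which is exactly why a dishonest authenticator app is in a position to harvest it."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


if __name__ == "__main__":
    secret = new_secret()
    # Placeholder issuer/account; a real site would show this as a QR code.
    print(provisioning_uri(secret, "alice@example.org", "ExampleCo"))
    code = totp(secret)
    print("current code:", code, "verifies:", verify_totp(secret, code))
```

The server stores nothing but the base32 secret per user, and the only ongoing cost is the HMAC above, which is the point Sora2566 makes about it being free. A production verifier should additionally record the last counter it accepted so a code cannot be replayed within the drift window; that bookkeeping is omitted here.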
Tuesday 13th February 2024 09:11 GMT aerogems
My guess
If the EU agency involved decided to pick this up and investigate, it's going to cost Facebook a lot more than it would have if they'd just paid the bounty and figured out some way to address the issue. You'd think, given the number of times Facebook has been dragged over hot coals for privacy and security issues, they'd default towards just paying the bounty in situations like this and then using it as part of a PR campaign to claim how they are proactively working to address issues.
Tuesday 13th February 2024 09:45 GMT AlexanderHanff
Re: My guess
I am not even remotely interested in a bounty and if one was issued I would simply donate it to an NGO doing privacy work. As I explained to Tom, this was simply the easiest way to report this issue due to Meta's complete obstruction to users being able to contact them.
To be clear, they didn't even evaluate this (I am guessing the response was AI generated) as they literally closed the ticket within seconds of me submitting it - it would have taken longer than that for a human to even read the submission, let alone evaluate it.
Tuesday 13th February 2024 10:03 GMT Roland6
Re: My guess
If the EU really pick this up, the outcome is going to impact everyone who uses a phone number as part of their security: HMRC, banks, …
It is also a reminder to people that simply ditching a phone number is no longer simple, particularly if you have associated any online accounts with it. (Which, given how many want a phone number, is going to be a lot.)
However, if we make it too secure, then it will become too difficult to regain legitimate access to an account and the public will respond accordingly.
Wednesday 14th February 2024 16:21 GMT Anonymous Coward
Re: My guess
Seems like the obvious answer is "don't use a phone number for security"!
If for some reason it's strictly necessary, then the company should CALL it, ask for the first name on the account, and then ask other questions (like confirming email address) to verify the person appears to be the actual account owner.
If you get such a call without expecting it, it's either a scam or a wrong number. If you're expecting a call and get it, it's almost certainly legit.
Tuesday 13th February 2024 11:38 GMT jmch
Re: My guess
"If the EU agency involved decided to pick this up and investigate...."
...maybe the EU should also put in a few more regulations on the telecom side that (a) restricts telephone number reuse* and (b) enforces more stringent identification for purposes of switching a number to a new SIM.
*just taking the UK, mobile number formats are 07y xx xxx xxx. The 'y' has some historical implications and only 7 digits are in use, but otherwise there are 100 million numbers for each y digit, theoretically up to 700 million numbers. The UK has less than 70 million residents. There really should be no reason to ever re-use a number** within the foreseeable future (ie there should always be a fresh unused number available, or, when they have all been used, start re-using the ones that have been longest out of service, which should go back decades rather than months)
**the other issue is the rise of 'data-only' sims or vSims for IoT devices that need one eg smart meters. But arguably these numbers should have a separate larger allocation than currently (079112... and 079118...) eg 04... and 06... are currently unused.
Tuesday 13th February 2024 11:51 GMT AlexanderHanff
Re: My guess
Your reasoning is flawed as numbers are not allocated on a 1:1 basis. For example, companies may have hundreds of numbers assigned to just a few dozen employees depending on different use cases and of course, anyone (including companies) can change their numbers at any time.
We all thought there would be more than enough IPV4 addresses at one point too but hey look where we are...
You also fail to recognise that whereas there might only be 70 million people in the UK, that doesn't account for the cumulative population variance, where people die (and thus no longer need a phone number) and people are born and eventually get a new number - so that 70m number is not actually 70m at all when it comes to phone numbers.
Then of course, the biggest flaw in your argument - UK phone numbers are not only provided to UK residents... anyone traveling to the UK can purchase a UK sim card or as many UK sim cards as they like and in fact from an EU perspective this might be a good choice for travellers given that UK carriers are no longer under the umbrella of EU law (see Brexit...) and thus are not obligated not to charge roaming fees for the many millions of people who visit the UK from the EU every year... let alone people who are from outside the EU and in most cases would buy a local sim upon arrival to keep costs down... so once again, that 70m population number becomes moot very quickly.
Tuesday 13th February 2024 12:16 GMT jmch
Re: My guess
All good points, but still not enough to have to reallocate a number just 45 days after it was released as described in the article (though it's not clear if the case described was UK). Even accounting for companies having large blocks of numbers reserved, vast numbers of foreigners having UK numbers, and a vast increase in IoT devices requiring a SIM, you're still coming to maybe 4X or 5X the 70 million population number.
Given the theoretical availability of 700 million numbers, there ought to be at least a couple of hundred million free ones available. The other possibility, of course, is that there is some further allocation restriction by which mobile companies have a much more limited number space than the space of "all available numbers" (and if that is the case, that is something that could be released by ofcom or whichever other regulators)
Tuesday 13th February 2024 12:32 GMT AlexanderHanff
Re: My guess
If you read the article it is clear that that case was not the UK (it was stated that this was in the US which has a lot more than 70m residents).
Also on your argument that even then there are plenty of numbers available - again this is short sighted and exactly why we have had issues in the past with things like IPV4.
I can give you another example, back in the day I used to work for ITSA in the UK (an executive agency of the Department of Work and Pensions) working on NUBBS2 (National Unemployment Benefit System 2) where some dude in Whitehall, when tasked with the question - "How much storage do we need for this system" and responded with "Well we will never go above 3.3m unemployed so lets go with that..." 3 years later I am tasked with working over the entire Christmas break (including Christmas day) to do regression testing on an emergency patch because we were rapidly approaching that magical figure at which point the entire system would collapse and 3.5 million giros would need to be hand written - leaving people with no money over the christmas/new year period.
Eventually your 700m numbers will be used up so what then, you go to 800m? 900m? Eventually these will all be used up as well - it is not future proof and as such it shouldn't even be considered - because short term fixes almost always end up becoming long term policy and to be utterly frank - the couple of hours of coding and deployment it would take Meta and other online platforms to simply not base security on something as fragile as a damn phone number - is a lot cheaper and a lot faster than changing the entire international infrastructure for cellular network numbers.
Tuesday 13th February 2024 13:16 GMT Brewster's Angle Grinder
Re: My guess
You've got sidetracked into an argument about hard limits. The request is not that we set aside numbers forever, but that we maximise the delay before they are re-used. (With reuse measured in years, not days.)
This has the advantage that it reduces risk for all sites. I don't know how hard it is in practice, but these are changes that apply to a handful of large companies which operate in our legal jurisdiction, instead of world+dog. Even if what you say in other comments pans out, it seems a reasonable "defence in depth" strategy to do it anyway.
(Aside: I haven't used a TOTP app. If my only device is a phone, what happens if my phone gets stolen? My mum recently convinced her provider to issue her a new SIM using the existing number. Then what?)
Tuesday 13th February 2024 13:27 GMT AlexanderHanff
Re: My guess
You are not getting the point - phone numbers are not reliable identifiers - period - it doesn't matter how many there are or how long the delay before they are recycled, they are quite simply not suitable as reliable identifiers; so companies need to stop treating them as if they are and meet (at least in the EU) their legal obligations to design systems based on data protection by design and by default.
This is not optional, this is the law and no amount of excuses will change that very simple fact.
Meta are aware of this risk (they have admitted so) and as such they are legally obligated to design their services not to be susceptible to this risk - end of discussion.
By forcing Meta to comply with their legal obligations, it will set an example for other platforms to follow.
Tuesday 13th February 2024 14:23 GMT jmch
Re: My guess
"phone numbers are not reliable identifiers - period"
If you mean a phone number cannot reliably identify a unique human being over the lifetime of either, then yes of course. Except that if you want a reliable identifier for a person, other alternatives have their own drawbacks. Using email as an identifier means that a person's email address is a single point of failure - an attacker getting access to someone's email can take over everything (and this is indeed often the case since many sites actually do use email as an identifier). Using a government-issued ID number has its own drawbacks, starting with the fact that in the UK there is no such thing. And in any case, for many use cases, an identifier isn't enough, it needs to also be some sort of 'communication channel identifier' by which a service provider can contact a customer.
Phone numbers in this respect have some drawbacks, but also a number of advantages. And one of the drawbacks can be mitigated if every released number goes to the back of the queue of numbers that are waiting to be reused instead of almost immediately being reissued.
Wednesday 14th February 2024 19:40 GMT Alan Brown
Re: My guess
"phone numbers are not reliable identifiers - period"
They were never INTENDED to be.
The IETF said as much when standardising on limiting telephone numbers to 11 digits globally over 45 years ago. By the time you factor in routing digits there simply aren't enough numbers left for high population density areas. Just like IP addresses, phone numbers are intended to be a sparse numbering space (red/black routing trees) and shoehorning in ways of "filling out the gaps" is a recipe for disaster (see: IPv4)
Using phone numbers as a "reliable" identifier is as stupid as using birth certificates as identification documents when they're explicitly NOT intended for that purpose (many countries put wording to the effect "this is not an identity document" on birth certificates because of such widespread abuse).
A phone number can be a TEMPORARY personal identifier, but it MUST be periodically rechecked and expired if idle
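Two points made in this thread, imanidiot's that a password reset which needs only one of the two factors turns the login into a single-factor one, and Alan Brown's just above that a phone number can at most be a temporary identifier that is periodically re-checked and expired when idle, can be written down as a concrete recovery policy. The block below is an added example, not Meta's recovery code: it assumes an account records when each recovery channel was last verified, and that a recovery session presents the set of channels the user has just proven control of. The 90-day re-verification period, the account details and the recycled-number scenario are constructed for illustration; the weak policy is shown beside the hardened one so the difference is visible on the same input.

```python
"""Account-recovery policy that never accepts a lone, possibly recycled phone number.

Added example for this thread, not Meta's code. Assumptions: the account stores
a last-verified timestamp per recovery channel; the recovery session supplies
the set of channels the user has just proven ("sms", "email", "totp"); a number
that has not been re-verified within PHONE_REVERIFY_AFTER may have been reissued.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

PHONE_REVERIFY_AFTER = timedelta(days=90)  # assumed policy value, not a standard
MIN_RECOVERY_FACTORS = 2                    # a reset is itself a login: two factors


@dataclass
class Account:
    username: str
    phone: Optional[str] = None
    phone_verified_at: Optional[datetime] = None
    email: Optional[str] = None
    email_verified_at: Optional[datetime] = None
    totp_enrolled: bool = False
    # Channels the user has left enabled for password reset.
    recovery_methods: Set[str] = field(default_factory=lambda: {"sms", "email", "totp"})


def phone_is_fresh(acct: Account, now: datetime) -> bool:
    """A number counts only if control of it was proven recently."""
    return (acct.phone is not None and acct.phone_verified_at is not None
            and now - acct.phone_verified_at <= PHONE_REVERIFY_AFTER)


def reverify_phone(acct: Account, now: datetime) -> None:
    """Call after the user has again received a code at the number (e.g. at login).
    This is the periodic re-check that keeps the number usable."""
    acct.phone_verified_at = now


def expire_idle_phone(acct: Account, now: datetime) -> bool:
    """Drop SMS as a recovery channel once the number has gone stale. True if changed."""
    if "sms" in acct.recovery_methods and not phone_is_fresh(acct, now):
        acct.recovery_methods.discard("sms")
        return True
    return False


def usable_factors(acct: Account, presented: Set[str], now: datetime) -> Set[str]:
    """Intersect what the session proved with what the account still trusts."""
    usable = set()
    if "sms" in presented and "sms" in acct.recovery_methods and phone_is_fresh(acct, now):
        usable.add("sms")
    if "email" in presented and "email" in acct.recovery_methods and acct.email:
        usable.add("email")
    if "totp" in presented and "totp" in acct.recovery_methods and acct.totp_enrolled:
        usable.add("totp")
    return usable


def weak_reset_allowed(acct: Account, presented: Set[str], now: datetime) -> bool:
    """The design the thread objects to: any one listed channel resets the password,
    and how long ago the number was last confirmed is never considered."""
    return bool(presented & acct.recovery_methods)


def hardened_reset_allowed(acct: Account, presented: Set[str], now: datetime) -> bool:
    """Require two independent, still-trusted factors before a reset."""
    return len(usable_factors(acct, presented, now)) >= MIN_RECOVERY_FACTORS


def recovery_summary(acct: Account, now: datetime) -> Dict[str, str]:
    """What a 'here is how your account can be reset' screen would show the user."""
    out = {}
    if acct.phone:
        if "sms" not in acct.recovery_methods:
            out["sms"] = f"{acct.phone}: disabled"
        elif phone_is_fresh(acct, now):
            out["sms"] = f"{acct.phone}: active"
        else:
            out["sms"] = f"{acct.phone}: stale, re-verify or remove"
    if acct.email:
        state = "active" if "email" in acct.recovery_methods else "disabled"
        out["email"] = f"{acct.email}: {state}"
    out["totp"] = "enrolled" if acct.totp_enrolled else "not enrolled"
    return out


def recycled_number_scenario() -> Dict[str, bool]:
    """Constructed scenario: the owner last confirmed the number 400 days ago, let the
    line lapse, and the carrier reissued it. The new holder can only receive SMS;
    the real owner still has the email account and the authenticator app."""
    now = datetime(2024, 2, 13, tzinfo=timezone.utc)
    acct = Account(
        username="alice",                  # constructed
        phone="+44 7700 900123",           # constructed, from the UK range reserved for fiction
        phone_verified_at=now - timedelta(days=400),
        email="alice@example.org",         # constructed
        email_verified_at=now - timedelta(days=10),
        totp_enrolled=True,
    )
    new_holder, real_owner = {"sms"}, {"email", "totp"}
    return {
        "weak_accepts_new_holder": weak_reset_allowed(acct, new_holder, now),
        "hardened_accepts_new_holder": hardened_reset_allowed(acct, new_holder, now),
        "hardened_accepts_real_owner": hardened_reset_allowed(acct, real_owner, now),
        "phone_was_expired": expire_idle_phone(acct, now),
        "sms_now_disabled": "sms" not in acct.recovery_methods,
    }


if __name__ == "__main__":
    for k, v in recycled_number_scenario().items():
        print(f"{k}: {v}")
```

The cost of the hardened rule is the one Roland6 raises earlier in the thread: a user who has lost both the email account and the authenticator is locked out, which is why the summary screen (DS999's suggestion) matters, so the user sees a stale number before they need it rather than after.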
-
-
Tuesday 13th February 2024 15:29 GMT Doctor Syntax
Re: My guess
"My mum recently convinced her provider to issue her a new SIM using the existing number? Then what?"
I've done this in the past, changing from a regular account to PAYG. Admittedly O2's outsourced Indian customer disservice team didn't make this easy although the problem was quickly solved when I asked for a PAC to jump ship and I ended up talking to someone in Leeds.
-
-
Wednesday 14th February 2024 19:31 GMT Alan Brown
Re: My guess
> and responded with "Well we will never go above 3.3m unemployed so lets go with that..."
My starting point for such responses is 10 times the estimated number (if not 100), assuming I have to hardcode a limit at all
Such systems have a nasty tendency to become used for many other purposes than originally envisaged
-
-
-
-
-
Tuesday 13th February 2024 09:27 GMT Tubz
Meta, no profit in it for us, no action. The bounty not being paid isn't the problem, it's Meta's ignorant handling of the notification. They had the opportunity here to say, yes, this is a big problem and we are going to use our vast resources to fix it for the industry and finally get some privacy/security brownie points back, but no, open mouth, insert foot, kick self in ass.
-
Tuesday 13th February 2024 09:46 GMT Test Man
This is a Meta issue whether they like it or not. It's been well known right from when mobiles started to become popular in the 80s and 90s that numbers get recycled in much the same way that landlines do, yet companies like Meta use them for identification without coming up with a solution for number recycling. It is they who need to find a solution, not telecoms companies.
-
Tuesday 13th February 2024 09:55 GMT mark l 2
It's mainly because even when services do allow better forms of 2FA such as TOTP they still require you to provide a mobile number to 'prove identity'.
PayPal do this: even though I have 2FA set up with TOTP, they often still require I prove I am 'real' by having them send me an SMS, which, considering I don't get a phone signal in my office, means I have to go outside and wave my mobile about like a madman to do something I have already done by logging in with a much more secure 2FA method.
-
-
Tuesday 13th February 2024 10:22 GMT Headley_Grange
Re: How *is* this Meta's problem?
I'm not sure about this either. Many of the sites which use my phone for 2FA bug me every few months to confirm my details, which is an annoying-but-good thing. I'm not on any Meta apps, so I don't know, but I think that the only way that Meta could be criticized is if they make it difficult to change your phone number.
-
Tuesday 13th February 2024 10:34 GMT Munehaus
Re: How *is* this Meta's problem?
Because it's Meta that asked for the number in the first place. People lose numbers for many reasons outside their control. Moving house, health issues etc. For those same reasons they may also not be able to log in for some time, even if they wanted to update their number and knew they should.
Once the number is lost someone else can access your Meta accounts before you get a chance to update them, if you can even log in or know you need to. Every part of that is Meta's problem, not the user that only gave a number because they were asked.
-
Tuesday 13th February 2024 10:41 GMT AlexanderHanff
Re: How *is* this Meta's problem?
The way Meta have designed the login and password resets opens them up to a security risk as a result of re-provisioning of cell phone numbers. That is why this is their issue to resolve - under the GDPR they are legally obligated to identify and resolve security risks where possible - clearly here it is possible to remove this risk by designing login and password resets in a way which is not open to this risk - they have failed to do that and as such are in breach of Article 5(1)(f) (the principle of security), Article 25 (data protection by *design* and by *default*) and Article 32(1)(b) and 32(2) (security of processing based on risks).
So whereas you think Meta shouldn't be responsible, the law disagrees with you. The fact that they are aware of these risks but have chosen not to do anything to counter them, is a breach of their legal obligations.
-
Tuesday 13th February 2024 10:52 GMT Doctor Syntax
Re: How *is* this Meta's problem?
"Surely it is up to individual users to update their details properly when they change numbers?"
In order to do that you have to be in control of the old number - which will be used to verify you - while already knowing the new one. This isn't necessarily going to happen. OTOH it is going to happen if someone has stolen your own phone and is transferring your number to theirs.
-
-
Tuesday 13th February 2024 10:27 GMT ExampleOne
Setting aside the questions around SMS 2FA (which I don't think is the core of the problem here), the question is "Who is responsible for a user maintaining correct contact details?".
As I see it, the complaint seems to be Meta provided the password reset details to the contact details the user asked them to provide them to. Why can Meta be held liable if the user fails to update those contact details? I am pretty sure we have seen similar stories when domain names have been recycled, and the new owner of the domain started receiving email for the previous owner. I know I still receive post for previous residents of my current home, some of whom last lived here over 20 years ago!
-
Tuesday 13th February 2024 10:57 GMT Doctor Syntax
Let's conduct a thought experiment.
Your phone number has been changed. How do you go about changing contact details if they want to send an SMS to the old one to verify you?
Another:
Your phone has been stolen. How do you persuade them to block its number for verification if they want to send an SMS to it to verify it's you calling?
-
Tuesday 13th February 2024 14:21 GMT doublelayer
The latter is a valid concern and Facebook should have to change their system so that just having the second factor is not sufficient to gain access to the account. I'm not entirely sure how this process works as I do not have any accounts at Meta, but it sounds like there is a significant design fault in it if just having a phone is enough to reset the password (that's where you make someone use all the factors).
The former is the user's problem: if you change your phone number voluntarily, you remove it from accounts before relinquishing it, not hoping to do so afterward. The same applies to literally any other contact mechanism. If you stop using an email address, physical address, domain name, private key, or any other thing that is used to identify or authenticate you, you should activate the new one before deactivating the old one or risk getting locked out and you should deactivate the old one so it can't be used to compromise the account.
-
This post has been deleted by its author
-
Tuesday 13th February 2024 15:38 GMT Fred Daggy
Even worse was a bank, where I was logged in with 2FA via Authenticator app.
Said app then requested a verification code via SMS for a transaction. Account contact details had been updated and showed the correct current number. SMS was sent to an old, old, ancient, Moses-was-a-boy-when-this-was-used number. Examining the account settings, there was no way to correct this detail, no user interface could help me and I didn't feel like calling the call centre that day (it was also shut at the time, which is another factor).
-
-
-
Tuesday 13th February 2024 18:19 GMT Cav
"Your phone has been stolen. How do you persuade them to block its number for verification if they want to send an SMS to it to verify it's you calling?"
Use your provider's mechanism for locking the phone and then verify your account by other means. I've had to reestablish ownership of Facebook accounts for my teens on a number of occasions when they've needed to change their numbers, usually due to stalkers. You aren't limited to a single verification method. If you ask to verify by another method, at the point of trying to get back into your account, not when setting it up, then you can specify a list of friends who can verify you, you can provide your date of birth and identify friends based on their photos, or you can be presented with a number of photos and asked which ones you might have posted to your account. You can also use another device that Facebook will recognize, e.g. I log in to Facebook on phone and desktop. If my phone is stolen, Facebook still knows about my desktop and will let me recover an account from that device.
Facebook doesn't need a phone number at all so why are people providing them? I don't have mine associated with my account which appears to worry Meta as they constantly bug me to add one. I use an authenticator app and an email address that I've had for decades and will keep for the rest of my life.
-
-
-
Tuesday 13th February 2024 11:11 GMT mpi
> Hanff, in a LinkedIn post, argued this is unacceptable.
"We do not say 'Well we know that passwords with low entropy can be hacked very quickly, but we are not responsible for people using password busting technology so we will continue to allow four-character passwords consisting of only lower-case letters in the first half of the alphabet,'" he wrote.
No, but we do say: "Well, if your email address is your 2nd factor, and you are using an email provider that allows bad passwords and set yourself a bad password, and get hacked because of this, then that's not our problem."
Services have control over their password requirements.
Services don't have control over external providers.
How are services supposed to deal with a problem that is actually caused by something they don't have ANY control over like, for example, telecom providers reusing numbers? The only way I can think of is by disabling phone-number-based password recovery methods altogether.
Which is fine by me, I'll be the first one to say that SMS 2FA is a *really* bad idea, and always was. Problem is, what do you offer instead that is similarly low barrier and easy to use?
-
Tuesday 13th February 2024 11:17 GMT AlexanderHanff
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
The solution is simple - do not allow phone numbers to be used for security purposes - they are transient and should not be considered as unique to an individual. The most appropriate way to manage this is MFA via an app such as TOTP.
-
Wednesday 14th February 2024 09:08 GMT mpi
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
> The solution is simple
I'm listening...
> The most appropriate way to manage this is MFA via an app such as TOTP
Ahh, so we went from "simple" to "appropriate". Well done, because now we have arrived at the crux of the matter.
Note that I never advocated for the use of phone numbers as a 2nd factor. The problem here is: having your customers install a separate app on their phone to authenticate with their service raises the barrier of entry. This is something that people in IT tend to overlook: most people are not tech savvy. Understanding why that 2nd app would be a good idea to have is a really hard sell when one of the design principles of your service is that it can be used by as many people as possible.
-
Wednesday 14th February 2024 10:24 GMT imanidiot
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
"they are transient and should not be considered as unique to an individual". Isn't that exactly the same as an email address? Doesn't that have exactly the same issue? Yet afaik nobody so far has ever made a problem of password recovery/reset via email.
-
-
Tuesday 13th February 2024 15:33 GMT Doctor Syntax
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
"How are services supposed to deal with a problem that is actually caused by something they don't have ANY control over like, for example, telecom providers reusing numbers?"
The choice of whether or not to use phone number or any other external provider as identity was entirely in their control.
-
Wednesday 14th February 2024 09:10 GMT mpi
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
> was entirely in their control.
Except no, it really isn't. Market forces exist. Having more sophisticated MFA mechanisms in place raises the barrier of entry. We are not talking about administrative software for professionals here, we are talking about social media logins. Their competition favors a design that is as simple as possible to the end user. SMS is simple, it comes with your phone. The fact that it sucks from a security point of view isn't relevant in the mindspace of most consumers.
-
Wednesday 14th February 2024 14:39 GMT AlexanderHanff
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
Nothing you said has any relevance - it is the law, Meta are obligated to follow it. They know this, they have chosen not to, they know the potential consequences for not complying and have decided they would rather take that route than obey the law. It is as simple as that, and your personal opinion has zero impact on these facts.
-
Wednesday 14th February 2024 17:32 GMT doublelayer
Re: > Hanff, in a LinkedIn post, argued this is unacceptable.
The law does not say "using phone numbers for login is forbidden". You probably have a point if, as I understand your report, the phone number alone can reset all other factors and allow taking over the account. However, you're going a lot further than that by claiming that the law forbids them using phone numbers as an identifier or security method at all, and it clearly doesn't. Lots of services use a phone number as a true second factor, where it AND something else are required to make changes, and that has never been the subject of any GDPR penalty. Nor is there necessarily a reason why it should. Using a phone for MFA isn't great, but it is more secure than not using it, and GDPR does not say that not having MFA is forbidden either. I'm not sure the valid point is going to be accepted, but your other one certainly will not.
-
-
-
-
-
Tuesday 13th February 2024 11:15 GMT JulieM
I can't understand why WhatsApp is tolerated
I really cannot understand why mobile companies put up with WhatsApp.
What Meta are doing is the equivalent of setting up a stall outside a telegraph office; encouraging would-be customers to take a telegraph form and fill it in using a pencil from the office; and then sending a youngster on a bicycle to pedal along under the telegraph lines and deliver it to the intended recipient, who for want of knowing any better will imagine it to be a telegram.
Meta don't have to build any telegraph offices of their own, lay any wires of their own, or even supply any stationery of their own. They just take what the telegraph companies make available for free anyway to the bona fide customers they are poaching, get to read the contents of the messages (and sell to the highest bidder any nuggets of valuable information they might contain), and slip in advertisements -- for which they are paid rather more than just the few shiny coppers their "couriers" get.
How is this anything but straight-up parasitism?
-
Tuesday 13th February 2024 14:29 GMT doublelayer
Re: I can't understand why WhatsApp is tolerated
I'm not really sure why this is relevant, but I'm willing to discuss it anyway. Mobile providers don't have to allow it; they offer a network and this is a thing you can use on a network. They don't really get a choice to permit or forbid such things. If they took actions to block communications methods like this, they would likely be punished by the law because it would be considered an anticompetitive action, an abuse of monopoly powers, and, where common carrier status is part of the law, it would violate the regulations on them and risk stripping them of that status.
They also have no reason to do so. Users of such applications are still using the mobile providers to send their traffic. When they choose to do so, they must pay the mobile providers for the network traffic they send. It doesn't matter that the providers can no longer read the messages because they agreed to provide a service delivering bytes and the user has purchased and used that service. Your analogies are mostly if not entirely flawed; the sender and recipient know well that SMS and WhatsApp messages are not the same, the deliveries use the same network rather than an alternative, and there is no cost to whatever telegraph forms were supposed to be (they both construct their own message packets and making packets is effectively free and the costs are borne by the user's device anyway).
-
Wednesday 14th February 2024 09:13 GMT mpi
Re: I can't understand why WhatsApp is tolerated
> I really cannot understand why mobile companies put up with WhatsApp.
Because, and this is a very good thing, telecom providers don't get to decide what data their users send over their wires, or what applications they run on the devices attached to their infrastructure.
-
-
Tuesday 13th February 2024 11:21 GMT Corin
How do users go from having a new number to knowing the account ID?
Let's suppose I get a new phone number; 0711223344. How do I possibly determine that it belongs to the Facebook account of "John Smith" and compromise it?
Perhaps it's the ability to log in with phone number that's a problem here, and that would indeed make it Meta's problem? Or am I missing a trick here?
-
Tuesday 13th February 2024 11:28 GMT AlexanderHanff
Re: How do users go from having a new number to knowing the account ID?
That is the entire point - you do not need to know this. The way Instagram and Facebook are currently set up you can log in with phone number rather than name/username/email and you can have a link sent to reset the password directly to a phone number.
So basically anyone who gets a new phone number can go around all of the popular online platforms and just go down the password reset route using just the phone number. They then receive the link, go to the link, perform the password reset and login with the phone number and the new password.
That is why this is such a serious issue and it is trivial for Meta to fix, simply by not permitting phone number to be used for security purposes.
-
Tuesday 13th February 2024 13:02 GMT Roland6
Re: How do users go from having a new number to knowing the account ID?
> trivial for Meta to fix, simply by not permitting phone number to be used for security purposes.
As the only security factor.
Other services might send security codes to a phone, but will also ask for one or more of the email address associated with the account, other phone numbers associated with the account etc. Even mother's maiden name would prevent easy reset/takeover by an unrelated third party.
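The distinction Roland6 and Cav draw (a phone number may look the account up, but it must not be the only thing that authorises a reset) can be modelled directly. The following is an added example, not code from the thread or from Meta; the proof types, channel names and the `min_channels` rule are assumptions chosen to illustrate the point, and the recovery scenarios are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Proof(Enum):
    """Evidence a caller can present during account recovery (hypothetical set)."""
    SMS_LINK = "sms_link"                # clicked the link texted to the enrolled number
    EMAIL_LINK = "email_link"            # clicked the link mailed to the enrolled address
    TOTP = "totp"                        # valid authenticator-app code
    KNOWN_DEVICE = "known_device"        # request came from a device seen on the account before
    TRUSTED_CONTACTS = "trusted_contacts"  # vouched for by pre-nominated friends


# Proofs that depend on the same underlying channel count once. Whoever is
# re-issued a recycled number automatically gets SMS_LINK, so that single
# channel must never be sufficient on its own.
CHANNEL = {
    Proof.SMS_LINK: "phone",
    Proof.EMAIL_LINK: "email",
    Proof.TOTP: "authenticator",
    Proof.KNOWN_DEVICE: "device",
    Proof.TRUSTED_CONTACTS: "social",
}


@dataclass
class RecoveryRequest:
    lookup_key: str                  # what the caller typed; a phone number is fine here
    proofs: set[Proof] = field(default_factory=set)


def reset_allowed_weak(req: RecoveryRequest) -> bool:
    """The flow the thread describes: proof of the phone channel alone unlocks a reset."""
    return Proof.SMS_LINK in req.proofs


def reset_allowed_hardened(req: RecoveryRequest, min_channels: int = 2) -> bool:
    """The phone may identify the account, but authorisation needs proofs from at
    least `min_channels` distinct channels, so a recycled number by itself fails."""
    channels = {CHANNEL[p] for p in req.proofs}
    return len(channels) >= min_channels


def scenarios() -> dict[str, tuple[bool, bool]]:
    """Constructed cases; each value is (weak policy result, hardened policy result).
    The number is from the UK range reserved for fiction, so it is not a real subscriber."""
    number = "07700900123"
    cases = {
        # New holder of a recycled number: has the SMS link and nothing else.
        "recycled_number_holder": RecoveryRequest(number, {Proof.SMS_LINK}),
        # Genuine owner on a device the service has seen before.
        "owner_known_device": RecoveryRequest(number, {Proof.SMS_LINK, Proof.KNOWN_DEVICE}),
        # Owner whose phone was stolen: recovers via email plus authenticator (Cav's route).
        "owner_lost_phone": RecoveryRequest(number, {Proof.EMAIL_LINK, Proof.TOTP}),
    }
    return {name: (reset_allowed_weak(r), reset_allowed_hardened(r)) for name, r in cases.items()}
```

The hardened rule deliberately counts channels rather than proofs: an SMS code and a voice call to the same number would still be one channel, which is the mistake a naive "two factors" counter makes.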
-
-
Wednesday 14th February 2024 09:00 GMT sabroni
Re: How do users go from having a new number to knowing the account ID?
My initial reaction was the same as Corin's, "How are they finding the user ID from a phone number?"
It's great that Alex has explained that you can log in to Facebook with a phone number. Pity that fact isn't made clearer in the article though; it seems kind of fundamental to the exploit....
-
-
Tuesday 13th February 2024 11:22 GMT Anonymous Coward
Call me old fashioned
Mainly because I am, but;
Who the heck gives companies like FB their phone number anyway?
Having been born long before the Internet, it has always been my primary objective to never share PI with untrustworthy sites.
Except for trusted parties like the government and my bank.
-
Tuesday 13th February 2024 11:30 GMT AlexanderHanff
Re: Call me old fashioned
The simple fact is, it has become increasingly difficult (and in many cases, impossible) to sign up to online platforms without providing your phone number. I am also a dinosaur but this is not 1995 any more when you could just sign up with an email address. This is the data-grab century and all these platforms want your phone number because then they can say to the people they sell your data to that they know exactly who you are because they have your phone number...
Get with the times man... ;)
-
Tuesday 13th February 2024 12:00 GMT AlexanderHanff
Re: Call me old fashioned
You also need to keep in mind that phone number is one of the fields in Meta's many "lookalike" advertising products and even though they are not legally supposed to use phone numbers which are collected for "security" reasons (which is why they ask for the phone number) for other purposes (yet another breach of the GDPR) we know for a fact they do. You can verify this by simply setting up a Facebook business account and using their "Custom Audiences" product which will require you to provide them with a spreadsheet of data about your customers (which includes phone number) so that Facebook/Instagram can then compare that data with the users they have (based on the same identifiers) and guarantee to the advertising customer that they are targeting the correct user or the user's social graph...
It is all one giant adtech con.
Meta would not be able to ask for phone number if they couldn't use the "security" argument as it would breach the data minimisation principle (yet another breach of Article 5 of the GDPR) and then they wouldn't be able to claim that they can match your customer data with their users...
-
Tuesday 13th February 2024 15:11 GMT Gene Cash
Re: Call me old fashioned
Google has hammered me for my phone number for at least 10 years now, including stuff like offering a Google+ vanity URL back when that was a thing.
A friend recently retired, and to stay in contact, I decided to finally get a FB account.
Their response was that I wasn't using my real name and I needed to send them a driver's license or birth certificate!
My response to that is not repeatable here, but I know a LOT of people who would have complied without a second thought.
-
-
Tuesday 13th February 2024 12:58 GMT Anonymous Coward
I'm glad that here in France, due to local regulations, it's trivial to change phone company while keeping the same phone number.
I've even changed twice in the same week once, because the mail gateway of my first choice would not talk to my MX, and thus I couldn't receive the contract. I must have had 5 or 6 different phone companies with my current number over more than a decade.
-
-
Wednesday 14th February 2024 04:22 GMT Trixr
Thanks Meta
I'm just glad my mother knows absolutely zilch re social networking, after some jumped-up little scrote at H*rv*y N*rm*n in NZ told her that it was "impossible" to transfer her phone number to a new phone he inveigled her into buying (despite local legislation mandating that it must be done on demand, free of charge). The first I heard about it was when she called me to tell me her number of over a decade had been changed.
She had enough hassle updating it with various govt entities - I hate to think of the effects if she'd been using it to sign onto internet-facing services.
-
Wednesday 14th February 2024 10:49 GMT Autonomous Comrade
If we're not going to move away from SMS 2FA, surely mobile providers could come together to offer an API/service that announces when phone numbers are going to be recycled for these sorts of services, so that they can unlink those phone numbers. There could be some spam issues, but maybe they could hash the numbers (and salt them? although this may make it too inconvenient for legitimate sites to use) so that they'd be harder to figure out (although I'm sure a brute force on the entire number space wouldn't be that hard, just inconvenient). Or have them send in a number when the user logs in and it reports the last time it was reissued.
Although I doubt this will actually happen in practice unless a regulator feels like doing something about it.
-
Wednesday 14th February 2024 18:36 GMT Stu J
I don't think that broadcasting which numbers have changed hands is a particularly safe or sensible approach.
However, there should be an API which companies with legitimate requirements can query - they send a phone number and the last date/time they validated it, and the API responds with a simple "valid", "invalid", or "unknown" depending on whether the number has migrated to a different SIM since they last verified it.
-
-
Wednesday 14th February 2024 11:18 GMT gnasher729
I thought about this. My mobile is 07xxx yyyyyy. Reasonably short. There are hundreds of millions of those but not infinitely many. And since all my mates have that number I want to keep it.
My suggestion: Add three more digits, so my “real” number is 07xxx yyyyyy 001. The phone system has an automatic translation so calling my number adds 001. Whoever uses it for 2FA enquires the last digit and never changes it, so for 2FA they use 07xxx yyyyyy 001.
If I give up my number and it is reassigned, the last digits change to 002. So for 2FA the number is never reused. Facebook would have a number that just doesn't work anymore. 2FA wouldn't message the new owner.
And you can have a number with 100 to 999 added. They are _never_ reused. They would be less popular because they are harder to type and remember. But a company can get many of them with different purposes.
Old systems would not need changing but would remain insecure. Clever phone software would remember the complete number but not display it, and they would be able to find that a number is reassigned.
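Stu J's query ("here is the number and when I last validated it; tell me valid, invalid or unknown") and gnasher729's hidden generation suffix are two views of the same carrier-side fact: when the number last changed hands. The example below is added here and is not code from the thread, from any carrier or from Meta. The `NumberRegistry` class is a hypothetical stand-in for an API no carrier currently offers, the three-digit suffix format follows gnasher729's description, and the subscriber number is constructed from the UK range reserved for fiction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class NumberRecord:
    """Carrier-side state for one dialable number (hypothetical model)."""
    generation: int        # gnasher729's suffix: 1 -> "001", 2 -> "002", ...
    assigned_at: datetime  # when the current subscriber received the number


class NumberRegistry:
    """Hypothetical carrier registry; real carriers expose no such API today."""

    def __init__(self) -> None:
        self._records: dict[str, NumberRecord] = {}

    def assign(self, number: str, when: datetime) -> str:
        """Issue (or re-issue) a number and return its suffixed, never-reused form."""
        rec = self._records.get(number)
        if rec is None:
            self._records[number] = NumberRecord(generation=1, assigned_at=when)
        else:
            rec.generation += 1          # the dialable digits stay the same
            rec.assigned_at = when
        return self.full_number(number)

    def full_number(self, number: str) -> Optional[str]:
        """Dialable number plus the hidden three-digit generation suffix."""
        rec = self._records.get(number)
        return None if rec is None else f"{number}{rec.generation:03d}"

    def check(self, number: str, last_validated: datetime) -> str:
        """Stu J's query: has the number changed hands since the caller last validated it?"""
        rec = self._records.get(number)
        if rec is None:
            return "unknown"
        return "valid" if rec.assigned_at <= last_validated else "invalid"


@dataclass
class Account:
    phone_full: str              # suffixed number stored at enrolment, e.g. "07700900123001"
    phone_validated_at: datetime


def may_send_reset_sms(account: Account, registry: NumberRegistry) -> bool:
    """Service-side gate: refuse to route a reset code to a number that has moved on.
    Either signal alone is enough to refuse; a service without the suffix scheme
    would rely on check() only."""
    dialable = account.phone_full[:-3]
    if registry.check(dialable, account.phone_validated_at) != "valid":
        return False
    return registry.full_number(dialable) == account.phone_full


def demo() -> dict:
    """Walk the recycled-number scenario with constructed data."""
    reg = NumberRegistry()
    number = "07700900123"   # 07700 900xxx is reserved for fiction in the UK: constructed
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    first = reg.assign(number, t0)                          # original subscriber
    acct = Account(phone_full=first, phone_validated_at=t0 + timedelta(days=30))
    before = may_send_reset_sms(acct, reg)                  # True: same subscriber
    second = reg.assign(number, t0 + timedelta(days=400))   # number recycled to a stranger
    after = may_send_reset_sms(acct, reg)                   # False: generation changed
    return {
        "first": first, "second": second,
        "before": before, "after": after,
        "status": reg.check(number, acct.phone_validated_at),
        "unknown": reg.check("07700900999", t0),
    }
```

The service never learns who holds the number now, only that its stored copy is stale, which addresses Stu J's objection to broadcasting reassignments while still letting the service unlink the number before a reset link is sent.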