back to article Meta says risk of account theft after phone number recycling isn't its problem to solve

Meta has acknowledged that phone number reuse that allows takeovers of its accounts "is a concern," but the ad biz insists the issue doesn't qualify for its bug bounty program and is a matter for telecom companies to sort out. The core problem is that telecom companies recycle phone numbers that have been abandoned after a …

  1. Dinanziame Silver badge

    Using SMS as a security measure is broken in more than one way. SMS messages are broadcast across the world, and it only takes one corrupt phone company anywhere to intercept them.

    1. Paul Crawford Silver badge

      SMS / phone number should not be the only means - it is acceptable as the '2' in 2FA where something more robust is the primary authentication, but not here where your allocated (and reused) phone number is all you need to get in to an account.

      They won't fix it most likely as they are more concerned about making it easy to sign up for whoring to advertisers.

    2. 0laf Silver badge

      Worse than that SMS is less worthy as a 2FA factor since the SMS is not tied to a physical device tightly enough. SIM Swap fraud is relatively easy to do since you only need to social engineer the person in a retail phone shop which brings the entire retail arm of the supplier into your personal attack surface. And that is much easier to do than intercept the SMS or steal a phone.

      SMS is a better than nothing additional factor. 10yr ago we were referring to it as a half factor because of this.

      Banks etc use SMS as MFA because it's cheaper than signing up to use an app based system, your security is not the primary concern.

      1. Sora2566 Bronze badge

        "Signing up to use an app based system"?

        I coded a TOTP implementation in my spare time years ago after reading some blogs online. My employer's site was automatically compatible with Google Authenticator, Microsoft Authenticator, Authy...

        Completely free on our part (I didn't even charge for my time), and my implementation has been largely untouched since being implemented... except that years later the CEO suddenly realized how important it was and mandated that everyone in the business use it.

    3. Anonymous Coward
      Anonymous Coward

      All the more reason

      The push by some to force people to use passcodes makes things less secure despite all the BS claiming they are more secure.

  2. Anonymous Coward
    Anonymous Coward

    Well if Meta are going to get roasted for this one

    They're going to have a lot of company because so many services have taken the 2FA = SMS route. I've got far more accounts (including banks) that use SMS than an authenticator app. for instance.

    1. aerogems Silver badge

      Re: Well if Meta are going to get roasted for this one

      It is better than no 2FA, but that's not really saying much, so...

      1. Paul Crawford Silver badge

        Re: Well if Meta are going to get roasted for this one

        Oh it is much better than nothing, but only really if both are not on the same device (e.g. 2nd to 1st = saved password on your phone) as then all keys lie with whoever has accesses to it.

        1. hoola Silver badge

          Re: Well if Meta are going to get roasted for this one

          This actually is the critical issue that is completely ignored.

          So much is accessed from a mobile device now and that same device is also the 2FA device. This is nothing to do with texts, but all the Authentication apps that are used as well.

          Essentially, the entire point of 2FA has been lost.

          1. diguz

            Re: Well if Meta are going to get roasted for this one

            well not entirely. Yes my phone can have all the factors for the login (like the password saved in the keychain and the mfa token-generating app), but each of those factors require an additional authentication step, be it biometric scanning or another password. You might say that even a biometric scanner can be cracked, but afaik that requires specialized equipment, so the normal facebook account thief won't target the average john doe.

          2. Anonymous Coward
            Anonymous Coward

            Re: Well if Meta are going to get roasted for this one

            "Essentially, the entire point of 2FA has been lost."

            Not at all. If someone gets ahold of the username and password, that's not enough to break into the account - they also need to either get the physical device (much harder) or pull a SIM-swap attack. So proper 2FA (like an authenticator app) does protect against, say, hackers in another country trying to access an account. But not someone stealing your phone first.

      2. Doctor Syntax Silver badge

        Re: Well if Meta are going to get roasted for this one

        It's rather worse for nothing on two accounts. As I've written here before, if this is being relied on then whoever has your phone or your phone number is you, even if it's not you. That opens the door to a variety of mechanisms for fraud. Secondly, it's an indication of sloppy thinking around security which should start you wondering what other sloppy thinking is going on.

        1. Sora2566 Bronze badge

          Re: Well if Meta are going to get roasted for this one

          Yes, but your threat vector is now "the people in the same building as me", not "anyone with an internet connection anywhere in the world".

          Physical security is important too.

    2. jmch Silver badge

      Re: Well if Meta are going to get roasted for this one

      The main problem though, is that 2FA should be 2-factor. Gaining access to an account when controlling *only* the second factor is complete bullshit security design. Using a username/password as factor 1 and sms as factor 2 should work OK in most cases*. But companies are so desperate to get users logged-in (to get eyeballs on paying ads) and/or buying stuff that it's all one-click or zero-click procedures, security sacrificed for supposed user convenience.

      *always considering a good password hygiene

      1. DS999 Silver badge

        Re: Well if Meta are going to get roasted for this one

        There is security design and usability design. Meta has a billion plus users, and people are forgetting their passwords every day.

        Let's say I forget my Facebook password, how can I can reset it without Meta employees having to become involved? The only information it has about me is my email address (I never gave them a phone number) so they would have to email me a reset code. But likely a lot of people have changed email providers since they started on Facebook (especially long time users who used a school account that's no longer valid) so phone number will be all there is for many. You might say "well how about a Facebook friend vouching for you" but then if your Facebook friend's account is hijacked so is yours!

        Even if Meta did staff up some call centers so you could call them and say "I forgot my password I need to have it reset", how are they going to verify it is you? Ask you questions about when your birthday is, which is either public on Facebook or probably available somewhere on the web unless like me you've lied about your birth date and year - but offhand I'm not sure if it is Jan. 1 1900 or Jan. 1 1904, or Jan. 1 1910, though I'm pretty sure it is one of those. If you were working a call center asking someone to identify themselves and they said "I'm pretty sure I was born in one of the three following years" would you approve a password reset? Hopefully not!

        Maybe Meta should have something that shows up on login telling people "here are the following ways we will allow your account's password to be reset if it is forgotten" that shows the phone number and email it would use. Tell people that if that phone number or email is no longer valid, or you switch them in the future, you should either update your information or uncheck those boxes to disable those methods. If they disable both methods make them approve a warning "if you forget your password you will permanently lose access to your account" and let them take that risk if they so choose.

        1. AlexanderHanff

          Re: Well if Meta are going to get roasted for this one

          None of this is relevant - none of it absolves Meta of their legal obligations and all of it completely fails to take into account the fact that there are multiple solutions available to resolve this issue. Meta created this problem through bad design, not through bad users.

        2. imanidiot Silver badge

          Re: Well if Meta are going to get roasted for this one

          If you can keep a phone number up to date, you can keep an email address up to date. Being allowed to change a password in a 2FA scenario without requiring a 2nd authentication factor (email and phone for instance) is just silly. What's the point of having 2FA if you can defeat it by bypassing one of them with a single compromised authentication factor?

        3. gnasher729 Silver badge

          Re: Well if Meta are going to get roasted for this one

          About the “changed email provider”. I just left BT. I have to keep paying them £7.50 a month for my email (up to 10 email addresses of which I use three, but changing them would be such an absolute pain).

          Apple would give me free email as long as I have an Apple ID. But I can’t get my name without a number (like johnsmith123). Vodaphone is nice enough to let me keep my landline number for free for incoming calls; all my wife’s mates use it; and you _can_ use it for outgoing calls but it costs. Like if you forgot your mobile at a mates house.

          1. Anonymous Coward
            Anonymous Coward

            Re: Well if Meta are going to get roasted for this one

            "I just left BT. I have to keep paying them £7.50 a month for my email (up to 10 email addresses of which I use three, but changing them would be such an absolute pain)."

            Hold on, this is the Reg, and you're admitting to relying on ISP email? Noooo. At the moment you're being charged twice as much as you need be, which you may not care about but you're still at the mercy of BT. Several other ISPs have already stopped issuing ISP email addresses, and a few have closed down altogether. The proportion of customers using ISP email is trivial these days - when VM announced the stopping of new customer email addresses a year or two back, they let it be known that regularly used accounts were about 1% of their total customer base. BT might be a bit higher, but it's probably still in "nuisance to provide" territory, so sooner or later BT will conclude that either email is loss making for them, or simply insufficiently profitable, and then it's lights out time.

            Why not take the pain and buy a domain and email package from Ionos or any good value alternative hosting service? Around £3 a month for five addresses inc free domain whilst you're with them. If need be at some future stage you find another hosting/email supplier and take the domain and email addresses with you. For a single email address you just buy a domain and use the included single email, that's about a quid a month, billed annually. If you've got two initials, then there's a fair chance that combined with your surname a .com or .co.uk address will be available. For example, a quick check says jbgnasher.com and jbgnasher.co.uk are available. Your emails would then be something like john<at>jbgnasher.com which sounds better than btinerent to me. And whilst I can't prove it, it seems from observation that Ionos take account security a whole lot more seriously than any ISP email service does.

            Others might suggest running your own email server, which is fine for those who enjoy such things, but is a complexity I wouldn't go to, and you'd still need to pay for a domain.

            1. Anonymous Coward
              Anonymous Coward

              Re: Well if Meta are going to get roasted for this one

              An aside about ISP-provided email:

              I have a small, not-externally-facing home server, configured to send me my daily logwatch via email. It uses my ISP's email and password to do it. I set this up probably 6 years ago.

              I changed ISPs a year and a half ago - and never updated the server to use the new ISP (or some other account). I'm still receiving my daily logwatch in my "real" (non-ISP) email address, being sent from my former ISP's email. I wonder how long they'll allow that?

      2. 0laf Silver badge

        Re: Well if Meta are going to get roasted for this one

        If you can authenticate using only one of two available factors then it's a single factor login in.

        For access to personal information this should be considered abreach of the GDPR under article 32. And MFA is certainly not state of the art by any means

    3. JulieM Silver badge
      Alert

      Re: Well if Meta are going to get roasted for this one

      Have you taken a look in the Google Play Store or Apple App Store for an authenticator app lately?

      I had occasion, recently, to search for a reputable authenticator app by name. What I found was a plethora of dodgy apps, all including at least advertisements (probably supplied from some dodgy third-party advertising networks, so already at risk of malware even if no-one thinks it is worth the effort specifically to attack an app which might well hold a list of TOTP keys). Some even claimed to include in-app purchases, which sounds like the perfect mechanism for holding users to ransom by insisting on a payment before they can view their 2FA codes. (Though probably not before said users have already given the app a good review.) I did not dare try to install any of them, so I don't know what extraneous permissions they might be asking for.

      And while I like to think I'm not daft enough personally to fall for it, I can't imagine a thoroughly nasty "2FA" app, if its installation process had already filtered out the half-savvy users, would necessarily set off too many alarm bells if it were just to ask users casually for their passwords along with any QR codes they scun, and send them -- along with the usernames, site addresses and TOTP keys extracted from said QR codes; the keys to the kingdom, in other words -- to criminal gangs.

      I actually felt quite ill seeing this mess. As much as I would be in favour, ordinarily, of healthy competition in a marketplace, it is clear that not a single one of these parasitic apps adds anything worthwhile, and the potential exists for them to be downright harmful. I consider Google and Apple complicit in any damage, for not including a 2FA app in the default distributions of their operating systems.

      I would honestly recommend anyone who knows how to, to get the SDK for their phone, and either write their own 2FA app from scratch, or download an Open Source one from Github. Failing that, as much as it sticks in my craw, use Google Authenticator or Microsoft Authenticator. Or use SMS precisely because it means you don't have to risk installing a malicious app.

      1. Tanaka

        Re: Well if Meta are going to get roasted for this one

        Use Authy. It syncs between your devices.

        1. JulieM Silver badge

          Re: Well if Meta are going to get roasted for this one

          I looked around, but I could not find the Source Code for download. That is a complete dealbreaker, as far as any kind of security software is concerned. How can anyone be sure it isn't doing something naughty behind the scenes, without being able to inspect it properly?

          1. imanidiot Silver badge

            Re: Well if Meta are going to get roasted for this one

            Would you ever be able to fully inspect it? Would you build it yourself from source? If not, how are you going to be certain the compiled code you install is the same as the source? Open source is nice, but in the end imho, trusting the source of the programming is more important.

            1. JulieM Silver badge

              Re: Well if Meta are going to get roasted for this one

              I would, because I know how TOTP works, and I know the things an authentication app does *not* need to do. If there was anything in the Source Code that I did not think belonged, I would try removing it and seeing if it still built without it. And then I'd make my fork available.

              In any case, once I had gone to the effort of building the source, even if the resulting binary matched the one they were supplying, I might as well install my version.

        2. Anonymous Coward
          Anonymous Coward

          Re: Well if Meta are going to get roasted for this one

          Authy were sadly already in the process of withdrawing their desktop apps in a few months' time (which would otherwise be, umm, handy if your phone was damaged, lost or stolen), but have suddenly just shat on their users further and reduced the shutdown period for the desktop apps to just over a month from now. Nice. Not. (And you need to give them your phone number, too, which many people aren't comfortable with.)

          On the free/open source side of things FreeOTP is a bit basic, but it works well enough.

      2. AlexanderHanff

        Re: Well if Meta are going to get roasted for this one

        I have been using TOTP authenticator for years with zero issues - the problem you highlighted is a non-issue if the platforms themselves point users to an open source, safe authentication app.

        But I do agree that actually it is perfectly viable for OS companies to include a TOTP app directly in the OS - I will mention this to Apple next time I meet with them - then we just have to watch the war where Company X sues OS Company Y because their TOTP app is the default and is therefore an abuse of market power impacting competing apps....

        1. JulieM Silver badge

          Re: Well if Meta are going to get roasted for this one

          TOTP authentication is an example of something to which no value can possibly be added -- but from which a lot of value can be subtracted, by a particularly bad product. The state of the market, and the prevalence of dodgy apps, proves it.

          Nobody would stand for cars being sold without seat belts fitted at the factory, empowering drivers to choose from a range of competing suppliers' products -- most of which included something unwanted, and some of which happened to be designed in such a way as to extort money, fail to provide protection in the event of an accident or even cause your car to crash -- under a legal régime that required customers to accept the manufacturer's word at face value, and criminalised any attempt by owners to inspect them, or by independent parties to publish their own assessments.

          1. doublelayer Silver badge

            Re: Well if Meta are going to get roasted for this one

            That's why most services offering TOTP either built their own app to issue the codes or recommend one specific, reputable authenticator app, usually either Microsoft's or Google's. The benefit of something like it is that it is open. While email may have gotten some "value reduction" as you call it by being an open standard, it is still better than alternatives because it can be used nearly anywhere. I prefer TOTP to a mandated single provider because I get to decide where the authenticator is. I don't need to install their app on my phone if I'm not using the service there and I can move keys to a different one as I choose. If I want to use an authenticator that has more security precautions, I can do it without begging them to support it.

            1. Anonymous Coward
              Anonymous Coward

              Re: Well if Meta are going to get roasted for this one

              Unfortunately, Microsoft and Google are not organisations which I, personally, would regard as "reputable", and there is no way I would have apps from either of them on my phone (although I realise that not everyone would agree!). I even only half-trust Apple (although having rented my soul to them, I guess I sadly have no choice)…

              1. doublelayer Silver badge

                Re: Well if Meta are going to get roasted for this one

                And, with a protocol like TOTP, you don't have to. Do you think Google and Microsoft are doing something nefarious in their apps? Okay, use a different one. It even works to use a non-Microsoft authenticator on your Microsoft accounts and a non-Google one on your Google accounts. The recommendations of these are because they're available, likely to be supported for some time, known to come from secure sources, and believed to be trustworthy. You are free to disagree with these assumptions, although I don't, and having an open protocol means you can manage with that easily.

        2. DS999 Silver badge

          Re: Well if Meta are going to get roasted for this one

          I will mention this to Apple next time I meet with them

          And they will tell you "it was added in iOS 15 over two years ago"

          1. Anonymous Coward
            Anonymous Coward

            Re: Well if Meta are going to get roasted for this one

            Re: TOTP app directly in the OS

            «And [Apple] will tell you "it was added in iOS 15 over two years ago"»

            I didn't know that. Umm, where is the app? (Genuine question.)

            1. DS999 Silver badge

              Re: Well if Meta are going to get roasted for this one

              There is no app, it is built in. If you are logging in on an iPhone or other Apple device that's synced via iCloud the 2FA happens automatically (you will need to look at your iPhone to get Face ID to recognize you)

              If you are logging in on another device you go to Settings/Passwords and click on the website and it'll give you the code. Or you can ask Siri "what's my password for xxx.com" and it'll be brought up on the screen.

              Ease of setup depends on how well the website supports the RFC and what method it uses (QR code or numeric code) for the initial sync.

      3. DS999 Silver badge

        Re: Well if Meta are going to get roasted for this one

        You don't need a third party app. Both iPhone and Android support TOTP based on RFC 6238. More third parties like Facebook need to offer that as an option for stuff like handling lost passwords.

        Sure, if someone gets ahold of your phone and can unlock it they could steal your Facebook account, but if you're like me you would worry 100000% more about someone getting your phone and being able to unlock it as well as able to bypass Face ID. A compromised Facebook account would not even matter at that point compared to what they could do with full access to my phone.

      4. Anonymous Coward
        Anonymous Coward

        Re: Well if Meta are going to get roasted for this one

        I use Authenticator Pro on my Android. It doesn't have permission to use internet access. And my firewall confirms 0 attempted connections after a couple of years of use.

  3. Anonymous Coward
    Anonymous Coward

    Anyone who ever bought a new phone...

    ...knows how easy it is to transfer a number.

    SMS based authentication is a terrible idea.

  4. aerogems Silver badge

    My guess

    If the EU agency involved decided to pick this up and investigate, it's going to cost Facebook a lot more than it would have if they'd just paid the bounty and figured out some way to address the issue. You'd think, given the number of times Facebook has been dragged over hot coals for privacy and security issues, they'd default towards just paying the bounty in situations like this and then using it as part of a PR campaign to claim how they are proactively working to address issues.

    1. Richard 12 Silver badge

      Re: My guess

      You're assuming a greater level of competence than prior evidence would indicate.

    2. AlexanderHanff

      Re: My guess

      I am not even remotely interested in a bounty and if one was issued I would simply donate it to an NGO doing privacy work. As I explained to Tom, this was simply the easiest way to report this issue due to Meta's complete obstruction to users being able to contact them.

      To be clear, they didn't even evaluate this (I am guessing the response was AI generated) as they literally closed the ticket within seconds of me submitting it - it would have taken longer than that for a human to even read the submission, let alone evaluate it.

      1. Pascal Monett Silver badge
        Thumb Up

        In any case, thank you for contributing and trying to make the world a safer place.

    3. Roland6 Silver badge

      Re: My guess

      If the EU really pick this up, the outcome going to impact everyone who uses a phone number as part of their security: HMRC, banks, …

      It is also a reminder to people that simply ditching a phone number, is no longer simple, particularly if you have associated any online accounts with it. (Which given how many want a phone number, is going to be a lot).

      However, if we make it too secure, then it will become too difficult to regain legitimate access to an account and the public will respond accordingly.

      1. Doctor Syntax Silver badge

        Re: My guess

        "If the EU really pick this up, the outcome going to impact everyone who uses a phone number as part of their security"

        Or more precisely, their insecurity.

      2. Anonymous Coward
        Anonymous Coward

        Re: My guess

        Seems like the obvious answer is "don't use a phone number for security"!

        If for some reason it's strictly necessary, then the company should CALL it, ask for the first name on the account, and then ask other questions (like confirming email address) to verify the person appears to be the actual account owner.

        If you get such a call without expecting it, it's either a scam or a wrong number. If you're expecting a call and get it, it's almost certainly legit.

    4. jmch Silver badge

      Re: My guess

      "If the EU agency involved decided to pick this up and investigate...."

      ...maybe the EU should also put in a few more regulations on the telecom side that (a) restricts telephone number reuse* and (b) enforces more stringent identification for purposes of switching a number to a new SIM.

      *just taking the UK, mobile number formats are 07y xx xxx xxx. The 'y' has some historical implications and only 7 digits are in use, but otherwise there are 100 million numbers for each y digit, theoretically up to 700 million numbers. The UK has less than 70 million residents. There really should be no reason to ever re-use a number** within the foreseeable future (ie there should always be a fresh unused number available, or, when they have all be used, start re-using the ones that have been longest out of service, which should go back decades rather than months)

      **the other issue is the rise of 'data-only' sims or vSims for IoT devices that need one eg smart meters. But arguably these numbers should have a separate larger allocation than currently (079112... and 079118...) eg 04... and 06... are currently unused.

      1. AlexanderHanff

        Re: My guess

        Your reasoning is flawed as numbers are not allocated on a 1:1 basis. For example, companies may have hundreds of numbers assigned to just a few dozen employees depending on different use cases and of course, anyone (including companies) can change their numbers at any time.

        We all thought there would be more than enough IPV4 addresses at one point too but hey look where we are...

        You also fail to recognise that whereas there might only be 70 million people in the UK, that doesn't account for the cumulative population variance, where people die (and thus no longer need a phone number) and people are born and eventually get a new number - so that 70m number is not actually 70m at all when it comes to phone numbers.

        Then of course, the biggest flaw in your argument - UK phone numbers are not only provided to UK residents... anyone traveling to the UK can purchase a UK sim card or as many UK sim cards as they like and in fact from an EU perspective this might be a good choice for travellers given that UK carriers are no longer under the umbrella of EU law (see Brexit...) and thus are not obligated not to charge roaming fees for the many millions of people who visit the UK from the EU every year... let alone people who are from outside the EU and in most cases would buy a local sim upon arrival to keep costs down... so once again, that 70m population number becomes moot very quickly.

        1. jmch Silver badge

          Re: My guess

          All good points, but still not enough to have to reallocate a number just 45 days after it being released as described in the article (though not clear if that case described was UK). Even accounting for companies having large blocks of numbers reserved, vast numbers of foreigners having UK numbers, and a vast increase in IoT devices requiring a SIM, you're still coming to maybe 4X or 5X the 70 million population number.

          Given the theoretical availability of 700 million numbers, there ought to be at least a couple of hundred million free ones available. The other possibility, of course, is that there is some further allocation restriction by which mobile companies have a much more limited number space than the space of "all available numbers" (and if that is the case, that is something that could be released by ofcom or whichever other regulators)

          1. AlexanderHanff

            Re: My guess

            If you read the article it is clear that that case was not the UK (it was stated that this was in the US which has a lot more than 70m residents).

            Also on your argument that even then there are plenty of numbers available - again this is short sighted and exactly why we have had issues in the past with things like IPV4.

            I can give you another example, back in the day I used to work for ITSA in the UK (an executive agency of the Department of Work and Pensions) working on NUBBS2 (National Unemployment Benefit System 2) where some dude in Whitehall, when tasked with the question - "How much storage do we need for this system" and responded with "Well we will never go above 3.3m unemployed so lets go with that..." 3 years later I am tasked with working over the entire Christmas break (including Christmas day) to do regression testing on an emergency patch because we were rapidly approaching that magical figure at which point the entire system would collapse and 3.5 million giros would need to be hand written - leaving people with no money over the christmas/new year period.

            Eventually your 700m numbers will be used up so what then, you go to 800m? 900m? Eventually these will all be used up as well - it is not future proof and as such it shouldn't even be considered - because short term fixes almost always end up becoming long term policy and to be utterly frank - the couple of hours of coding and deployment it would take Meta and other online platforms to simply not base security on something as fragile a damn phone number - is a lot cheaper and a lot faster than changing the entire international infrastructure for cellular network numbers.

            1. Brewster's Angle Grinder Silver badge

              Re: My guess

              You've got sidetracked into an argument about hard limits. The request is not that we set aside numbers forever, but that we maximise the delay before they are re-used. (With reuse measured in years, not days.)

              This has the advantage that it reduces risk for all sites. I don't know how hard it is in practice, but these are changes that apply to a handful of large companies which operate in our legal jurisdiction, instead of world+dog. Even if what you say in other comments pans out, it seems a reasonable "defence in depth" strategy to do it anyway.

              (Aside: I haven't used an TOTP app: If my only device is a phone, what happens if my phone gets stolen? My mum recently convinced her provider to issue her a new SIM using the existing number? Then what?)

              1. AlexanderHanff

                Re: My guess

                You are not getting the point - phone numbers are not reliable identifiers - period - it doesn't matter how many there are or how long the delay before they are recycled, they are quite simply not suitable as reliable identifiers; so companies need to stop treating them as if they are and meet (at least in the EU) their legal obligations to design systems based on data protection by design and by default.

                This is not optional, this is the law and no amount of excuses will change that very simple fact.

                Meta are aware of this risk (they have admitted so) and as such they are legally obligated to design their services not to be susceptible to this risk - end of discussion.

                By forcing Meta to comply with their legal obligations, it will set an example for other platforms to follow.

                1. jmch Silver badge

                  Re: My guess

                  "phone numbers are not reliable identifiers - period"

                  If you mean a phone number cannot reliably identify a unique human being over the lifetime of either, then yes of course. Except that if you want a reliable identifier for a person, other alternatives have their own drawbacks. Using email as an identifier means that a person's email address is a single point of failure - an attacker getting access to someone's email can take over everything (and this is indeed often the case since many sites actually do use email as an identifier). Using a government-issued ID number has it's own drawbacks, starting by which, that in the UK there is no such thing. And in any case, for many use cases, an identifier isn't enough, it needs to also be some sort of 'communication channel identifier' by which a service provider can contact a customer.

                  Phone numbers in this respect have some drawbacks, but also a number of advantages. And one of the drawbacks can be mitigated if every released number goes to the back of the queue of numbers that are waiting to be reused instead of almost immediately being reissued.

                2. Alan Brown Silver badge

                  Re: My guess

                  "phone numbers are not reliable identifiers - period"

                  They were never INTENDED to be.

                  The IETF said as much when standardising on limiting telephone numbers to 11-digits globally over 45 years ago. By the time you factor in routing digits there simply aren't enough numbers left for high population density areas. Just like IP addresses, phone numbers are intended to be a sparse numbering space (red/black routing trees) and shoehorning in ways of "filling out the gaps" is a recipe for disaster (see: IPv4)

                  Using phone numbers as a "reliable" identifier is as stupid as using birth certificates as identification documents when they're explicitly NOT intended for that purpose (many countries put wording to the effect "this is not an identity document" on birth certificates because of such widespread abuse

                  A phone number can be a TEMPORARY personal identifier, but it MUST be periodically rechecked and expired if idle

              2. Doctor Syntax Silver badge

                Re: My guess

                "My mum recently convinced her provider to issue her a new SIM using the existing number? Then what?"

                I've done this in the past, changing from a regular account to PAYG. Admittedly O2's outsourced Indian customer disservice team didn't make this easy although the problem was quickly solved when I asked for a PAC to jump ship and I ended up talking to someone in Leeds.

            2. Alan Brown Silver badge

              Re: My guess

              > and responded with "Well we will never go above 3.3m unemployed so lets go with that..."

              My starting point for such responses is 10 times the estimated number (if not 100), assuming I have to hardcode a limit at all

              Such systems have a nasty tendency to become used for many other purposes than originally envisaged

      2. katrinab Silver badge
        Megaphone

        Re: My guess

        "The UK has less than 70 million residents"

        But the average resident in the UK has 1.2 mobile phone numbers and 0.48 landline numbers. I have two mobile and one landline.

  5. Tubz Silver badge
    Facepalm

    Meta, no profit in it for us, no action. The bounty not be paid isn't the problem, it's Meta's ignorant handling of the notification. They had the opportunity here to say, yes this is big problem and we are going to use our vast resources to fix it for the industry and finally get some privacy/security brownie points back, but no, open mouth, insert foot, kick self in ass.

  6. Test Man

    This is a Meta issue whether they like it or not. It's been well known right from when mobiles started to become popular in the 80s and 90s that numbers get recycled in much the same way that landlines do, yet companies like Meta use them for identification without coming up with a solution for number recycling. It is they who need to find a solution, not telecoms companies.

  7. mark l 2 Silver badge

    Its mainly because even when services do allow better forms of 2FA such as TOTP they still require you provide a mobile number to 'prove identity'.

    Paypal do this even though i have 2FAset up with TOTP they often still require i prove i am 'real' by having them send me a SMS which considering i don't get a phone signal in my office means i have to go outside an wave my mobile about like a madman to do something i have already done by logging in with a much more secure 2FA method

    1. katrinab Silver badge
      Black Helicopters

      "they often still require i prove i am 'real' by having them send me a SMS"

      The reason they do that is because it is a lot more difficult to get millions of phone numbers than it is to get millions of email addresses, so it makes setting up bulk accounts much more difficult.

  8. localzuk

    How *is* this Meta's problem?

    Surely it is up to individual users to update their details properly when they change numbers? How could Meta even know that you've changed number in some way to deal with this?

    1. Headley_Grange Silver badge

      Re: How *is* this Meta's problem?

      I'm not sure about this either. Many of the sites which use my phone for 2FA bug me every few months to confirm my details, which is an annoying-but-good thing. I'm not on any Meta apps, so I don't know, but I think that the only way that Meta could be criticized is if they make it difficult to change your phone number.

    2. Munehaus

      Re: How *is* this Meta's problem?

      Because it's Meta that asked for the number in the first place. People lose numbers for many reasons outside their control. Moving house, health issues etc. For those same reasons they may also not be able to login for some time, even if they wanted to update their number and knew they should.

      Once the number is lost someone else can access your Meta accounts before you get a chance to update them, if you can even login or know you need to. Every part of that is Meta's problem, not the user that only gave a number because they were asked.

    3. AlexanderHanff

      Re: How *is* this Meta's problem?

      The way Meta have designed the login and password resets opens them up to a security risk as a result of re-provisioning of cell phone numbers. That is why this is their issue to resolve - under the GDPR they are legally obligated to identify and resolve security risks where possible - clearly here it is possible to remove this risk by designing login and password resets in a way which is not open to this risk - they have failed to do that and as such are in breach of Article 5(1)(f) (the principle of security), Article 25 (data protection by *design* and by *default*) and Article 32(1)(b) and 32(2) (security of processing based on risks).

      So whereas you think Meta shouldn't be responsible, the law disagrees with you. The fact that they are aware of these risks but have chosen not to do anything to counter them, is a breach of their legal obligations.

    4. Doctor Syntax Silver badge

      Re: How *is* this Meta's problem?

      "Surely it is up to individual users to update their details properly when they change numbers?"

      In order to do that you have to be in control of the old number - which will be used to verify you - while already knowing the new one. This isn't necessarily going to happen. OTOH it is going to happen if someone has stolen your own phone and is transferring your number to theirs.

      1. Pascal Monett Silver badge

        So what you're saying basically is that this "security" basically guarantees that the hacker wins ?

        How nice.

  9. ExampleOne

    Setting aside the questions around SMS 2FA (which I don't think is the core of the problem here), the question is "Who is responsible for a user maintaining correct contact details?".

    As I see it, the complaint seems to be Meta provided the password reset details to the contact details the user asked them to provide them to. Why can Meta be held liable if the user fails to update those contact details? I am pretty sure we have seen similar stories when domain names have been recycled, and the new owner of the domain started receiving email for the previous owner. I know I still receive post for previous residents of my current home, some of whom last lived here over 20 years ago!

    1. Doctor Syntax Silver badge

      Let's conduct a thought experiment.

      Your phone number has been changed. How do you go about changing contact details if they want to send an SMS to the old one to verify you?

      Another:

      Your phone has been stolen. How do you persuade them to block it's number for verification if they want to send an SMS to it to verify it's you calling?

      1. doublelayer Silver badge

        The latter is a valid concern and Facebook should have to change their system so that just having the second factor is not sufficient to gain access to the account. I'm not entirely sure how this process works as I do not have any accounts at Meta, but it sounds like there is a significant design fault in it if just having a phone is enough to reset the password (that's where you make someone use all the factors).

        The former is the user's problem: if you change your phone number voluntarily, you remove it from accounts before relinquishing it, not hoping to do so afterward. The same applies to literally any other contact mechanism. If you stop using an email address, physical address, domain name, private key, or any other thing that is used to identify or authenticate you, you should activate the new one before deactivating the old one or risk getting locked out and you should deactivate the old one so it can't be used to compromise the account.

        1. This post has been deleted by its author

          1. Fred Daggy Silver badge
            FAIL

            Even worse was a bank, where I was logged in with 2FA via Authenticator app.

            Said App then requested verification code via SMS for a transaction. Account contact details had been updated and showed the correct current number. SMS was sent to a old, old, ancient, Moses was a boy when this was used number. Examining the account settings, there was no way to correct this detail, no user interface could help me and I didn't feel like calling the Call Center that day (It was also shut at the time, which is another factor).

      2. Cav Bronze badge

        "Your phone has been stolen. How do you persuade them to block it's number for verification if they want to send an SMS to it to verify it's you calling?"

        Use your provider's mechanism for locking the phone and then verify your account by other means. I've had to reestablish ownership of Facebook accounts for my teens on a number of occasions when they've needed to change their numbers, usually due to stalkers. You aren't limited to a single verification method. If you ask to verify by another method, at the point of trying to get back into your account, not when setting it up, then you can specify a list of friends who can verify you, you can provide your date of birth and identify friends based on their photos. or you can be presented with a number of photos and asked which ones you might have posted to your account. You can also use another device that Facebook will recognize. e.g. I login to Facebook on phone and desktop. If my phone is stolen, Facebook still knows about my desktop and will let me recover an account from that device.

        Facebook doesn't need a phone number at all so why are people providing them? I don't have mine associated with my account which appears to worry Meta as they constantly bug me to add one. I use an authenticator app and an email address that I've had for decades and will keep for the rest of my life.

    2. katrinab Silver badge
      Mushroom

      Indeed, there is a lot of facebook stuff sent to a non-existent mailbox in my email server logs. You would think that after about 5 years of consistent bounces, they might get the message, but apparently not.

  10. mpi Silver badge

    > Hanff, in a LinkedIn post, argued this is unacceptable.

    "We do not say 'Well we know that passwords with low entropy can be hacked very quickly, but we are not responsible for people using password busting technology so we will continue to allow four-character passwords consisting of only lower-case letters in the first half of the alphabet,'" he wrote.

    No, but we do say: "Well, if your email address is your 2nd factor, and you are using an email provider that allows bad passwords and set yourself a bad password, and get hacked because of this, then that's not our problem."

    Services have control over their password requirements.

    Services don't have control over external providers.

    How are services supposed to deal with a proble that is actually caused by something they don't have ANY control over like, for example, telcom providers reusing numbers? The only way I can think of, is by disabling Phone Number based password recovery methods altogether.

    Which is fine by me, I'll be the first one to say that SMS 2FA is a *really* bad idea, and always was. Problem is, what do you offer instead that is similarly low barrier and easy to use?

    1. AlexanderHanff

      Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

      The solution is simple - do not allow phone numbers to be used for security purposes - they are transient and should not be considered as unique to an individual. The most appropriate way to manage this is MFA via an app such as TOTP.

      1. mpi Silver badge

        Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

        > The solution is simple

        I'm listening...

        > The most appropriate way to manage this is MFA via an app such as TOTP

        Ahh, so we went from "simple" to "appropriate". Well done, because now we have arrived at the crux of the matter.

        Note that I never advocated for the use of phone numbers as a 2nd factor. The problem here is: Having your customers install a separate app on their phone to authenticate with their service, raises the barrier of entry. This is something that people in IT tend to overlook: Most people are not tech savy. Understanding why that 2nd app would be a good idea to have is a really hard sell when one of the design principles of your service is that it can be used by as many people as possible.

      2. imanidiot Silver badge

        Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

        "they are transient and should not be considered as unique to an individual". Isn't that exactly the same as an email adres? Doesn't that have exactly the same issue? Yet afaik nobody so far has ever made a problem of password recovery/reset via email.

    2. Doctor Syntax Silver badge

      Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

      "How are services supposed to deal with a proble that is actually caused by something they don't have ANY control over like, for example, telcom providers reusing numbers?"

      The choice of whether or not to use phone number or any other external provider as identity was entirely in their control.

      1. mpi Silver badge

        Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

        > was entirely in their control.

        Except no, it really isn't. Market forces exist. Having more sophisticated MFA mechanisms in place raises the barrier of entry. We are not talking about administrative software for professionals here, we are talking about social media logins. Their competition favors a design that is as simple as possible to the end user. SMS is simple, it comes with your phone. The fact that it sucks from a security point of view isn't relevant in the mindspace of most consumers.

        1. AlexanderHanff

          Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

          Nothing you said has any relevance - it is the law, Meta are obligated to follow it. They know this, they have chosen not to, they know the potential consequences for not complying and have decided they would rather take that route than obey the law. it is as simple as that, and your personal opinion has zero impact on these facts.

          1. doublelayer Silver badge

            Re: > Hanff, in a LinkedIn post, argued this is unacceptable.

            The law does not say "using phone numbers for login is forbidden". You probably have a point if, as I understand your report, the phone number alone can reset all other factors and allow taking over the account. However, you're going a lot further than that by claiming that the law forbids them using phone numbers as an identifier or security method at all, and it clearly doesn't. Lots of services use a phone number as a true second factor, where it AND something else are required to make changes, and that has never been the subject of any GDPR penalty. Nor is there necessarily a reason why it should. Using a phone for MFA isn't great, but it is more secure than not using it, and GDPR does not say that not having MFA is forbidden either. I'm not sure the valid point is going to be accepted, but your other one certainly will not.

  11. JulieM Silver badge

    I can't understand why WhatsApp is tolerated

    I really cannot understand why mobile companies put up with WhatsApp.

    What Meta are doing is the equivalent of setting up a stall outside a telegraph office; encouraging would-be customers to take a telegraph form and fill it in using a pencil from the office; and then sending a youngster on a bicycle to pedal along under the telegraph lines and deliver it to the intended recipient, who for want of knowing any better will imagine it to be a telegram.

    Meta don't have to build any telegraph offices of their own, lay any wires of their own, or even supply any stationery of their own. They just take what the telegraph companies make available for free anyway to the bona fide customers they are poaching, get to read the contents of the messages (and sell to the highest bidder any nuggets of valuable information they might contain), and slip in advertisements -- for which they are paid rather more than just the few shiny coppers their "couriers" get.

    How is this anything but straight-up parasitism?

    1. doublelayer Silver badge

      Re: I can't understand why WhatsApp is tolerated

      I'm not really sure why this is relevant, but I'm willing to discuss it anyway. Mobile providers don't have to allow it; they offer a network and this is a thing you can use on a network. They don't really get a choice to permit or forbid such things. If they took actions to block communications methods like this, they would likely be punished by the law because it would be considered an anticompetitive action, an abuse of monopoly powers, and, where common carrier status is part of the law, it would violate the regulations on them and risk stripping them of that status.

      They also have no reason to do so. Users of such applications are still using the mobile providers to send their traffic. When they choose to do so, they must pay the mobile providers for the network traffic they send. It doesn't matter that the providers can no longer read the messages because they agreed to provide a service delivering bytes and the user has purchased and used that service. Your analogies are mostly if not entirely flawed; the sender and recipient know well that SMS and WhatsApp messages are not the same, the deliveries use the same network rather than an alternative, and there is no cost to whatever telegraph forms were supposed to be (they both construct their own message packets and making packets is effectively free and the costs are borne by the user's device anyway).

    2. mpi Silver badge

      Re: I can't understand why WhatsApp is tolerated

      > I really cannot understand why mobile companies put up with WhatsApp.

      Because, and this is a very good thing, telcom providers don't get to decide what data their users send over their wires, or what applications they run on the devices attached to their infrastructure.

  12. Corin

    How do users go from having a new number to knowing the account iD?

    Let's suppose I get a new phone number; 0711223344. How do I possibly determine that it belongs to the Facebook account of "John Smith" and compromise it?

    Perhaps it's the ability to log in with phone number that's a problem here, and that would indeed make it Meta's problem? Or am I missing a trick here?

    1. AlexanderHanff

      Re: How do users go from having a new number to knowing the account iD?

      That is the entire point - you do not need to know this. The way Instagram and Facebook are currently setup you can login with phone number rather than name/username/email and you can have a link sent to reset the password directly to a phone number.

      So basically anyone who gets a new phone number can go around all of the popular online platforms and just go down the password reset route using just the phone number. They then receive the link, go to the link, perform the password reset and login with the phone number and the new password.

      That is why this is such a serious issue and it is trivial for Meta to fix, simply by not permitting phone number to be used for security purposes.

      1. Roland6 Silver badge

        Re: How do users go from having a new number to knowing the account iD?

        > trivial for Meta to fix, simply by not permitting phone number to be used for security purposes.

        As the only security factor.

        Other services might send security codes to a phone, it will also ask for one or more of email address associated with account, other phone numbers associated with account etc. even mothers maiden name would prevent easy reset/takeover by an unrelated third-party.

    2. sabroni Silver badge

      Re: How do users go from having a new number to knowing the account iD?

      My initial reaction was the same as Corin's, "How are they finding the user ID from a phone number?"

      It's great that Alex has explained that you can log in to facebook with a phone number. Pity that fact isn't made clearer in the article though, seems kind of fundamental to the exploit....

  13. Anonymous Coward
    Anonymous Coward

    Call me old fashioned

    Mainly because I am, but;

    Who the heck gives companies like FB their phone number anyway?

    Having been born long before the Internet, it has always been my primary objective to never share PI with untrustworthy sites.

    Except for trusted parties like the government and my bank.

    1. AlexanderHanff

      Re: Call me old fashioned

      The simple fact is, it has become increasingly difficult (and in many cases, impossible) to sign up to online platforms without providing your phone number. I am also a dinosaur but this is not 1995 any more when you can just sign up with an email address. This is data grab century and all these platforms want your phone number because then they can say to the people the sell your data to that they know exactly who you are because they have your phone number...

      Get with the times man... ;)

      1. Roland6 Silver badge

        Re: Call me old fashioned

        I tend to use false phone numbers for services/companies that I don’t care about - just ensures they can only contact me by email (if their email gets passed the spam and junk filters).

        In some cases it does fail, so you have to use a real one…

        1. Doctor Syntax Silver badge

          Re: Call me old fashioned

          So it's your SMS spam I'm getting?

          1. Roland6 Silver badge
            Joke

            Re: Call me old fashioned

            Please provide your phone number so I can check and add it to my do not use list :)

        2. Alan Brown Silver badge

          Re: Call me old fashioned

          I don't use a "false" one, but it is very expensive for those who want to use it to contact me

    2. AlexanderHanff

      Re: Call me old fashioned

      You also need to keep in mind that phone number is one of the fields in Meta's many "lookalike" advertising products and even though they are not legally supposed to use phone numbers which are collected for "security" reasons (which is why they ask for the phone number) for other purposes (yet another breach of the GDPR) we know for a fact they do. You can verify this by simply setting up a Facebook business account and using their "Custom Audiences" product which will require you to provide them with a spreadsheet of data about your customers (which includes phone number) so that facebook/Instagram can then compare that data with the users they have (based on the same identifiers) and guarantee to the advertising customer that they are targeting the correct user or the user's social graph...

      It is all one giant adtech con.

      Meta would not be able to ask for phone number if they couldn't use the "security" argument as it would breach the data minimisation principle (yet another breach of Article 5 of the GDPR) and then they wouldn't be able claim that they can match your customer data with their users...

    3. Gene Cash Silver badge

      Re: Call me old fashioned

      Google has hammered me for my phone number for at least 10 years now, including stuff like offering a Google+ vanity URL back when that was a thing.

      A friend recently retired, and to stay in contact, I decided to finally get a FB account.

      Their response was that I wasn't using my real name and I needed to send them a driver's license or birth certificate!

      My response to that is not repeatable here, but I know a LOT of people who would have complied without a second thought.

  14. Anonymous Coward
    Anonymous Coward

    I'm glad that here in France, due to local regulations, it's trivial to change phone company while keeping the same phone number.

    I've even changed twice in the same week once, because the mail gateway of my first choice would not talk to my MX, and thus I couldn't receive the contract. I must have had 5 or 6 different phone companies with my current number over more than a decade.

  15. Strahd Ivarius Silver badge
    Devil

    The only proper solution is to have your login tatooed on your forehead as a barcode, and iris based recognition for the password.

    1. ecofeco Silver badge

      666 for the win!

  16. claimed Silver badge

    Everything old is new

    Had the same argument years ago when a client was using email address === person… I pointed out that no it doesn’t, and they were unconcerned.

    1 year later yahoo started recycling email addresses!

    Got my change request approved though

  17. Trixr

    Thanks Meta

    I'm just glad my mother knows absolutely zilch re social networking, after some jumped-up little scrote at H*rv*y N*rm*n in NZ told her that it was "impossible" to transfer her phone number to a new phone he inveigled her into buying (despite local legislation mandating that it must be be done on demand, free of charge). The first I heard about it was when she called me to tell me her number of over a decade had been changed.

    She had enough hassle updating it with various govt entities - I hate to think of the effects if she'd been using it to sign onto internet-facing services.

  18. Timto

    Phone companies should public lists of phone numbers that have been deactivated monthly and tech companies could check against that list

  19. Autonomous Comrade

    If we're not going to move away from SMS 2FA, surely mobile providers could come together to offer an API/service that announces when phone numbers are going to be recycled for these sorts of services, so that they can unlink those phone numbers. There could be some spam issues, but maybe they could hash the numbers (and salt them? although this may make it too inconvenient for legitimate sites to use) so that they'd be harder to figure out (although I'm sure a brute force on the entire number space wouldn't be that hard, just inconvenient). Or have them send in a number when the user logs in and it reports the last time it was reissued.

    Although I doubt this will actually happen in practice unless a regulator feels like doing something about it.

    1. Stu J

      I don't think that broadcasting which numbers have changed hands is a particularly safe or sensible approach.

      However, there should be an API which companies with legitimate requirements can query - they send a phone number and the last date/time they validated it, and the API responds with a simple "valid", "invalid", or "unknown" depending on whether the number has migrated to a different SIM since they last verified it.

      1. Autonomous Comrade

        That's a much more sensible suggestion and seems like it'd be harder to abuse. Thanks

  20. gnasher729 Silver badge

    I thought about this. My mobile is 07xxx yyyyyy. Reasonably short. There are hundreds of millions of those but not infinitely many. And since all my mates have that number I want to keep it.

    My suggestion: Add three more digits, so my “real” number is 07xxx yyyyyy 001. The phone system has an automatic translation so calling my number adds 001. Whoever uses it for 2FA enquires the last digit and never changes it, so for 2FA they use 07xxx yyyyyy 001.

    If I give up my number and it is reassigned, the last digits change to 002. So for 2FA the number is never reused. Facebook would have a number that just doesn’t work anymore. 2Fa wouldn’t message the new owner.

    And you can have a number with 100 to 999 added. They are _never_ reused. They would be less popular because they are harder to type and remember. But a company can get many of them with different purpose.

    Old systems would not need changing but would remain insecure. Clever phone software would remember the complete number but not display it, and they would be able to find that a number is reassigned.

  21. Rich 2 Silver badge

    Surprised?

    Why is anyone surprised by this? Why would anyone expect Faecesbook to suddenly decide to take responsibility for anything?

  22. Binraider Silver badge

    Tools to transfer accounts from one number to another?

    It's annoying enough to do for one email address let alone a 2FA arrangement. Genuinely easier to close accounts entirely and start new. Probably not that bad an idea either tbh...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like