Facebook’s new 10-digit security hole

On Friday, we learned:

In so doing, Facebook has just created a massive security hole which exposes every single one of its users to life-alteringly shitty hacks. I’m frankly astonished nobody internally at that company thought about this before pushing this feature.

“What’s the issue?” I hear you ask. The issue here is that your average workaday user who is even a little security minded will not only use their cell phone to do two-factor authentication for their Facebook login, but will also use the same cell phone for every other two-factor login or password recovery system they have, including, for example, their e-mail account or their bank. This is not an intelligent approach to security, as using cell phones for two-factor authentication is, to put it mildly, not even remotely secure.

“How so?” You inquire. Well, the answer is because cell phone companies are run by idiots when it comes to security, so even if you leave specific instructions with your provider to not port your SIM without a PIN and photo ID, smooth-talking criminals can still convince telco employees to do it anyway, with the result that the crook obtains control of your phone number – and can receive any communications sent to it.

This is not a theoretical problem. Cast your mind back to mid-2017, coming off the back of the Bitcoin boom. One day, I get a really weird Twitter message from my friend @twobitidiot, aka Ryan Selkis, asking me if I can lend him some Bitcoin.

Now, as Ryan knows, I am probably the filthiest nocoiner – i.e. non-Bitcoin investor – in existence, in large part because (a) when I got into crypto I was poor and young and (b) 100% behind permissioned blockchain implementations, which the startup I co-founded invented. Investing in shitcoins would have been uncouth, a betrayal to my most deeply-held values and firm belief that global, systemically-important financial institutions love us and want us to prosper.

I was naturally suspicious of his inquiry. I had good reason to be:

This story was repeated over and over again last year. People got their phone numbers ported. The hackers logged in to all of their accounts. The hackers took all of their stuff. Lather, rinse, repeat.

Nobody has really gotten to the bottom of how these phone numbers were ported with such laser-like efficiency. Personally, I think Facebook’s service played a part. At the time, I remember that I and others were getting bombarded with friend requests from slick-looking fake CEOs with good hair claiming to helm fake startups in SE Asia. As a general rule, I don’t add people on Facebook who I haven’t met. Other people do, and a slick CEO of an edgy tech startup is a great person to make friends with, especially for folks in crypto looking to expand their networks. As these friend requests rolled in, they began to look increasingly credible as more and more crypto people I know appeared to be “friends” with these accounts.

Meaning that if crypto people had posted their cell phone numbers as “friends-only” or “friends of friends” on their accounts, the fraudsters had their numbers, too, and could start creeping their way towards the bit/shitcoin hoards these people were thought to hold on crypto exchanges and the like. This is some serious business.

Which brings us to the problem of Facebook making cell phone numbers searchable by default, even to a user’s friends only or “friends of friends,” even when the user wants to keep their phone number private (the “only me” setting). (Edit: the cell phone lookup is set to be shared with “everyone” by default, which is crazy; not that the most restrictive, friends-only, search function is protective enough, since fraudsters can and do find their way onto “friend” lists.)

Due to this, to be blunt, Facebook’s new search feature will allow fraudsters to use Facebook to verify the identities of cell phone subscribers, even where Facebook users have locked down their cell phone numbers on their profiles to avoid this very outcome. In permitting anyone to search cell phone numbers, Facebook has compromised the security of every individual user of its service in the name of convenience.

All someone needs to do, conceivably, to exploit this new “feature” from Facebook is to punch in random cell phone numbers until they hit paydirt and discover a corresponding identity. If the user isn’t particularly security-minded, they’ll have birthdates and addresses publicly viewable, too. After the target is identified, the hacker simply calls up the user’s cell service provider, and social engineers a SIM port. Boom. All SMS-based 2FA that person used with that number, on any service, is now compromised. Including the 2FA for the user’s Facebook account.

There are a couple of solutions a Facebook user can adopt, in the meantime, to help ameliorate this issue. One option is to remove your phone number and not use SMS 2FA, or switch to a service like Google Voice that is not susceptible to social engineering. Another is lock down the settings to the extent you can (searchable to friends-only) and hope that (a) your friends don’t get hacked and (b) that you haven’t friended anyone accidentally who is a hacker or a fake, which – at least for some of my buddies in crypto – is a day late and a dollar short.

What these solutions share is that most of Facebook’s userbase is blissfully unaware of the risks of SMS-based 2FA, so they won’t take these measures or won’t implement them effectively.

I’m pretty sure I’m not wrong about this, but if I am, I’ll be happy to discuss it on Dissenter. It strikes me that the engineering boffins over at FB are – not being cryptogeeks – almost totally blind to the risk they’ve just created for hundreds of millions of users as a result of SIM porting. It also strikes me that the best way to address that risk is to kill the feature.

After they do, we all need to seriously re-evaluate our relationship with any interactive service that asks us for our mobile phone numbers before we can use it, if a company of Facebook’s size can make an error so elementary that a lawyer who can barely program “hello world!” in Python picked up on it, but all their engineers and security professionals didn’t.