Facebook One-Time Passwords Can Be Stolen, Says Security Company

The security flaws of Signaling System 7 (SS7), the signaling protocol wireless carriers use to exchange routing and subscriber information, have been an open secret for years. Recently, members of Congress have started to take notice as well, although it’s not clear whether anything will be done to push a fix.

Meanwhile, the SS7 vulnerabilities can be used to intercept calls and text messages anywhere in the world. Because online services increasingly deliver login codes by SMS, either as a standalone “one-time password” (the way Facebook does) or as a second step after the password (the way Apple, Google, and most services that offer two-factor authentication do), intercepting those messages also lets an attacker break into people’s accounts.

Positive Technologies, a security company, confirmed that its researchers could exploit SS7 to break into Facebook accounts that use one-time codes to log in. Facebook’s one-time passwords work like this: you text the word “otp” to 32665 (in the U.S.), and Facebook replies with a six-character password that you can use to log into the service in place of your regular password. Facebook trusts the request because you first have to register your phone number in your account settings; the only thing tying that login to you is the phone number.

However, anyone with access to SS7 (which is apparently not that hard to obtain) could send the OTP request on your behalf, intercept Facebook’s reply, and then log into your account without ever knowing your password. If you have “login approvals” enabled, which is Facebook’s name for two-factor authentication, one-time passwords are no longer available. Someone with SS7 access could still intercept your SMS second-factor code just as easily, but they would also need your first factor (your password) to get into your account.

“The fact that the SS7 network has security flaws is indisputable as has been proven by many researchers, including our own. The issue is that the telecoms industry, as a whole, appears to be turning a blind eye,” said Alex Mathews, technical manager EMEA of Positive Technologies. “Rather than fixing the underlying vulnerability, many services are being encouraged to add a layer of protection built on this flawed global telecommunications network. The result is that, instead of strengthened security, in some instances adding a mobile phone number actually introduces the door hackers can exploit. For example, with Facebook, if you do not elect to have a passcode sent to your phone then a hacker could not take over your account using the SS7 vulnerability,” he added.

We’re seeing SMS-based authentication being encouraged not just by social media, chat applications, and email services, but also by banks, which exposes customers to financial fraud. What Positive Technologies’ research demonstrates is that logging into a service with an SMS code is not safe, whether the code is used as a one-time password or as a second factor.

Alternatives for two-factor authentication include authenticator apps such as Google Authenticator and Authy, which generate each code on the device from a shared secret instead of receiving it over the carrier network, as well as hardware tokens such as the Nitrokey or the YubiKey (some models, such as the YubiKey NEO, also work with smartphones over NFC).

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 


  • Kimonajane
    Only Tools & Fools use Facebook & Twitter, now be a good little tool and "like" that corporation when you visit their FB page and don't forget to give FB all your sensitive/private information, fools.
  • zodiacfml
    I hope my bank gets an app auth. This SMS OTP is a pain to use especially when I'm abroad.
  • captaincharisma
    They must be called the Captain Obvious security company.
  • hellwig
    "The fact that the SS7 network has security flaws is indisputable ... The issue is that the telecoms industry, as a whole, appears to be turning a blind eye"

    Yeah, a blind eye. More likely this is purposefully left unresolved at the request of the FBI and NSA, for "National Security" of course.