Yes, your Facebook account can be hacked, no matter how strong your password is or how many extra security measures you have taken. No joke!
Hackers with skills to exploit the SS7 network can hack your Facebook account. All they need is your phone number.
Weaknesses in SS7, a part of the global telecom network, not only let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale but also let them hijack social media accounts to which you have provided your phone number.
SS7, or Signalling System Number 7, is a telephony signaling protocol used by more than 800 telecommunication operators worldwide to exchange information with one another and to enable cross-carrier billing, roaming, and other features.
However, an issue with the SS7 network is that it trusts text messages sent over it regardless of their origin. So, malicious hackers could trick SS7 into diverting text messages as well as calls to their own devices.
All they need is the target’s phone number and some details of the target’s device to initiate the silent snooping.
The researchers from Positive Technologies, who recently showed how they could hijack WhatsApp and Telegram accounts, have now demonstrated the Facebook hack using similar tricks, Forbes reported.
SS7 has long been known to be vulnerable, despite the most advanced encryption used by cellular networks. The design flaws in SS7 have been publicly known since 2014, when a team of researchers at German Security Research Labs alerted the world to them.
Here’s How to Hack Any Facebook Account:
The attacker first needs to click on the "Forgot account?" link on the Facebook.com homepage. Now, when asked for a phone number or email address linked to the target account, the hacker needs to provide the legitimate phone number.
The attacker then diverts the SMS containing a one-time passcode (OTP) to their own computer or phone, and can log in to the target’s Facebook account.
You can watch the video demonstration that shows the hack in action.
The issue affects all Facebook users who have registered a phone number with Facebook and have authorized Facebook Texts.
Besides Facebook, the researchers’ work shows that any service that uses SMS to verify its user accounts, including Gmail and Twitter, has left the door open for hackers to target its customers.
Network operators are unable to patch the hole anytime soon, so there is little that smartphone users can do beyond the following:
- Do not link your phone number to social media sites; instead, rely solely on email to recover your Facebook or other social media accounts.
- Use two-factor authentication that does not use SMS texts for receiving codes.
- Use communication apps that offer "end-to-end encryption", which encrypt your data before it leaves your smartphone, in preference to your phone's standard calling feature.
"Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people," a Facebook spokesperson told The Hacker News.
"As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings. Doing this will disable recovery via SMS on your account so even if someone has your phone number, they'll still need your password to access your account."