Security researchers showed this week that a hacker could break into a Facebook account using only a phone number. The hack exploits SS7, a wildly outdated part of the telecom infrastructure created in 1975 that sets up phone calls and handles phone number translation, prepaid billing, SMS and more.
How does the hack work? It’s pretty simple: SS7 trusts all messages sent over it regardless of where they’re coming from, so hackers can easily trick it into diverting calls and texts to their own devices. From that point, it’s easy to break into Facebook. All a hacker has to do is click on the “Forgot account?” link on Facebook’s home page, and then provide the phone number for the account that the hacker is targeting. Facebook sends a text message with the account log-in credentials, and the hacker diverts the text to their own phone. And just like that, they have access to your account using only your phone number.
Thankfully, there are several simple steps that users can take to protect themselves from this security flaw. First, the hack only works if your phone number is registered with Facebook and you've authorized Facebook to send you texts. You can switch to two-factor authentication in Facebook's security settings and turn off the option to recover your account by text. It only takes a second, but it significantly improves your profile's security. It's also a good idea not to publish your number on Facebook. Using Facebook's Code Generator in its mobile application is more secure because it doesn't rely on SMS for the second factor.