The Short Story

In short, your Facebook account, and most probably other accounts (Google, Twitter, etc…) can be hacked, no matter how strong and complex your password is.

Update: the video is no longer available: https://youtu.be/wc72mmsR6bM

As if social engineering users out of their 2FA text messages were not enough to hijack their accounts, hackers can also exploit a design flaw in the cellular networks' SS7 signaling protocol to trick the network into diverting calls and text messages (SMS) to the attacker's own device.

SS7 or Signalling System Number 7 is a telephony signaling protocol that is being used by more than 800 telecommunication operators worldwide to exchange information with one another, cross-carrier billing, enabling roaming, and other features. – TheHackerNews.com

The Process

  • The hacker uses the “Forgot Password?” feature for the targeted account.
  • Chooses “Recover using SMS to Phone”, if available.
  • Provides the legitimate phone number of the targeted person (assuming the hacker has it).
  • The attacker, as demonstrated in the YouTube video, exploits the flaw in the cellular network's SS7 protocol/system to divert any SMS to his own device.
  • He then has Facebook send a One-Time Passcode (OTP) by SMS and uses it to reset the password of that account.

Stay Safe

Swati Khandelwal of TheHackerNews.com suggested three recommendations to protect our accounts:

  • Do not use your phone number as a recovery method with any account.
  • Use Two-Factor Authentication (2FA) with the OTP sent to an email address, for example, and not by SMS.
  • Try to use communication apps that provide “end-to-end encryption” to encrypt the data leaving your smartphone.