“Two-factor authentication” is a reassuring phrase. Setting it up feels like installing a brand-new, heavy-duty deadbolt on your door. Until you realize that there is a single building that stores the working keys for millions of deadbolts, paired with your name and address, and that this place is guarded by people who don’t understand locks very well.
That is basically the realization millions of Facebook users are having (or should be) as the result of the company’s latest massive security breach. In an Oct. 12 post cryptically and unhelpfully titled “An Update on the Security Issue,” Guy Rosen, Facebook’s VP of product management, wrote that for “15 million people, attackers accessed two sets of information—name and contact details (phone number, email, or both, depending on what people had on their profiles).”
That effectively compromises two-factor authentication for all of those users, not just on Facebook, but on any service that allows only text messages as the second form of authentication. (Here’s how to find out if you are affected.)
Security freaks have long been telling us not to rely on text messages for two-factor authentication. It might seem safe—your phone is Face ID’d, or has a long password, or an especially elaborate gesture thingy. But the network that delivers a text to your phone in the first place is not itself secure.
As Wired wrote in 2016, “Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe.” Last year, security researchers at Positive Technologies made a video in which they easily intercept SMS messages and gain access to the Gmail and Coinbase accounts of a hypothetical target, using just their name and phone number.
For the 15 million people mentioned, any service they are registered with that uses text messaging for two-factor authentication has effectively been reduced back to one factor—the bad old password. And that is the case for many services. Instagram, which is owned by Facebook, moved away from using only text messages for 2FA just days ago.
The Facebook hackers would have at least the names and phone numbers or emails for those 15 million. But they have a lot more, too. The post continues:
For 14 million people, the attackers accessed the same two sets of information [as in name, number and/or email], as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
That has the makings of an epic phishing expedition. It might even be enough to answer other, more personal forms of authentication, like the “only you know the answer” security questions banks often use.
Facebook’s compromise of SMS-based two-factor authentication is made even worse by the fact that, as was recently revealed, it allowed advertisers to target users based on their phone numbers, even if they had only shared those numbers with Facebook for the purpose of… setting up two-factor authentication.
It’s no wonder that, after that came to light, CEO Mark Zuckerberg couldn’t really answer when asked whether users should still trust his company.