Meta brushes off risk of account theft via number recycling The Register

The core problem is that telecom companies recycle phone numbers that have been abandoned after a brief waiting period - at least 45 days in the US. That can become a problem because many online services require a phone number to identify users and/or send one-time passwords for two-factor authentication.
Users who give up a number and do not update the accounts that still list it are therefore exposed to malicious password-reset attempts by whoever is later assigned the old number.
The findings were disclosed to telecom carriers in October 2020, and various measures were put into place to make it more difficult to hijack telecom accounts.
It appears this vulnerability persists with other online services that rely on mobile phone numbers for multi-factor authentication.
Enter one of Big Tech's least favorite activists.
The post omits some details that clarify how this might work - The Register has not verified that all the services cited above can be compromised as claimed.
If, for example, a Facebook user changes phone numbers but fails to note that change in Facebook or other accounts that use it for authentication, the recipient of the old, recycled number can try to login to the Facebook account still linked to that number.
Not having the password isn't necessarily a barrier.
The phone number alone may be enough to reset the password, and when the second factor is an SMS code sent to that same number, multi-factor authentication adds no protection.
In some login flows for a new sign-in, like the one used by DoorDash, an email address is required at first, though not thereafter.
In this instance, controlling the phone number provides account access without the need for concurrent email validation.
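The reset flow described above, as an added example (an editor's illustration, not code from The Register, Meta or any service named in the article): a toy carrier that reassigns a released number once the US 45-day aging period has passed, and a service whose password reset is driven by an SMS one-time code. With the phone-only policy, the new holder of the recycled number resets the victim's password; with the stale-binding check switched on, a number that has not been confirmed on the account within the aging window cannot complete a reset on its own and an e-mail confirmation is demanded as well. Account names, numbers and dates are constructed; the 45-day threshold and the e-mail fallback are the editor's modelling choices and do not describe how any real service implements its reset.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# US carriers must let a disconnected number age at least 45 days before reassigning it.
US_MIN_AGING = timedelta(days=45)


@dataclass
class Account:
    username: str
    email: str
    phone: str
    phone_verified_at: datetime  # last time a code sent to this number was confirmed on this account
    password: str = "original-password"


@dataclass
class Carrier:
    """Which subscriber a number currently routes to; released numbers age before reuse."""
    owners: dict = field(default_factory=dict)       # number -> subscriber
    released_at: dict = field(default_factory=dict)  # number -> disconnection time

    def release(self, number: str, when: datetime) -> None:
        del self.owners[number]
        self.released_at[number] = when

    def assign(self, number: str, subscriber: str, when: datetime) -> None:
        if number in self.owners:
            raise ValueError(f"{number} is still in service")
        if number in self.released_at and when - self.released_at[number] < US_MIN_AGING:
            raise ValueError(f"{number} is still aging")
        self.owners[number] = subscriber


class Service:
    """An online service whose password reset is driven by an SMS one-time code."""

    def __init__(self, carrier: Carrier, stale_phone_needs_email: bool) -> None:
        self.carrier = carrier
        self.stale_phone_needs_email = stale_phone_needs_email  # the hardening switch
        self.by_phone: dict = {}      # phone -> Account
        self.pending: dict = {}       # phone -> OTP awaiting confirmation
        self.sms_inbox: dict = {}     # subscriber -> codes received; delivery follows carrier.owners
        self.email_tokens: dict = {}  # email -> confirmation token sent on the second channel

    def register(self, acct: Account) -> None:
        self.by_phone[acct.phone] = acct

    def start_reset(self, phone: str) -> None:
        """Send a 6-digit code to whoever currently holds `phone`; the service cannot tell who that is."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = otp
        holder = self.carrier.owners.get(phone)
        if holder is not None:
            self.sms_inbox.setdefault(holder, []).append(otp)

    def finish_reset(self, phone: str, otp: str, new_password: str, now: datetime, email_token=None) -> str:
        acct = self.by_phone.get(phone)
        if acct is None or self.pending.get(phone) != otp:
            return "rejected: bad code"
        stale = now - acct.phone_verified_at >= US_MIN_AGING
        if self.stale_phone_needs_email and stale:
            # The number may have changed hands since this account last proved it, so a code
            # delivered to it is not proof of ownership: require e-mail confirmation as well.
            if email_token is None or email_token != self.email_tokens.get(acct.email):
                self.email_tokens[acct.email] = secrets.token_urlsafe(16)
                return "rejected: phone binding stale, confirm via email"
        acct.password = new_password
        acct.phone_verified_at = now
        del self.pending[phone]
        return "reset"


def recycled_number_takeover(hardened: bool) -> str:
    """Victim gives up the number and never updates the service; the next holder tries a reset."""
    t0 = datetime(2024, 1, 1)
    number = "+15550100"  # constructed
    carrier = Carrier()
    carrier.assign(number, "victim", t0)
    svc = Service(carrier, stale_phone_needs_email=hardened)
    svc.register(Account("victim", "victim@example.com", number, phone_verified_at=t0))
    carrier.release(number, t0 + timedelta(days=40))   # victim switches numbers
    t_attack = t0 + timedelta(days=100)
    carrier.assign(number, "attacker", t_attack)       # aged out and reassigned
    svc.start_reset(number)                            # attacker requests a reset for that number
    otp = svc.sms_inbox["attacker"][-1]                # the code lands on the attacker's handset
    return svc.finish_reset(number, otp, "attacker-chosen", t_attack)


def fresh_number_reset() -> str:
    """Control case: the real owner, who confirmed the number 10 days ago, is not blocked."""
    now = datetime(2024, 4, 10)
    number = "+15550199"  # constructed
    carrier = Carrier()
    carrier.assign(number, "owner", now - timedelta(days=400))
    svc = Service(carrier, stale_phone_needs_email=True)
    svc.register(Account("owner", "owner@example.com", number, phone_verified_at=now - timedelta(days=10)))
    svc.start_reset(number)
    return svc.finish_reset(number, svc.sms_inbox["owner"][-1], "new-password", now)


if __name__ == "__main__":
    print("phone-only reset:", recycled_number_takeover(hardened=False))
    print("stale check on:  ", recycled_number_takeover(hardened=True))
    print("fresh binding:   ", fresh_number_reset())
```

The stale check keys off the service's own record of when the number was last proven on the account, which is the one signal a service has without help from the carrier; it only bites when the binding is older than the aging window, so users who sign in with the number regularly are unaffected. The same idea applies to the second factor at login: a number that has not been seen in a successful authentication for longer than the recycling window should not be trusted as the sole proof of identity.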
Procedural variations aside, initiating a password reset without permission to hijack an online account is against the law in the US, the UK, and elsewhere, Hanff wrote in his reply, in addition to being a privacy intrusion.
There are situations where phone numbers expire and are made available to someone other than the original owner.
If a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset.
If that number is still associated with the user's Facebook account, the person who now has that number could then take over the account.
While this is a concern, this isn't considered a bug for the bug bounty program.
Facebook doesn't have control over telecom providers who reissue phone numbers, or over users keeping a phone number linked to their Facebook account that is no longer registered to them.
Hanff, in a LinkedIn post, argued this is unacceptable.
Hanff said he has reported Meta to the Irish Data Protection Commission for alleged violations of Articles 5, 25 and 32 of Europe's General Data Protection Regulation.
Meta did not immediately respond to a request for comment, nor did AT&T, T-Mobile, and Verizon.


This Cyber News was published on www.theregister.com. Publication date: Wed, 14 Feb 2024 00:59:04 +0000

