

“You need other elements to ensure fraud is prevented. Biometrics aren’t the same as passwords - they aren’t secret,” says Mr Lewis, a former technology specialist at GCHQ, the government’s electronic intelligence agency. As more financial service providers launch new biometric identity-checking schemes - such as MasterCard’s so-called “selfie pay” service that lets people make mobile payments by photographing themselves, Wells Fargo’s eye vein scanning system, or HSBC’s Voice ID - experts say security will become a more pressing issue.

All cyberattackers need to do is follow the "Forgot account?" procedure on Facebook's homepage and, when asked for a phone number or email address, supply the victim's legitimate phone number. Once Facebook has sent an SMS message containing the one-time code used to access the account, the SS7 security flaw can be exploited to divert that code to the attacker's own mobile device, granting them access to the victim's account.

The security flaw lies in the network and in how SS7 handles these requests, not in a bug on Facebook's platform. SS7 is a protocol developed in 1975 that is used worldwide to define how the networks making up the public switched telephone network (PSTN) exchange information over a digital signalling network. A network based on SS7 will, by default, trust any message sent over it, no matter where that message originated.
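The default-trust behaviour described above, as an added illustration that is not from the original article: a toy Python model of a home-network subscriber register in its legacy posture (accept any registration) beside one that applies origin and plausibility checks before it will redirect where a subscriber's SMS is delivered. The network names, phone number and dwell threshold are constructed, and the checks are a simplification of the kind of origin filtering operators can deploy, not any specific product's logic.

```python
"""Toy model of the SS7 trust problem behind SMS-code diversion.

A home-network register (HLR-like) receives "subscriber now served by
network X" messages, loosely modelled on MAP UpdateLocation; the recorded
serving network is where the next SMS (one-time codes included) goes.
Everything here is constructed; it is not any operator's real logic.
"""
from dataclasses import dataclass

HOME = "home-net"
ROAMING_PARTNERS = {"partner-A", "partner-B"}   # constructed allow-list
VICTIM = "+15551230001"                          # constructed MSISDN

@dataclass(frozen=True)
class UpdateLocation:
    origin: str           # network that sent the SS7 message; not authenticated
    claimed_network: str  # network the message says now serves the subscriber
    msisdn: str

def fresh_registry() -> dict:
    # msisdn -> [serving network, seconds since the record was last updated]
    return {VICTIM: [HOME, 30]}

def legacy_register(msg: UpdateLocation, reg: dict) -> str:
    """Default SS7 posture: trust the message no matter where it came from."""
    reg[msg.msisdn] = [msg.claimed_network, 0]
    return "accepted"

def hardened_register(msg: UpdateLocation, reg: dict, min_dwell: int = 300) -> str:
    """Accept registrations only from known partners, and only if plausible."""
    if msg.msisdn not in reg:
        return "rejected: unknown subscriber"
    if msg.origin not in ROAMING_PARTNERS:
        return "rejected: origin is not a roaming partner"
    if msg.claimed_network != msg.origin:
        return "rejected: claimed serving network does not match origin"
    current, age = reg[msg.msisdn]
    if current == HOME and age < min_dwell:  # simplified velocity check
        return "rejected: subscriber was on the home network %ds ago" % age
    reg[msg.msisdn] = [msg.claimed_network, 0]
    return "accepted"

def demo() -> dict:
    """Same rogue registration against both postures; returns where the SMS goes."""
    rogue = UpdateLocation(origin="rogue-net", claimed_network="rogue-net", msisdn=VICTIM)
    legacy, hardened = fresh_registry(), fresh_registry()
    legacy_register(rogue, legacy)
    hardened_register(rogue, hardened)
    return {"legacy": legacy[VICTIM][0], "hardened": hardened[VICTIM][0]}
```

With the legacy posture the one-time code is routed to the rogue network; with the hardened posture it still goes to the home network, and the rejected registration is exactly the event a signalling firewall should log.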
