Thursday, 14 October 2010

The problem with facebook one-time passwords

I popped onto facebook this morning to see a former colleague @basexperience post the following:

‎#Facebook facerapers! Grab your friends' phone and text "otp" to 32665 to get a password for their Facebook account for 20 mins!

Clearly, I was interested. I hadn't really given much thought to the announcment made by facebook, but I assumed given the recent pressure on Facebook they would have thought about it a bit more.


Taking aside the obvious issues about the fact that most people will already be logged into facebook because their password has been 'remembered' (both mobile and desktop browsers), and, let's not forget the fact that if you've got a facebook app on your phone you're probably logged in too. Let's put them to one side for a second.

So what facebook have basically done is create a mechanism for anyone to get into a facebook account by (in authentication terms) - "getting something you have". That's all. One factor authentication. If they added say a PIN - "something you know" - to the SMS you send to the short message number to get the one-time password that would at least prevent random people getting into your account if you leave your phone on your desk. I won't go into some of the other issues about exactly how they're identifying you - by your MSISDN? (phone number?)...

The more annoying thing for me about this is that it has happened before. In America. To a celebrity. To Paris Hilton no less (Register readers delight):
http://www.theregister.co.uk/2005/02/21/paris_hacked/ . In that case, the password provided was a reminder to access the backed-up photos and numbers etc. on the sidekick servers.

Coming back briefly to the 'remembered' passwords, to launch my attack today, this helped me as when you first go in you have to enable mobile access for that device by linking the MSISDN to the facebook account.

Thanks to my mate @basexperience for the post.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.