Facebook's Account Kit Login System Works Via Phone Numbers, No Passwords Needed (softpedia.com)
An anonymous reader writes: At this year's F8 developer conference, Facebook announced a new tool called Account Kit, which can be used by app developers to support phone number-based login systems. Every time the user wants to log in, they have to enter their phone number. Facebook will then send them a verification code via SMS, which they have to enter on the site. The system was already tested live, and Facebook expects it to be widely adopted, allowing sites to offer users accounts that don't require them to memorize a new password. Each developer has a quota of 100,000 free confirmation SMS messages per month. Facebook claims to support SMS login operations for over 230 countries and regions, and in 40 different languages.
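The flow the summary describes (phone number in, SMS code out, code typed back) is easy to get wrong server-side. The following is an added illustration, not Facebook's Account Kit code: a constructed simulation with the controls a defender would expect around such a code, namely a short lifetime, a small number of guesses, throttled re-sends to one number (which also protects the per-developer SMS quota), single use, and binding of the code to the number it was sent to. All class and constant names are hypothetical.

```python
import hmac
import secrets
import time

# Constructed simulation of an SMS one-time-code login (hypothetical names;
# not Facebook's Account Kit implementation).
CODE_TTL_SECONDS = 300      # code expires five minutes after it is sent
MAX_VERIFY_ATTEMPTS = 3     # guesses allowed per issued code
MIN_RESEND_INTERVAL = 60    # seconds between SMS sends to the same number


class SmsLogin:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # phone -> [code, issued_at, attempts_left]
        self.last_sent = {}     # phone -> timestamp of last SMS to it
        self.sent_sms = []      # stand-in for the SMS gateway: (phone, code)

    def request_code(self, phone):
        """Issue a fresh 6-digit code for `phone`, throttling repeat sends."""
        t = self.now()
        if t - self.last_sent.get(phone, float("-inf")) < MIN_RESEND_INTERVAL:
            return False        # throttled: limits SMS flooding and quota burn
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self.pending[phone] = [code, t, MAX_VERIFY_ATTEMPTS]
        self.last_sent[phone] = t
        self.sent_sms.append((phone, code))
        return True

    def verify(self, phone, code):
        """Return True exactly once for a fresh, correct code bound to `phone`."""
        entry = self.pending.get(phone)
        if entry is None:
            return False        # no outstanding code for this number
        stored, issued_at, attempts_left = entry
        if self.now() - issued_at > CODE_TTL_SECONDS or attempts_left <= 0:
            del self.pending[phone]     # expired or exhausted: must request anew
            return False
        entry[2] -= 1           # count every guess, right or wrong
        if not hmac.compare_digest(stored, code):   # constant-time compare
            if entry[2] == 0:
                del self.pending[phone]
            return False
        del self.pending[phone]         # single use: a replayed code fails
        return True
```

Because the code is looked up by the number it was sent to, typing in your own phone number only ever yields a code for the account tied to that number, which is the property the poster below who asks about entering "any login" is worried about.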
Everything is being tied back to real identity and it's becoming more and more difficult to publish anything without leaving a trail back to yourself.
Passwords serve a useful purpose. People lose phones all too frequently, and many aren't well-secured. Passwords are a bad authentication mechanism on their own, but they do improve security in two factor authentication. Otherwise, it's possible to do a lot more damage from a lost phone. Knowing a password greatly increases your confidence that the person is who they say they are. I hate the idea of removing either factor in two factor authentication.
That it's possible to intercept SMS, either through the air or from the handset. Feck it, most Android apps are spyware/adware with a bunch of permissions they have no legitimate use for.
I imagine that by giving them my number, I'll also be agreeing to have it passed onto "carefully selected partners" who will send me information about products I may be interested in.
Summation 2
great, so someone steals my phone and has automatic access to the logins too.
Great, it's not like there's a dozen ways to compromise this. From malware on the phone to duplicate SIM cards to intercepting the text message somewhere in transit ...
The user will receive a code via SMS which he will then have to manually enter? If that is so, it is a much worse - less practical - tactic than just entering my password. Unless the app will automatically read the SMS and enter the code. Plus I don't understand why this new method is needed; most apps and browsers offer the option to save my credentials, so why would we need a new method?
They don't even have to steal your phone. They could forge or order a duplicate SIM card, or install malware on your phone. You wouldn't know that someone is using your login.
This is the real reason FB keeps pestering me for my phone number.
Well, no!
I don't log in as is. Now that it's a process to do so, I doubt it will increase my use.
Why don't they use one of the existing 'single logon' providers that already offer that?
But of course Google and MS are somewhat the competition. And they don't get your phone number to start selling it to SMS advertisers.
The phone company is hacked and bad dudes are receiving your login SMSes = Fail
This is the biggest backdoor snooping for 3-letter agencies ever.
Since they can (legally) intercept this kind of traffic, all they need is a phone # and a way to respond to an unencrypted SMS message on that phone # to have access to that account. My cat can do that.
CAP === 'pigskin'
Congratulations. This is the dumbest idea. The SMS verification is only for extra security in normal places, not a replacement.
Yea, I really want to give out my cell phone number so you can further gather information to let you and your selected partners send me 'valuable information I might be interested in' via SMS and voice calls. IIRC Google Voice can get SMS, or get a cheap VOIP or Tracfone as a burner.
I'm a consultant - I convert gibberish into cash-flow.
Excuse me, but I don't have a phone. I don't intend to ever get one, either. Why should I?
Congratulations Farcebook. You've managed to re-define two-factor authentication for the new generation who's too damn lazy to actually create and remember a secure password.
Your version of 2FA is now something you have, coupled with something you have.
All I need to do now to impersonate someone online is have their phone in my possession.
And of course the way the professional world these days hangs your career on your social media responsibility, you'll be fired within the hour for something you could barely prove you didn't say or do online, since "Someone stole my phone and said nasty things about you boss, it wasn't me." will go over about as well as "The dog ate my homework."
The fundamental problem with passwords is that they're easily abused when in the hands of the unsavvy in a hostile environment... exactly like every other password replacement "technology" to date. So, what we really have is a people problem. And by their very nature, people problems are unfixable through technology alone.
You can see it here: Your handy-dandy facebook password is likely already on the phone lest you have to type it in every time, so losing a phone is at a first approximation indistinguishable from losing a phone registered to this fancy new (*cough*) system. Actually, this thing is harder to recover from since you might race home and dig up the password from a backup, if you don't remember it, and then change it, whereas a SIM is designed not to be clonable. So using "SMS verification", apart from all the privacy problems (for one, now your facebook account is linked to an account at a telco complete with location history for the past N years), makes recovery harder. And, of course, now all services demanding "SMS verification" can easily chat among themselves and compare notes. Same number, see. Very handy, that.
So again we see that the proponent of this very latest "better password", really isn't in this for your benefit. Just like all the other big corporations with similar designs on "eradicating passwords".
This doesn't seem like a simple way to send 100,000 to anyone who I might be wanting to abuse, does it?
In any case I hope they have tried to engineer some security and sanity checks into the system.
I would not want to be the unfortunate sod who has got a new cell phone and found out that the previous owner of that number has enabled this feature and forgot to update their Facebook profile when they changed cell phones - getting random authentication texts via Facebook for the rest of my life doesn't seem very pleasant.
No, facebook. You can't have my phone number....
yvan eht nioj
Great, it's not like there's a dozen ways to compromise this. From malware on the phone to duplicate SIM cards to intercepting the text message somewhere in transit ...
You say that as if there aren't a zillion ways to compromise password protection.
The numbering plan in the United States goes like this: Area codes are the first 3 digits of a 10-digit number. Inside each area code are several local calling areas, which roughly correspond to cities and towns. Land line calls within a local calling area are free even on plans that charge extra for long distance. Within each local calling area are several exchanges, roughly corresponding to the fourth and fifth (and sometimes sixth) digits of the phone number. Each exchange is assigned to a single phone company, but a number on an exchange can be "ported" (see Local Number Portability) to another phone company that serves the same local calling area. Cell phones share local calling areas with land lines but have separate exchanges unless ported. So with your U.S. phone number, anyone can run a search on its exchange and thereby know with what city it is associated.
With all four major carriers and their MVNOs offering nationwide access, it's possible to choose an exchange elsewhere in the country, but this has two drawbacks. First, a lot of phone companies require the subscriber to be physically present in a local calling area to establish service there. And second, calls from land lines to a number in a different local calling area will be billed as long distance calls.
but at least I can imagine one possible use case... someone's at granny's house and wants to log into FB on some big screen device (smart TV, PC, granny's tablet) to show off holiday snaps... but can't log into FB there because they can't remember their extra-secure 17-digit password, so they get a "cumbersome, one-off" PW through the (possibly not even "smart") phone in their pocket.
not that it's not ridiculously insecure or anything...
That and even people who do have a phone may not be able to receive SMS on a land line. I tried associating my roommate's land line with my Twitter account but got a message that its carrier is not supported.
And even people who specifically have a cell phone are unlikely to be willing to pay upwards of 10 cents per received message.
How long will it be before facebook users never leave the facebook environment?
Sounds more like it because these are a lot of stupid people all in one place. Not like here. Nope. Not at all like here.
Facebook says this change is great because everybody hates passwords.
But entering your phone number, and then an sms code, contains everything that users hate about passwords and more.
I can imagine their train of thought... "Well, the UI guys say people hate passwords, but maybe they just hate the word 'password'. So let's create something that's functionally equivalent and takes longer, but call it something else. Our word won't even begin with the letter 'p'! Quick, someone get a press release ready!"
Dear facebook: If people can remember a phone number, they can remember a password.
I don't understand how you (=US) can accept to be charged for RECEIVING a message.
... that Facebook bought Whatsapp. Whatsapp has been using this verification scheme for years.
I am not your blowing wind, I am the lightning.
Facebook can now sell people's telephone numbers?
I work in a remote location, we have internet access but no cell phone coverage. That means Facebook would not let me in, because they couldn't send me an access code....
Very simple: The cell towers and infrastructure costs money to run, and I happily choose to pay for services received (talk time, message delivery in either direction) a-la-carte. I pay $0 a month, plus 10 cents per message or minute of voice; on average this costs me $6 a month. I have no desire for a far more expensive plan that gives me "free" incoming messages.
In the United States, the cell phone subscriber is charged for airtime whether making or receiving a call. This was done to preserve land line subscribers' expectations that calls from land lines to local numbers will remain without charge, as airtime is considered more scarce than time on a local land line.
As SMS-only or two-factor authentication becomes more common, you will likely end up receiving several text messages per day, one for each service that you're logging in to. Then you might not be able to count on it still costing you $6 per month.
Which carrier, if I might ask? I too am on a la carte service, but Virgin raised its minimum payment to keep an account going from $16.something to $22.something per 90 days, or equivalently about $5.50 to $7.50 per month.
This sort of authentication is very common in China, where your phone number is your identity for many purposes. With WeChat payments, your payment identity is even your phone number.
People who arrive at online connectivity via smartphones and messaging software don't have an email address and don't want one; their identity is their phone number. With all the problems that has, but those aren't problems they see at first (email also is not lacking in problems).
So this is Facebook aiming at being the auth service, and entry point to the Internet, for people who are newly connected to the Internet via smartphones. The next billion to be networked.
This is not aimed at anyone who uses slashdot - if you read this, you're just not one of the people described above.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Remember how it was such a big deal about HTTP to HTTPS with facebook?
Yet, they do auth on an insecure channel such as SMS. FAIL!
If every time the user wants to log in he only has to enter his login and a phone number and a number received by SMS, this is the most insecure login system in history.
Any bad person can enter any login and his own phone number and the number received.
I just hope the phone number is a substitute for the password field, but is only entered once by the user, authenticated by password.
I haven't had a phone for about 10 years and won't get one for anything like this. What about people using POTS who can't even get SMS? I imagine this will be used as just an alternative login method, otherwise a lot of people won't even be able to use it at all.
Twinstiq, game news
Have they fixed this known problem yet?
I'm sure this isn't the only known SS7 vulnerability out there.
If this gets popular, I predict a rash of SS7 zero-days in the coming years.
Oh, and I haven't even mentioned vendor-specific vulnerabilities in the implementation of SS7, VoIP (where applicable), cell-tower, and cellphone-handset technology.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I just had a WOW moment reading this post. Yesterday I used the Account Kit login to order some pizza and I was wondering what that was. Looks like iFood was quick to implement it. Kudos to them.
"life is a joke, and someone is laughing at me"
Come on, people, how much more invasion of your privacy are you going to put up with before you say enough is enough? Do you really think they're going to keep your phone number private? No, they'll sell it to their 'partner' companies so you can be text message spammed and get marketing calls, which will be fully legal for them to do, because the terms of service will allow it, and you agreed to it just by using Facebook. Also, as others have pointed out, if you weren't using your real name on Facebook, you may as well now, because you can be traced to your phone number, which is in your real name. Fuck Zuckerberg, fuck Facebook, fuck 'social media' in general, it's cancerous. Skip all of it, delete your accounts, never go back, start socializing with real people in person instead.
Especially when you have to wait for the SMS to show up. It's not guaranteed to be instantaneous. Your carrier could be busy.
What happens if you are someplace where the reception sucks and you can't get your SMS right away? Are they going to offer you an alternative way to log in? I'm only wondering because some applications and sites that currently use Facebook for access don't let you sign up/in with another method. Since I don't want Facebook tracking me I avoid those sites.
Jeez, just use an offline password manager and then all you need to do is have to remember one strong password.
"Facebook will then send them a verification code via SMS, which they have to enter on the site. " Uh... isn't that a "password"? And a much less convenient one at that.
I've abandoned my search for truth; now I'm just looking for some useful delusions.