Facebook Hack Shows It’s Time to Upgrade Our Method of Verifying Identity
All you need to get around two-factor authentication is Photoshop.
On Monday, a Facebook user lost control of his personal account, as well as several business pages, for almost a full day, after a hacker was able to convince Facebook to change his password, email address, and even disable two-factor authentication—all thanks to a fake passport.
The hacker tricked Facebook's customer support into resetting the victim's password and disabling the account's security mechanisms by pretending to be his victim. And how did Facebook verify his identity? By asking for a digital copy of a government photo ID, which the hacker easily faked.
Facebook admitted that "accepting this ID was a mistake that violated our own internal policies," and helped the victim regain control of his account and his business pages on the social network.
But as some noted after reading the story, this incident underscores just how vulnerable people are to account takeovers. All it takes, it seems, is an email and some Photoshopping skills.
"No doubt about the need of proper identification, but scanned documents by email or web? There has to be better ways!" Per Thorsheim, a security and passwords expert, said on Twitter. "And there is, at least for some countries where a digital government issued identity exists, and allows proper verification."
Thorsheim explained that in Norway, for example, every citizen has a government-approved e-ID which allows them to cryptographically sign documents or requests. That could be used in cases like these, to verify that someone really is who they say they are. Estonia's national ID works the same way.
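To make concrete what "cryptographically sign a request" buys a support desk over a scanned ID, here is an added example (not code from the article, Facebook, or any national e-ID scheme). It models an account-recovery request signed with an Ed25519 key standing in for the citizen's e-ID key; the account name, action, field names and nonce values are constructed for illustration. Real e-ID systems use certificates issued by a government PKI rather than a bare key pair, so treat the registered public key here as a simplification of that trust chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// RecoveryRequest stands in for the form a user would submit to support.
// Instead of attaching a scanned ID, the holder signs these fields with the
// private key of their government-issued e-ID (modelled here as an Ed25519 key).
type RecoveryRequest struct {
	Account string `json:"account"`
	Action  string `json:"action"`
	Nonce   string `json:"nonce"` // challenge issued by support for this one request
}

// signRequest serialises the request and signs it with the holder's key.
// The signed bytes are returned alongside the signature so the verifier
// checks exactly what was signed, not a re-serialisation.
func signRequest(priv ed25519.PrivateKey, req RecoveryRequest) ([]byte, []byte, error) {
	msg, err := json.Marshal(req)
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// verifyRequest is the support-side check. The signature must verify under the
// public key on record for the account holder, and the signed nonce must match
// the one support issued, so a previously signed request cannot be resubmitted.
func verifyRequest(registeredPub ed25519.PublicKey, msg, sig []byte, issuedNonce string) bool {
	if len(registeredPub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	if !ed25519.Verify(registeredPub, msg, sig) {
		return false
	}
	var req RecoveryRequest
	if err := json.Unmarshal(msg, &req); err != nil {
		return false
	}
	return req.Nonce == issuedNonce
}

// runScenario plays three attempts against one account and reports which ones
// verification accepts: the genuine holder, an impostor who copies the request
// text but holds a different key (the analogue of a forged passport), and a
// replay of the genuine signature after support has issued a fresh nonce.
func runScenario() (holderOK, impostorOK, replayOK bool, err error) {
	holderPub, holderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample request; "nonce-0001" is the challenge support handed out.
	req := RecoveryRequest{Account: "alice@example.org", Action: "reset-password", Nonce: "nonce-0001"}

	msg, sig, err := signRequest(holderPriv, req)
	if err != nil {
		return false, false, false, err
	}
	holderOK = verifyRequest(holderPub, msg, sig, "nonce-0001")

	// Impostor knows every field of the request but not the holder's key.
	imsg, isig, err := signRequest(impostorPriv, req)
	if err != nil {
		return false, false, false, err
	}
	impostorOK = verifyRequest(holderPub, imsg, isig, "nonce-0001")

	// Replay: the genuine signed request resubmitted once support expects a new nonce.
	replayOK = verifyRequest(holderPub, msg, sig, "nonce-0002")

	return holderOK, impostorOK, replayOK, nil
}

func main() {
	h, i, r, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("holder accepted: %v\nimpostor accepted: %v\nreplay accepted: %v\n", h, i, r)
}
```

The point of contrast with the scanned-ID flow: a support agent looking at an image has to judge whether it is genuine, whereas `verifyRequest` either succeeds under the key the government bound to the holder or it does not, and the per-request nonce keeps a captured signed request from being reused later.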
Facebook did not respond to further questions on the hack, particularly how the ID the hacker sent was in violation of its "internal policies" to verify users' identities. Other companies, such as Paypal and Airbnb, also ask for copies of passports in some cases.
Jessy Irwin, an independent security researcher who worked at password manager 1Password until recently, also pointed to Estonia as an ideal alternative to the current system.
"It is 2016 and we're still scanning/photographing largely static identification docs, which could be designed to work much better with the very digital world we work in," she told me. "Forgery isn't new and has been an issue for literally thousands of years."
Unfortunately, she added, until we adopt a digital ID like the one Estonia has, there might not really be a good alternative.
"Unfortunately, we have to [use scans of IDs] until we build something better," she said. "It's a system fail."