Sunday, April 20, 2014

Why using Mobile Phones to Reset Passwords is Unsafe

I do not agree that websites should recover passwords using mobile phones.  It only takes a few minutes to hijack your account using your mobile phone. They do not need to know your phone password or unlock pattern. All they have to do is transfer your SIM to another phone so they can receive your SMS messages. Allow me to demonstrate.

Testing with a Yahoo account

I created a dummy Yahoo account, entered a valid mobile number, and logged out. Pretending that I do not know the password, I clicked on the "I can't access my account" link and I was presented with this screen.

The next screen asks for my Yahoo ID and some verification to ensure that I am not a bot.  Entering the correct text displays this next screen.

Clicking the Next button tells Yahoo to send a code to my mobile phone via SMS.

With my identity validated, all I have to do now is to enter a new password.

It is ironic that the next screen reminds you of how easy it is to recover accounts via text messages. 

Testing with a Facebook account

Facebook has a similar feature.

The above option results in an SMS message similar to the one below.

I did not try the included link, but it appears to make resetting your password easier.

Here is the next screen.


I only used Yahoo and Facebook as examples, but there may be other websites employing SMS to reset passwords. Honestly, I only learned yesterday that my Yahoo and Facebook accounts were set to allow password change via my mobile phone. I entered my mobile number years ago and I do not recall seeing those password recovery options.
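To make the failure mode concrete, here is an added toy model of a recovery service (my illustration, not Yahoo's or Facebook's code): the SMS code is delivered to whoever currently holds the phone number, and a second variant additionally demands a code sent to the account's recovery email. The class, the constructed account data and the 300-second code lifetime are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300  # assumed lifetime of a reset code, in seconds

class RecoveryService:
    def __init__(self, require_second_channel=False):
        self.require_second_channel = require_second_channel
        self.accounts = {}      # username -> {"phone", "email", "password"}
        self.pending = {}       # username -> codes issued for an in-progress reset
        self.sms_outbox = {}    # phone number -> code; whoever holds the SIM can read this
        self.email_outbox = {}  # email address -> code; needs access to the mailbox instead

    def register(self, username, phone, email, password):
        self.accounts[username] = {"phone": phone, "email": email, "password": password}

    def start_reset(self, username):
        acct = self.accounts[username]
        sms_code = f"{secrets.randbelow(10**6):06d}"
        email_code = secrets.token_urlsafe(16)
        self.pending[username] = {"sms": sms_code, "email": email_code, "issued": time.time()}
        self.sms_outbox[acct["phone"]] = sms_code
        if self.require_second_channel:
            self.email_outbox[acct["email"]] = email_code

    def finish_reset(self, username, new_password, sms_code, email_code=None):
        # Single use: the pending record is consumed whether or not the check succeeds.
        p = self.pending.pop(username, None)
        if p is None or time.time() - p["issued"] > CODE_TTL:
            return False
        ok = hmac.compare_digest(p["sms"], sms_code)
        if self.require_second_channel:
            ok = ok and email_code is not None and hmac.compare_digest(p["email"], email_code)
        if ok:
            self.accounts[username]["password"] = new_password
        return ok

def reset_with_phone_only(require_second_channel):
    """Return True if holding the phone number alone is enough to set a new password."""
    svc = RecoveryService(require_second_channel)
    svc.register("dummy", "+10005550100", "dummy@example.invalid", "original")  # constructed data
    svc.start_reset("dummy")
    code_on_sim = svc.sms_outbox["+10005550100"]  # the SIM, now in another phone, receives this
    svc.finish_reset("dummy", "changed", code_on_sim)
    return svc.accounts["dummy"]["password"] == "changed"
```

With the SMS-only policy `reset_with_phone_only(False)` returns True; requiring the second channel turns it to False, because the SIM alone no longer proves anything about the mailbox.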


1 comment:

  1. Someone took advantage of the SMS vulnerability a year after I posted it. Instead of borrowing a SIM though, they requested a SIM replacement: