
Facebook Mobile Security Hole Allows Identity Theft (Gareth Wright) - ashishgandhi
http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft
======
tedunangst
Is "identity theft" the new "bricked"?

Expanded version: You need two things for identity theft: SSN and mother's
maiden name. Neither is particularly difficult to discover, but not on
Facebook. No matter how good your social engineering chops, none of my
friends know those things. If your goal is stealing my identity, breaking into
Facebook is only a waste of time.

Also, not to downplay the exploit too much, but it does require physical
access. Anyone in a position to steal my phone, however briefly, could also
steal my wallet containing my unencrypted driver's license.

------
SoftwareMaven
Why wouldn't FB et al be using the keychain to store this?

The problem with the "once they have physical access" argument is that it is
easy to be in a situation where you don't think you are giving up physical
access. Imagine a rogue coffee shop that builds a bunch of iOS chargers using
Raspberry Pi machines that just look like cheap chargers.

Note that this is as much an Apple problem as a FB problem. FB should not be
storing tokens outside the keychain. Apple should allow (require?) devices to
have a shared key before accepting data connections (similar to the number
that pops up for synching the old AppleTV).

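An added example (not code from the linked post or from Facebook's app) of what "store it in the keychain" means on iOS: the first function writes the token to a plist in the app sandbox, which is an ordinary file that anything able to read the sandbox can copy; the second writes it as a Keychain item with a device-bound accessibility class. The token value, the service name and the account name are made up for the example. It is written in Swift against the Security framework; the Objective-C calls an app of that era would have used are the same SecItem functions. Caveat a practitioner would want: the Keychain class keys are derived from the device passcode, so WhenUnlocked items only gain real protection on a device that has a passcode set.

```swift
import Foundation
import Security

// Added example, not Facebook's code. Constructed token for illustration only.
let oauthToken = "EAAB-example-token-value"

// Weak: a plist under Documents/ is just a file in the app sandbox.
// Anything that can read the sandbox (a sync tool over USB, a filesystem
// browser) can copy the token out without the app's cooperation.
func storeTokenInPlist(_ token: String) throws {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let url = docs.appendingPathComponent("session.plist")
    let dict: [String: String] = ["access_token": token]
    let data = try PropertyListSerialization.data(fromPropertyList: dict,
                                                  format: .xml, options: 0)
    try data.write(to: url)
}

// Assumed service/account identifiers; any stable per-app strings work.
let keychainService = "com.example.oauth"
let keychainAccount = "current-user"

// Stronger: a generic-password Keychain item. With
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly the item is protected by a
// class key derived from the passcode, is unreadable while the device is
// locked, and does not migrate to another device through a backup.
func storeTokenInKeychain(_ token: String) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    // Replace any earlier item for this service/account.
    SecItemDelete(lookup as CFDictionary)

    var add = lookup
    add[kSecValueData as String] = Data(token.utf8)
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(add as CFDictionary, nil)
}

// Reading it back: only succeeds while the device is unlocked.
func readTokenFromKeychain() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

// Usage: the plist path is what the thread argues against; the Keychain
// path is what it argues for.
try? storeTokenInPlist(oauthToken)
let status = storeTokenInKeychain(oauthToken)
if status == errSecSuccess, let back = readTokenFromKeychain() {
    print("keychain round-trip ok, token length \(back.count)")
} else {
    print("keychain store failed with OSStatus \(status)")
}
```

The design point is the accessibility attribute, not the API: a Keychain item written with kSecAttrAccessibleAlways would be little better than the plist, since it would be readable with the device locked and would travel with backups.
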
------
zitterbewegung
Physical access of a device usually screws you anyways. If I had access to
your iPad why couldn't I just use a password reset and gain access to your
Facebook account?

