SecurityWeek
Identity & Access

Phone Verification Abused to Steal Money From Tech Giants

A researcher has demonstrated how malicious hackers could have stolen significant amounts of money from Google, Microsoft and Facebook by leveraging flaws in how these companies implemented their phone-based verification services.

Organizations use phone-based verification for account sign-up, two-factor authentication and bot detection, but in many cases they do not check whether the number a user supplies is a premium rate number, one whose holder is paid a share of every call placed to it. Belgium-based bug bounty hunter Arne Swinnen analyzed the services offered by Microsoft, Google and Facebook-owned Instagram to determine how easily they can be abused.

In the case of Instagram, the photo-sharing service allows users to link a phone number to their account. Users receive a 6-digit code via SMS, which they have to enter in the mobile app in order to verify their number. If the code is not entered within 3 minutes, the user receives an automated voice call from Instagram.

Swinnen found that an attacker could register a premium rate number he controlled as the account's phone number, let the SMS step time out, and have Instagram pay for every voice call it then placed to that number. Each call lasts roughly 17 seconds, and Instagram's rate limiting allowed at most one request every 30 seconds.

The researcher registered a premium U.K. number with a £0.06 per minute rate and managed to earn £1 in 17 minutes. The expert calculated that an attacker could make more than £17,000 per year with just one Instagram account and one premium number, but a dedicated cybercrook with over 100 account and number pairs could make well over £1 million per year.

Facebook initially said this was not a security issue, but ultimately it decided to make some changes to its rate-limiting and monitoring systems based on Swinnen’s findings. The social media giant awarded the expert $2,000 for his work.

Google’s two-factor authentication (2FA) system allows users to receive 2FA tokens via a voice call. Since one call lasts roughly 35 seconds and up to 10 calls can be placed per hour, the researcher managed to earn €1 in two hours. Swinnen calculated that an attacker could make over €400,000 per year by using 100 unique account and premium number combinations.

Google determined that the bug bounty hunter’s submission did not qualify for a monetary reward, but the company did list him in its hall of fame. The company noted that it has mitigations in place to prevent abuse, but admitted that it’s impossible to completely prevent such attacks. Google representatives said money loss is less important to them than user security.

In Microsoft’s case, Swinnen noticed that the company lets users opt for a voice call to prove they are not a bot when registering an Office 365 trial account. A number is blocked once a code has gone unentered after seven attempts, but the expert discovered that the block applied to the exact string entered rather than to the underlying number: the same number could be written in many formats, and each spelling got its own seven attempts.

For example, an attacker could prepend up to 18 zeros to the actual number. Furthermore, any pair of zeros could be replaced with the country code and the call would still go through. Swinnen also found that up to four random digits could be appended to the number; the call was still placed, and Microsoft’s systems did not recognize it as a number that had been entered many times before. Every such variant looked like a new number to Microsoft’s counters while still ringing the same premium number.

Malicious hackers could have abused the service to make a significant profit, since Microsoft placed an unlimited number of simultaneous calls to one premium number; with no concurrency limit and no effective per-number limit, earnings were bounded only by how fast requests could be submitted. In his experiments, the researcher earned €1 in less than one minute.
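As an added example (not code from Microsoft, Google or Facebook, and not Swinnen’s), the following Python sketch shows the two checks that would have closed the gaps described above: canonicalizing every spelling of a phone number to one E.164 key before counting attempts against it, and refusing known premium rate prefixes before any call is placed. The country-code table, the premium rate prefix list, the seven-attempt constant and all sample numbers are constructed for illustration; a real service would use a full numbering-plan dataset such as libphonenumber.

```python
import re
from collections import defaultdict

# Constructed, deliberately tiny numbering metadata: country code -> allowed
# lengths of the national significant number (NSN). Illustrative only; a real
# service should use a full dataset such as libphonenumber.
NSN_LENGTHS = {
    "44": (9, 10),   # United Kingdom
    "32": (8, 9),    # Belgium
    "1": (10,),      # NANP (US/Canada)
}

# Constructed denylist of premium-rate NSN prefixes: UK 09xx service numbers,
# 087x and 118 directory enquiries; NANP 900 numbers.
PREMIUM_PREFIXES = {
    "44": ("9", "871", "872", "873", "118"),
    "1": ("900",),
}

MAX_ATTEMPTS = 7  # per-number limit the article describes for Office 365 trials


def canonicalize(raw, default_cc="44"):
    """Map every spelling of a number to one E.164 key, or raise ValueError.

    Leading zeros carry no identity (trunk prefix, the '00' international
    prefix, or attacker padding), so they are stripped before the country code
    is matched. Numbers in national format are assumed to belong to default_cc;
    a real service would take that from the user's locale.
    """
    stripped = re.sub(r"\(0\)", "", raw.strip())  # drop the "(0)" trunk-prefix notation
    digits = re.sub(r"\D", "", stripped)
    if not digits:
        raise ValueError("no digits")
    international = stripped.startswith("+") or digits.startswith("00")
    digits = digits.lstrip("0")  # any number of leading zeros collapses to none
    if international:
        # longest-prefix match against the known country codes
        cc = max((c for c in NSN_LENGTHS if digits.startswith(c)), key=len, default=None)
        if cc is None:
            raise ValueError("unknown country code")
        nsn = digits[len(cc):]
    else:
        cc, nsn = default_cc, digits
    if len(nsn) not in NSN_LENGTHS[cc]:
        # Digits appended to (or missing from) a valid number are rejected, so
        # "<number>1234" cannot be used as a fresh key.
        raise ValueError(f"bad length {len(nsn)} for +{cc}")
    return f"+{cc}{nsn}"


def is_premium_rate(e164):
    """True if the canonical number falls in a known premium-rate range."""
    for cc, prefixes in PREMIUM_PREFIXES.items():
        if e164.startswith("+" + cc):
            return e164[len(cc) + 1:].startswith(prefixes)
    return False


class VoiceVerifier:
    """Places verification calls, counting attempts per canonical number."""

    def __init__(self):
        self.attempts = defaultdict(int)

    def request_call(self, raw_number):
        try:
            key = canonicalize(raw_number)
        except ValueError as err:
            return "rejected", f"malformed number: {err}"
        if is_premium_rate(key):
            return "rejected", f"premium-rate destination {key}"
        if self.attempts[key] >= MAX_ATTEMPTS:
            return "blocked", key
        self.attempts[key] += 1
        return "called", key


def demo():
    """Replay the article's format tricks against the hardened verifier."""
    verifier = VoiceVerifier()
    # Constructed number in the UK 07700 900xxx range, which Ofcom reserves
    # for fiction, written five different ways (the third has 18 leading zeros).
    spellings = [
        "+44 7700 900123",
        "00447700900123",
        "000000000000000000447700900123",
        "07700900123",
        "+44 (0) 7700 900123",
    ]
    same_number = [verifier.request_call(s) for s in spellings]
    same_number += [verifier.request_call("0044 7700 900123") for _ in range(3)]
    appended = verifier.request_call("+44 7700 900123 1234")  # four digits added
    premium = verifier.request_call("+44 9098 765432")  # constructed UK 09 number
    return same_number, appended, premium


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The demo submits one UK number in five spellings, including one padded with 18 leading zeros; all collapse to a single key and share one attempt counter, so the eighth request is blocked. The version with four digits appended is rejected as malformed rather than treated as a new number, and a number in the UK 09 premium range is refused before any call is placed. The national-format branch is the usual source of ambiguity (the same digit string is a different number in different countries); the example resolves it with an explicit default country code rather than guessing from the digits.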

Microsoft, which said the service was operated by a third party, awarded Swinnen $500 for his findings. The company addressed the issue by preventing users from adding extra digits to the actual phone number.

Earlier this year, Swinnen disclosed a couple of Instagram vulnerabilities that could have allowed hackers to brute-force passwords. The expert earned a $5,000 bounty from Facebook.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
