More and more authentication systems are using SMS messages to verify the identity of users. Google, for example, offers you the option to send a PIN code to your phone when you login. This provides the second of two “factors” of authentication — something you have (the phone, with a one-time password) as well as something you know (your usual password).
IT News in Australia has a story that describes a real-world case of how this is bypassed by attackers.
The service providers generally require public forms of information before they will let you access your account — company name with tax ID and a mobile phone number with user name. This means only one-factor authentication (ironic, no?), based on easy-to-find information, is all that an attacker needed to initiate a port request (reassign a phone number to a new provider).
Back to the story, two separate social engineering calls were used to gather the information necessary according to IT News. Both calls were answered by someone other than the target individual.
In the days leading up to the fraud being committed, he had received two strange phone calls. One came through to his office two-to-three days earlier, claiming to be a representative of the Australian Tax Office, asking if he worked at the company. Another went through to his home number when he was at work. The caller claimed to be a client seeking his mobile phone number for an urgent job; his daughter gave out the number without hesitation.
Now with the information needed to execute the redirection the attackers also created camouflage to anticipate any alarm during service interruptions caused by a phone port.
The fraudsters used this information to make a call to Craig’s mobile phone provider, Vodafone Australia, asking for his phone number to be “ported†to a new device.
As the port request was processed, the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This bought the criminals time to commit the fraud.
Within 30 minutes of the port being completed, and with a verification code in hand, the attackers were spending the $45,000 at an electronics retailer.
The anti-fraud system then kicked-in. Other systems may not have anti-fraud controls as a backup (may lack defense in depth) or attackers may be able to spend below the radar and avoid alarms. Either way this real-world porting attack is a good example of how authentication has to be assessed holistically; transfer, reset and other account management options are often a weak link.