Two Factor Phone Fraud to steal from net bigwigs

Social media bug bounty hunter, Arne Swinnen, has revealed a number of flaws in the big player’s 2 factor authentication (2FA) methods that could enable a malicious user to illicit large sums of money from their phone-based verification services.

Two factor authentication is often offered to many of the users of social media as an added layer of security in ensuring user verification.

Swinnen has reported that an attacker could abuse the security system with the purchase of a number of premium rate telephone numbers which would then be called by the authentication system on logon.
The security researcher registered a premium UK number which charged at a rate of £0.06 and managed to make £1 in 17 minutes via Instagram’s two factor authentication service.

The pay-out screen for Swinnen’s premium rate UK number

Instagram allows users to link a mobile phone number to your account, once activated, the 2 factor authentication system sends a 6 digit pin to your number, if this is not used in 3 minutes of sending, a call is placed to the number saved, in Swinnen’s case, his UK premium rate number.

Instagram’s 6 digit pin code

The actiavation call appearing on the saved phone number

By itself this method could reportedly earn up to £17,000 per year. Each call lasts around 17 seconds and the system limits its rate monitoring to one call every 30 seconds, however a dedicated attacker with 100 accounts and premium rate numbers could potentially earn £1 Million in a year.

Facebook awarded Swinnen $2000 for the discovery of this method however initially reported that they will not be looking to make any changes to their rate limiting and monitoring technologies as a result.
The social media giant’s first reponse was “This is intentional behavior in our product. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”

When the discussion was raised regarding an attacker using an increased number of accounts Facebook commented “Thanks for following up — because these requests are routed through a dedicated service for monitoring and blocking abuse, “intentional behavior” in this case is considered “accepted risk”. Generally speaking, attacks that depend on multiple accounts under attacker control fall under the “spam or social engineering techniques” category of ineligible reports for the whitehat program.”

They later went on to concede “Hello again! We’ll be doing some fine-tuning of our rate limits and work on the service used for outbound calls in response to this submission, so this issue will be eligible for a whitehat bounty. You can expect an update from us again when the changes have been made. Thanks!
(…) We have looked into this issue and believe that the vulnerability has been patched (rate limits adjusted and some additional monitoring in place).”

Google also allow users to receive their 2 factor token codes in a voice call, each call in this case lasts approximately 35 seconds and the rate is limited to 10 per hour.
In two hours, the research earned €1, calculated over a year with 100 unique accounts and matching numbers, this has the potential to net would be attackers a not insignificant €400,000.

Although the find merited Swinnen to be listed in their hall of fame, the search engine giant ruled that the discovery did not warrant a monetary reward. Google stated that they had contingency in place for mitigating fraudulent transactions such as these and deemed it impossible to totally eradicate the threat of malicious players exploiting their authentication systems in this manner.

Google also stated charitably that money is less important to them than user security.

The research also covered Microsoft’s 365 trial accounts which allows users to verify themselves via a voice call. Microsoft paid the researcher $500 for discovering that although a user could enter a premium number, the number was later blocked following 7 failed registration attempts.

This was circumvented by entering a premium number with up to 18 zeros in front of the actual number itself. Zero pairs could also be replaced with international dial prefixes and the call would still go through. It was also discovered that up to 4 random digits could be appended to the number and that Microsoft wouldn’t notice that the number had been dialed many times before.

This attempt earned €1 in less than a minute, Microsoft addressed the vulnerability by amending the service to prevent uses from adding addition digits to an actual phone number.