Researcher Finds Way To Steal Cash From Google, Instagram, and Microsoft Through The Phone

Trailrunner7 quotes a report from On the Wire: A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process. Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies's services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate. "They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP," Swinnen said in a post explaining the bug. "For services such as Instagram and Gmail, users can associate a phone number with their accounts," reports On the Wire. "In the case of Instagram, users can find other people by their phone number, and when a user adds a number, Instagram will send a text to verify the number. If the user never enters the code included in the text, Instagram will eventually call the number. Swinnen noticed that Instagramâ(TM)s robocallers would call any number supplied, including premium-rate numbers. 'One attacker could thus steal 1 GBP per 30 minutes, or 48 GBP/day, 1.440 GBP/month or 17.280/year with one pair. However, a dedicated attacker could easily setup and manage 100 of these pairs, increasing these numbers by a factor 100: 4.800 GBP/day, 144.000 GBP/month or 1.728.000 GBP/year.'"

Re:Dupe

[BarbaraHudson]

Do you even look at the front page of your own website to see if a story has been posted recently?

You must be new here.

Re:

[mfh]

Heh.

That's strange

[Anonymous Coward]

Another researcher discovered the same thing about four Slashdot stories ago.

Click bait

[110010001000]

The story explains how the proof of concept exploit could work. It is tedious and was not likely to be used by sane people. The guy was awarded $2000 for discovering the loophole.

Re:

[Cruciform]

A year or two ago there was a fellow that made the news for doing the same thing to phone scammers. He set up a premium number and would redirect them to that.

How much to do this legally?

[110010001000]

As in, I would love to get a phone number that is 'premium' and then give it out to every website that keeps asking for a phone number.

Slime keep trying to steal my privacy in exchange for nothing. They abuse the phone number and have no business asking for it. If they want my phone so badly, then PAY every time you call me. After all, I never want you to call me, so why shouldn't you pay to talk to me?

Re:How much to do this legally?

[lakeland]

US Premium numbers are no longer available. UK numbers are easily available - register at http://www.phonepayplus.org.uk... [phonepayplus.org.uk]

Note that you would be breaching the ToS for your premium number - they require you to notify all 'customers' that they're calling a premium rate number. So while it's easy to set up, I think you'd be cut off pretty quickly too.

Re:

[Opportunist]

Don't worry, I'll include it in that omnipresent "tell us what you think of us" or "is there anything you'd like to tell us" field. That way we'll finally get to see whether someone actually reads it.

Re:

[rudy_wayne]

US Premium numbers are no longer available.

I was wondering why there was no mention of US numbers and as I was reading the article it occurred to me that I hadn't seen any ads for services using a premium number in quite some time. I have to say, I'm quite surprised that all those "pro-business" politicians out there allowed premium numbers to be banned.

Re:

[lakeland]

I was thinking the same thing and just did a bit of reading (http://www.imediaconnection.com/articles/ported-articles/blogs/2012/dec/verizon-announces-end-of-900-number-billing/).

It looks like the only thing politicians did to kill it was ban phone sex. It was mainly killed by greedy, incompetent carriers.

Re:

[140Mandak262Jamuna]

(For the record, I'm not involved in that type of business, but I do know some things about the evolution of modern payment systems, so I'm speaking from that angle, not as someone interested in dirty talk with an anonymous liar. Really.)

Wow! Even anonymous cowards do not want to be mistaken for phone sex callers...

Re:

[rudy_wayne]

As in, I would love to get a phone number that is 'premium' and then give it out to every website that keeps asking for a phone number.
 

Other than Google, which keeps nagging me to connect a mobile phone number to my account, I can't remember any websites asking for a phone number.

Re:

[Zaelath]

Google, LinkedIN, Facebook, Amazon, many many many others that won't allow you to create an account without one, particularly as part of shipping information.

Re:

[GrumpySteen]

Just give them one of the many rejection line [rejectionline.com] numbers. It's probably the most suitable use those numbers will ever get.

The original story didn't attract many comments

[mspohr]

It looks like they're posting it again to see if they can drum up more ennui.

Not news

[110010001000]

We had same thing in Russia around 12 - 11 years ago when there were the WAP and premium content craze. There was a guy from carders.su who wrote an MMS exploit that hacked Sony cellphones on A100 OS and made them send premium sms in 2006. The whole Megafon cell network went down as it got DDOSed by the chain reaction of the virus spreading