
Identity theft - have you ever pen tested procedures?

20 Mar 17

A recent story by my colleague reminded me of a big problem we have in the IT security industry. Penetration tests concentrate on the technical side, network and application security, while the chain is only as strong as its weakest link, and that link is often a procedure rather than a system.

Identity theft 

The story is real, and the attack vector is in fact well known. The victim used SMS as the second authentication factor (yes, I published Is SMS-based 2-FA really that bad? but never said that it is the best solution, see the follow-up Secure 2-FA guide), and here is how the attack started. The attacker bought an anonymous pre-paid SIM in a convenience store and, using only the victim's full name and date of birth, ported the victim's phone number to another telecommunications provider. Just like that, without any form of ID.

Can YOU actually protect yourself from this kind of attack? 

The simple answer is no. It is not even worth checking the procedures at your own telco: the port-out is requested at, and approved by, the receiving provider, the one the attacker chose, so it is that provider's checks that matter, not yours.

You can reduce the risk somewhat at the cost of usability: register a second phone number and use it only for 2-FA. The attacker has to know which number to port, and websites that care about security never display the full mobile number used for 2-FA, so even an attacker who has your password cannot learn it. Do not store that number anywhere, least of all in your e-mail or address book, and do not give it to your bank as a contact number.

How can telcos authenticate users when transferring a phone number? 

First, an example from Poland: telcos there send an SMS to the current number to confirm the transfer, so the request needs control of the existing SIM. Simple and cheap.

Or, unsurprisingly, call the current number. If your telco phones you to say that someone wants to transfer your number, you will not say yes.

Require a photo ID presented in person at a branch. Not just a scan: a scan can be forged, or simply stolen. An attacker who wants to port your 2-FA phone number may already have access to your mailbox, and some people keep scans of their ID there. Usability: low.

A government-level trusted profile with which you can sign such a request, e.g. Estonia's chip-based eID, thumbs up!

Suspend the old number for a day or two before completing the transfer; the loss of service may raise suspicion. Still, you might be on vacation or just enjoying a weekend without your phone at that time.

Have you ever pen tested procedures? 

Companies often put huge focus and budget into testing the IT platform itself, but what about the IVR (telephone banking) channel? 

What data do you need to reset a password or replace a 2-FA device at your bank? Can you do it online? 

Does your bank offer an IVR banking service? How do you authenticate in the IVR? Why bother with PINs or passwords if all the IVR asks for is your full name, date of birth or a few details about your products? Can you change the security questions, or are they fixed personal data such as your mother's maiden name or place of birth, which cannot be changed once leaked? 

Do you remember the IVR PIN you set five years ago? Can you turn the IVR channel off? Why do we insist on strong web passwords if the IVR, with the same functionality as online banking, accepts an 8-digit PIN? 

VoIP is increasingly popular. Does your telco allow you to activate additional VoIP access on your number? Does it let you read SMS online or forward them to e-mail? What data does the telco require to authenticate such a request, and can it be done without access to the phone itself? Each of these is another way to obtain SMS codes without ever touching the SIM. 

Some companies invest millions of dollars year after year in testing the security of their platform, yet all an attacker needs to do is call the domain registrar and reset a password. What authentication data is required to transfer your domain?

Summary 

Next time you scope a test of a web or mobile application, include the authentication of every channel (web, mobile, IVR, call centre, telco, domain registrar) through which a password or 2-FA device of the target application can be recovered, changed or reset. The attacker does not care that it was "out of scope". 

Remember: a chain is only as strong as its weakest link.
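As an added example (not code from the article or its author), the following Python models the scoping problem described above: every channel that can log in, recover or reset a credential is described by the data it asks for and what it hands over, and a fixpoint walk shows what an attacker holding only name, date of birth and the phone number can reach by chaining channels. The channel definitions, data labels, the `Channel` class and the functions are all constructed assumptions that mirror the article's scenario (port-out at the receiving telco, then a 2-FA reset) and its fixes (the Polish SMS confirmation to the current number, an IVR PIN).

```python
"""Weakest-link analysis over account recovery channels.

Added example, not code from the original article or its author. Each
channel that can log in, recover, change or reset credentials (web, IVR,
call centre, telco port-out, ...) is modelled by the data it asks for and the
capability it grants. A fixpoint walk then shows what an attacker holding only
public data can reach by chaining channels in any order, which is exactly what
a test scoped to the web application alone never sees. All channel
definitions below are constructed assumptions mirroring the article's
scenario; names, data labels and the functions are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    requires: frozenset  # data the channel authenticates the caller with
    grants: frozenset    # what a successful authentication hands over


def ch(name, requires, grants):
    return Channel(name, frozenset(requires), frozenset(grants))


# Constructed model (assumption) of the channels around one bank customer.
# Order matters only for which path is reported first.
CHANNELS = (
    ch("web login", {"password", "sms_otp"}, {"bank_account"}),
    ch("web password reset", {"mailbox", "sms_otp"}, {"password"}),
    ch("telco port-out at receiving provider",
       {"full_name", "date_of_birth", "phone_number"}, {"sms_otp"}),
    ch("2-FA device reset via call centre",
       {"full_name", "date_of_birth", "sms_otp"}, {"bank_account"}),
    ch("IVR telephone banking", {"full_name", "date_of_birth"}, {"bank_account"}),
)

# The article's fixes as alternative channel definitions (assumptions):
# the receiving telco confirms the port by SMS to the current number, so the
# request needs control of the existing SIM; the IVR demands a PIN.
HARDENED_PORT_OUT = ch("telco port-out with SMS confirmation to current number",
                       {"full_name", "date_of_birth", "phone_number", "sms_otp"},
                       {"sms_otp"})
HARDENED_IVR = ch("IVR telephone banking with PIN",
                  {"full_name", "date_of_birth", "ivr_pin"}, {"bank_account"})


def reachable(start, channels):
    """Closure: keep using any channel whose requirements the attacker already
    satisfies and that yields something new, until nothing changes.
    Returns (everything obtained, channels used in order)."""
    known = set(start)
    used = []
    progress = True
    while progress:
        progress = False
        for c in channels:
            if c.name in used or not c.requires <= known or c.grants <= known:
                continue
            known |= c.grants
            used.append(c.name)
            progress = True
    return known, used


def attack_path(start, channels, target="bank_account"):
    """Channels walked to reach `target` from `start`, or None if unreachable."""
    known, used = reachable(start, channels)
    return used if target in known else None


def weakest_links(channels, public, target="bank_account"):
    """Channels that hand over `target` directly for public data alone."""
    return [c.name for c in channels if target in c.grants and c.requires <= public]


def replace_channel(channels, old_name, new_channel):
    """Swap one channel definition for its hardened variant."""
    return tuple(new_channel if c.name == old_name else c for c in channels)


if __name__ == "__main__":
    # Attacker knowledge from OSINT or a leaked contact record (assumption).
    osint = {"full_name", "date_of_birth", "phone_number"}

    print("web app only in scope:", attack_path(osint, CHANNELS[:2]))  # None
    print("all channels:", attack_path(osint, CHANNELS))
    print("direct weak links:", weakest_links(CHANNELS, {"full_name", "date_of_birth"}))

    # Dedicated, undisclosed 2-FA number: attacker does not know which number to port.
    print("no phone number known:", attack_path(osint - {"phone_number"}, CHANNELS))

    hardened = replace_channel(CHANNELS, "telco port-out at receiving provider", HARDENED_PORT_OUT)
    hardened = replace_channel(hardened, "IVR telephone banking", HARDENED_IVR)
    print("hardened telco and IVR:", attack_path(osint, hardened))  # None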

Article by Jakub Kaluzny, security consultant at The Missing Link.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.