Story image

Identity theft - have you ever pen tested procedures?

20 Mar 2017

A recent story by my colleague reminded me a big problem we have in IT Security industry. There is a focus on technical aspects of penetration tests, network and application security, while the chain is only as strong as its weakest link.

Identity theft 

The story is real and actually the attack vector is quite well known. The victim used SMS as a second factor authentication (yes, I published Is SMS-based 2-FA really that bad? but never said that it is the best solution, see the follow-up Secure 2-FA guide) and here is how the attack started. An attacker was able to buy an anonymous pre-paid SIM in a convenience store and using just the full name and date of birth of the victim, he transferred the victim's phone number to the other telecommunications provider. Just like that, without any form of ID.

Can YOU actually protect yourself from this kind of attack? 

The simple answer is - no. It's not even worth checking procedures at your telco provider, because it's the other one who is stealing your number. 

You can mitigate the risk at some level by lowering the usability - register a second phone number and use it only for 2-FA. Websites which care about security do not disclose the full mobile phone number used for 2-FA and even if the attacker compromised your password, he would not be able to know this number. Do not store this number anywhere, especially in your e-mail or address book and do not set it as a contact phone in your bank.

How telcos can authenticate users when transferring a phone number? 

Firstly, an example from Poland - in such cases telcos send a SMS message to the current number to confirm the transfer. Simple and not very costly.

Not surprisingly, call the current number! If you receive a phone call from a telco provider that someone wants to transfer your number, you won't answer yes.

Require a photo ID at a branch. Not just a scan, it can be faked. Or just stolen - if an attacker wants to transfer your 2-FA phone number, he can already have access to your mailbox where some people store scanned IDs. Usability - low.

Any trusted profile at a gov level using which you can sign such a request - e.g. in Estonia they have eID with a chip in it, thumbs up!

Block the old number for a day or two, maybe it raises some suspicion. Still, you might be on vacation or just enjoying a weekend without a phone at this time.

Have you ever pen tested procedures? 

Companies often put a huge focus and budget on testing the IT platform itself but what about the IVR channel? 

What data do you need to reset password or 2-FA device at your bank? Can you do it online? 

Does your bank offer an IVR banking service? How do you authenticate in IVRs? Why do you need PINs or passwords if all you need is full name, date of birth or few details about your products? Can you change security questions? Or it is your personal data such as mother's maiden name or place of birth? 

Do you remember the IVR PIN number you set 5 years ago? Can you turn IVR channel off? Why do we care about strong passwords if we allow 8-digit PINs in IVR with the same functionality as web online banking? 

VoIP is getting more popular nowadays. Does your telco provider allow to activate additional VoIP access on your number? Does it allow to read or forward SMS to e-mail? Which data telcos require for authentication? Can you do it without access to your phone? 

Some companies invest millions of dollars year by year to test security of your platform but all the attackers needs to do is call the domain registrator and reset some passwords? What authentication data do you need to transfer your domain?


Next time when you consider testing a web or mobile application, include testing authentication to all channels where you can remind, change or reset a password or 2-FA device in the target application. The attacker does not care if it was "out-of-scope". 

Remember: a chain is only as strong as its weakest link.

Article by Jakub Kaluzny, security consultant at The Missing Link.

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.