
Identity theft - have you ever pen tested procedures?

20 Mar 2017

A recent story by my colleague reminded me of a big problem we have in the IT security industry. There is a focus on the technical aspects of penetration tests, network and application security, while the chain is only as strong as its weakest link.

Identity theft

The story is real and the attack vector is actually quite well known. The victim used SMS as a second authentication factor (yes, I published Is SMS-based 2-FA really that bad? but never said that it is the best solution; see the follow-up Secure 2-FA guide), and here is how the attack started. An attacker was able to buy an anonymous pre-paid SIM in a convenience store and, using just the victim's full name and date of birth, transferred the victim's phone number to another telecommunications provider. Just like that, without any form of ID.

Can YOU actually protect yourself from this kind of attack?

The simple answer is no. It is not even worth checking the procedures at your own telco provider, because the transfer is handled by the other provider, the one that is taking over your number.

You can mitigate the risk to some extent at the cost of usability: register a second phone number and use it only for 2-FA. Websites which care about security do not disclose the full mobile phone number used for 2-FA, so even if the attacker compromised your password, he would not learn this number. Do not store this number anywhere, especially not in your e-mail or address book, and do not set it as your contact phone at your bank.

How can telcos authenticate users when transferring a phone number?

Firstly, an example from Poland: in such cases telcos send an SMS message to the current number to confirm the transfer. Simple and not very costly.

Or, unsurprisingly, call the current number! If a telco provider calls to tell you that someone wants to transfer your number, you will not answer yes.

Require a photo ID at a branch. Not just a scan, which can be faked, or simply stolen: if an attacker wants to transfer your 2-FA phone number, he may already have access to your mailbox, where some people store scanned IDs. Usability: low.

Any government-level trusted profile with which you can sign such a request, e.g. in Estonia they have an eID with a chip in it. Thumbs up!

Block the old number for a day or two; it may raise some suspicion. Still, you might be on vacation or just enjoying a weekend without a phone at that time.
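As an added illustration of the controls listed above (my own example code, not the article's and not any telco's actual process), here is a port-out workflow on the losing operator's side: the request is confirmed with a one-time code sent to the current number, unconfirmed codes expire, wrong guesses are limited, and a confirmed transfer is held for a cooling-off period during which the owner can still cancel it. The class and method names, the 10-minute and 2-day timings, the operator name and the phone numbers are all assumptions made up for this example.

```python
# Added example (not from the article): a number-transfer ("port-out") workflow
# implementing the confirmation controls described above. Names, timings and
# phone numbers are assumptions constructed for this illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

CODE_TTL = timedelta(minutes=10)   # assumed lifetime of the confirmation code
HOLD_PERIOD = timedelta(days=2)    # assumed cooling-off period before execution
MAX_ATTEMPTS = 3                   # assumed limit on wrong codes per request


@dataclass
class PortRequest:
    msisdn: str                    # number being transferred
    target_operator: str           # operator that asked for the transfer
    created: datetime
    code_hash: bytes               # only a hash of the one-time code is stored
    attempts: int = 0
    confirmed_at: Optional[datetime] = None
    status: str = "PENDING_CONFIRMATION"


class PortOutService:
    """Losing-side telco logic: proof of possession of the number, not of personal data."""

    def __init__(self, send_sms: Callable[[str, str], None]) -> None:
        self.send_sms = send_sms           # transport to the *current* number
        self.requests: Dict[str, PortRequest] = {}

    @staticmethod
    def _hash(msisdn: str, code: str) -> bytes:
        return hashlib.sha256(f"{msisdn}:{code}".encode()).digest()

    def request_port(self, msisdn: str, target_operator: str, now: datetime) -> PortRequest:
        # Name and date of birth are deliberately not accepted as authentication.
        # A one-time code goes to the number that is about to be moved.
        code = f"{secrets.randbelow(10**6):06d}"
        req = PortRequest(msisdn, target_operator, now, self._hash(msisdn, code))
        self.requests[msisdn] = req
        self.send_sms(msisdn, f"Transfer of your number to {target_operator} was requested. "
                              f"Code: {code}. If this was not you, ignore this message.")
        return req

    def confirm(self, msisdn: str, code: str, now: datetime) -> str:
        req = self.requests.get(msisdn)
        if req is None or req.status != "PENDING_CONFIRMATION":
            return "NO_PENDING_REQUEST"
        if now - req.created > CODE_TTL:
            req.status = "EXPIRED"
            return "EXPIRED"
        req.attempts += 1
        if not hmac.compare_digest(req.code_hash, self._hash(msisdn, code)):
            if req.attempts >= MAX_ATTEMPTS:
                req.status = "LOCKED"    # further guesses refused; a new request is needed
                return "LOCKED"
            return "WRONG_CODE"
        req.status = "ON_HOLD"           # confirmed, but not executed yet
        req.confirmed_at = now
        return "ON_HOLD"

    def cancel(self, msisdn: str) -> bool:
        """The current owner can stop a pending or on-hold transfer at any time."""
        req = self.requests.get(msisdn)
        if req is not None and req.status in ("PENDING_CONFIRMATION", "ON_HOLD"):
            req.status = "CANCELLED"
            return True
        return False

    def execute_due(self, now: datetime) -> List[str]:
        """Execute transfers whose hold period has elapsed; returns the numbers moved."""
        moved = []
        for req in self.requests.values():
            if req.status == "ON_HOLD" and now - req.confirmed_at >= HOLD_PERIOD:
                req.status = "TRANSFERRED"
                moved.append(req.msisdn)
        return moved


def code_from_sms(text: str) -> str:
    """Helper for demos: extract the 6-digit code from the constructed SMS text."""
    return text.split("Code: ")[1][:6]


if __name__ == "__main__":
    outbox = []
    svc = PortOutService(lambda number, text: outbox.append((number, text)))
    t0 = datetime(2017, 3, 20, 9, 0)
    svc.request_port("+48600000001", "OtherTel", t0)   # constructed sample number
    print(svc.confirm("+48600000001", code_from_sms(outbox[-1][1]), t0))
    print(svc.execute_due(t0 + timedelta(days=3)))
```

The point of the design is that the only thing the requesting party can supply is a code that arrives at the phone already in the victim's hand; the two-day hold then turns an immediate takeover into a window in which the owner sees the SMS, notices the blocked number, and cancels.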

Have you ever pen tested procedures?

Companies often put a huge focus and budget on testing the IT platform itself, but what about the IVR channel?

What data do you need to reset a password or 2-FA device at your bank? Can you do it online?

Does your bank offer an IVR banking service? How do you authenticate in IVRs? Why do you need PINs or passwords if all you need is a full name, date of birth or a few details about your products? Can you change security questions? Or are the answers your personal data, such as mother's maiden name or place of birth?

Do you remember the IVR PIN you set 5 years ago? Can you turn the IVR channel off? Why do we care about strong passwords if we allow 8-digit PINs in an IVR with the same functionality as web online banking?

VoIP is getting more popular nowadays. Does your telco provider allow you to activate additional VoIP access on your number? Does it allow SMS to be read or forwarded to e-mail? What data do telcos require for authentication? Can you do it without access to your phone?

Some companies invest millions of dollars year after year to test the security of their platform, but all an attacker needs to do is call the domain registrar and reset some passwords? What authentication data do you need to transfer your domain?

Summary

Next time you consider testing a web or mobile application, include testing authentication in all channels where you can recover, change or reset a password or 2-FA device for the target application. The attacker does not care if it was "out-of-scope".

Remember: a chain is only as strong as its weakest link.

Article by Jakub Kaluzny, security consultant at The Missing Link.
