
Identity theft - have you ever pen tested procedures?

20 Mar 17

A recent story by my colleague reminded me of a big problem we have in the IT security industry. There is a focus on the technical aspects of penetration tests, network and application security, while the chain is only as strong as its weakest link.

Identity theft 

The story is real and the attack vector is actually quite well known. The victim used SMS as a second authentication factor (yes, I published Is SMS-based 2-FA really that bad? but never said that it is the best solution, see the follow-up Secure 2-FA guide) and here is how the attack started. An attacker was able to buy an anonymous pre-paid SIM in a convenience store and, using just the full name and date of birth of the victim, he transferred the victim's phone number to another telecommunications provider. Just like that, without any form of ID.

Can YOU actually protect yourself from this kind of attack? 

The simple answer is: no. It's not even worth checking the procedures at your own telco provider, because the port-out is handled by the other provider, the one the attacker chose.

You can mitigate the risk to some extent at the cost of usability: register a second phone number and use it only for 2-FA. Websites which care about security do not disclose the full mobile phone number used for 2-FA, so even if the attacker compromised your password, he would not be able to learn this number. Do not store this number anywhere, especially in your e-mail or address book, and do not set it as the contact phone at your bank.

How can telcos authenticate users when transferring a phone number?

Firstly, an example from Poland: in such cases telcos send an SMS message to the current number to confirm the transfer. Simple and not very costly.

Or, unsurprisingly, call the current number! If you receive a phone call from a telco provider saying that someone wants to transfer your number, you won't answer yes.

Require a photo ID at a branch. Not just a scan, which can be faked. Or simply stolen: if an attacker wants to transfer your 2-FA phone number, he may already have access to your mailbox, where some people store scanned IDs. Usability: low.

A government-level trusted profile with which you can sign such a request. For example, in Estonia they have an eID with a chip in it, thumbs up!

Block the old number for a day or two; maybe it raises some suspicion. Still, you might be on vacation or just enjoying a weekend without a phone at that time.
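To make the difference between the two procedures concrete, here is an added example (not code from the original article or from any telco) that models the "name + date of birth" check from the story beside a port-out gate that requires a single-use, short-lived confirmation code delivered to the current number. The account record, the phone number and the 15-minute expiry are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed account record the telco already holds for the number (hypothetical data).
ACCOUNT = {"msisdn": "+48600000000", "name": "Jane Doe", "dob": "1980-01-01"}


@dataclass
class PortOutRequest:
    msisdn: str
    name: str
    dob: str
    code: Optional[str] = None  # confirmation code typed in by whoever requests the port-out


def weak_port_out_allowed(req: PortOutRequest) -> bool:
    """The procedure from the story: public-ish data (name + DOB) is all it takes."""
    return req.name == ACCOUNT["name"] and req.dob == ACCOUNT["dob"]


@dataclass
class PortOutGate:
    """Hardened procedure: a code is sent to the *current* number and must be echoed back.

    Only the person holding the phone sees the code; it expires quickly and is single-use,
    so a guessed or replayed code cannot authorise the transfer.
    """
    ttl: timedelta = timedelta(minutes=15)            # assumed validity window
    pending: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)

    def start(self, req: PortOutRequest, now: datetime) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[req.msisdn] = (code, now + self.ttl)
        # A real system hands `code` to the SMS sender for req.msisdn here; it is
        # returned only so the sending path (and the test) can use it.
        return code

    def confirm(self, req: PortOutRequest, now: datetime) -> bool:
        entry = self.pending.pop(req.msisdn, None)    # single use: any attempt consumes it
        if entry is None or req.code is None:
            return False
        code, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(code, req.code)   # constant-time comparison
```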

Have you ever pen tested procedures? 

Companies often put a huge focus and budget on testing the IT platform itself, but what about the IVR channel?

What data do you need to reset the password or the 2-FA device at your bank? Can you do it online?

Does your bank offer an IVR banking service? How do you authenticate in the IVR? Why do you need PINs or passwords if all you need is a full name, a date of birth or a few details about your products? Can you change the security questions? Or are they your personal data, such as your mother's maiden name or place of birth?

Do you remember the IVR PIN you set 5 years ago? Can you turn the IVR channel off? Why do we care about strong passwords if we allow 8-digit PINs in an IVR with the same functionality as web online banking?

VoIP is getting more popular nowadays. Does your telco provider allow you to activate additional VoIP access on your number? Does it allow you to read or forward SMS to e-mail? Which data do telcos require for authentication? Can you do it without access to your phone?

Some companies invest millions of dollars year after year to test the security of their platform, but all an attacker needs to do is call the domain registrar and reset some passwords. What authentication data do you need to transfer your domain?

Next time you consider testing a web or mobile application, include testing the authentication of every channel through which you can recover, change or reset a password or 2-FA device for the target application. The attacker does not care if it was "out of scope".

Remember: a chain is only as strong as its weakest link.

Article by Jakub Kaluzny, security consultant at The Missing Link.
