As anyone who has called into a bank or utility provider lately knows, security for customer service routines – the prescribed ways in which support reps verify the identity of customers who call in – is being continually upgraded. Two-factor authentication, voice passwords, various security questions (“what was the name of your first pet,” for instance) and even verifying that a person is at the account address by calling a landline are all well-known features of the authentication process when making account changes.
Well, usually, anyway.
At the Security Analyst Summit 2019 in Singapore last month, David Jacoby, a Swedish member of Kaspersky Lab’s Global Research and Analysis Team (GReAT), gave a short, five-minute presentation called “Exploiting Telco Support Teams for Fun and Profit.” He explained how Swedish telcos ask only for a bare minimum of information from callers – and publicly available information at that – before agreeing to make account changes to specific numbers. This has led to real-world attacks in which victims have found their mobile phone calls hijacked and redirected to a rogue number.
The ease with which someone can redirect the calls is a dream for a stalker, or for someone who’s interested in sniffing out personal information on an individual’s contacts and calling habits. The attackers can find out who the victim usually speaks to, who calls him or her, and with what frequency – information that can be used in corporate espionage efforts or for follow-on social-engineering attacks.
To find out more, we sat down with Jacoby to have him take us through his findings. Also, don’t miss our interview video, available here and embedded below.
Threatpost: So, you’ve uncovered a telco-based, social-engineering attack?
DJ: So I’m talking about social engineering, and it’s not really an attack, but a kind of vulnerability in the way that Swedish telcos handle customer data.
So when a customer calls the support team, there’s no way that they can verify who the person is on the other side. And by exploiting that, you could actually use some of the functions in the telco system to redirect voice messages and voice calls to another phone. So when they don’t have a way to check out who you are, you can easily redirect any phone call to any number that you want, and by doing that you can also bypass the two-factor authentication on some social-media providers.
TP: In practice, what happens when someone calls in?
DJ: Okay, when you call into this telco, you present yourself with a name and maybe your phone number and they will verify that in the system. Maybe if you’re unlucky, the support person will actually try to ask you some security questions. Like, what address do you live at? Or what’s your Social Security number or your date of birth? But all of that information is public in Sweden. So, by just going online, you’re going to find out all that information about the victim that you want to transfer the calls from.
After you’ve done that, all incoming voice calls will be redirected from the victim’s phone to a different phone and there’s no way that a victim can find that out. There’s no way they can see that it’s happening. You don’t get a notification or anything.
TP: How is it possible to bypass two-factor authentication?
DJ: I mentioned before that it bypasses two-factor authentication. That’s true and not true at the same time. But what’s happening is that some websites, some really major websites, I don’t want to mention any names, but when you go to these websites, you have the functionality to reset your password, right? And if you have enabled two-factor authentication, the system will send you a security code via SMS, but also through voice. There’s like a robot that calls the number that you’ve registered on that platform, and if you redirect all incoming voice to a different phone, then of course the robot will call a different number and give you the security code, and you can reset that account, the password for that account.
TP: What was the telcos’ reaction to your findings?
DJ: When we found this out, we informed the telcos and we talked about this vulnerability or insecurity. It’s not a technical problem, so they’re trying to figure out a way that they can update their routines to ask better questions or somehow inform the victim that this has been done, maybe through a text message or adding some kind of information into their customer website where you can control your own account, like a user panel, or control panel for your account. So, you can actually see that a number has been redirected to another number.
TP: While it’s not primarily a technical issue, do you have any technical recommendations?
DJ: We’re recommending not just updating their routines. I mean it’s not good enough. So, I recommended some technical things. In Sweden we have an application where you can authenticate with fingerprint or a PIN code; and a lot of governments, a lot of banks, use that for authentication. And so, why don’t the telcos use that? When the user calls, you have to enter your date of birth and Social Security number, and when you’ve done that, it activates an authentication process on your phone, and if you cannot authenticate with your phone, then you cannot come in.
The problem is that you’re telling this telco that you actually forgot your phone somewhere, or you lost your phone somewhere. So, it kind of contradicts [that recommendation]. They cannot really figure that part out, but I know that they’re trying to.
TP: Has this actually been exploited in the wild?
DJ: The way we found out about this attack is that it’s been exploding for a while now, in Sweden at least. We don’t know about the rest of the world, and we don’t know to what extent, but we know that there have been some cases where victims have fallen for this type of attack.
TP: Any final thoughts?
DJ: Don’t do it. Don’t go hacking telcos.