Are we secured with multiple layers of security?

There is a huge initiative from industry leaders to double secure user account in order to regain access in case of lost password. That’s perfectly fine. It helps you recover credentials, but this study shows it opens a hole that might be one of the largest security and privacy threats. Both private users and enterprises employs services such as Google, Facebook, Twitter, LinkedIN and others and give trust to those companies to store and process our sensitive data.

However, while all the eyes are pointed to such large enterprises that are trusted, very few are considering an impact of background players who sell Two-Factor authentication security to those enterprises players.

That could make a perfect position for a lucrative business to position on the right spot, and make profit by selling targeted accounts access.

Now lets’ assume the following.

Company X is specialized in delivering PIN codes via Phone Calls or SMS.

That Company X eventually grows enough through mergers and acquisitions so it starts providing services to Google, Facebook, LinkedIN, Twitter and Banks.

Every time you decide to reset your password via your phone by SMS or Call, or even login to your banking platform, your supplier initiate API call towards company X asking them to send you the code.

The attack pattern:

Person in company X can virtually get access to any part of your digital life, including social profiles, chat’s, contacts, messages, places you visit, as well as your bank account.

Flow:

Person X from the company X intentionally initiate password reset with the target victim.

Person X intercepts the message and performs Login.

This opens a whole new chapter in Internet security, as IT is getting more and more centralized. Instead of securing, this topology is vulnerable as never before. This could possibly lead to a black market of industrial espionage utilizing techniques from this study.

The graphical representation of attack scenario:

Regular Flow:

Attack Flow:

Did this scenario ever happen?

Yes. It has been confirmed. Multiple persons confirmed LinkedIN accounts being hacked. After some forensic investigation, I found the following scenario is in use, with accounts being successfully attacked:

This Email shows that someone performed a password reset using Chrome on Windows from United States.

Active login using Chrome, from Windows, country United States, and more important from the Block that has been assigned to one of the Biggest 2FA providers on the world that process Google, Facebook, Instagram, Twitter and many other services. (The block used within their office).

Traffic is not delivered in any form of encryption. Due to a fact that SMS/Voice MSU market function just like a stock market, after the code get’s submitted from Social Network for upward delivery, it’s up to their partner to chose the “least cost route”. There is no Encryption In 2FA transmission:

Methods to achieve targeted attack: By dropping the SMS/Voice call price on the global market for specific Country and the operator of the Victim, as a result of least cost routing, it’s a matter of minutes when the traffic is going to get re-routed towards the attacker platform.

In order to be able to do so, without being suspicious, it could employ very serious tricks: This is the UK numbering plan of prefixes issued by Ofcom.

How bellow market cost is achieved to “get Social Networks verifications” at anytime without even being suspicious:

- 078730 allocated by Ofcom to company X

- 078731 078732 078733 … 078739 allocated to O2

Operators worldwide will try to short-down the lists of Global Titles (similar to iptables rules), and most of them have only 07873 = O2

Result:

· Traffic accepted even there is no Roaming Agreement with X (based on O2), Invoice goes to O2 — not X.

· Even if O2 has no agreement, it’s in small operators interest to accept messages from a giant. The test by setting a number from the example pool using a voip white channel resulted in China Telecom thinks my operator is O2.

This is the one and only case of such allocation in the UK or anywhere in the world.

In conclusion: This looks like a very sophisticated scheme aiming to control whole market with the idea of being able to get access to any account at anytime.

The company might even make a loss on their business, and sell the access to any targeted account on any service to government or private sector via third parity companies to make enormous amount of profit.

This study presents forensic evidences that scenario is already happening, affecting the whole Internet community.