Have you ever seen your former classmate Olya become some kind of mustachioed Nikolai on social networks? Or have you ever accidentally entered someone else's group chat? And not just some spam, but a real chat of friends going fishing or to a birthday party? Maybe you've received a message in Telegram about a new user with the number of your late grandmother Zina?
Something similar can happen after a SIM card is blocked after a certain period of inactivity (usually 60 to 365 days depending on the operator) when the number comes back on sale.
What happens if the new owner of your previous number tries to log in where you previously registered? To answer this question, we conducted an experiment.
Experiment. Beginning
Initially, we compiled a list of 80 services and applications popular in Russia. Of these, 56 required login using a phone number and a password from an SMS message. Half of these applications required entering a password, but allowed you to reset it using a code from an SMS message. To simplify the task, we excluded applications for which there was no browser version, and personal accounts of mobile operators.
As a result, 38 applications remained, which for convenience we divided into nine categories. More than half of them were personal accounts on company websites (24%), online stores and pharmacies (16%) and services for the delivery of prepared meals and food products (16%). We allocated SSO services (10%) to a separate category - they provide a single account for all applications of a particular company.
The next step was to purchase SIM cards. It was decided to purchase 100 SIM cards from five major telecom operators. For the sake of purity of the experiment, 30 SIM cards were purchased in the traditional way in mobile phone stores (“white”), another 50 SIM cards were purchased through Telegram channels (“gray”), and the remaining 20 numbers were planned to be rented through specialized online services (virtual). In the end, it was possible to purchase only 15 virtual SIM cards instead of 20. Thus, a total of 95 numbers were used.
Once the list of applications was compiled and SIM cards were purchased, it was time to start the experiment - to check the authorization option in each of the 38 applications. We calculated that if we spend about 5 minutes manually checking each account, then the experiment would take about 13 days.
To save time, we decided to buy a SIM box - a special device for receiving and sending SMS messages and making calls. For our experiment, we used a device with eight SIM cards with 2G support, which allowed us to receive messages with passwords to several numbers at once.
With each phone number, we checked the possibility of authentication in applications from a previously compiled list, using login or password recovery forms. After checking 20% of the numbers, we reduced the list to 13 services with the highest probability of successful login. Thanks to this optimization and the use of SIM box, we managed it in one day.
A useful flaw
It should be noted separately that every third application examined (12 out of 38) contained a User Enumeration vulnerability, which made it possible to partially automate the experiment and reduce the time it took to conduct it.
In some services, when entering the phone number of an existing user, you could see the message “An SMS message with a code has been sent to your number.” Conversely, when entering a phone number for which an account had not been created before, we saw the words “A user with this number was not found” or something similar in meaning. From this, we concluded whether an account linked to the entered phone number existed in the system or not. Similar messages were also encountered in registration forms and when recovering a password. From a security perspective, the different content of the messages is a flaw that allows a hypothetical attacker to determine which accounts exist in order to continue the attack. Account verification in applications with such a flaw can be automated.
In addition, at the stage of preparation for an attack, even before purchasing SIM cards, attackers can pre-compile a list of numbers for which accounts exist, which will further increase the chances of a successful catch: they may not buy numbers for which accounts have not previously been registered.
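The following is an added example (not code from the article or from any of the services tested) showing the user-enumeration flaw described above beside a hardened form of the same endpoint, plus a simple check a developer can run against their own handler. The user store, phone numbers and `send_sms_stub` are constructed for the example.

```python
from typing import Callable, Iterable, List, Set

# Constructed sample user store for this example: phone numbers that have an account.
REGISTERED: Set[str] = {"+79990000001", "+79990000002"}

# Records SMS sends so the example runs offline (stands in for a real SMS gateway).
SENT_SMS: List[str] = []

def send_sms_stub(phone: str) -> None:
    SENT_SMS.append(phone)

def vulnerable_request_code(phone: str) -> str:
    """The flaw from the article: the reply text tells the caller whether an
    account exists for the number, so existence can be checked in bulk."""
    if phone in REGISTERED:
        send_sms_stub(phone)
        return "An SMS message with a code has been sent to your number."
    return "A user with this number was not found"

def hardened_request_code(phone: str) -> str:
    """Same reply for registered and unregistered numbers. The SMS is still
    sent only when an account exists, but the response no longer reveals it.
    In production also keep response time uniform (send the SMS asynchronously)
    and rate-limit requests per number and per source."""
    if phone in REGISTERED:
        send_sms_stub(phone)
    return "If an account exists for this number, a code has been sent."

def leaks_account_existence(handler: Callable[[str], str],
                            probes: Iterable[str]) -> bool:
    """Defender-side check: feed a mix of known-registered and unregistered
    numbers to the handler; more than one distinct reply text means the
    endpoint partitions the input and therefore reveals which accounts exist."""
    replies = {handler(p) for p in probes}
    return len(replies) > 1

if __name__ == "__main__":
    probes = ["+79990000001", "+79990000009"]
    print("vulnerable leaks:", leaks_account_existence(vulnerable_request_code, probes))
    print("hardened leaks:", leaks_account_existence(hardened_request_code, probes))
```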
It's a shame to let the numbers go to waste
During the experiment, we found that almost half (43%) of the numbers had previously been used to register with the services from our list. It was possible to find an unblocked account of the previous owner in every third case: for 37% of all numbers, it was possible to find an active account in at least one of the services, for 6% of numbers, previously created accounts were blocked. Among those numbers that had already been used for registration, in every fourth case (27%) the ability to log into the accounts of previous owners in at least two services was confirmed.
Experiment results (proportion of numbers)
Sellers of "gray" SIM cards, having learned the purpose of the purchase, gave advice on choosing operators whose phone numbers are best suited for our task. The results of the experiment confirmed their recommendations.
Two out of five operators had a higher share of successful authorization confirmations than the others. One of the five operators, having detected activity, blocked SIM cards, so successful authorization was possible only with one of the 18 numbers of this operator. Blocking occurred quite quickly - SMS messages with one-time passwords stopped coming after several attempts.
In addition, it was found that when trying to log into a personal account, two out of five operators disclose the full name of the person to whom the number is registered. This means that an attacker who uses a "gray" number to carry out one or another attack can subsequently use the personal data obtained.
Number of phone numbers with a login option, by SIM card category
During the experiment, we did not find any relationship between the possibility of successful authorization and the SIM card category (“gray”, “white” and virtual).
Valuable finds
In total, it was possible to confirm the possibility of access to 57 accounts of the previous owners of the phone numbers. However, in none of the investigated cases was the possibility of access to a bank account confirmed.
Categories of services for which access to accounts has been confirmed
During the experiment, we noticed that if the number had not previously been used to register on social networks, then no accounts with this number were found in other services either. This means that attackers can use this fact to optimize mass attacks on users.
What's the bottom line?
Losing a phone or a long business trip abroad are the main reasons why the owner of a mobile phone number may lose access to it. Losing a number also means losing access to online services and applications to which this number was linked. And this, in turn, provides grounds for attacks by intruders as soon as your old phone number goes on sale again. We have prepared recommendations for subscribers, application developers and mobile operators that will help increase your level of security.
Recommendations
For users:
- Maintain access to your phone numbers, don't lose your SIM cards.
- Top up your balance on time and perform at least one paid action every three months: send an SMS message or make a call.
- If you have lost access to your phone number and there is no way to restore it in a timely manner, relink your accounts to another number that you have access to.
- For critical applications (messengers, social networks, online banks), additionally use an alternative authorization method, if possible, for example via email.
- Set up two-factor authentication using a one-time password generator like Google Authenticator. Avoid text message logins if possible.
- Do not grant mobile apps permission to read SMS messages.
- Do not share one-time passwords with anyone.
- If you notice any suspicious activity, please contact the app's support service or your mobile operator.
For application developers:
- Give users the option to choose how they want to sign in. Add email or OAuth login.
- Do not use SMS as the second authentication factor, or at least offer an OTP generator as an alternative second factor.
- Do not use SMS as a replacement for passwords for single-factor authentication.
- Ask users to confirm ownership of their phone number every three months.
- Implement a secure process for restoring access to an account when the user's phone number changes.
- Registration, authorization, and password recovery forms should not display information about the presence of a user with the specified phone number.
- Do not allow password recovery using only the code from the SMS message.
- Monitor where users log in from. An unusual IP address or browser should raise suspicions in security systems.
- Notify the user about login attempts from unusual locations.
- Provide users with the ability to view and end active sessions. All active sessions must be ended when changing a password.
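The following is an added example (not code from the article) of how a developer could combine several of the recommendations above into one login policy: SMS OTP alone is accepted only when the number's ownership was confirmed within the last three months and the device is already known; otherwise the service steps up to a non-SMS factor and notifies the user. The `Account`, `LoginAttempt` records and their sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# "Ask users to confirm ownership of their phone number every three months."
CONFIRM_INTERVAL = timedelta(days=90)

@dataclass
class Account:
    phone: str
    phone_confirmed_on: date             # last time the user proved they hold the number
    known_devices: Set[str] = field(default_factory=set)
    has_totp: bool = False               # OTP generator enrolled?
    email: Optional[str] = None          # alternative, non-SMS channel
    notifications: List[str] = field(default_factory=list)

@dataclass
class LoginAttempt:
    phone: str
    device_fingerprint: str              # stands in for IP/browser fingerprint
    day: date

def decide_login(acct: Account, attempt: LoginAttempt) -> str:
    """Return 'sms_ok', 'step_up:totp', 'step_up:email' or 'deny'.
    A recycled number typically shows up as a stale ownership confirmation
    AND an unfamiliar device, which is exactly when SMS alone must not suffice."""
    stale = attempt.day - acct.phone_confirmed_on > CONFIRM_INTERVAL
    new_device = attempt.device_fingerprint not in acct.known_devices
    if new_device:
        # "Notify the user about login attempts from unusual locations."
        acct.notifications.append(
            f"login attempt from unknown device {attempt.device_fingerprint} on {attempt.day}")
    if not stale and not new_device:
        return "sms_ok"
    if acct.has_totp:
        return "step_up:totp"
    if acct.email:
        return "step_up:email"
    # No non-SMS factor available: do not fall back to SMS, route to secure recovery.
    return "deny"

if __name__ == "__main__":
    acct = Account("+79990000001", date(2024, 1, 10), {"fp-home"}, email="user@example.test")
    print(decide_login(acct, LoginAttempt("+79990000001", "fp-home", date(2024, 2, 1))))
    print(decide_login(acct, LoginAttempt("+79990000001", "fp-new", date(2024, 6, 1))))
```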
For mobile operators:
- Notify users about imminent blocking of a number via email and an alternative phone number.
- Implement the ability to restore access to a phone number on the website or in a mobile application.
The article is for informational purposes only and is not an instruction or a call to commit illegal actions. Our goal is to tell about existing vulnerabilities that can be used by attackers, warn users and give recommendations on how to protect personal information on the Internet. The authors are not responsible for the use of the published information. Remember that you need to monitor the security of your data.
Have you ever experienced an unexpected change of ownership of a number? Maybe it was you?
Source