Making Money by Abusing Phone-Based Two-Step Verification

A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process.

Arne Swinnen discovered the issue several months ago after looking at the way several of these companies’ services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that all three had made the same mistake: none of them checked whether the numbers users supply as contact points are legitimate, non-premium numbers before dialing them.

“They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP,” Swinnen said in a post explaining the bug.  “Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number.”

For services such as Instagram and Gmail, users can associate a phone number with their accounts. In the case of Instagram, users can find other people by their phone number, and when a user adds a number, Instagram will send a text to verify the number. If the user never enters the code included in the text, Instagram will eventually call the number. Swinnen noticed that Instagram’s robocallers would call any number supplied, including premium-rate numbers, for which the owner of the number is paid by the caller’s carrier for every call or minute.


“As a PoC, 60 additional calls were made in an automated fashion with Burp Intruder, each with 30 seconds throttle in between. This concluded the theft of one symbolic pound over the course of 17 minutes,” Swinnen said.

“One attacker could thus steal 1 GBP per 30 minutes, or 48 GBP/day, 1.440 GBP/month or 17.280/year with one [instagram account, premium number] pair. However, a dedicated attacker could easily set up and manage 100 of these pairs, increasing these numbers by a factor of 100: 4.800 GBP/day, 144.000 GBP/month or 1.728.000 GBP/year.”

Swinnen said that the same number could be linked to any number of different Instagram accounts, upping the amount of money that an attacker could steal. Facebook, which owns Instagram, patched the issue and paid Swinnen a $2,000 bug bounty for the submission.

Google and Microsoft had similar issues, although in different systems. Google uses a mobile phone as part of its two-step verification system, and will sometimes place a phone call to the number to read the user a six-digit authentication token.

“Entering a premium number here would result in a phone call from Google, but the number would be blocked after a few attempts when no valid token is entered. However luckily, supported forwarding the call to a SIP server (“Callcentre”) and consuming them with a SIP client (Blink in this case) so I could actually hear the message out loud,” Swinnen said.

Once he got past the registration process, Swinnen was able to set up a system that would execute logins and generate the phone calls.

“First, the call destination for the premium number on was modified to a standard ‘conference service’, so I wouldn’t be bothered by it anymore. Then, a selenium script to login with username & password to the 2FA-protected account was recorded with the Firefox IDE plugin & exported to python script. Last but not least, a second quick & dirty python script was designed to execute the former one every 6 minutes and executed. Two hours and 17+1 (enrollment) calls later, the symbolic Euro was mine again.”

Microsoft’s problem was in its Office 365 service, specifically in free-trial registration. By prepending or appending zeroes or random digits to a premium-rate number entered during trial registration, Swinnen could get Microsoft’s system to call the same premium number many times over, since each padded variant was accepted as if it were a new number.

“On top of this, Microsoft allowed concurrent calls to the same premium number. limits the number of concurrent calls from one source address to one of its premium numbers to 10, so a PoC was performed where 2*10 concurrent calls were made within less than one minute, yielding a little more than 1 EUR profit,” Swinnen said.
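The three findings above share one root cause: a voice-token sender that dials whatever number it is handed. The Python below is an added example, not code from Swinnen’s post or from Facebook, Google or Microsoft; it shows the checks a sender should run before dialing, in the order the article’s findings suggest. The premium-rate prefix table and the national-number lengths are illustrative assumptions, not a complete numbering plan, and the sample numbers are drawn from ranges reserved for fiction. It canonicalizes a number so padded variants (leading zeros, a redundant trunk zero, trailing digits) either collapse to one key or are rejected, refuses known premium-rate ranges, caps how many accounts one number may be linked to, and budgets calls per canonical number and per concurrent call.

```python
import re
from collections import defaultdict, deque

# ASSUMPTION (illustrative, not exhaustive): country calling code ->
# national-number prefixes that mark premium-rate ranges in that country.
PREMIUM_PREFIXES = {
    "44": ("9",),    # UK 09xx
    "1": ("900",),   # US/Canada 1-900
    "32": ("90",),   # Belgium 090x
    "49": ("900",),  # Germany 0900
}
# ASSUMPTION: accepted national-number lengths (digits after the country code).
NATIONAL_LENGTH = {"44": (10,), "1": (10,), "32": (8, 9), "49": range(7, 14)}
E164_MAX_DIGITS = 15
WINDOW_SECONDS = 3600


def canonicalize(raw):
    """Reduce a user-supplied number to E.164 form, or raise ValueError.

    Returns (e164, country_code, national). Leading zeros and a trunk '0'
    typed after the country code are stripped so that padded variants map to
    the same key; a national part of the wrong length (e.g. digits appended
    to the end) is rejected rather than passed to the dialer.
    """
    stripped = re.sub(r"[\s().-]", "", raw)
    if stripped.startswith("+"):
        digits = stripped[1:]
    elif stripped.startswith("00"):
        digits = stripped[2:]
    else:
        raise ValueError("number must be international (+cc or 00cc)")
    if not digits.isdigit():
        raise ValueError("non-digit characters")
    digits = digits.lstrip("0")  # no country code starts with 0: pure padding
    for cc in sorted(PREMIUM_PREFIXES, key=len, reverse=True):
        if digits.startswith(cc):
            break
    else:
        raise ValueError("unsupported country code")
    national = digits[len(cc):].lstrip("0")  # drop a trunk prefix after the cc
    if len(cc) + len(national) > E164_MAX_DIGITS or len(national) not in NATIONAL_LENGTH[cc]:
        raise ValueError("national number has wrong length for +%s" % cc)
    return "+" + cc + national, cc, national


def is_premium_rate(cc, national):
    """True when the national number falls in an assumed premium-rate range."""
    return national.startswith(PREMIUM_PREFIXES[cc])


class VoiceTokenGuard:
    """Policy gate in front of the robocaller (assumed design, not a vendor's)."""

    def __init__(self, max_calls_per_number=3, max_accounts_per_number=2, max_concurrent=1):
        self.max_calls = max_calls_per_number
        self.max_accounts = max_accounts_per_number
        self.max_concurrent = max_concurrent
        self.calls = defaultdict(deque)    # e164 -> timestamps of recent calls
        self.accounts = defaultdict(set)   # e164 -> account ids linked to it
        self.in_progress = defaultdict(int)  # e164 -> calls currently ringing

    def request_call(self, account_id, raw_number, now):
        """Return ("dial", e164) or ("reject", reason)."""
        try:
            number, cc, national = canonicalize(raw_number)
        except ValueError as err:
            return ("reject", "malformed: %s" % err)
        if is_premium_rate(cc, national):
            return ("reject", "premium-rate range")
        linked = self.accounts[number]
        if account_id not in linked and len(linked) >= self.max_accounts:
            return ("reject", "number linked to too many accounts")
        linked.add(account_id)
        window = self.calls[number]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # expire calls outside the budget window
        if len(window) >= self.max_calls:
            return ("reject", "per-number call budget exhausted")
        if self.in_progress[number] >= self.max_concurrent:
            return ("reject", "call already in progress")
        window.append(now)
        self.in_progress[number] += 1
        return ("dial", number)

    def call_finished(self, number):
        """Release the concurrency slot once the call to an E.164 number ends."""
        self.in_progress[number] = max(0, self.in_progress[number] - 1)


if __name__ == "__main__":
    g = VoiceTokenGuard(max_calls_per_number=2, max_accounts_per_number=1)
    # Constructed inputs: three spellings of one UK mobile, and a UK 09 number.
    for raw in ("+44 (0)7700 900123", "0044 7700 900123", "+0044 7700 900123", "+44 909 879 0000"):
        print(raw, "->", g.request_call("acct-a", raw, now=0))
        g.call_finished("+447700900123")
```

Running the block shows the first spelling being dialed, the two padded spellings counting against the same budget and the third being refused, and the 09 number rejected before any call is placed.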

Both Google and Microsoft put mitigations in place to address the problems, and Microsoft paid Swinnen a $500 bounty. Google didn’t award a bounty.
