Researcher dials for dollars using two-factor authentication phone calls

Thief on the phone

I would hope that, by now, most readers of these pages are familiar with two-factor authentication, or 2FA. For those who are not, 2FA is a method of authentication that asks users to provide two pieces of information (typically a password and an authentication code) when they log in to a website or service.

The codes used in 2FA come in many forms – via an authenticator app, a text message, and sometimes even via automated voice phone calls as a backup for someone who may not have access to a mobile phone.

Although few sites support 2FA voice phone calls as an option, many of the biggest software companies and social networks still do as they have some of the largest and most diverse user pools out there.

Belgian security researcher Arne Swinnen capitalized on this after finding a fundamental flaw in the 2FA voice call systems used by Google, Microsoft, and Facebook’s Instagram.

Swinnen set up premium-rate phone numbers and tricked the 2FA voice systems for these three organizations into making dozens of calls to his phone number. Even though all three systems had some kind of rate limiting in place to prevent rampant abuse, it wasn’t enough to stop him exploiting them to make money.

In the case of Microsoft’s Office 365 product, Swinnen found that he could increase calls to a single number from seven to 172, just by prefixing the same number with extra zeros and country codes so that each variant was counted as if it were a different number.
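As an added example (not from the article, Swinnen's research, or any of the vendors named), here is a simplified Python sketch of the defensive fix the Office 365 case implies: rate-limit voice 2FA calls on the canonicalised E.164 number rather than on the raw string the user typed. The normaliser, the quota of 7 calls, the default country code and the sample numbers are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed per-number quota for voice 2FA calls (illustrative, not any vendor's real limit).
MAX_CALLS_PER_NUMBER = 7

def normalize_e164(raw: str, default_cc: str = "32") -> str:
    """Collapse dial-prefix variants of one subscriber to a single E.164-style key.

    Simplified for illustration: handles '+', the '00' international prefix,
    padded leading zeros and a national trunk '0'. Real deployments should use a
    full numbering-plan library such as libphonenumber instead of this sketch.
    """
    s = raw.strip()
    has_plus = s.startswith("+")
    digits = re.sub(r"\D", "", s)
    if has_plus or digits.startswith("00"):
        digits = digits.lstrip("0")                 # drop '00' prefix and any zero padding
    elif digits.startswith("0"):
        digits = default_cc + digits.lstrip("0")    # national format -> assumed home country
    if not digits:
        raise ValueError(f"no digits in {raw!r}")
    return "+" + digits

class NaiveRateLimiter:
    """Weak: buckets keyed on the raw string, so every spelling gets its own quota."""
    def __init__(self, limit: int = MAX_CALLS_PER_NUMBER):
        self.limit, self.calls = limit, defaultdict(int)

    def bucket(self, raw_number: str) -> str:
        return raw_number

    def allow_call(self, raw_number: str) -> bool:
        key = self.bucket(raw_number)
        if self.calls[key] >= self.limit:
            return False
        self.calls[key] += 1
        return True

class CanonicalRateLimiter(NaiveRateLimiter):
    """Fixed: all variants of the same subscriber share one bucket."""
    def bucket(self, raw_number: str) -> str:
        return normalize_e164(raw_number)

def count_allowed(limiter: NaiveRateLimiter, requests: list[str]) -> int:
    return sum(1 for r in requests if limiter.allow_call(r))

# Constructed sample: one (fictional) subscriber requested under four spellings, 5 times each.
VARIANTS = ["+32 470 12 34 56", "0032470123456", "000032470123456", "0470123456"]
REQUESTS = [v for v in VARIANTS for _ in range(5)]

if __name__ == "__main__":
    print("naive allows:", count_allowed(NaiveRateLimiter(), REQUESTS))        # 20
    print("canonical allows:", count_allowed(CanonicalRateLimiter(), REQUESTS))  # 7
```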

The vulnerability that Swinnen discovered is unusual in that it doesn’t scam end-users out of money, but instead steals from the companies. With premium-rate 2FA phone calls taking up to 30 seconds each, it is easy to rack up big bills by chaining dozens of these automated calls.

According to The Register, Swinnen – and others with less noble intentions – could potentially make up to $750,000 from a single premium-rate number.

If you’re handy with writing Python scripts, perhaps this might sound like an easy way to make a few bucks – but don’t get any ideas. Swinnen responsibly disclosed these vulnerabilities to Facebook, Google, and Microsoft. All three companies responded with remediation to prevent, or at least lessen the likelihood of, this kind of scam taking place.

As a thanks for sharing his findings, Swinnen received bug bounties from Facebook ($2000) and Microsoft ($500), and a place in the Google Hall of Fame.