News

2FA and telco vulnerability allows criminals to hack email accounts, reveals security researcher

When you forget your Gmail password, and have two factor authentication (2FA) enabled, Google will SMS or call you with a six to eight digit code. You enter the code (Google calls this 2-step verification) and gain access to your account.

George Nott Apr 15th 2019 A-A+

When you forget your Gmail password, and have two factor authentication (2FA) enabled, Google will SMS or call you with a six to eight digit code. You enter the code (Google calls this 2-step verification) and gain access to your account.

"The security industry has been promoting two factor authentication for a long time, It's a good thing but there are some vulnerabilities," explains Kaspersky Lab senior security researcher David Jacoby.

In a demonstration at Kaspersky's Security Analyst Summit in Singapore this week, Jacoby showed that the security feature allows criminals to easily gain access to an individual's Gmail account. All you need is some readily available information, a target's number, and a phone to call a telco's customer support.

Essentially, Jacoby explains: "You just need to have the balls to do it."

Super easy

The hack has been seen "in the wild" in Sweden, Where Jacoby is based, where it is made easier thanks to a government service with which anyone can look up the carrier of any mobile number.

"It's a bit crazy. I don't see the benefit of it," Jacoby says.

Similar services exist in other countries, often through commercial, subscription services.

Once a target is selected and their number and carrier discovered, the hacker calls their telco and asks for calls to be redirected temporarily to another number (owned by the criminal). In Jacoby's case, redirecting someone else's calls was easily done.

He played such a call: Hey support team. I have a very important call coming in but I don't have my phone, can you please redirect all incoming calls to XXXXXX this number...? Thank you!

"They do it. We tried so many different telcos and all of them were vulnerable to this sort of social engineering attack," Jacoby said.

The attacker simply requests Google call with a verification code, it comes through to the hacker's phone number, and they gain access to the account. A similar security feature is offered by Facebook, Twitter and Apple.

"It's not that difficult, it's super easy," Jacoby says.

So many flaws

The security researcher points the finger at the telcos for the vulnerability. 

"It's a vulnerability in their routines, they don't verify who you are," Jacoby says.

He has contacted the Swedish telcos he tested, who have all said they are examining their procedures.

"What I want to see is that they add some kind of technical security. Send me a text message saying now your number is redirected to whatever. Even if I don't have access to my phone, when I get home I'll be able to see that. Or if I log into your app [show it there]," he said.

"There's so many flaws in this entire thing, it doesn't make sense."

Ironically, the victim will need to have enabled two factor authentication for the hack to work.

"So you add extra security and you become vulnerable. You add this: ah crap now anyone can hack it!" Jacoby said.

The author travelled to the Security Analyst Summit as a guest of Kaspersky.