Attacks Made Possible by the Verizon Breach

Zack Whittaker, ZDNet:

Quoting from the article: “Each record included a customer’s name, a cell phone number, and their account PIN”

Verizon’s response here is both untrue and irrelevant. Wireless accounts are the new email accounts for attackers — one key that opens all doors.

The ‘call in’ security model for Wireless Accounts in the United States is as follows:

  1. Caller provides a phone number associated with the account in question. This can be any number on the account; it does not have to be that of the account holder. The number of the account holder’s child holds the same power as that of an adult.
  2. Caller is prompted for their name. Providing the name of the account holder is required to move to the next stage of authentication.
  3. Caller is prompted for the PIN on the account. PINs are a relatively recent change to the authentication procedure for most carriers — in the past, callers would have to provide the last 4 digits of the Social Security Number (SSN) of the account holder.

With that authentication flow completed, the caller has full control of the account. The Verizon breach contains all of the information requested as part of the authentication flow.

What follows is a list of selected attacks that can be easily carried out using nothing but the breached information. My focus is on practical attacks — ones that require little to no sophistication or social engineering experience.

I do acknowledge that spelling out how to perform attacks will be seen by some as irresponsible. My thinking is that the Bad Guys™ already know this stuff and are actively performing these attacks today. By shining light on attacks and by publishing some in full, I hope to force Verizon to change their policies. Hopefully, this post gets enough attention to make that happen.

I would also like to note that there are attacks I am aware of that I feel are especially dangerous and are not well known to attackers. I am not mentioning them in this piece. I’m trying to shine a light on bad practices on Verizon’s part without aiding cyber criminals in the process.

Account Takeover For Bypassing SMS 2FA

For many people, an attacker taking over their Wireless Account for the purpose of getting around 2 Factor Authentication on other, more valuable accounts is the most troubling attack they face. Your wireless provider offers no protection against it. It’s out of your hands.

If your Wireless Account is taken over, SMS-based 2FA comes back to haunt you. Virtually every major service that exists today treats the holder of the registered phone number as the ultimate authority regarding the account — able to reset passwords, log in from any location, close accounts, transfer funds and much more. The situation is bad.

Attack Option #1 — Activating a SIM card.

If an attacker activates a new SIM card on the line in question, the game is over. Verizon lags behind all of the other major US providers in raising the bar one has to meet in order to do so. Other major US providers attempt to verify that the caller has access to the active SIM card on the account prior to activating a new SIM. These security measures can be worked around, but at least everyone else is trying.

So this attack is much easier to pull off on Verizon accounts. 🎊

Step 1: Acquire an unactivated Verizon Wireless postpaid account SIM card. Verizon Stores generally do not hand out SIMs without first activating them on an account. A good place to get one is the Apple Store — they are free and always unactivated.

Step 2: Call in to Verizon Wireless. Authenticate the account. Once authenticated, an attacker needs to find out what model phone the account holder has. The reason for this is so that they have a plausible story for activating a new SIM.

Now, they could just reset the email on the account and log in to the website, but that sends an alert to the account holder and thus starts the clock. It’s much easier to just ask the representative what phone you have under the pretense of potentially buying a new phone. That information is not considered to be protected, so they will generally tell you without much complaint. Take note of the phone model and the OS it runs, then hang up.

Now it is time to develop a story to justify the SIM card activation. Google the phone model and see what type of SIM card it requires. If the phone uses a Micro SIM, the attacker will be activating a phone that uses a Nano SIM. If the phone is an iPhone 7, they will be activating an Android phone, and so on.

To prepare, one must obtain an IMEI/ESN of a Verizon Wireless phone. This can be found on eBay. Physical access to the phone that the ESN/IMEI is from is not required.

Step 3: Call back in. Tell the representative the story. Provide them with the ESN/IMEI when asked, provide the SIM card ICCID when asked. They will activate the SIM and send a notification to the account holder. The clock is ticking now, but the attack is complete.
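As an added illustration (not code from the original post, nor any carrier’s actual system), here is a small model of the call-in flow from the numbered list above and of the two SIM-activation policies this section contrasts. The account, the breached record and the ICCIDs are constructed sample data, and the shape of the other carriers’ possession check (a code that must be read back from the SIM currently on the line) is an assumption; the post says only that they try to verify access to the active SIM.

```python
# Added illustration of the carrier 'call in' authentication flow and of the
# two SIM-activation policies contrasted in the post. Not code from the
# original post or from any carrier. Account data, breach record, ICCIDs and
# the exact form of the possession check are constructed assumptions.
from dataclasses import dataclass
from typing import List


@dataclass
class Account:
    holder_name: str
    pin: str
    numbers: List[str]        # every line on the account, adult or child
    active_iccid: str         # SIM currently provisioned on the holder's line


@dataclass
class Caller:
    """What the person on the phone can present to the representative."""
    phone_number: str
    name: str
    pin: str
    holds_active_sim: bool = False  # can they read a code texted to the current SIM?


def knowledge_check(account: Account, caller: Caller) -> bool:
    """Steps 1-3 of the flow: any number on the account, the holder's name,
    the account PIN. All three are 'something you know', and all three are
    present in the breached record."""
    return (
        caller.phone_number in account.numbers
        and caller.name.casefold() == account.holder_name.casefold()
        and caller.pin == account.pin
    )


def activate_sim_pin_only(account: Account, caller: Caller, new_iccid: str) -> bool:
    """Policy the post attributes to Verizon: passing the call-in
    authentication is enough to swap the SIM."""
    if not knowledge_check(account, caller):
        return False
    account.active_iccid = new_iccid
    return True


def activate_sim_possession(account: Account, caller: Caller, new_iccid: str) -> bool:
    """Assumed shape of the other carriers' check: the caller must also prove
    access to the SIM currently on the line (e.g. read back a texted code)."""
    if not knowledge_check(account, caller):
        return False
    if not caller.holds_active_sim:
        return False
    account.active_iccid = new_iccid
    return True


# Constructed sample data: one breached record for a two-line account.
# The leaked number is the child's line, which the flow treats like the holder's.
BREACH_RECORD = {"name": "Jane Doe", "phone": "212-555-0188", "pin": "4321"}
ATTACKER_ICCID = "8901260000000000001"


def fresh_account() -> Account:
    return Account(
        holder_name="Jane Doe",
        pin="4321",
        numbers=["212-555-0101", "212-555-0188"],  # holder's line, child's line
        active_iccid="8901260000000000000",
    )


def attacker_from_breach(record: dict) -> Caller:
    """An attacker armed only with the leaked record: no handset, no SIM."""
    return Caller(record["phone"], record["name"], record["pin"], holds_active_sim=False)


def run(policy) -> bool:
    """Returns True if the attacker's SIM ends up active on the account."""
    account = fresh_account()
    attacker = attacker_from_breach(BREACH_RECORD)
    policy(account, attacker, ATTACKER_ICCID)
    return account.active_iccid == ATTACKER_ICCID


if __name__ == "__main__":
    print("pin-only policy, breach record alone:", run(activate_sim_pin_only))      # True
    print("possession policy, breach record alone:", run(activate_sim_possession))  # False
```

The attacker object is built from nothing but the leaked record, and the number it presents is the child’s line. Against the PIN-only policy the swap succeeds; against the possession check it fails at the one step a breach record cannot satisfy, which is the whole difference the post is pointing at.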

Fraudulently Ordering Phones from Verizon

If customers getting their Bitcoins stolen isn’t enough to get Verizon to change their policies, maybe losing money to fraud is.

Back before SMS 2FA was a thing, the most common purpose of account takeovers was fraud. Specifically, ordering phones from Verizon on the account holder’s credit.

In order to fully comprehend the tidal wave of fraud Verizon Wireless customers are now exposed to, it’s important to understand how Wireless Account credit works. Ordering an upgrade is not like applying for a credit card, or even a credit line increase. Nor is adding a line. When the Wireless Account is opened, a credit decision regarding the maximum number of lines and if any deposit is needed for those lines is made at that time, even if an account is opened just for 1 line for 1 person. That decision lasts 6 months in most cases.

Postpaid Wireless Accounts in the United States, on every major carrier, graduate to ‘best case credit’ after a certain amount of time - typically 1 year. If payment is made on time (or at least not seriously late) the account will graduate to the best case credit tier. This lifts any limitations imposed at account creation.

Once the account has aged, it can be used to purchase a large number of phones with no up-front cost. Carriers do not run the account holder’s credit again unless an alarm is tripped during the purchase process. And, no, attempting to order phones to an address not previously associated with the account does not, by itself, trip any alarms.

What this means is that a massive percentage of breached accounts can be weaponized to order phones without going through a typical credit application process. For one thing, any line that has an upgrade available can be upgraded so long as the bill isn’t past due. That alone scores an attacker at least 1 phone.

The older the account is, the worse the damage. A Verizon Wireless consumer account with 2 lines has a maximum of 10 potential phones for the attacker, and hitting that maximum isn’t a matter of the account holder’s credit so much as it is about the attacker’s skill in avoiding tripping Verizon’s fraud detection.

What follows is what an attack would look like, with descriptions of techniques used to avoid tripping fraud alarms omitted:

Attack — Ordering Phones To a Bad Guy’s Address

  1. Call in and authenticate the account. Get a representative to tell you the number of lines on the account and the type (phone, tablet, MiFi) of device for each.
  2. Call back in and speak to customer service. Explain to them that you need to update the shipping address on the account. They allow the billing and shipping address to be separate, unrelated addresses. Updating the shipping address and then ordering phones does not in and of itself trigger any fraud alarms.
  3. Call back in and order phones. Generally, attackers perform this type of fraud slowly — upgrading 2 of the lines on the account, receiving the phones, calling back in, and ordering more until the account holder catches on. The account holder tends not to catch on right away because of techniques used to hide the orders from them.

This attack is easy to pull off, is widely performed among unskilled credit card fraudster types and gets them iPhones, which they can sell easily.

Other Scary Things

Here are some other attacks that can be pulled off by an unskilled actor armed with the leaked data.

  • Viewing numbers dialed on a per-line basis
  • Listening to the victim’s voicemail.
  • Accessing data stored in Verizon Cloud
  • Porting any number on the account to any other carrier
  • Sending text messages from any number on the account, even without activating a new SIM on the account. If the victim is a Verizon Messages+ user, previously sent or received SMS messages can be viewed and new ones can be sent.
  • The location of any 3G/LTE enabled phone on the account can be tracked. An attacker can sign a victim up for Verizon Family Locator and, without installing an app on the victim’s end, track their location. To Verizon’s credit, a text message is normally sent to the device being located as an alert. Unfortunately, there are ways for an attacker to get around that.

I think everyone gets the point by now. The Verizon breach that Zack Whittaker reported is very bad, and Verizon’s response to it is nonsense. All Verizon Wireless customers should change their PINs. Verizon itself should consider being more honest in their response to this breach.

Going forward, something has to change with regards to authentication of Wireless Accounts. The current system is nowhere close to good enough.

Written by Justin May (enMTW).