Comments
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
CharlotteSmithAG, User Rank: Apprentice
11/23/2019 | 3:04:19 AM
Re: Common Sense always rules out
Looking forward to more details regarding it
tdsan, User Rank: Ninja
11/21/2019 | 1:32:31 PM
Re: Common Sense always rules out

One thing I didn't elaborate on in the article is that both my Pixel and Apple phones' default settings with notifications 'turned on' reveal the first line of a text on the notifications screen. [The onetime code comes through usually since it's in the first line].

I do believe it is less user-error and more of a structural/endemic vulnerability, since the presumption is that a majority of users will leave their phones on the default setting. [Please correct if I'm wrong about that - it's possible that the default for notifications varies for different versions of different mobile phones]
  • Interesting point, so from a technical and security standpoint, most individuals will install certain security tools (controls) to ensure or reduce the chances of it being compromised. A number of security individuals verify the patches are up-to-date, install Antivirus, HIDS, Firewall and other mechanisms (checks and balances). The same should apply to the phone; it is not any different, since the operating system is based on Linux or a Linux variant. So in this case you may be wrong about that: they give you the box, but it is up to you how to fill it. We should apply the same principles to the phone as we do the computer.

T
CyberLady, User Rank: Author
11/21/2019 | 1:18:55 PM
Re: Common Sense always rules out
Todd,

Thanks for your feedback. I enjoyed reading your responses to the different sections of the paper.

One thing I didn't elaborate on in the article is that both my Pixel and Apple phones' default settings with notifications 'turned on' reveal the first line of a text on the notifications screen. [The onetime code comes through usually since it's in the first line].

Since it's my understanding that this is the 'default' notifications setting for many cell phones, I do believe it is less user-error and more of a structural/endemic vulnerability, since the presumption is that a majority of users will leave their phones on the default setting. [Please correct if I'm wrong about that - it's possible that the default for notifications varies for different versions of different mobile phones]. I don't have any statistics on the topic, but in our era of convenience over security, I do believe most (non-infoSec) users opt for notifications on their phones.

I agree that much of security is the responsibility of the user. And, I guess, my hope is to help educate users who have their notifications turned on for messaging that this can be an issue. I also agree that this is not any sort of traditional 'hack' - the title was meant to be a bit tongue-in-cheek.

Thanks again for the perspective. I will incorporate your feedback into this topic as a present or write about it in the future. 

Cheers,

Nicole
tdsan, User Rank: Ninja
11/21/2019 | 12:50:20 PM
Common Sense always rules out

I immediately received a one-time passcode from Twitter and was able to read the code via a notification on the locked screen of my cellphone. Upon entering the code into Twitter's website, I was prompted to enter a new password and gained full control of the account. Since SMS notifications appear on my phone's locked screen, anyone with physical access to my phone and my phone number could have taken over my Twitter account.
  •  You have actually addressed some of what I am going to say in the later parts of your response, but first of all, why would the user allow text messages to be displayed on a locked screen? The phone makes a sound and informs the user they have a new text message. But to Twitter's point, they can't think for you; that is up to the end user. When things happen like this, the accountability is on the end-user because they have not taken the precautions to address basic security concerns.

The most disturbing thing about my Twitter experiment is the knowledge that any family member, friend, or co-worker who had my phone number could enter it in Twitter's "Forgot password?" field, pick up my locked phone to view the one-time password, and gain full control of my account. A SIM swap wasn't even necessary.
  •  Again, how can we blame Twitter for leaving the door open? That is almost like leaving your door open when you leave for work; you're asking for trouble. Again, common sense comes into play here and with a number of different situations (i.e. CapitalOne, Marriott, Accenture, etc). In the S3 bucket situation, there is a section in AWS that says "Block All Public Access"; what more can they do, it is a service.

Many online providers suggest adding a mobile phone number as a way to implement 2FA — that is, 1) something you know and 2) something you have. Indeed, 2FA is used to initially link a user's phone number to an online account; however, after the initial confirmation of the phone number, the authentication process often reverts back to single-factor authentication (a phone number) for authenticating accounts.
  • I do think MFA/2FA is great, but if the person leaves their phone open (where the vendor thinks the phone is supposed to be with the user and locked - no sensitive info on the screen - since it has sensitive data), that is even a problem. Again, it comes to making good choices. This is not a hack, because you have the phone. The hack comes into place when you don't have the phone and they are able to figure out the sequence of the TOTP codes being used or they capture the string or QR code that you used to create the TOTP process.

The points are valid but the problem with the argument is that you had the phone in your possession and did nothing during the time you had the phone in use (did not follow best practices). So it is not up to the vendor, it is a service the vendor has made available to the end-user. If the end-user does not take the necessary steps to lock their home (rhetorical), then anyone can enter even with MFA/2FA (common sense and basic security steps).

Todd
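The two reset flows this thread argues over can be put side by side in code: one where the SMS code alone, once read off a lock screen, is enough to take the account (the article's scenario), and one where the code sent to the phone is only the possession factor and a second, knowledge-based factor is still required. The following Python is an added example and is not code from the article, from Dark Reading, from Twitter or from any of the commenters; the recovery-code factor, the five-minute code lifetime, the three-attempt limit and the in-memory "SMS outbox" are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so neither passwords nor recovery codes are stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    phone: str
    salt: bytes
    password_hash: bytes
    recovery_hash: bytes  # assumed design: a code the user wrote down at enrollment


def make_account(username, phone, password, recovery_code) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, phone, salt, hash_secret(password, salt),
                   hash_secret(recovery_code, salt))


class ResetService:
    OTP_TTL_SECONDS = 300  # the SMS code is only briefly valid
    MAX_ATTEMPTS = 3       # a few wrong guesses void the reset session

    def __init__(self, accounts, clock=time.time):
        self.by_phone = {a.phone: a for a in accounts}
        self.sessions = {}    # reset token -> session state
        self.sms_outbox = []  # constructed stand-in for the SMS gateway
        self.clock = clock

    def start_reset(self, phone: str) -> str:
        # "Forgot password?": same response whether or not the number is enrolled.
        token = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.sessions[token] = {"phone": phone, "otp": otp, "issued": self.clock(), "attempts": 0}
        if phone in self.by_phone:
            self.sms_outbox.append((phone, otp))  # the text that lands on the lock screen
        return token

    def _account_for(self, token: str, otp: str):
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.clock() - sess["issued"] > self.OTP_TTL_SECONDS:
            del self.sessions[token]
            return None
        sess["attempts"] += 1
        if hmac.compare_digest(sess["otp"], otp):
            return self.by_phone.get(sess["phone"])
        if sess["attempts"] >= self.MAX_ATTEMPTS:
            del self.sessions[token]
        return None

    def reset_weak(self, token: str, otp: str, new_password: str) -> bool:
        # The flow the thread describes: the SMS code alone resets the password.
        acct = self._account_for(token, otp)
        if acct is None:
            return False
        self._finish(token, acct, new_password)
        return True

    def reset_strong(self, token: str, otp: str, recovery_code: str, new_password: str) -> bool:
        # Hardened flow: SMS code proves possession, recovery code proves knowledge.
        acct = self._account_for(token, otp)
        if acct is None:
            return False
        if not hmac.compare_digest(hash_secret(recovery_code, acct.salt), acct.recovery_hash):
            del self.sessions[token]  # one shot: a valid OTP cannot be retried with new guesses
            return False
        self._finish(token, acct, new_password)
        return True

    def _finish(self, token, acct, new_password):
        acct.password_hash = hash_secret(new_password, acct.salt)
        del self.sessions[token]  # the OTP is consumed


def demo():
    # Constructed scenario: someone with the victim's number can read the lock screen.
    acct = make_account("nicole", "+15550100", "correct horse", "RC-7731-QQ")
    svc = ResetService([acct])
    def lockscreen_code():  # start a reset and read the code the SMS shows
        token = svc.start_reset("+15550100")
        return token, svc.sms_outbox[-1][1]
    t, code = lockscreen_code()
    weak_takeover = svc.reset_weak(t, code, "attacker-pw")
    t, code = lockscreen_code()
    strong_blocked = svc.reset_strong(t, code, "a guess", "attacker-pw")
    t, code = lockscreen_code()
    owner_ok = svc.reset_strong(t, code, "RC-7731-QQ", "new-pw")
    return weak_takeover, strong_blocked, owner_ok
```

`demo()` returns `(True, False, True)`: the weak flow hands over the account on nothing but the code read off the lock screen, the hardened flow refuses the same person because the recovery code never crosses the screen, and the owner who knows it still gets through. The service also answers identically for numbers that are not enrolled, so the reset form cannot be used to learn which numbers have accounts, and a wrong recovery code consumes the OTP rather than leaving it open to further guesses.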

