You can rake in real moolah by exploiting Facebook, Google, and Microsoft’s 2FA voice service
How would you like to earn mega bucks from big tech companies like Facebook, Google, and Microsoft, simply through the way they use voice calls to deliver 2-factor authentication codes? Sounds fun, right? Belgian security researcher Arne Swinnen found that he could make money off companies like Facebook (through the Instagram service), Google, and Microsoft, using their 2FA voice-based token distribution systems.
Swinnen found that all three biggies offer 2FA (Two-Factor Authentication). To deploy the 2FA, these tech companies send short codes via SMS to their users. Optionally, if the user chooses to, they can instead receive a voice call from the company, during which a robot operator speaks the code out loud. During his research, Swinnen found out that these phone calls are placed to whatever phone number is officially tied to the account in question.
Swinnen found out that he could tie Instagram, Google and Microsoft Office 365 accounts to a premium-rate phone number instead of a regular one. In doing so, whenever the service (Instagram, Google or Microsoft) called Swinnen to communicate the access code, it was actually calling a premium-rate number. The number would register an incoming call and bill these companies. Neat way to swindle the tech cos!
Though he swindled the three biggies only for research, Swinnen argues that potential hackers could make millions by creating premium phone services and fake Instagram, Google or Microsoft accounts, and linking them together. The hacker could then use automated scripts to request 2FA tokens from these services day in, day out and make a heap of profit.
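The two controls that close this hole on the service side are a denylist of premium-rate number ranges for voice delivery and a rate limit on how often a given number or account may trigger a call, so an automated loop cannot turn each call into revenue. The following is an added illustrative example written for this article; it is not code from Swinnen, Facebook, Google or Microsoft. The premium prefixes and the per-window limits are constructed sample values.

```python
"""Defensive gate for voice-call OTP delivery (illustrative example, not any vendor's code).

Two controls that address premium-rate abuse of voice 2FA:
  1. refuse voice delivery to numbers whose prefix is on a premium-rate denylist
  2. cap how many voice calls a single number (and a single account) may trigger
     per time window, so an automated request loop is starved.
"""
import re
from collections import defaultdict, deque

# Constructed sample denylist in E.164 form (country code + national premium range).
# A real deployment would source this from carrier or regulator data, not hard-code it.
PREMIUM_PREFIXES = ("+4490", "+4491", "+3290", "+49900", "+1900")

# Clean E.164: '+', a non-zero leading digit, 7 to 15 digits total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def is_premium_rate(number: str) -> bool:
    """True if the number is on the premium-rate denylist, or is not clean E.164.

    Malformed input is treated as unsafe to dial rather than silently passed through.
    """
    if not E164.match(number):
        return True
    return number.startswith(PREMIUM_PREFIXES)


class VoiceOtpGate:
    """Decides whether a voice-call OTP may be placed for (account, number) right now."""

    def __init__(self, max_calls_per_number=3, max_calls_per_account=5, window_seconds=3600):
        self.max_per_number = max_calls_per_number
        self.max_per_account = max_calls_per_account
        self.window = window_seconds
        # Sliding-window logs of call timestamps, keyed by number and by account.
        self._by_number = defaultdict(deque)
        self._by_account = defaultdict(deque)

    def _count(self, log, now):
        """Drop timestamps older than the window and return how many remain."""
        while log and now - log[0] > self.window:
            log.popleft()
        return len(log)

    def allow(self, account_id, number, now):
        """Return (allowed, reason). 'now' is a timestamp in seconds (injected for testability)."""
        if is_premium_rate(number):
            return (False, "premium-rate or malformed number")
        if self._count(self._by_number[number], now) >= self.max_per_number:
            return (False, "number rate limit")
        if self._count(self._by_account[account_id], now) >= self.max_per_account:
            return (False, "account rate limit")
        # Only record the call once every check has passed.
        self._by_number[number].append(now)
        self._by_account[account_id].append(now)
        return (True, "ok")


if __name__ == "__main__":
    gate = VoiceOtpGate()
    # Constructed sample requests: one premium-rate number, then a burst from a regular one.
    print(gate.allow("acct-1", "+4490123456789", 0.0))
    for t in range(5):
        print(gate.allow("acct-1", "+32470123456", float(t)))
```

The denylist check runs before any counter is touched, so a premium-rate number never consumes quota or generates a call; the per-account limit catches the variant where one fake account rotates through many numbers.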
Swinnen calculated that he could swindle Instagram for $2,287,00 per year, Google for $478,100 per year and Microsoft for $740,400 per year, per premium number. Swinnen has already reported the flaw to Microsoft, Google, and Facebook. Facebook rewarded him with $2,000, Microsoft with $500, and Google mentioned him in its Hall of Fame.
You can read the full PoC on his blog.