Risks of using virtual number services to receive SMS when registering on Internet resources


    Earlier we wrote about how a personal phone number can be obtained by analysing and cross-referencing social resources and accounts.

    The short review below looks at the other side of the coin: the risk of having accounts on Internet resources hijacked when somebody else can also receive the SMS, for example when a free virtual number service is used.

    Introduction


    Users often do not want to give out their personal phone number, and also want to save on buying a number for call forwarding or SMS reception, so they use the free services available on the Internet.

    There are a great many such services; the following were working at the time of writing:

    tempsms.ru
    onlinesim.ru/sms-receive
    5sim.net/free
    getfreesmsnumber.com/#
    receive-a-sms.com
    receive-sms.com
    sms.sellaite.com/index.php#phone_list
    receive-sms-online.com
    receivesmsonline.com
    receivefreesms.com
    smsreceivefree.com
    www.receivesmsonline.net

    The idea behind these services is simple: the user is given a number and a basic web interface that displays, in real time, the SMS messages arriving at that number.



    Numbers from different countries can be chosen. The most popular are the USA, the Russian Federation, the UK and Canada, although lovers of the exotic can take numbers from, for example, the Philippines or Brazil.



    The free numbers can be used without registration and completely anonymously. If the user wants a number that is not displayed to everyone, it has to be paid for. The price depends on the rental period and the country code and varies over a very wide range, from a couple of hundred rubles to $30 and more.

    Clearly, an ordinary user who does not want to expose his own number and receive SMS spam underestimates the security implications and uses free, temporary, publicly accessible services. The usual justification is "it's enough to recover my password by email", "I won't use it anyway", and so on.

    Risks and attack description


    The risk in this situation is obvious: an attacker can read the SMS just like any other visitor to the free-number site. This means that a password recovery can be started on the account's login page, the code is sent to the linked phone number, and access is obtained trivially.

    Once in, the attacker can easily change the email address and phone number and so take over the victim's account completely.



    Since the list of free numbers is refreshed rather rarely, sometimes only once every few months, an attacker can find a lot of quite interesting information accumulated by the victim over that period.
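    The point that the codes are readable by anyone is easy to demonstrate. The following added example (not part of the original article) parses a constructed sample of an inbox listing in the "sender | age | text" layout these sites typically use and pulls out every verification code shown. It is the same triage an attacker does by eye; a service operator could run the same logic against the public inboxes to find its own messages there. The sample messages and the "sender | age | text" layout are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a public inbox page on such a service shows:
# one line per message, "sender | received | text". Not real traffic.
SAMPLE_INBOX = """\
Mamba | 2 min ago | Your Mamba code is 483921
WhatsApp | 5 min ago | Your WhatsApp code: 721-004. Don't share this code with others
+15550199 | 12 min ago | hey are you coming tonight?
Taxi | 20 min ago | Your driver app code is 9031. Never share this code.
Viber | 1 hour ago | Your Viber code: 558142. You can also tap this link to activate your account: viber://a?c=558142
Bank | 2 hours ago | One-time password 0827 for payment 1500 RUB with card *4421
"""


@dataclass(frozen=True)
class HarvestedCode:
    sender: str
    code: str
    text: str


# Verification codes are 4-8 digits, sometimes split with a hyphen ("721-004").
# The lookarounds stop the regex from matching a slice of a longer number.
CODE_RE = re.compile(r"(?<!\d)(\d{3}-\d{3}|\d{4,8})(?!\d)")

# Words that mark a message as an OTP/verification message rather than chat.
OTP_HINTS = ("code", "password", "otp", "verification", "confirm")


def parse_inbox(page_text):
    """Split the 'sender | age | text' listing into (sender, text) pairs."""
    rows = []
    for line in page_text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) == 3 and parts[2]:
            rows.append((parts[0], parts[2]))
    return rows


def harvest_codes(page_text):
    """Return every verification code visible on the public inbox page,
    together with the service that sent it."""
    found = []
    for sender, text in parse_inbox(page_text):
        if not any(hint in text.lower() for hint in OTP_HINTS):
            continue  # ordinary chat message, nothing to harvest
        match = CODE_RE.search(text)
        if match:
            found.append(HarvestedCode(sender, match.group(1).replace("-", ""), text))
    return found


if __name__ == "__main__":
    for item in harvest_codes(SAMPLE_INBOX):
        print(f"{item.sender:10} {item.code:8} {item.text}")
```

    Nothing here is specific to one site: the only site-dependent part is the listing layout handled in parse_inbox. A real page would also carry the number itself, which together with the sender name is everything needed to start the recovery flow described above.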

    Our little analysis


    We tried the mechanism described above to gain access to some accounts.

    We found the following main cases of free SMS services being used in a way that allowed access.

    • Social networks and dating services. Access here is easy enough, especially if the user has not enabled an additional security check. Admittedly, most of the accounts had been used for fraud and were blocked, but some were in genuine use, sometimes even with paid services activated. Users of dating services such as Mamba are especially vulnerable, since these resources simply have no additional security, and the correspondence contains a lot of sensitive information that can easily be used for blackmail.
    • Registration of Viber, WhatsApp, etc. Although it is obvious that once the free number "expires" the user can easily lose access to the account, we found a lot of actively used accounts. The risks are entirely analogous to social networks: all private correspondence, as well as photos, can become an attacker's prey.
    • Various Internet services. Very often a login and password were sent to the number, so access was obtained without any problems. We did not set out to break records for the amount of money found on the services, and we did not spend a single kopeck, but there was money on the accounts.
    • Fraud. Taxi drivers stood out here: the overwhelming majority of taxi accounts obtained through free virtual numbers and checked by us belonged to drivers, not passengers. This seemed logical to us: a passenger hardly wants the driver to be unable to reach him, whereas a driver very often calls from another number "because the phone died", etc. Such schemes allow the rating to be reset, several cars to be used, and so on.

      We also noted a lot of SMS related to obtaining credit cards, loans, etc.
    • Registration of insurance policies, loyalty program cards, etc.

    Conclusions


    Apparently, users are insufficiently aware of how critical it is to use free virtual numbers when registering accounts and other services. It can somehow be explained when the number is used only to test such a registration (although even testing may be inconvenient, since anyone can "steal" the account obtained this way and interrupt the work), but it cannot be justified in any way when such a registration will subsequently be used seriously.

    Curiously, although many services check whether a number belongs to a VoIP provider (for example, registration with numbers associated with Google Voice / Hangouts is not possible), we are not aware of any check for binding to free virtual numbers, although such a check could easily be done, for example by simply calling the number.

    This applies not only to social networks but also to banking and credit organisations: of course, they use other verification methods too, but as far as free SMS services are concerned there is a complete gap.
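    One straightforward form of the missing check is a denylist: the services listed above publish their numbers openly, so a resource can collect those lists and refuse to bind, or send a recovery code to, any number on them. The following added example (not part of the original article, and not any service's real implementation) shows the shape of that check: a normaliser that brings numbers typed in Russian, US or UK national format to E.164, and a gate for the OTP flow. The denylist contents are a constructed sample, and the normalisation rules are an assumption covering only those three countries; a production version would rebuild the set from the public lists regularly and use a full phone-number library for normalisation.

```python
import re

# Constructed sample of numbers a free SMS-receiving service lists publicly.
# In production this set is rebuilt regularly from the services' public pages.
PUBLIC_SMS_NUMBERS = {
    "+79990000001",   # shown as "8 (999) 000-00-01" on a Russian-language site
    "+12025550143",   # shown as "(202) 555-0143" on a US site
    "+447700900123",  # shown as "07700 900123" on a UK site
}


def normalize_e164(raw, default_country="RU"):
    """Reduce a number as typed by a user to E.164 so it can be compared
    against the denylist. Assumption: only RU, US and GB national formats
    are handled; any other number must already carry a '+' country code."""
    cleaned = re.sub(r"[^\d+]", "", raw)
    if cleaned.startswith("+"):
        return "+" + re.sub(r"\D", "", cleaned)
    digits = re.sub(r"\D", "", cleaned)
    if default_country == "RU":
        if len(digits) == 11 and digits[0] in "78":   # 8 9xx ... or 7 9xx ...
            return "+7" + digits[1:]
        if len(digits) == 10:                         # 9xx ... without prefix
            return "+7" + digits
    elif default_country == "US":
        if len(digits) == 11 and digits[0] == "1":
            return "+" + digits
        if len(digits) == 10:
            return "+1" + digits
    elif default_country == "GB":
        if len(digits) == 11 and digits[0] == "0":    # 07xxx trunk prefix
            return "+44" + digits[1:]
    raise ValueError(f"cannot normalize {raw!r} for country {default_country}")


def is_public_sms_number(raw, default_country="RU", denylist=PUBLIC_SMS_NUMBERS):
    """True if the number is one anybody on the Internet can read SMS for."""
    return normalize_e164(raw, default_country) in denylist


def allow_sms_otp(raw, default_country="RU"):
    """Gate for registration and password-recovery flows: refuse to bind
    a public SMS-receiving number or send a one-time code to it.
    Returns (allowed, reason)."""
    try:
        if is_public_sms_number(raw, default_country):
            return (False, "number is listed on a public SMS-receiving service")
    except ValueError as exc:
        return (False, str(exc))
    return (True, "ok")


if __name__ == "__main__":
    for number, country in [("8 (999) 000-00-01", "RU"), ("+7 999 000 00 02", "RU"),
                            ("(202) 555-0143", "US"), ("07700 900123", "GB")]:
        print(number, "->", allow_sms_otp(number, country))
```

    The check is cheap and fails closed: a number the normaliser cannot interpret is refused rather than silently passed. It does not replace the other signals a service already uses (VoIP range lookups, the call-back the text above suggests), but it closes exactly the gap the article points at, since the attacker's whole advantage is that these numbers are published.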

