Phone Call-based Authentication is vulnerable to Call Forwarding Exploit.
According to recent research, two-step verification raises serious security concerns, especially in its phone call-based form.
The results point to a serious exploit. “Your calls may be forwarded at any time without your knowledge.”
Recent technology developments have resulted in the merging of the legacy SS7 telephone network and the Internet in a bid to cut down the expenses incurred by mobile operators.
These hybrid products have been adopted industry-wide. However, the lack of access control in the legacy network protocols, which are now exposed to attacks via the Internet, may come at a price.
According to the tests performed, more than 60% of randomly selected mobile operators are prone to unauthorised call forwarding. An attacker can easily get all the information needed, such as a customer's SIM card IMSI,
to authorize himself on the network and send a specially crafted packet activating the call forwarding service with a destination number of his choice.
In practice, an attacker with the knowledge of the customer's valid phone number can easily click on the “Forgot Password” button and wait for the password reset call confirmation PIN.
- It's as simple as that, according to Stefan Ćertić, Chief Technologies Officer of CS Networks.
In a recent research paper, The Future of Mobile Security, Stefan describes (M)Secure, a next-generation two-step authentication product relying on a patent-pending
call forwarding indication technology. “The goal is to prevent bad guys from stealing your sensitive data by disabling a call to an active call forwarding subscriber.”
Company executives are inviting all interested service providers to a quick demonstration of the security exploit.
“All interested companies are more than welcome to apply for a live demonstration of the forwarding exploit. The (M)Secure technology has already found its way to a
large number of banking and financial institutions after a successful presentation at the Mobile World Congress as recent hacks of major industry players have shown that
traditional authentication methods are no longer enough”.