How to scam $750,000 out of Microsoft Office: Two-factor auth calls to premium-rate numbers

Gaming two-factor authentication systems with premium rate phone numbers can be very profitable – or it was until the flaws got reported. Belgian security researcher Arne Swinnen noticed that the authentication systems used by Facebook-owned Instagram, Google and Microsoft allow access tokens to be received by a voice call as …


Totally irresponsible disclosure

- the researcher should have extended the test period to be sure of the findings, and involved others to independently verify.

Apparently Microsoft agrees it wasn't important, based on the size of their bounty, so no need to rush to tell them.


Re: Totally irresponsible disclosure

According to his notes, he started submitting the vulnerabilities to vendors in September 2015. Others in February this year. He also pinged them repeatedly until they *really* understood how much moola was extractable even after their original sets of responses. He waited until all these had been addressed before publishing his notes.

He was totally being responsible. 10 months of notification time, multiple communications. And you won't even take the time to read about it to understand that much?


Re: Totally irresponsible disclosure

FYI Notas, I believe tfewster was being ironic, hence the up votes...


Re: Totally irresponsible disclosure

Sad when Micro$oft made google look miserly...


Re: Microsoft agrees it wasn't important, based on the size of their bounty

Too angry about M$ douchebaggery to get to the quote from Google at the bottom of the article?

"the panel decided not to reward this report financially .... It qualified for the credit though – you'll appear in a Google Hall of Fame"


Re: Microsoft agrees it wasn't important, based on the size of their bounty

"– you'll appear in a Google Hall of Fame"

ooohh.. Hall of Fame? Wow. That and $3 will get me a starbucks coffee, premium stuff that.


FFS

Is it really so hard to validate the format of a phone number? Most countries are fairly well organised and have a common prefix or number range for certain types of phone number. It should be no more than a hight school project to set up suitable regular expressions to filter out obvious crap like this.

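The check the comment above is asking for, as an added example that is not part of the article or any commenter's code: normalise a destination number to country code plus national number, then refuse to place a 2FA voice call to prefixes that are premium rate. The prefix table is constructed and deliberately tiny (UK 09xx, as in the 0901 number quoted later in the thread, and NANP 1-900); the default country code and the fail-closed handling of unlisted countries are assumptions of this example, and a real deployment would use a maintained numbering-plan database rather than this table.

```python
import re
from typing import Optional, Tuple

# Constructed deny-list: country code -> national prefixes that are premium rate.
# Only entries the author is certain of; extend from an authoritative numbering plan.
PREMIUM_RATE_PREFIXES = {
    "44": ("9",),    # UK: national numbers beginning 09 are premium rate (e.g. 0901 ...)
    "1": ("900",),   # NANP: 1-900 numbers are premium rate
}

def normalise_e164(raw: str, default_cc: str = "44") -> Optional[str]:
    """Strip punctuation and return 'countrycode+nationalnumber' digits, or None if malformed."""
    digits = re.sub(r"[\s().-]", "", raw)
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):          # international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):           # national trunk prefix: assume the default country
        digits = default_cc + digits[1:]
    else:
        return None
    # E.164 allows at most 15 digits; 8 is an assumed lower bound for sanity only
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return digits

def split_country(e164: str) -> Tuple[Optional[str], str]:
    """Split off a known country code (longest match first); None if the country is not in the table."""
    for cc in sorted(PREMIUM_RATE_PREFIXES, key=len, reverse=True):
        if e164.startswith(cc):
            return cc, e164[len(cc):]
    return None, e164

def is_allowed_2fa_destination(raw: str, default_cc: str = "44") -> Tuple[bool, str]:
    """Decide whether a 2FA voice call may be placed to this number; returns (allowed, reason)."""
    e164 = normalise_e164(raw, default_cc)
    if e164 is None:
        return False, "malformed"
    cc, national = split_country(e164)
    if cc is None:
        # Policy choice for this example: fail closed when we cannot classify the country.
        return False, "country not in allow-list"
    for prefix in PREMIUM_RATE_PREFIXES[cc]:
        if national.startswith(prefix):
            return False, f"premium-rate prefix +{cc} {prefix}"
    return True, "ok"

if __name__ == "__main__":
    for number in ("0901 345345", "01752 123456", "+1 (900) 555-0100", "+1 202 555 0100"):
        print(number, "->", is_allowed_2fa_destination(number))
```

This blocks only the obvious premium-rate ranges; rate limiting per account and per destination number remains necessary because numbering plans change and some revenue-share ranges do not sit under a dedicated prefix.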
Anonymous Coward

Re: FFS

Agreed. I too have never once had a bug in any of my code.


@Pomgolian: Re: FFS

Pomgolian,

you would have thought that, I did.

Many phone numbers in our bit of Devon are one digit shorter than most; it is not at all unusual for web forms etc. to insist that our number is wrong, which I respond to by adding in a digit so that they can't contact us...

Ironically when we moved in, there was a problem with [BT] moving our account across and switching the necessaries on re broadband.

The most helpful person at BT insisted that:

- The number was wrong, I pointed out that BT allocated it to us

- It couldn't be working because it was wrong [see above], I pointed out that I was using the number to call her...

- An engineer visit [£] would be needed to assess it as there had never been broadband; my retort was the house is about 500 years old (presumably hasn't moved more than a few inches over the period), and the lovely chap we bought the house from had broadband from BT

A few hours later our broadband was working.

Funny old world innit???


Re: FFS

What about obvious crap such as misspellings or did you actually matriculate to a "hight school"?

Muphry strikes again!


Re: @Pomgolian: FFS

"Many phone numbers in our bit of Devon are one number shorter than many"

Many areas have five and six digit subscriber numbers. For the full horror of our (UK) number plan, may I direct sir to http://www.area-codes.org.uk/formatting.php and yes I do implement that lot on every PBX I install.

Why on earth we can't have something like the boring old, very simple and generally logical NANP (i.e. left pond) I don't know. FFS, look at our "geographic" dial codes. Remember how many number changes London has had since the 80s? Remember how we all got to add an extra 1 (Plymouth 0752 -> 01752)? We've had so much change and we still have a wanky plan. Oh, and VoIP renders the concept of local moot anyway.

Greetings from next door in Somerset.


Re: FFS

"Is it really so hard to validate the format of a phone number?"

Yes, and email address validation is equally as hard.

Solve them both and you're onto a winner.


Re: FFS

Email address validation hard? Nah, just needs a two page regex.

http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html


Re: @Pomgolian: FFS

Has anyone done the 'I would expect extra digits in Cornwall' gag yet?


@gerdesj: Re: @Pomgolian: FFS

Gerdesj,

Thanks for that, I will eyeball it once I have consumed enough coffee!

We do live in a jolly nice bit of the country eh?

Have one on me.

Cheers.

Jay.

Anonymous Coward

Re: @gerdesj number changes

Ha, that change was easy.

Should have tried London numbers:

01 -> 071 / 081 -> 0171 / 0181 -> 020

I worked at phone company for the first two but left when the third came around!


In my (Douglas-Adams-inspired) dreams, this could be used to try to bankrupt the buggers.


allthecoolshortnamesweretaken, I have the same dream too.

A while ago I realised that Virgin Media (UK) foolishly published 'issues' with their TV, phone or internet services by postcode. I generally dislike the company and went on a bit of a personal mission.

I checked the 'issues' page daily and enjoyed several months of bill-free service just because I couldn't access "Prisoner Cell Block H on Channel 984" for 10 minutes (and other nebulous reasons).

I just hope they never built up my social profile based on my "complaints"!


Didn't Ford Prefect do that by phoning up the time service from Alpha Centauri or somewhere like that?


What a pittance he received. When he was offered the $500 he should have said, er, thank you, then spent the rest of the day profiting from the scam until they fixed it!


Haha

That's genius.


bug bounty?

"The company gave Swinnen a $500 bug bounty"

OK, right. The next bug I find in your crap software, I just will not bother to tell you.

Anonymous Coward

Re: bug bounty?

So you'd invest the time and effort for the satisfaction of knowing?


Dammit...

... why didn't I think of that? In hindsight it seems so obvious.

Good luck to Arne. He may have only received a pittance, but if it's any consolation: I'll buy him a pint when I meet him.


Which also shows what a sewer the premium rate phone industry is. As far as I can see, it exists only to defraud people.

Anonymous Coward

@Joe 37

"... it exists only to defraud people."

Correct!!! ....... and the man wins a Kewpie Doll.

:) :)


Correct!!! ....... and the man wins a Kewpie Doll.

Call 0901 345345 to claim your prize! (*)

* Calls cost £3.50 per minute. Minimum call time five minutes.


Is it only me that thinks some of this article reads like he actually ran this scam for a while before reporting it, you know, to "test it"?

Biting the hand that feeds IT © 1998–2017