back to article How to scam $750,000 out of Microsoft Office: Two-factor auth calls to premium-rate numbers

Gaming two-factor authentication systems with premium rate phone numbers can be very profitable – or it was until the flaws got reported. Belgian security researcher Arne Swinnen noticed that the authentication systems used by Facebook-owned Instagram, Google and Microsoft allow access tokens to be received by a voice call as …

  1. tfewster Silver badge
    Facepalm

    Totally irresponsible disclosure

    - the researcher should have extended the test period to be sure of the findings, and involved others to independently verify.

    Apparently Microsoft agrees it wasn't important, based on the size of their bounty, so no need to rush to tell them.

    1. Notas Badoff

      Re: Totally irresponsible disclosure

      According to his notes, he started submitting the vulnerabilities to vendors in September 2015. Others in February this year. He also pinged them repeatedly until they *really* understood how much moola was extractable even after their original sets of responses. He waited until all these had been addressed before publishing his notes.

      He was totally being responsible. 10 months of notification time, multiple communications. And you won't even take the time to read about it to understand that much?

      1. Roland6 Silver badge

        Re: Totally irresponsible disclosure

        FYI Notas, I believe tfewster was being ironic, hence the up votes...

    2. NotBob

      Re: Totally irresponsible disclosure

      Sad when Micro$oft made google look miserly...

    3. sabroni Silver badge

      Re: Microsoft agrees it wasn't important, based on the size of their bounty

      Too angry about M$ douchebaggery to get to the quote from Google at the bottom of the article?

      "the panel decided not to reward this report financially .... It qualified for the credit though – you'll appear in a Google Hall of Fame"

      1. Bob Dole (tm)

        Re: Microsoft agrees it wasn't important, based on the size of their bounty

        "– you'll appear in a Google Hall of Fame"

        ooohh.. Hall of Fame? Wow. That and $3 will get me a starbucks coffee, premium stuff that.

  2. Pomgolian
    FAIL

    FFS

    Is it really so hard to validate the format of a phone number? Most countries are fairly well organised and have a common prefix or number range for certain types of phone number. It should be no more than a hight school project to set up suitable regular expressions to filter out obvious crap like this.

    1. Anonymous Coward
      Anonymous Coward

      Re: FFS

      Agreed. I too have never once had a bug in any of my code.

    2. fruitoftheloon
      Happy

      @Pomgolian: Re: FFS

      Pomgolian,

      you would have thought that, I did.

      Many phone numbers in our bit of Devon are one number shorter than many, it is not at all unusual for web forms etc to insist that our number is wrong, which I respond to by adding in a digit so that they can't contact us...

      Ironically when we moved in, there was a problem with [BT] moving our account across and switching the necessaries on re broadband.

      The most helpful person at BT insisted that:

      - The number was wrong, I pointed out that BT allocated it to us

      - It couldn't be working because it was wrong [see above], I pointed out that I was using the number to call her...

      - An engineer visit [£] would be needed to asess it as there had never been broadband, my retort was the house is about 500 years old (presumably hasn't moved more than a few inches over the period), and the lovely chap we bought the house from had broadband from BT

      A few hours later our broadband was working.

      Funny old world innit???

      1. gerdesj Silver badge
        Childcatcher

        Re: @Pomgolian: FFS

        "Many phone numbers in our bit of Devon are one number shorter than many"

        Many areas have five and six digit subscriber numbers. For the full horror of our (UK) number plan, may I direct sir to http://www.area-codes.org.uk/formatting.php and yes I do implement that lot on every PBX I install.

        Why on earth we can't have something like the boring old, very simple and generally logical NANP (ie left pond) I don't know. FFS, look at our "geographic" dial codes. Remember how many number changes London has had since the 80s? Remember how we all got to add an extra 1 (Plymouth 0752 -> 01752) ? We've had so much change and we still have a wanky plan. Oh and VoIP renders the concept of local moot anyway.

        Greetings from next door in Somerset.

        1. Case

          Re: @Pomgolian: FFS

          Has anyone done the 'I would expect extra digits in Cornwall' gag yet?

        2. fruitoftheloon
          Pint

          @gerdesj: Re: @Pomgolian: FFS

          Gerdesj,

          Thanks for that, I will eyeball it once I have consumed enough coffee!

          We do live in a jolly nice bit of the country eh?

          Have one on me.

          Cheers.

          Jay.

        3. Anonymous Coward
          Anonymous Coward

          Re: @gerdesj number changes

          Ha, that change was easy.

          Should have tried London numbers:

          01 -> 071 / 081 -> 0171 / 0181 -> 020

          I worked at phone company for the first two but left when the third came around!

    3. O RLY
      Headmaster

      Re: FFS

      What about obvious crap such as misspellings or did you actually matriculate to a "hight school"?

      Muphry strikes again!

    4. Borg.King
      Go

      Re: FFS

      "Is it really so hard to validate the format of a phone number?"

      Yes, and email address validation is equally as hard.

      Solve them both and you're onto a winner.

      1. Julian Bradfield

        Re: FFS

        Email address validation hard? Nah, just needs a two page regex.

        http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html

  3. allthecoolshortnamesweretaken

    In my (Douglas-Adams-inspired) dreams, this could be used to try to bancrupt the buggers.

    1. rlswilliams

      allthecoolshortnamesweretaken, I have the same dream too.

      A while ago I realised that Virgin Media (UK) foolishly published 'issues' with their TV, phone or internet services by postcode. I generally dislike the company and went on a bit of a personal mission.

      I checked the 'issues' page daily and enjoyed several months of bill-free service just because I couldn't access "Prisoner Cell Block H on Channel 984" for 10 minutes (and other nebulous reasons).

      I just hope they never built up my social profile based on my "complaints"!

    2. el_oscuro

      Didn't Ford Prefect do that by phoning up the time service from Alpha Centauri or somewhere like that?

  4. therebel

    What a pittance he received. When he was offered the $500 he should have said er thank you then spent the rest of the day profiting from the scam until they fixed it!

  5. Anonymous C0ward
    Thumb Up

    Haha

    That's genius.

  6. YetAnotherJoeBlow
    WTF?

    bug bounty?

    "The company gave Swinnen a $500 bug bounty"

    OK, right. The next bug I find in your crap software, I just will not bother to tell you.

    1. Anonymous Coward
      Anonymous Coward

      Re: bug bounty?

      So you'd invest the time and effort for the satisfaction of knowing?

  7. Tabor

    Dammit...

    ... why didn't I think of that ? In hindsight it seems so obvious.

    Good luck to Arne. He may have only received a pittance, but if it's any consolation : I'll buy him a pint when I meet him.

  8. Joe 37

    Which also shows what a sewer the premium rate phone industry is. As far as I can see, it exists only to defraud people.

    1. Anonymous Coward
      Anonymous Coward

      @Joe 37

      "... it exists only to defraud people."

      Correct!!! ....... and the man wins a Kewpie Doll.

      :) :)

      1. Real Ale is Best

        Correct!!! ....... and the man wins a Kewpie Doll.

        Call 0901 345345 to claim your prize! (*)

        * Calls cost £3.50 per minute. Minimum call time five minutes.

  9. Chris 239

    Is it only me that thinks some of this article reads like he actualy ran this scam for a while before reporting it, you know to "test it"?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019