No need for malware or loopholes … Experts have successfully hacked popular web accounts protected by a two-factor authentication system with just a recycled phone number.
Taking over an account despite two-factor authentication via a code received by SMS is not as complicated as it seems, but it is still quite vicious. This is what a new study conducted by researchers at Princeton University in the United States shows. There is no need to find any loophole; a simple phone number is enough. But be careful: for this to work, the owner of the account must have changed phone numbers, and the attacker must be able to obtain the old one.
The whole scam relies on how operators manage old telephone numbers. Rather than deleting an old number, they reassign it to a new subscriber in order to slow the creation of new numbers and avoid running out of them (06 and now 07 numbers, in the French case). However, according to the researchers, when someone abandons a telephone number, it often remains linked, through inattention, to the two-factor protection system. The authors of the study found that out of 259 telephone numbers available to new subscribers at two large American operators, 171 were still linked to existing accounts on popular websites. But with this information, how can the new owner of the number hack the account?
To succeed: luck combined with a lot of malice
To find out, here is the unlikely scenario that could lead to an account being hacked. The most important thing is to be particularly malicious. Then, you have to take out a new telephone line whose number is recycled. The next step is to use a search engine to find the name of the former owner of this number and possibly his e-mail addresses, which serve as identifiers. And it is not that complicated: the study shows that, in its sample, 100 of the recycled telephone numbers made it possible to find the information needed for the first login step.
Finally, the key to the account arrives by itself via a message on the mobile, since the former owner no longer has the phone number. That's pretty vicious to be sure, but, according to the researchers, just receiving login notifications on a new phone number could lead some people to engage in this hacking method. Credible threat or not, before changing numbers, it is better to think about updating the SMS two-factor authentication settings on all of your accounts.