Could your mobile voicemail system help hackers unlock your online accounts?

Graham Cluley,

In 1993, Peter Steiner submitted a pen-and-ink cartoon to The New Yorker magazine, featuring two dogs at a desk.  One of them is sitting in front of a computer screen and says to the other:

"On the Internet, nobody knows you're a dog"

Steiner and The New Yorker probably didn't realise at the time just how true that was, and what a challenge the issue would become as more and more critical information was stored on the net, and people began to use online services for banking and financial transactions.

Clearly anyone can claim to be whoever they like on the internet, but to authenticate identities properly more is going to be required than a simple claim of "Yes, I'm Rex's owner".

So, the first thing that happened was that people were told to choose passwords.

Unfortunately human beings are monumentally bad at choosing (and remembering) passwords.

People typically use static, non-changing usernames and passwords.  These can be simple for attackers to grab through low-tech phishing attacks and basic keylogging spyware, or users may be simply careless with them.

And, things are getting ever more complicated for users struggling to juggle multiple passwords for multiple online services (whether work-related or personal) on multiple devices - work desktop, home, mobile tablet, etc etc.  It's enough to give anyone a headache.

And every day new apps and services are coming out - and users are keen to try them out, signing up for them, only perhaps to dump them a few days later.

Online life is becoming complicated, and it's no wonder that it's estimated that something like 80% of all hacking breaches are the result of people using simple passwords that are easy to crack or guess.

Multi-factor authentication is the answer to the password problem, as it demands two or more of the following:

  • something you have (maybe a card, a phone, a key fob)
  • something you know (a PIN or a password)
  • something you are (a biometric, such as your fingerprint)

It's good that high profile services like Google, Facebook, LinkedIn and others have followed the example set by more mature industries like the banking sector by introducing multifactor authentication solutions.  But that's not to say that they have necessarily considered all the possible opportunities for attack.

For instance, this weekend the Sydney Morning Herald reported how mobile phone users in Australia who have 2FA securing their Google, Yahoo, Facebook and LinkedIn profiles could have had their accounts compromised.

The reason?  The way those websites could leave 2FA codes as a message on mobile voicemail systems.

Sydney-based security researcher Shubham Shah discovered that voicemail could be such a weak point in the chain that it could allow an attacker to waltz around 2FA protection.

To effect an attack, Shah showed that all an attacker would need was the following:

  • The victim's username/email & password. (Perhaps grabbed through a targeted phishing attack, or if the user had failed to follow best password security practices in the past)
  • The mobile number which the victim had attached to the 2FA service. (Often information which is easily available)
  • A mobile number spoofing service. (A way of displaying a different number - calling line identification (CLI) - from the one you are really calling on, and available via the net at little cost)
  • The mobile network's voicemail number for remote access. (a mere Google search away)

Shah explains how the attack would then work:

The first stage of the exploit:

  • The attacker logs into the victim's account on a 2FA-enabled web application
  • The attacker engages a call with the victim's phone number (only 20-30 seconds needed)
  • Immediately after this, the attacker chooses the alternative 2FA option to send the 2FA code via Phone Call
  • As the victim is engaged in the call by the attacker, the 2FA phone calling service will send the 2FA code to the victim's voicemail, immediately.

So, we're now at a point where the victim's voicemail contains the 2FA code required to gain access to the website or online service.

All the attacker needs to do is access the victim's voicemail by using the spoofing service to pretend he is calling from the victim's own phone.  As Shubham Shah showed, more than 9.59 million Australian Optus mobile subscribers were at risk because their voicemail systems did not demand that a PIN be entered to access voicemail from a user's "own" phone number.

Last month, The Register found a similar problem with two UK mobile phone networks, after they programmed a VOIP system to pretend to be the mobile number of the voicemail account it wanted to hack.

In short, if your mobile phone operator hasn't properly protected your voicemail system, any online service which is prepared to leave a voicemail containing your 2FA code could be putting your accounts at risk.

Fortunately, there are some easy solutions for this which still manage to find the right compromise between security, cost and ease-of-use.

Firstly, mobile phone operators need to beef up voicemail security.  Ideally they would not just rely on the CLI to identify who was attempting to access the voicemail account, but could also demand a PIN that the user had already set up.

Secondly, why were websites like Facebook and Google leaving voicemails containing 2FA codes in the first place?  If the code had never been left there then there would be no opportunity for the hacker to recover it for abuse. Recognising that being able to receive your 2FA code via a phone call might be very helpful to some (see the "ease-of-use" criterion above), the requirement is to find a way to deliver that call without risking leaving the information in a voicemail.

The answer is for the automated phone call to not read out the 2FA code *unless* there has been some user interaction on the call.  For instance, asking the user to press number "x" to be told their authentication code. Their voicemail greeting won't interact with the call, and so no compromising message will be left.
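The gated call flow described above can be sketched as follows. This is an added illustration, not code from any of the services mentioned; the function names, the retry limit and the choice of a random digit per call are assumptions, and the sample code value is constructed.

```python
import secrets

MAX_PROMPTS = 3  # assumed retry limit before the service hangs up


def new_challenge_digit():
    """Pick the digit the callee must press; random per call (assumption)."""
    return str(secrets.randbelow(10))


def run_voice_otp_call(otp, challenge_digit, keypresses):
    """Simulate one automated 2FA phone call.

    keypresses holds, for each prompt, the DTMF digit heard after it, or
    None for silence (all a voicemail box recording the call produces).
    Returns (spoken, delivered): every line the service said, which is
    what a voicemail box would capture, and whether the code was read.
    """
    spoken = []
    for attempt in range(MAX_PROMPTS):
        spoken.append(f"To hear your verification code, press {challenge_digit}.")
        pressed = keypresses[attempt] if attempt < len(keypresses) else None
        if pressed == challenge_digit:
            # Only a live listener who pressed the right key gets the code.
            spoken.append("Your verification code is " + " ".join(otp) + ".")
            return spoken, True
    # Silence or wrong keys throughout: end the call without the code.
    spoken.append("No valid response received. Goodbye.")
    return spoken, False


def code_in_recording(otp, spoken):
    """True if the code appears anywhere in what was said on the call."""
    return " ".join(otp) in " ".join(spoken)


if __name__ == "__main__":
    otp = "482913"  # constructed sample code
    # Call diverted to voicemail: no keypress is ever received.
    said, ok = run_voice_otp_call(otp, "7", [None, None, None])
    print("voicemail:", ok, code_in_recording(otp, said))
    # Live user: one wrong key, then the requested one.
    said, ok = run_voice_otp_call(otp, "7", ["3", "7"])
    print("live user:", ok, code_in_recording(otp, said))
```
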

There is one final solution.  And that is to do away with authentication systems which rely on phone calls and SMS messages, and rely upon alternative methods of authentication instead.

Should you wish to read more about Shubham Shah's discovery, and the response of different online services to news of the problem, read his blog post.

If all this is sounding very complicated, you may wish to investigate cloud-based authentication solutions which can authenticate your data and secure your content, working with multiple services, regardless of the methods of login, and will never offer to leave you a voicemail containing a secret PIN.

Graham Cluley is an award-winning security blogger, researcher and public speaker.  He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's.  He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. 

Graham Cluley was