
Possible Yota fraud scenario

Today, without knowing it, I pulled off a petty financial fraud and ended up in a not very pleasant situation. But first things first.

Setup


You will need:

- An account on yota.ru (i.e. you have used their services before and have a device of your own)
- The security key of someone else's Yota wireless network, the one you are currently connected to

Steps


While on the foreign network, go to the login page. If you have not logged in before, the “Username” field already contains the email of the person whose account the nearby device is linked to (in my case it was a Gemtek LTE modem). At first I attached no importance to this, but the fact is that, as far as I remember, I always turn off autocomplete and password remembering in my browsers. So the address is "provided" by the current device. Usability!

Log in with your own credentials, and the current device is immediately bound to your account. Open the "Yota 4G" tab: the list has grown, our new device is in it, and we can manage it to the same extent as its previous owner could. In particular, we can change the terms of Internet access from this device (the tariff).
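To make the design flaw concrete, here is an added toy model of the binding logic, written for this page and not Yota's own code. It places the behaviour described above (any login from inside a device's network rebinds that device to the account that logged in, and the form reveals the current owner's email) next to a stricter policy that never transfers a device on network origin alone, and replays the sequence above including the tariff change the post goes on to describe. The `Portal` class, the account emails, the serial `MODEM-1`, the tariff values and the explicit `release` step are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    """A subscriber modem (assumed identifier: a serial) and the account it is bound to."""
    serial: str
    owner: Optional[str] = None
    tariff_mbps: int = 10


@dataclass
class Portal:
    """Toy self-service portal; an assumption for illustration, not the operator's system."""
    accounts: dict                              # email -> password (plaintext only because this is a toy)
    devices: dict = field(default_factory=dict)  # serial -> Device

    def _authenticate(self, email: str, password: str) -> None:
        if self.accounts.get(email) != password:
            raise PermissionError("bad credentials")

    # --- the behaviour the post describes ---------------------------------
    def prefill_lax(self, origin_serial: str) -> Optional[str]:
        """The login form shows the current owner's email to anyone on the device's network."""
        return self.devices[origin_serial].owner

    def login_lax(self, email: str, password: str, origin_serial: str) -> str:
        """Any successful login from inside a device's network rebinds that device."""
        self._authenticate(email, password)
        dev = self.devices[origin_serial]
        dev.owner = email
        return dev.owner

    # --- a stricter policy ------------------------------------------------
    def prefill_strict(self, origin_serial: str) -> Optional[str]:
        """Never reveal who owns the device; the username field stays empty."""
        return None

    def login_strict(self, email: str, password: str, origin_serial: str) -> str:
        """Network origin alone never transfers a device: it is bound only if it is
        unowned (e.g. explicitly released by its owner) or already the caller's."""
        self._authenticate(email, password)
        dev = self.devices[origin_serial]
        if dev.owner in (None, email):
            dev.owner = email
            return "bound"
        return "refused: device is bound to another account"

    def release(self, email: str, password: str, serial: str) -> None:
        """The owner explicitly unbinds a device from their own session."""
        self._authenticate(email, password)
        if self.devices[serial].owner != email:
            raise PermissionError("not the owner")
        self.devices[serial].owner = None

    def set_tariff(self, email: str, password: str, serial: str, mbps: int) -> None:
        """Tariff changes are allowed only for the account the device is bound to."""
        self._authenticate(email, password)
        if self.devices[serial].owner != email:
            raise PermissionError("not the owner")
        self.devices[serial].tariff_mbps = mbps


def make_office() -> Portal:
    """Constructed sample data: an office modem bound to its rightful owner, plus a visitor account."""
    p = Portal(accounts={"owner@example.com": "owner-pw", "visitor@example.com": "visitor-pw"})
    p.devices["MODEM-1"] = Device(serial="MODEM-1", owner="owner@example.com", tariff_mbps=10)
    return p


def run_scenario(strict: bool) -> dict:
    """Replays the post's sequence under one policy: a visitor on the office network
    opens the login form, logs in with their own account, then sets the tariff to 0."""
    p = make_office()
    if strict:
        prefill = p.prefill_strict("MODEM-1")
        outcome = p.login_strict("visitor@example.com", "visitor-pw", "MODEM-1")
    else:
        prefill = p.prefill_lax("MODEM-1")
        outcome = p.login_lax("visitor@example.com", "visitor-pw", "MODEM-1")
    try:
        p.set_tariff("visitor@example.com", "visitor-pw", "MODEM-1", 0)
        tariff_changed = True
    except PermissionError:
        tariff_changed = False
    dev = p.devices["MODEM-1"]
    return {"prefill": prefill, "outcome": outcome, "owner": dev.owner,
            "tariff_changed": tariff_changed, "tariff_mbps": dev.tariff_mbps}


if __name__ == "__main__":
    print("lax:   ", run_scenario(strict=False))
    print("strict:", run_scenario(strict=True))
```

Under the lax policy the visitor ends up owning the modem and can zero its tariff; under the strict one the login succeeds but the device stays with its owner and the tariff call is refused, while a legitimate handover still works through `release` followed by `login_strict`.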

Possible consequences and profit


Not knowing about any of this and being in someone else's office, I needed to switch the tariff on my device to the free super-slow Internet with daily billing, i.e. essentially disable it. I moved the tariff slider to 0, confirmed the operation without reading the details, and the Internet in the office I was visiting disappeared. All users were redirected to the Yota page asking them to bind the device or create an account.

Now the most interesting part. While I was talking to Yota tech support and taking in the technical details, which they had long been aware of, I received an SMS notification that funds had been credited to my account. One of the impatient and uninformed employees had topped up my account with his bank card!

Unfortunately, the most interesting question remains a mystery to me: I never got to reconstruct the steps the employee went through and understand how such an operation was technically possible (I had to eliminate the consequences of my actions quickly, and there was no time to investigate).

A message from ChronoPay also arrived at my email address with the details of the transaction above: the cardholder's name, the partially masked card number, and a client number (in the ChronoPay system?). So it goes.

Conclusion


The experimental Gemtek LTE was bound back to its rightful owner's account.
The affected company's losses were settled offline.

However, I cannot say there were no casualties: my cash now exists as a balance on my Yota account, and I still have to pay for the cat's vaccinations.

I hope Yota will pay attention to this little incident.

Source: https://habr.com/ru/post/193996/
