
Tele2 vulnerability: Telegram and Qiwi wallet users are in danger



Not so long ago, I came across an unpleasant feature of the Tele2 operator that makes it possible to steal Telegram message history, gain access to a Qiwi wallet, and so on. I should note up front that the method has several preconditions and may not work against a particular person, but the danger is nevertheless real.

Any operator can restore a SIM card in the office when the owner presents a passport. However, Tele2 representatives accommodate their customers and allow the restoration to be performed without a passport. You just need to give the owner's full name and passport details, and a duplicate SIM card is in your pocket. Now the situation has become a bit more complicated (you need to go in person to the operator's representative), but before that you could simply buy a "blank" SIM card and have the number switched to this blank by calling customer service. In general, though, the situation has not changed - the owner is not needed for the restoration, only his data is.

In this way, you can "hijack" the phone number of a complete stranger just by knowing his passport information, which is not a problem to get. For example, many have heard about the recent leak at the registrar R01.RU, and the registrar keeps all passport data (including passport scans) and telephone numbers of its customers. Do not forget either about the databases that are sold in the subway or circulate on the Internet. That is, we take any Tele2 phone number from such a database, take the passport data and go to restore the SIM card. The original SIM card will be blocked at that point, but by the time the owner notices and figures out what is happening, all the necessary data can be quickly copied off.
This "vulnerability" affects all services that use a phone number as a login. For example, the Telegram messenger. We have a SIM card, insert it into the phone, launch the messenger, enter the victim's phone number, and Telegram sends us an SMS. We successfully receive the SMS, enter the code in Telegram, and all old messages are loaded automatically. The same method will work, for example, for a Qiwi wallet - if there was money in the account, it can be withdrawn in the same way by recovering the password via the phone number.

Not only Telegram and the Qiwi wallet are in danger, but also any other service that authorizes users by phone number alone. Yes, one could simply take the phone by force and download all the necessary information, but we will not consider such cases. As a result, one day your phone will say that it is not registered on the operator's network, and in the meantime all your messages, money, etc. will be stolen.

It could be said that any system tied to a mobile phone is subject to this vulnerability. However, in my opinion, this is not the case: knowing the login on, for example, Skype or Yandex, determining the phone number tied to that login is practically unrealistic or very problematic (except for those cases when the owner has put it on display). In the case of Qiwi and Telegram, the login is the phone number itself, so nothing further needs to be found out.

In my opinion, the Tele2 operator should completely eliminate the practice of restoring SIM cards without the owner being personally present in the office. Until the operator does this, all services using mobile authorization should introduce additional security mechanisms for users who are Tele2 subscribers.

UPD: it turns out there is a simple protection mechanism against this vulnerability: for each new password recovery request (in the case of Qiwi) or Telegram authorization, make an HLR request. The response will contain the IMSI (International Mobile Subscriber Identity) - the SIM card's number. If this number has changed since the last request, then you need to sound the alarm.
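
One way a service could implement the IMSI check from the update, as an added example that is not from the original post: `hlr_lookup` is a hypothetical callable standing in for whatever HLR lookup provider the service uses, and the phone number and IMSI values in the demo are constructed. It also assumes the stored baseline must survive a mismatch, so that a second request from the reissued SIM still raises the alarm.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

ENROLL, ALLOW, ALARM, UNKNOWN = "enroll", "allow", "alarm", "unknown"


@dataclass
class ImsiGuard:
    """Gate SMS codes (login, password recovery) on the IMSI reported by an HLR lookup."""
    hlr_lookup: Callable[[str], Optional[str]]  # hypothetical: phone number -> IMSI or None
    key: bytes  # secret, so stored baselines are keyed fingerprints and not raw IMSIs
    baseline: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)

    def _fingerprint(self, imsi: str) -> str:
        return hmac.new(self.key, imsi.encode(), hashlib.sha256).hexdigest()

    def check(self, msisdn: str) -> str:
        imsi = self.hlr_lookup(msisdn)
        if not imsi:
            return UNKNOWN  # lookup failed: do not fall back to sending the SMS
        fp = self._fingerprint(imsi)
        known = self.baseline.get(msisdn)
        if known is None:
            self.baseline[msisdn] = fp  # first request seen for this number
            return ENROLL
        if hmac.compare_digest(known, fp):
            self.pending.pop(msisdn, None)
            return ALLOW
        # SIM changed. Keep the old baseline: overwriting it here would let the
        # very next request from the new SIM pass as "unchanged".
        self.pending[msisdn] = fp
        return ALARM

    def confirm_new_sim(self, msisdn: str) -> bool:
        """Call only after the account owner is verified through another channel."""
        fp = self.pending.pop(msisdn, None)
        if fp is None:
            return False
        self.baseline[msisdn] = fp
        return True


if __name__ == "__main__":
    hlr = {"+70000000000": "250200000000001"}  # constructed number and IMSI
    guard = ImsiGuard(hlr.get, key=b"demo-key")
    print(guard.check("+70000000000"), guard.check("+70000000000"))
    hlr["+70000000000"] = "250200000000002"  # SIM reissued
    print(guard.check("+70000000000"), guard.check("+70000000000"))
```

The first lookup only establishes a baseline, so it belongs at account registration rather than at the first recovery request.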

Source: https://habr.com/ru/post/207858/

