Earlier we wrote about the possibility of obtaining a personal phone number by analyzing and correlating social resources and accounts.
The short review below looks at the other side of the coin: the risk of account takeover on Internet resources in cases where an outsider can read the SMS messages received, for example when free virtual-number services are used.
Introduction
Users often do not want to give out their personal phone numbers, and also save on buying numbers for call forwarding or SMS reception by using free services available on the Internet.
There are actually quite a few such services; some that are working at the moment are listed below:
- tempsms.ru
- onlinesim.ru/sms-receive
- 5sim.net/free
- getfreesmsnumber.com/#
- receive-a-sms.com
- receive-sms.com
- sms.sellaite.com/index.php#phone_list
- receive-sms-online.com
- receivesmsonline.com
- receivefreesms.com
- smsreceivefree.com
- www.receivesmsonline.net
The essence of these services is simple: the user is given a number and a basic web interface that displays incoming SMS messages in real time.

You can select numbers from different countries; the most popular are the United States, Russia, Great Britain and Canada, although lovers of the exotic can use numbers from, for example, the Philippines or Brazil.

The services require no registration to use the free numbers and are completely anonymous. If the user wants a number that is not shown to everyone, they will have to pay for it. The price depends on the rental period and the country code, and can vary within very wide limits, from a couple hundred rubles to $30 and above.
It is clear that an ordinary user who does not want to "expose" his number and receive SMS spam underestimates the security risk at the same time and uses free, temporary and publicly available services. Usually this is justified with "e-mail is enough for me to recover the password", "I will not use it anyway", etc.
Risks and description of the attack
The risks in this situation are obvious: an attacker can read the SMS messages, like any other visitor to the free-number site. This means that the password recovery procedure can be initiated on the account page by sending a code to the associated phone number, after which access is easily obtained.
After gaining access, the attacker can easily change the email address and phone number and thus completely take over the victim's account.

Since the list of free numbers is sometimes updated quite rarely, every few months, an attacker can find a lot of quite interesting information accumulated by the victim during this period.
Our little analysis
We tried to use the described mechanism to gain access to some accounts.
We found the following main cases where free SMS services were used and access could be gained:
- Social networks and dating services. Access is fairly easy here, especially if the user has not enabled an additional security check. It should be said that most of the accounts were used for fraud and had been blocked, but in some cases they were in full use, sometimes even with paid services activated. Users of dating services such as Mamba are especially vulnerable, since these resources simply provide no additional security, and the correspondence contains quite a lot of sensitive information that could easily be used for blackmail.
- Registration of Viber, WhatsApp, etc. Despite the obvious fact that once a free number "expires" the user can easily lose access to his account, we found quite a lot of actively used accounts. The risks here are fully analogous to social networks: all private correspondence, as well as photos, can fall into the attacker's hands.
- Use of various Internet services. Very often the username and password were sent to the number, so access was obtained without any problems at all. We did not set out to break any record for the amount of money held on such services, and we did not spend a single penny, but there was money on them:
- Fraud. Taxi services stood out in this respect: the overwhelming majority of the accounts obtained through free virtual numbers that we tested belonged to drivers, not passengers. This seemed logical to us: a passenger is unlikely to want the driver to be able to reach him, whereas a driver very often calls from another number "because the phone died", etc. Such schemes allow the rating to be reset, several cars to be used, etc.
We also noted a lot of text messages related to issuing credit cards, obtaining loans, etc.
- Registration of insurance policies, loyalty program cards, etc.
Findings
Apparently, users are not sufficiently aware of how critical it is to use free virtual numbers when registering accounts and other services. This can somehow be explained in cases where the number is used to test such a registration (although even the testing itself cannot be convenient, since anyone can "steal" the account obtained this way and interrupt the work), but it can in no way be justified in cases where such a registration will later be used seriously.
Curiously, although many services check whether a number belongs to a VoIP service (for example, you cannot register with numbers tied to Google Voice / Hangouts), we are not aware of any check for binding to free virtual numbers, even though such a check could easily be carried out simply by calling the number.
This applies not only to social networks, but also to banking and credit organizations: of course, they use other kinds of checks, but as far as free SMS services are concerned, it is a complete gap.
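As an added defensive illustration (not code from the original article), here is a Python check a service could run before sending a recovery or registration code by SMS: it declines to rely on SMS for numbers on a denylist of publicly listed virtual numbers and for numbers already bound to several accounts, which is what a shared public number looks like from the service's side. The denylist, threshold and existing bindings are constructed sample data.

```python
import re

# Constructed denylist of numbers observed on public "receive SMS online" pages.
# A defender would refresh this by periodically collecting the number lists the
# services publish; the values here are made up for the example.
PUBLIC_SMS_NUMBERS = {"+12025550143", "+447700900123", "+79165550199"}

# A public number receives codes for many unrelated users, so the same number
# bound to several distinct accounts is itself a signal of a shared number.
SHARED_THRESHOLD = 3


def normalize(number: str) -> str:
    """Reduce a user-supplied number to '+' plus digits (E.164-style).
    Assumes the number is given in international form, with or without '+'."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in phone number")
    return "+" + digits


def assess_number(number: str, bindings: dict) -> dict:
    """Decide whether an SMS code may be sent to `number` for recovery or sign-up.
    `bindings` maps a normalized number to the account ids already using it."""
    n = normalize(number)
    reasons = []
    if n in PUBLIC_SMS_NUMBERS:
        reasons.append("listed on a public SMS-receiving service")
    owners = set(bindings.get(n, ()))
    if len(owners) >= SHARED_THRESHOLD:
        reasons.append(f"already bound to {len(owners)} accounts")
    return {"number": n, "allow_sms_code": not reasons, "reasons": reasons}


# Constructed sample of existing number -> account bindings.
SAMPLE_BINDINGS = {
    "+447700900123": ["u101", "u102", "u103", "u104"],
    "+33612345678": ["u200"],
}

if __name__ == "__main__":
    for candidate in ("+1 (202) 555-0143", "+44 7700 900123", "+33 6 12 34 56 78"):
        verdict = assess_number(candidate, SAMPLE_BINDINGS)
        action = "send SMS code" if verdict["allow_sms_code"] else "require another factor"
        print(verdict["number"], "->", action, verdict["reasons"])
```

A number that fails the check should fall back to a different factor (e-mail link, authenticator, or a voice call to the number, as the article suggests) rather than simply being rejected.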
