It seems that two-factor authentication solutions that deliver verification codes to mobile phones are not as foolproof as one might think – a lesson that an Australian business owner learned the hard way.
Back in July, he received a phone call from his bank, which notified him that some $45,000 were pilfered from his mortgage account by fraudsters. Having already chosen the option given by the Commonwealth Bank to use two-factor authentication when accessing his bank account online, he wondered how this could have happened.
He assumed that his login credentials were stolen with information-stealing malware that was likely installed on the company laptop he sometimes used to access his account. But how could the fraudsters get their hands on the additional verification code that the bank sends directly to his mobile phone?
Well, as it turns out, they took advantage of the mobile phone number portability option offered by telecommunication companies and mandated by the Australian government so that the companies could not lock in customers, and employed social engineering skills to gather the information needed for such a move.
According to SC Magazine, they extracted information about him and his work by placing a call to his office, pretending be an employee of the Australian Tax Office, and got his mobile phone number from his daughter by posing as a business partner in urgent need of that information.
Armed with the data, they called his mobile phone provider and requested his account to be “ported” to a pre-paid account with an alternative provider. Once the move was completed, they sent the businessman a message supposedly coming from his provider (Vodafone), notifying him that he will likely experience problems with the reception in the next 24 hours, so that he would not become suspicious about the fact that he would not be receiving any calls or messages.
Not long after that, they begun spending the money in an electronics shop. Once they ended their spending spree, they ported the mobile phone account back to his provider – a move made possible by the fact that they obviously knew the answers to the security questions asked during the process.
The businessman was unaware of everything that happened until the bank notified him that it had frozen his account. The large and unusual transaction has made its fraud unit suspicious, and when they couldn’t contact him by phone to ask him about it, they preventively blocked the account to prevent further theft.
In the end, the businessman got his money back from the bank, and the bank absorbed the loss. The bank claims that they have managed to track down where the fraudsters spent the money, and that they have notified the police that there were security camera tapes that can be used to identify them. According to them, the police said that one of the fraudsters left the country.
But, the bigger problem in all of this is the fact that Australian banks have been informed of the possibility of the “porting” option being misused to mount this kind of attack back in 2009, but a lot of them declined to implement a verification system that would make sure that the number to which they send the additional verification code has not been recently “ported”.