Security experts are warning that millions of Verizon customer accounts could still be at risk after a data exposure by an Israeli company working for the phone giant.
Chris Vickery, director of cyber risk research at security firm UpGuard, found as many as 14 million customer records for the past six months on an exposed and unprotected Amazon S3 cloud server in late June.
This sensitive data includes millions of individual customer names, phone numbers, and their account PINs, which we confirmed is all an attacker needs to access a person’s account. That can lead to phone number hijacking and account takeovers, which could allow hackers to break into a person’s email and social media accounts, even those protected by two-factor authentication, according to security experts briefed on the exposure prior to publication.
Verizon said that an investigation determined that “no other external party accessed the data,” but did not say how it came to that conclusion. The logic goes that if a security researcher found the data, there’s no telling who else might have found it too.
Phone account hijacking is a real problem because cellular accounts are a single point of failure for even the most security-minded person. With three data points — all of which were found in the exposed data — anyone can call up a cell provider and try to trick the call center representative into thinking they are the account holder. Because so many sites and services offer the additional layer of two-factor verification by sending a passcode as a text message to your phone, once a phone is hijacked, that can be it.
Per Thorsheim, a password expert and security researcher, called this a “nightmare” situation for customers.
“Losing access to your phone can have serious consequences for some,” said Thorsheim. “The worst case is that you lose access to all the services that use SMS for two-factor authentication, and countless services use and rely on SMS as what is assumed to be a secure channel.”
Some people unfortunately know that feeling better than others.
“I tried to do everything by the book,” said Justin Williams on the phone this week. “I don’t use shared passwords, I use a password manager, and I have a PIN on my AT&T account,” he said. And, he has set up two-factor authentication on every account that supports it.
And yet, last week, he still got his phone account hijacked and money withdrawn from his bank account.
A hacker called up AT&T several times to try to get access to Williams’ account. Like most phone companies, AT&T only requires a name and a phone number to get access to a person’s account. In this case, Williams said an AT&T call center representative “broke protocol” and didn’t ask for the account PIN, he wrote in a blog post after the incident. The hacker was able to take over his phone number in what’s known as a SIM-swap scam, and therefore also any incoming two-factor authentication code.
As Williams discovered, PayPal, which is linked to his bank account, only requires a person’s email address and two-factor code to reset a password.
“Since PayPal only supports SMS-based authentication, all the perpetrator needed was to be able to receive SMS messages as ‘me’ and he was in,” he said. He doesn’t entirely blame PayPal, he said.
This isn’t unique to Williams. It happens dozens of times a day — and thousands of times per month. And yet, the carriers — who we rely on more than anyone to keep our information secure — know how bad the problem is.
Lorrie Cranor, former FTC chief technologist, also had her phone account hijacked while she was mid-call.
“In the best case it is a hassle: your phone stops working and it requires several phone calls to customer service and the fraud department and a trip or two or three to the phone store to get everything sorted out,” she said. “But in the worst case, thieves may use your mobile phone account to gain access to social network accounts, email accounts, or even financial accounts.”
“The mobile phone carriers should be doing more to cut down on account hijacking by requiring multiple authentication factors, beyond a PIN and a driver’s license,” she said. “I was amazed that someone was able to walk into a phone store with a fake ID and claim to be me and my carrier didn’t even try to text or call my phone to confirm.”
She called the Verizon data exposure a “significant problem” if the data was picked up by criminals.
“If there is a risk that the PINs were exposed, then Verizon should reset all the PINs or require customers to reset their PINs using a secure channel before they are used again to access their account,” said Cranor.
Since we spoke, Williams had his money refunded but has heard nothing from AT&T. (We reached out to the company but didn’t hear back at the time of writing.)
“It’s a weird thing with phone providers; they’re super uncomfortable with being the identity of people,” said Williams. “Your phone number is your identity — my phone is my lifeline to the world. Yet, it’s frustrating that they don’t put as much effort into security. These companies don’t want to lose customers by making this stuff more complicated for people.”
“Right now, all things considered, this could’ve been a lot worse,” he said. “The whole thing is utterly violating. It’s just some s**t-head kid in Australia doing this for giggles.”