MFA (multi-factor authentication) is used to prevent a data breach from completely compromising an account. The fix for this single point of failure is a second authentication method that an attacker would not have access to.
2FA is usually offered in several forms: OTPs from a synced phone app, SMS text messages, phone calls and many others. Because any of them can be chosen, a vulnerability in any one of them amounts to a bypass of 2FA as a whole.
There is a common weakness in the phone-call option: voicemail. When a call is missed, the caller gets the chance to leave a message. But is leaving a 2FA code on voicemail a good idea? The argument of this article is that it is a horrible idea!
In previous research by Sophos and a few others, voicemail has been shown to be only semi-secure. In Australia, a large number of telcos were vulnerable to attacks that allowed anybody to access a subscriber's voicemail. But how?
If the ANI/caller ID of the incoming call matches the account holder's number, the system does NOT ask for a PIN to verify the account. (In the US, the PIN is requested regardless of the caller ID.) Because caller ID can be spoofed, this is a horrible idea!
By using a spoofing provider, such as a VoIP spoofing service or SpoofCard, the caller ID check can be bypassed. With access to the voicemail (a vulnerability in itself), any 2FA code left there can be retrieved, and 2FA is bypassed.
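As an added example (not code from the article), here is a small Python model of the two controls that break this chain: a voicemail system that requires the mailbox PIN regardless of caller ID, and a phone-call OTP that is only read out after a keypress, so an unanswered call never leaves the code on voicemail. All names, numbers and the call model are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Voicemail:
    """A subscriber's mailbox (hypothetical model, constructed for this example)."""
    owner_number: str
    pin: str
    messages: List[str] = field(default_factory=list)

    def access(self, caller_id: str, pin: Optional[str], trust_caller_id: bool) -> bool:
        """Return True if the caller gets into the mailbox.

        trust_caller_id=True is the weak telco policy from the article: a
        matching ANI/caller ID unlocks the mailbox with no PIN. Since caller ID
        is attacker-controlled, the hardened policy ignores it and always
        requires the PIN.
        """
        if trust_caller_id and caller_id == self.owner_number:
            return True
        return pin is not None and pin == self.pin


def deliver_otp(code: str, answered_by_human: bool, mailbox: Voicemail,
                require_keypress: bool) -> str:
    """Simulate a phone-call OTP and report where the code ended up.

    require_keypress=True models an IVR that waits for a DTMF digit before
    reading the code. A voicemail recorder never presses a key, so an
    unanswered call records only the prompt and the code is withheld.
    """
    if answered_by_human:
        return "spoken_to_callee"
    if require_keypress:
        mailbox.messages.append("Press 1 to hear your verification code.")
        return "withheld"
    mailbox.messages.append(f"Your verification code is {code}.")
    return "recorded_to_voicemail"


def bypass_possible(trust_caller_id: bool, require_keypress: bool) -> bool:
    """Does a caller presenting the owner's number, without the PIN, obtain the OTP?"""
    mailbox = Voicemail(owner_number="+15550100", pin="4821")  # constructed values
    code = "731904"  # constructed sample code
    deliver_otp(code, answered_by_human=False, mailbox=mailbox,
                require_keypress=require_keypress)
    # Caller ID matches the owner, but the caller does not know the mailbox PIN.
    if not mailbox.access("+15550100", pin=None, trust_caller_id=trust_caller_id):
        return False
    return any(code in m for m in mailbox.messages)
```

Only the combination of a trusted caller ID and a code spoken straight into voicemail yields the OTP; either control on its own closes the path.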
The next step was reaching out to the companies to ask them to stop putting 2FA tokens into voicemail. Some of the companies contacted (Google) claimed this was not an issue with their system but with the telcos' systems. Others, such as Facebook, LinkedIn, Duo and Authy, simply removed the ability to receive a 2FA code via voicemail, preventing the attack.