Attackers could steal millions through online phone verification systems

In the latest attack that shows how hard it is for users to identify phone numbers with premium call charges, a researcher has found that he could have earned millions by abusing the online phone verification systems used by Google, Microsoft, and Instagram.

Many websites and mobile apps allow users to associate a phone number with their account. This can be used for two-factor authentication or as an account recovery and verification option. Many of these systems rely on codes sent via text messages, but also offer the option to call the user and dictate such codes.

Last year, a Belgian IT security consultant named Arne Swinnen started wondering if such systems test if the numbers entered by users have premium charges attached to them and set out to test several popular services.

To read this article in full or to leave a comment, please click here