Stealing Money from ISPs Through Premium Rate Calls

I think the best hacks are the ones that are obvious once they're explained, but no one has thought of them before. Here's an example:

Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/... . Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number. The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved.

News articles. Slashdot threads.

Posted on July 19, 2016 at 6:21 AM • 13 Comments

Comments

Moshe YJuly 19, 2016 8:13 AM

Anyone who works in telephony for a living checks outbound calls very carefully. This is a learning curve for newcomers, I expect.

Clive RobinsonJuly 19, 2016 8:22 AM

I used to know someone who was an RF Design Engineer when they commanded very high remuneration.

He got sick to death of phone calls from "job agents" he did not know of so got his number changed to a "premium rate" number. He was covering the cost of line rental, auto forwarding to his mobile and his mobile calls with the income from it.

This was back in the time before virus writers caught onto the idea of changing the "dial up number" in peoples Win95 machines to premium rate numbers...

Insider Threat ModelJuly 19, 2016 8:47 AM

Premium rate call fraud is a very common issue and in my experience, typically dealt with outside of InfoSec teams. There are a couple of methods for this that target a wide variety of issues. The method described in the article is of low potential worth, as the duration of effect is typically short lived.

And to Moshe's point, it isn't just outbound as a VAS outcall. It is also inbound if you are the CSP, as one reason for inbound spoofs of premium rates is to raid your subscriber pool using a wangiri attack.
The wangiri is coupled with analysis to generate pools for onward exploitation or further enrichment with yet more and more complex applications.
In my favourite investigation, the CSP was eventually paying the attacker for the privilege of having subscribers attacked, mined and ultimately defrauded.

Maybe I should fire up the research into this again and do a BSides next year since it seems there is a general need for it.

Clive:
Someone other than me did a similar thing back in the day, but to a regional manager and diverted all his personal home calls to an adult service. It took a great deal of convincing to the powers that be that he was not committing fraud.

Bumble BeeJuly 19, 2016 11:06 AM

That's a basic vulnerability with the North American Numbering Plan. That NANPA even allows so-called "premium rate" telephone numbers, usually used for phone sex, "psychic readings," and other scams and various fraudulent activity, and that it is not obvious even to large companies that such telephone numbers are in fact "premium," shows that the aforementioned NANPA is corrupt and that most likely money has been handed under the table.

Jesse ThompsonJuly 19, 2016 1:27 PM

Upon creating our residential VOIP service I simply looked up a list of non-free NANPA area codes (which I re-check every 90 days but have yet to see a change in coming close to a decade now) and had those blocked with a friendly message at my switch.

If I have done my job right, then there should be no dialing pattern possible that leads to any charges greater than inter- or intra-state from our upstream providers, and customers who want international calling and the like can simply use a calling card.

You COULD say it's a learning curve that I somehow skipped, but it's probably easier to say that I dealt with a $600 phone bill due to a room-mate's friend in college who kept calling Cleo for hours and hours over my phone line in '96. Pair that with having a good head for input acceptance in general and you're off to the races.

Bumble BeeJuly 19, 2016 6:03 PM

@Jesse Thompson

I have a relative who used to stay at people's houses and run up those so-called "premium" call charges on the phone bill. The adults would politely call them "long-distance" charges when we kids were around.

AppeosJuly 26, 2016 12:03 PM

This is not a new idea and reminds me of a big issue that telecoms companies were having in the late 1990's.

People were setting up premium rate numbers, then getting cheap international dialling accounts to call them. The telecom companies weren't sophisticated enough to filter out international premium rate numbers, so were vulnerable and lost many millions of dollars.

I was building a carrier billing system for a global telecom company when I noticed this issue. Someone had a bank of laptops with modems in Switzerland calling a UK premium rate number 24x7. Only spotted it by accident after six million dollars was lost. Assume many other telecom companies hit too for similar sums.

MarcusAugust 15, 2016 3:41 PM

This reminds me of a loophole of sorts that was introduced by the creation of competitive local telephone providers in the 1990s: a few of the CLECs figured out they could make a lot of money in "reciprocal compensation" by selling inexpensive telephone lines to dialup ISPs with the understanding those lines would only be used for inbound calls. Since the originating carrier (usually the legacy Bell company) had to pay the terminating carrier (the new CLEC) for handling the call, the CLECs would collect termination fees but never have to pay any out.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.