 |
| American telecom companies that can be attacked by exchanging cards |
A Princeton University study found that five major US telecom companies use authentication methods vulnerable to exchange cards, and Princeton University scientists found last year to test five major US telecom providers. Find out if call center employees can be asked to transfer numbers and call the user on a different business card without providing the appropriate credentials.
When an attacker calls a mobile operator and asks them to change the victim’s phone number on the attacker's owner’s card, the phone card is exchanged so that they can reset their password and connect to the Internet (for example, via email, electronically). The portal (or banking system) for accessing sensitive accounts and cryptocurrency exchange.
According to the investigation team investigation, they found that AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were using weak software in customer support centers, and attackers could use these measures to attack contact card exchanges.
Researchers purchased 10 prepaid lines from AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless for a total of 50 lines. They used these lines on the phone to make real calls and record real calls, and found that they only had to successfully answer one thing to verify their identity. Ask the company to change the service on their calling card.
To test the company's security measures, they required to deliberately replace phone cards and enter incorrect PIN codes to force customer service agents to use a different authentication method, and customers provided mail dates or account holder birth dates. Upon coding, they also provided incorrect information, prompting employees to switch to a third type. The caller requested one of the authentication methods for the last call.
In this way, the researchers succeeded in exchanging phone cards and verifying 140 online services using phone authentication to determine that attackers could use their forwarded numbers for processing.
They analyzed which of them allowed the attackers to swap phone cards to hijack user accounts, and they could reset passwords for 17 of these services simply by forwarding phone cards only because they didn't have to ask additional authentication questions.