This method takes advantage of two-step authentication, account recovery options and the convenience-first defaults that consumer services are configured with.
This is the general concept
If you have £600 in your wallet and a £600 mobile phone, which one would I steal?
I would steal the mobile phone.
So I wouldn’t be able to sell that phone for the same value you purchased it for, but it does give me a way into your accounts, and from there the potential of what I can steal is a lot higher than just taking your wallet.
Now a password on your phone doesn’t really do much these days, nor does fingerprint recognition or a swipe pattern.
So here is a true story
I found a phone in the park the other day while I was walking my dog. It was perfectly placed on a bench, like it had fallen out of someone’s pocket; they had got up, walked away and hadn’t noticed.
I have two choices
- Return the phone
- Steal all his money
To me, I would always return the phone, but just in this scenario, anyone who comes across your phone has these choices.
There was no ICE contact, no way of identifying the owner and no way of returning the phone, as it had a fingerprint lock, so naturally I used the voice command to look up contacts on the phone. It came up with emails from those people, including the email for the phone. I didn’t read them; all I wanted to do was use the phone to
It rang through to the guy’s mum, and without me really asking she gave me his full name and address. I’m sure if I had asked she would have given me his email as well, if I had said the phone was running out of battery and I needed to email him to meet him so I could return his phone.
I went to his house, gave him his phone, asked him to unlock it in front of me so I knew it was him, then went on my merry way.
What could I have done differently?
Well, there was nothing stopping me from accessing his phone, going through all his stuff, accessing his email and stealing his money, other than
- My own moral compass
- I really don’t care enough about the personal life of a stranger to snoop through their stuff.
So in this article we look at
- How the Crime is Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How is the crime committed
Well, let us consider things we know we can do once we get access to the email
- Someone accessing our email also gets access to our other accounts
- If the email service is associated with a browser, like Windows Live and Bing or GoogleMail and Google Chrome, then the browser can store payment details, likely in a very insecure way.
- In addition, where the email is associated with a browser, it will log a comprehensive history of your activity (material for blackmail)
- As well as this, it likely stores your passwords for other accounts in plain text
- Something like Gpay can be used in a shop, but it can also be used to make a direct transfer from an email account to an unknown address or PAYG mobile telephone number.
- Once an email account is accessed, manual interception and replacement of emails becomes a viable option: essentially, rewriting an email, or an attachment of an email, to contain my bank details instead of a company’s bank details.
These are just things I can think of off the top of my head, so my only real challenge here is to get into the email account; we can agree that from there theft is possible in a multitude of ways.
It is simply a case of minutes vs hours vs days, but theft is inevitable if I can access your online accounts.
Identity theft is also a very viable option, your email account giving me access to your credit reference company account (Noddle, Experian, Equifax etc.), which likely contains enough about you to verify your existence, certainly enough for obtaining credit online. It also guides me well on the amounts and services you would likely be accepted for and the ones that would likely reject you.
So how do I access the email from finding a locked phone?
Irrespective of whether you have two-factor authentication, what we will find is a loop in the process.
With a phone the following is true, and phones are configured by default for the following behaviour
- A linked email account can unlock the phone
- You can answer a phone call without unlocking the phone
- You can read a text message without unlocking the phone
- You can read most of an email without unlocking the phone
- You have partial navigation into certain areas
What do we know about an email account’s default configuration
- The password can be reset via a voice call, text message or email
- Having the password and the phone/account recovery option can be used to bypass 2 step authentication.
So with the phone it is a very simple process
- Go to Email service, select forgot password
- Keep clicking “Try different method” until reset by pin number to phone number comes up
- It will mask the phone number, but 99 times out of 100 we only have one mobile number we use for personal reasons, so masking it doesn’t improve security.
- That will prompt a phone call, answer the phone and enter the pin number spoken by the automated voice
- Reset the password
- Enter the new password, click next
- This will prompt 2 step authentication
- On the physical device, if a notification shows, clear the notification *see note below
- This will prompt on the computer screen to use an alternative method.
- One of the options will be a voice or text pin sent to the phone
- This will be the 2 step authentication pin number.
- Access email, remove all notifications of “new device” or “suspicious activity on the account”
- Once the email is accessed, you can usually use this to unlock the mobile phone.
*If you don’t have any form of lock on your device, then it is just fewer steps and guaranteed early success: I simply approve the device at step 8. But you can work around the lock on the device easily per the above steps.
This is the standard configuration of your mobile device and email accounts
So by default, the set-up wizards on your services allow this to happen, quite easily in fact.
The email service provider assumes that the mobile phone is secure
The mobile phone manufacturer assumes that the email is secure
They both use each other for authentication
That creates a loop in authentication whereby, on the assumption of security, one is used to bypass the other, and in turn that is then used to bypass the former.
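The loop above can be checked mechanically: model every "X can be reset or unlocked via Y" relationship as an edge and look for a node that can be used to recover itself. The script below is an added example written for this article, not code from the original post; the account names, the two sample configurations and the list of factors that are readable from the lock screen are constructed for illustration, and the "hardened" variant simply reflects the advice that recovery should not depend on something the locked phone already exposes.

```python
"""
Recovery-dependency audit (added example, not the article's own code).

A configuration is a list of (protected, method, requires) triples meaning:
`protected` can be reset or unlocked through `method`, and anyone who
holds `requires` can complete that method.  Names are constructed.
"""
from collections import defaultdict

# Constructed model of the out-of-the-box setup the article describes:
# email resets via a pin sent to the phone, the phone unlocks via the email.
DEFAULT_CONFIG = [
    ("phone", "linked-email-unlock", "email"),
    ("email", "sms-or-voice-pin", "phone"),       # "forgot password" flow
    ("email-2fa", "sms-or-voice-pin", "phone"),   # "try a different method"
    ("email", "2fa-approval", "email-2fa"),
]

# Constructed hardened variant: nothing is recovered through the phone or
# the email; recovery needs a security key or codes kept offline.
HARDENED_CONFIG = [
    ("phone", "pin-plus-offline-recovery-code", "offline-recovery-code"),
    ("email", "hardware-security-key", "security-key"),
    ("email", "printed-backup-codes", "offline-recovery-code"),
]

# Methods whose one-time pin is readable without unlocking the phone
# (calls can be answered and texts previewed on the lock screen by default).
LOCK_SCREEN_EXPOSED = {"sms-or-voice-pin"}


def build_graph(config):
    """Directed graph: edge requires -> protected ('holding requires yields protected')."""
    graph = defaultdict(set)
    for protected, method, requires in config:
        graph[requires].add(protected)
        graph[protected]  # make sure every node is a key
    return graph


def reachable_from(graph, start):
    """Everything someone holding `start` can eventually take over."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def find_loops(config):
    """Nodes that can be used to recover themselves: the authentication loop."""
    graph = build_graph(config)
    return {n for n in list(graph) if n in reachable_from(graph, n)}


def lock_screen_exposure(config):
    """What falls to someone holding only the *locked* phone."""
    # A locked phone still satisfies any method whose pin shows on the lock screen.
    extended = list(config)
    for protected, method, requires in config:
        if method in LOCK_SCREEN_EXPOSED and requires == "phone":
            extended.append((protected, method, "locked-phone"))
    return reachable_from(build_graph(extended), "locked-phone")


if __name__ == "__main__":
    print("default loops:", find_loops(DEFAULT_CONFIG))
    print("default, from locked phone:", lock_screen_exposure(DEFAULT_CONFIG))
    print("hardened loops:", find_loops(HARDENED_CONFIG))
    print("hardened, from locked phone:", lock_screen_exposure(HARDENED_CONFIG))
```

With the default configuration every node (phone, email, email-2fa) sits on a cycle, and the locked phone alone reaches all three, which is exactly the bypass the article walks through. The hardened configuration reports no loop and nothing reachable from the locked phone, because the recovery edges no longer point back at the device that is being recovered. Auditing your own accounts this way is a matter of listing each recovery option a service offers and asking what physical possession of a locked phone would satisfy.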
Can I do this without your phone?
Yes actually, although it would need to be at about 03:00 in the morning.
Because the phone number is providing the pin numbers, i.e. by voice call, your calls can likely be forwarded from your voicemail (as in the phone hacking scandal) or by accessing your online mobile account, where you would likely find a feature that lets you forward all your calls.
The notification for two-step authentication is often configured by default to be silent; not sure why, to be honest. If you have your phone it would make sense to alert you audibly that someone is trying to access your account, and if you don’t have your phone, I’m not sure why this notification sounding makes a difference.
It is just that if I have your phone, it is simple and straightforward, a few seconds to access. Without your phone it does take quite a bit longer, but still within a reasonable time frame.
Are there other methods into my account like this?
Yes; they took longer than a couple of hours to come up with, and following our rules we can’t publish the method (we only publish methods that can be thought up quickly).
We also don’t need to publish the method, as the solution to this issue, found on the next page, is incredibly simple but resolves all the other easy access methods into your account at the same time.