Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs

Crooks cracked phone number accounts with passcode '1234'


Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes.

Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying random phone numbers and the passcode 1234 to crack accounts registered with the mobile network's customer portal.

It gets worse. The fraudsters were able to obtain new SIM cards by simply knowing a phone number and the PIN code linked to that account. No photo ID or even email confirmation were apparently required. The duplicate SIMs were ordered through an online service before they were picked up in person.

At this point the duo funded online betting accounts through premium-rate SMS messages sent through a payment gateway and debited against a compromised mobile account. Money was then withdrawn from these betting accounts, leaving Voda customers with a nasty debt and the fraudsters laughing all the way to the bank.

The attack wasn't terribly sophisticated so perhaps it isn't surprising that the crooks were soon pinched.

The 60 affected customers' bills were padded with fraudulent transactions. Rather than them writing off, Vodafone is aggressively chasing payments, even resorting to debt collectors.

The telco reportedly claimed that its clients are liable for the fraudulent transactions because they had weak passwords – ignoring that these easily guessed codes were issued as a result of security shortcomings in its own system.

These codes may have been handed out as temporary credentials, but Vodafone didn't let customers know that these details needed to be changed. In some cases users apparently didn't even know they had a web account.

El Reg learnt of the whole sorry business from Prague-based software developer Michal Špaček, who made a series of Twitter posts about the matter.

"Vodafone says your password is your responsibility and points to [its] ToS [terms of service]," he wrote. "[The] bad guys were even able to get new SIM cards because they knew a phone number and a password. No additional checks."

A local newspaper's report of the scam can be found here (in Czech).

Petr Bužo and Nikola Horváthová from the Czech city of Teplice were jailed for three and two years respectively over the scam.

The compromised accounts were all reportedly set up before 2012. For the last six years customers have selected their own six-digit passwords themselves when setting up an account at mobile phone shops. Security experts like Špaček are not impressed with the new system's robustness either.

A friend of Špaček, Michal Illich, some years ago was assigned "1234" when setting up an account, which he received printed out in an envelope as if it had been generated by a machine.

Through the Voda web portal, the defendants reportedly had access to victims' date of birth, residence, bank details and call records. Thankfully they never abused this information to mount ID theft scams or follow-up phishing attacks.

El Reg invited Vodafone in the Czech Republic to comment on the case and criticism of its security policies. Vodafone said:

We were sorry to hear that some of our customers fell victim to targeted fraudulent activity by criminals. We make it very clear to all our customers that they need strong, unique passwords in order to protect themselves from this kind of criminal behaviour. We have been working with law enforcement to ensure that those responsible were brought to justice and compensate our customers.

Authentication expert Per Thorsheim told El Reg that Vodafone's Czech Republic arm had made a litany of security gaffes. One basic measure, using email addresses instead of PIN codes, would have been enough to frustrate the simple brute-force attack the fraudsters used.

"If Vodafone used email as username *and* said passwords [should be a minimum length of 8 characters], 'password' would probably get you access, but you would need a long list of valid user email addresses. Definitely a harder attack to do.

"The crazy part of this story is that Vodafone has a shitty authentication setup, a good probability they have set '1234' for users themselves, and then they blame their customers for bad security and getting hacked."

If Vodafone had any rate-limiting, account lockout, geofencing or time-based security on logins, that would help improve security without inconveniencing legitimate users, Thorsheim further noted.

The Oslo-based security expert concluded: "The Information Commissioner's Office in the Czech Republic should look into this, based on what might be bad protection of personal data, and ask for risk analysis and DPIA [data protection impact assessments]." ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • State of internet crime in Q1 2022: Bot traffic on the rise, and more
    According to this cybersecurity outfit that wants your business, anyway

    The fraud industry, in some respects, grew in the first quarter of the year, with crooks putting more human resources into some attacks while increasingly relying on bots to carry out things like credential stuffing and fake account creation.

    That's according to Arkose Labs, which claimed in its latest State of Fraud and Account Security report that one in four online accounts created in Q1 2022 were fake and used for fraud, scams, and the like.

    The biz, which touts device and network defense software, said it came to this conclusion after analyzing "billions of sessions ... across our global network" during the first three months of the year. These sessions apparently spanned account registrations, logins, and interactions with financial, ecommerce, travel, social media, gaming, and entertainment services. Take all these numbers with a grain of salt as ultimately Arkose wants you to buy its stuff to prevent all this kind of crime.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading
  • US recovers a record $15m from the 3ve ad-fraud crew
    Swiss banks cough up around half of the proceeds of crime

    The US government has recovered over $15 million in proceeds from the 3ve digital advertising fraud operation that cost businesses more than $29 million for ads that were never viewed.

    "This forfeiture is the largest international cybercrime recovery in the history of the Eastern District of New York," US Attorney Breon Peace said in a statement

    The action, Peace added, "sends a powerful message to those involved in cyber fraud that there are no boundaries to prosecuting these bad actors and locating their ill-gotten assets wherever they are in the world."

    Continue reading
  • Cops' Killer Bee stings credential-stealing scammer
    Fraudster and two alleged accomplices nabbed in joint op

    An Interpol-led operation code-named Killer Bee has led to the arrest and conviction of a Nigerian man who was said to have used a remote access trojan (RAT) to reroute financial transactions and steal corporate credentials. Two suspected accomplices were also nabbed.

    The trio, aged between 31 and 38, were detained as part of a sting operation involving law enforcement agencies across 11 countries: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nigeria, Philippines, Singapore, Thailand, and Vietnam. 

    The suspects were arrested in the Lagos suburb of Ajegunle and in Benin City, Nigeria. At the time of their arrests, all three men were in possession of fake documents, including fraudulent invoices and forged official letters, it is claimed.

    Continue reading

Biting the hand that feeds IT © 1998–2022