Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes.
Vodafone preset its customers' online passwords to a numeric code of four to six digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying random phone numbers with the passcode 1234 to crack accounts registered with the mobile network's customer portal.
It gets worse. The fraudsters were able to obtain new SIM cards simply by knowing a phone number and the PIN code linked to that account. No photo ID, nor even an email confirmation, was apparently required. The duplicate SIMs were ordered through an online service and then picked up in person.
At this point the duo funded online betting accounts through premium-rate SMS messages sent through a payment gateway and debited against a compromised mobile account. Money was then withdrawn from these betting accounts, leaving Voda customers with a nasty debt and the fraudsters laughing all the way to the bank.
The attack wasn't terribly sophisticated, so perhaps it isn't surprising that the crooks were soon pinched.
The 60 affected customers' bills were padded with fraudulent transactions. Rather than writing these off, Vodafone is aggressively chasing payments, even resorting to debt collectors.
The telco reportedly claimed that its clients are liable for the fraudulent transactions because they had weak passwords – ignoring that these easily guessed codes were issued as a result of security shortcomings in its own system.
These codes may have been handed out as temporary credentials, but Vodafone didn't let customers know that these details needed to be changed. In some cases users apparently didn't even know they had a web account.
El Reg learnt of the whole sorry business from Prague-based software developer Michal Špaček, who made a series of Twitter posts about the matter.
"Vodafone says your password is your responsibility and points to [its] ToS [terms of service]," he wrote. "[The] bad guys were even able to get new SIM cards because they knew a phone number and a password. No additional checks."
A local newspaper's report of the scam can be found here (in Czech).
Petr Bužo and Nikola Horváthová from the Czech city of Teplice were jailed for three and two years respectively over the scam.
The compromised accounts were all reportedly set up before 2012. For the last six years customers have chosen their own six-digit passwords when setting up an account at mobile phone shops. Security experts like Špaček are not impressed with the robustness of the new system either.
Some years ago Michal Illich, a friend of Špaček, was assigned "1234" when setting up an account; the code arrived printed out in an envelope, as if it had been machine-generated.
Through the Voda web portal, the defendants reportedly had access to victims' date of birth, residence, bank details and call records. Thankfully they never abused this information to mount ID theft scams or follow-up phishing attacks.
El Reg invited Vodafone in the Czech Republic to comment on the case and criticism of its security policies. Vodafone said:
We were sorry to hear that some of our customers fell victim to targeted fraudulent activity by criminals. We make it very clear to all our customers that they need strong, unique passwords in order to protect themselves from this kind of criminal behaviour. We have been working with law enforcement to ensure that those responsible were brought to justice and compensate our customers.
Authentication expert Per Thorsheim told El Reg that Vodafone's Czech Republic arm had made a litany of security gaffes. One basic measure, using email addresses rather than phone numbers as usernames, would have been enough to frustrate the simple brute-force attack the fraudsters used.
"If Vodafone used email as username *and* said passwords [should be a minimum length of 8 characters], 'password' would probably get you access, but you would need a long list of valid user email addresses. Definitely a harder attack to do.
"The crazy part of this story is that Vodafone has a shitty authentication setup, a good probability they have set '1234' for users themselves, and then they blame their customers for bad security and getting hacked."
If Vodafone had any rate-limiting, account lockout, geofencing or time-based security on logins, that would help improve security without inconveniencing legitimate users, Thorsheim further noted.
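As an added illustration of the controls Thorsheim lists, and not code from the article or from Vodafone's systems: a per-source rate limit, a per-account lockout, and a cross-account check for the "one guess against many accounts" pattern described above, replayed over constructed customer-portal log lines. The log format, IP addresses, phone numbers and thresholds are all made up for the example.

```python
"""Added example: login-abuse controls replayed over a constructed auth log.
Not from the article or from any telco's code; all values are invented."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample log: "<unix_ts> <source_ip> <account> <OK|FAIL>".
# 203.0.113.5 tries one guess against six accounts in a few seconds (spray),
# 198.51.100.9 is a legitimate user who mistypes twice, and
# 192.0.2.77 hammers a single account slowly enough to dodge a rate limit.
SAMPLE_LOG = """\
1000 203.0.113.5 420601000001 FAIL
1001 203.0.113.5 420601000002 FAIL
1002 203.0.113.5 420601000003 OK
1003 203.0.113.5 420601000004 FAIL
1004 203.0.113.5 420601000005 FAIL
1005 203.0.113.5 420601000006 OK
1100 198.51.100.9 420601000007 FAIL
1101 198.51.100.9 420601000007 FAIL
1102 198.51.100.9 420601000007 OK
1200 192.0.2.77 420601000008 FAIL
1300 192.0.2.77 420601000008 FAIL
1400 192.0.2.77 420601000008 FAIL
1500 192.0.2.77 420601000008 FAIL
"""


@dataclass(frozen=True)
class Attempt:
    ts: int        # seconds since epoch (constructed)
    source: str    # client IP
    account: str   # phone number used as the portal username
    ok: bool       # True when the credential was accepted


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, acct, result = line.split()
        events.append(Attempt(int(ts), src, acct, result == "OK"))
    return events


def detect_spray(events, window=300, min_accounts=5):
    """Flag sources that touch many distinct accounts inside `window` seconds.

    A single default guess tried once per account never trips a per-account
    lockout, so the signal only shows up when attempts are grouped by source.
    Returns {source: peak number of distinct accounts seen in one window}.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    flagged = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        recent = deque()
        for e in evs:
            recent.append(e)
            while recent[0].ts < e.ts - window:
                recent.popleft()
            distinct = {r.account for r in recent}
            if len(distinct) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


class LoginGuard:
    """Per-source sliding-window rate limit plus per-account failure lockout."""

    def __init__(self, src_max=3, src_window=60, acct_max_fail=3, lock_secs=900):
        self.src_max, self.src_window = src_max, src_window
        self.acct_max_fail, self.lock_secs = acct_max_fail, lock_secs
        self.src_hits = defaultdict(deque)      # source -> timestamps in window
        self.acct_fails = defaultdict(int)      # account -> consecutive failures
        self.acct_locked_until = {}             # account -> unlock timestamp

    def check(self, e):
        """Return 'allow', 'rate_limited' or 'locked' and update state."""
        if self.acct_locked_until.get(e.account, -1) > e.ts:
            return "locked"
        hits = self.src_hits[e.source]
        while hits and hits[0] <= e.ts - self.src_window:
            hits.popleft()
        hits.append(e.ts)           # blocked attempts still count toward the limit
        if len(hits) > self.src_max:
            return "rate_limited"
        if e.ok:
            self.acct_fails[e.account] = 0
        else:
            self.acct_fails[e.account] += 1
            if self.acct_fails[e.account] >= self.acct_max_fail:
                self.acct_locked_until[e.account] = e.ts + self.lock_secs
        return "allow"


def replay(events, guard=None):
    """Replay events through a LoginGuard; return counts per decision."""
    guard = guard or LoginGuard()
    counts = defaultdict(int)
    for e in sorted(events, key=lambda x: x.ts):
        counts[guard.check(e)] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spray(events))
    print("guard decisions:", replay(events))
```

The two checks are deliberately separate: the guard stops the slow single-account attack and throttles the burst from one address, but only the cross-account view catches a spray that stays under the per-account threshold, which is why a portal that uses guessable phone numbers as usernames needs both.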
The Oslo-based security expert concluded: "The Information Commissioner's Office in the Czech Republic should look into this, based on what might be bad protection of personal data, and ask for risk analysis and DPIA [data protection impact assessments]." ®