Verizon Security Flaw Left Millions of Home Internet Users Vulnerable to Attack

Joseph Bernstein, reporting for BuzzFeed:

Last week, BuzzFeed News received a tip from Eric Taylor — now the chief information security officer of a company called Cinder, but probably better known by his former hacking alias, Cosmo the God. Taylor and Blake Welsh, a student at Anne Arundel Community College in Maryland, had found a way to easily access Verizon user information by spoofing IP data. They passed along the information to BuzzFeed News on the condition that we would report it to Verizon before publishing — which we did. […]

Within a few hours of the tip, and despite having no technical background, with the explicit permission of several Verizon account holders, I was able to convince Verizon customer service to reset an account password, giving me total control of a Verizon account. It was surprisingly easily done.

So far, it sounds like no customers were actually attacked by this flaw but it’s pretty scary. Especially the social engineering angle:

Even worse, customer support gave me that reset information despite the customer having a security PIN set up. In order to get a reset when someone has set a PIN, Verizon customer support requires either that number, the amount of the most recent payment, or access to the phone listed on the account; Verizon will call customers at that number with their PIN. None of these were listed in the source code, and I obviously didn’t have access to the account phone.

So I called back, and asked for the amount of my last payment, claiming to be balancing my checkbook. Verizon happily gave it to me. Now armed with one of the requisite pieces of verification information, I called back a third time and got a friendly rep to reset the password. We were able to successfully repeat this procedure on demand.

Wednesday, 13 May 2015