Researcher steals money from Instagram, Google and Microsoft via 2FA

Belgian security researcher Arne Swinnen has discovered a way to steal money from companies such as Facebook (through Instagram), Google and Microsoft by abusing their 2FA token systems.

Most companies use 2FA (Two-Factor Authentication) to send short SMS codes to their users. Optionally, if the user prefers, they can instead receive a voice call from the company, during which an automated voice reads out the code.

These calls are normally placed to the number linked to the account. In his experiments, Swinnen discovered that he could create Instagram, Google and Microsoft Office 365 accounts in which, instead of his own mobile number, he registered a premium-rate number.

So whenever one of these three accounts used 2FA, the service sent the premium-rate message or call to that number instead of his own phone, and the premium charge was billed to the company.

Swinnen argues that attackers could set up their own premium-rate services and register Instagram, Google or Microsoft accounts against those numbers.

Swinnen reports that, using automated scripts, an attacker could request 2FA tokens for all of those accounts, causing the service to place entirely legitimate phone calls to the premium number and earning the attacker a lot of money.
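A defensive counterpart to the abuse described above, added here as an illustration and not taken from Swinnen's write-up or from any of the affected services: a small Python gate that refuses voice-OTP delivery to premium-rate destinations and caps how many calls a single destination number can trigger in a time window, no matter how many accounts point at it. The premium prefix list, the limits and the phone numbers are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    CALL = "call"                          # place the voice OTP call
    REJECT_PREMIUM = "reject_premium_rate"  # destination is a premium-rate number
    REJECT_RATE = "reject_rate_limited"     # destination exceeded its call budget


@dataclass
class VoiceOtpGuard:
    """Gate outbound voice-OTP calls before they reach the telephony provider.

    The budget is keyed on the destination number, not on the account: the
    attack registers many accounts that all point at one premium number, so a
    per-account limit alone would not stop the bill from growing.
    """
    premium_prefixes: tuple       # E.164 prefixes treated as premium-rate (sample values)
    max_calls: int = 3            # calls allowed per destination per window
    window_s: int = 3600          # sliding window length in seconds
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def is_premium_rate(self, e164: str) -> bool:
        """True if the number falls in a known premium-rate range."""
        return any(e164.startswith(p) for p in self.premium_prefixes)

    def request_call(self, e164: str, now: float) -> Decision:
        """Decide whether a voice OTP may be placed to `e164` at time `now`."""
        if self.is_premium_rate(e164):
            return Decision.REJECT_PREMIUM
        hist = self._history[e164]
        # Drop timestamps that have fallen out of the sliding window.
        while hist and now - hist[0] >= self.window_s:
            hist.popleft()
        if len(hist) >= self.max_calls:
            return Decision.REJECT_RATE
        hist.append(now)
        return Decision.CALL


if __name__ == "__main__":
    # "+3290" is used here as a constructed stand-in for a premium-rate range.
    guard = VoiceOtpGuard(premium_prefixes=("+3290",), max_calls=2, window_s=60)
    for number, t in [("+3290012345", 0.0), ("+32470123456", 0.0),
                      ("+32470123456", 10.0), ("+32470123456", 20.0)]:
        print(number, t, guard.request_call(number, t).value)
```

In production the prefix list would come from the telephony provider's numbering data, and rejected requests should be logged so that clusters of accounts sharing one destination number can be reviewed.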

According to Swinnen's calculations, he could theoretically have collected 2.066.000 € per year from Instagram, 432.000 € per year from Google, and 669.000 € per year per premium number from Microsoft.

The technical and exploitation details differ for each service, and Swinnen explains them on his blog:

https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/


Written by Dimitris
