Thread: Security Breach

  1. #1
    Join Date
    Jul 2009
    Posts
    430
    Device(s)
    Samsung s8+
    Carrier(s)
    Wind
    Feedback Score
    0

    Security Breach

    A message to Freedom Mobile Customers.


    After speaking back and forth with the Chief Privacy Officer at Shaw Inc. (owns Freedom Mobile), I have been informed that all your data is held with Freedom using security that rivals that of banks.


    Here is a screenshot of the effectiveness of this security: https://imgur.com/VFgYcCi
    Please do not fear, I do not access your accounts for any reason. Some people however would steal your information.


    I have currently identified over 1000 at-risk-accounts on Freedom Mobile's MyAccount page.


    If this upsets you, be sure to send an email to [email protected]


    You may also lodge a complaint for "Failure to safeguard my personal information" at https://www.priv.gc.ca/en/report-a-c...ut-a-business/


    Freedom Representatives may reach me at [email protected]

    From user on Reddit: https://www.reddit.com/user/NullHumanity
    Reddit Thread: https://www.reddit.com/r/freedommobi...curity_breach/

    He/she asked me to post this here as they are waiting for their account to be approved.

    Update: https://mobilesyrup.com/2018/02/12/f...curity-breach/ has been posted there as well now.
    Last edited by rickyis911; 02-12-2018 at 05:21 PM.
    Freedom Mobile
    Line 1:
    $59 LTE Plan for $59
    Line 2: $45 Unlimited everything a month $45


  2. #2
    Join Date
    Nov 2006
    Posts
    197
    Carrier(s)
    Public / Freedom / T-mobile
    Feedback Score
    0
    Thank you for posting this. I already observed the thread on Reddit with interest. Since they use only a 4-digit PIN, it seems very plausible to just brute force the Wind / Freedom list of CNAC numbers that are available.

    At the very least they need to immediately increase time outs for wrong logins and start force migrating to a user name / password system.
    Freedom Promo Everywhere 50 - 35% FNF = $32.50 (Unlimited CAN / USA Roaming Calls and Data)
    Public Mobile 30 - $2 Autopay - $5 Loyalty = $23 (Unlimited Calls + 500MB)

  3. #3
    Join Date
    Jul 2009
    Posts
    430
    Device(s)
    Samsung s8+
    Carrier(s)
    Wind
    Feedback Score
    0
    some more comments from the person that found this

    " Great article Rose and thank you for bringing attention where it is needed. I'm quite concerned by the response of Chethan Lakshman.
    There is evidence to suggest that other people have been attacking this lax security for quite some time. Since they are not posting publicly I am guessing they are stealing the information.
    And the official response is that the customer is to blame?
    "We continue to strongly encourage our customers to use unique PIN numbers that are not easy to guess, and to change their PINs frequently to best protect their personal account information.”
    I've spoken just now to 6 people who have been in your stores since WIND was on the sign. Not a single one of them can recall even one instance of being advised the importance of a "unique PIN." You say this is strongly encouraged...
    There is no such thing as a unique PIN number when you have approximately 1.2 million subscribers and exactly 10,000 possible PINs. Even if everyone was evenly distributed among the PINs, you would actually have more of a problem...
    Changing your PIN frequently is NOT good security. It's actually the opposite. This is a common fallacy. "


    " I fully understand where you're coming from. I don't think a security professional is even required here.


    I'd say I spent a total of a full days work trying to communicate the issue in terms understandable to anyone. When I spoke with my mother for example, she immediately understood the problem.

    I also wrote to CBC on the issue.

    There is also the fact that this is a very high risk issue which modifies responsible disclosure considerably. The amount of information available at the rate in which it can be obtained could easily result in millions of dollars of exposure in hours.


    Basically I wasn't taken seriously by policy. A policy to save money. "

  4. #4
    Join Date
    Oct 2016
    Posts
    392
    Device(s)
    OnePlus 2
    Carrier(s)
    Mobilicity -> WIND -> Public Mobile -> Koodo
    Feedback Score
    0
    I'm sure other carriers such as Koodo/Public and Virgin etc. have equally leaky security standards. Just look at Koodo's/Public's self-serve account pages, they look like they came straight from the 90's.

  5. #5
    Join Date
    May 2015
    Posts
    1,221
    Device(s)
    Blackview BV8000
    Carrier(s)
    Telus & Rogers
    Feedback Score
    0
    Just from playing with the system, Freedom pages use CAPTCHAs to prevent scripting and will lock out access to your account if the wrong PIN is entered too many times.

    I understand what OP is referring to by the issue: there are only 10,000 possible combinations. But even online banking sites use 4- to 6-digit PINs, so it is not that serious.

    The *issue*, if one exists, is if the Freedom website allows multiple attempts, but from looking it does not appear to be the case.
    Public $120 Province Wide + 12GB - $6 Autopay - $9 Loyalty - $45 Refer = $20 per Month
    Telus SK North American Wide 7GB = $65
    Chatr (Mobi) $40 North America Wide + 6GB + 30 Mins Roaming
    Freedom $35 ($37-BTS) North America Wide + 8GB + 1GB Roaming

  6. #6
    Join Date
    Jul 2009
    Posts
    430
    Device(s)
    Samsung s8+
    Carrier(s)
    Wind
    Feedback Score
    0
    More from /u/NullHumanity
    You can read all his posts to the freedom sub reddit
    It's CAPTCHA after 3, which is not unbreakable. Also there exists a method to forcibly reset the counter after one hour. This was a trivial discovery during my initial research period.


    A skilled attacker would find this, and would be almost guaranteed to have a CAPTCHA bypass method at their disposal. 5 requests per hour is still going to result in a lot of account details being found.


    I added very large delays in my script so as not to stress the login server and I was still seeing a new success every 30 or so seconds.


    I would say a skilled attacker could breach an account and extract data 200 times per minute on a mid level machine.

  7. #7
    Join Date
    May 2015
    Posts
    1,221
    Device(s)
    Blackview BV8000
    Carrier(s)
    Telus & Rogers
    Feedback Score
    0
    @rickyis91 maybe
    But simply changing to a password instead of a PIN is just as useless.
    Most people recycle passwords all the time, and common-word dictionaries can easily brute force their way in.

    I think the OP is making this issue bigger than it is for the attention
    There is an issue but not such a serious one as they made it sound

  8. #8
    Join Date
    Dec 2007
    Location
    SW Ontario
    Posts
    1,769
    Device(s)
    RIM9790
    Carrier(s)
    Wind
    Feedback Score
    0
    There's only so much you can do with a 4 digit PIN.

    Sent from my LG-H933 using HoFo mobile app
    --------------------------------
    Un petit d'un petit
    S'étonne aux Halles
    Un petit d'un petit
    Ah! degrés te fallent

    Old French Proverb from the book of; Mots D'Heures Gousses Rames

    (I am the Stig!)

  9. #9
    Join Date
    Nov 2006
    Posts
    197
    Carrier(s)
    Public / Freedom / T-mobile
    Feedback Score
    0
    The problem is that there appear to be multiple factors combined which make Freedom insecure compared to other providers.

    1. Freedom allows login using the phone number, which cannot be disabled.
    2. Freedom CNAC phone number lists are readily available, i.e. xxx-500-xxxx, xxx-440-xxxx.
    3. Freedom only allows a 4-digit PIN as the password.
    4. There is apparently a way to reset the failed logins after 1 hour, and CAPTCHAs are easily bypassable.


    These factors combined make it very easy for an attacker to brute force their way into Freedom's system.

    I don't really care that much about a Freedom account, but sensitive information such as name, DOB, email and billing address is available via the API, which allows for identity theft.

  10. #10
    Join Date
    Sep 2015
    Posts
    77
    Feedback Score
    0
    Quote Originally Posted by Mr.Peppermint View Post
    Just from playing with the system, Freedom pages use CAPTCHAs to prevent scripting and will lock out access to your account if the wrong PIN is entered too many times.

    I understand what OP is referring to by the issue: there are only 10,000 possible combinations. But even online banking sites use 4- to 6-digit PINs, so it is not that serious.

    The *issue*, if one exists, is if the Freedom website allows multiple attempts, but from looking it does not appear to be the case.
    While you are correct that an account will be locked after the PIN is entered incorrectly too many times, the issue is not being able to brute force the PIN for a single account.

    Ex:
    321-555-0147, PIN: 0000
    321-555-0147, PIN: 0001
    321-555-0147, PIN: 0002
    ...
    Then 321-555-0147 gets locked out after a few attempts and no more PINs can be guessed...so it's safe, right? No.

    How about choosing a common PIN, let's say 1234 or perhaps the last 4 digits of a person's phone number. It is easy to figure out which numbers are allocated to Freedom, let's use 321-555-#### for the example.

    Now:
    321-555-0000, PIN: 1234
    321-555-0001, PIN: 1234
    321-555-0002, PIN: 1234
    ...

    No account is being tried more than once, therefore there are no lockouts. However, a vast amount of personal information can be obtained from this system extremely easily.

    The best solution for now seems to be choosing an obscure and completely random PIN and hoping for the best. That does not guarantee anything though, as an attacker might start trying random PINs after they have already gotten data from accounts with common ones. Any account that has already been accessed can be removed from the list, so on each new iteration there are fewer accounts to try. A permanent fix is to replace the PIN with a password, which has much greater entropy.

    A bank is not a good analogy in this situation because the username or card number is not as easily guessable as the phone numbers. One would also hope that a bank would have better intrusion detection to prevent an attack like the one outlined here. Additionally, most banks are now realizing that having a low entropy PIN is not a good idea and are moving away from PIN based online logins.
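    The difference between the vertical guessing that a per-account lockout stops (post #5) and the horizontal "one guess per account" spraying described in post #9 and post #10 is easy to see in a small simulation. The following is an added example written for this thread; it is not code from the original posts, from NullHumanity, or from Freedom Mobile. The subscriber list, phone numbers, PINs, the 3-attempt lockout threshold, the attacker/"alice-home" source labels and the 10-account alert threshold are all constructed assumptions, chosen only so the run is deterministic.

```python
"""Toy model of phone-number + 4-digit-PIN login with a per-account lockout,
the two attack patterns discussed in the thread, and a per-source detector
that sees the spraying pattern a per-account counter cannot.
All data below is constructed; nothing here is real subscriber data."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 3        # assumption: lock an account after 3 wrong PINs
SPRAY_ALERT_ACCOUNTS = 10    # assumption: alert if one source fails on >10 accounts


def build_accounts(n=100):
    """Constructed subscriber base 321-555-0000 .. 321-555-0099.
    Every 33rd line gets the common PIN 1234 (about the ~3% rate reported
    later in the thread); the rest get a deterministic, non-obvious PIN."""
    accounts = {}
    for i in range(n):
        phone = f"321-555-{i:04d}"
        accounts[phone] = "1234" if i % 33 == 0 else f"{(i * 7919) % 10000:04d}"
    return accounts


class PinLoginService:
    """Login keyed on phone number, with a failure counter per account only."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.failures = defaultdict(int)
        self.locked = set()
        self.log = []                    # (source, phone, outcome) per attempt

    def login(self, source, phone, pin):
        if phone in self.locked:
            outcome = "locked"
        elif self.accounts.get(phone) == pin:
            outcome = "ok"
        else:
            outcome = "fail"
            self.failures[phone] += 1
            if self.failures[phone] >= LOCKOUT_THRESHOLD:
                self.locked.add(phone)
        self.log.append((source, phone, outcome))
        return outcome


def vertical_attack(svc, phone, source="attacker"):
    """Try 0000, 0001, ... against a single account.
    Returns (final outcome, number of guesses the service actually evaluated)."""
    for guess in range(10000):
        outcome = svc.login(source, phone, f"{guess:04d}")
        if outcome == "ok":
            return "ok", guess + 1
        if outcome == "locked":
            return "locked", guess       # stopped by the per-account counter
    return "fail", 10000


def spray_attack(svc, phones, pin="1234", source="attacker"):
    """One guess per account: no account ever reaches the lockout threshold."""
    return [p for p in phones if svc.login(source, p, pin) == "ok"]


def detect_spraying(log, max_accounts=SPRAY_ALERT_ACCOUNTS):
    """Flag sources whose failures span many distinct accounts.  This is the
    view a per-account lockout never has; it needs a per-source or global
    counter over the authentication log."""
    failed_accounts = defaultdict(set)
    for source, phone, outcome in log:
        if outcome == "fail":
            failed_accounts[source].add(phone)
    return sorted(s for s, accts in failed_accounts.items() if len(accts) > max_accounts)


def run_demo():
    accounts = build_accounts()
    svc = PinLoginService(accounts)
    vertical = vertical_attack(svc, "321-555-0001")          # ('locked', 3)
    # a legitimate user who mistypes once must not trip the spray detector
    svc.login("alice-home", "321-555-0002", "0000")
    svc.login("alice-home", "321-555-0002", accounts["321-555-0002"])
    compromised = spray_attack(svc, list(accounts))          # the four 1234 accounts
    return {
        "vertical": vertical,
        "compromised": compromised,
        "locked_after_spray": sorted(svc.locked - {"321-555-0001"}),
        "flagged_sources": detect_spraying(svc.log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

    The vertical attack is stopped after three guesses, while the spray walks the whole number range, recovers every account whose PIN is 1234 and leaves no account locked, exactly the pattern post #10 describes. The per-source detector does catch it here, but only because the attacker uses one source label; post #6 already notes that a skilled attacker has CAPTCHA bypasses and a counter reset, and rotating source addresses defeats a per-source view in the same way. A global rate of failed logins across distinct accounts, or of successes for a single PIN value, is the signal that survives that; the underlying fix remains replacing the 4-digit PIN with a higher-entropy credential, as the post says.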

  11. #11
    Join Date
    Jul 2009
    Posts
    430
    Device(s)
    Samsung s8+
    Carrier(s)
    Wind
    Feedback Score
    0
    Update from NullHumanity


    I'm told that the OPC has launched an investigation and the officer conducting the initial report is agreeing that the PINs need to change.


    Progress...

  12. #12
    Join Date
    Jul 2009
    Posts
    430
    Device(s)
    Samsung s8+
    Carrier(s)
    Wind
    Feedback Score
    0
    UPDATE: from NullHumanity
    It appears that Freedom Mobile will not be fixing this issue. An old friend of mine who brought this to my attention originally is now speaking with the OPC directly and will be following this through until completion.
    As I understand it, this may be read. All 2,106 phone number/PIN combos I found existed in a total of just over 70,000 phone numbers. These phone numbers did not all belong to Freedom. In fact, my script just incremented by one each time. The only PIN I tried was 1234. I believe the number of PINs being 1234 has a lot to say about just how little customers were aware of the importance of a hard-to-guess PIN.
    Security exists only where we create it. If you trust your customers to create their own password, you had best not trust that input to be secure. That's the number one rule for a developer, DO NOT TRUST USER INPUT. A PIN is user input. That's why you force character length, character diversity, and anything else that forces a user to have a hard-to-guess password.

  13. #13
    Join Date
    May 2015
    Posts
    1,221
    Device(s)
    Blackview BV8000
    Carrier(s)
    Telus & Rogers
    Feedback Score
    0
    Quote Originally Posted by 3ethanh View Post
    Now:
    321-555-0000, PIN: 1234
    321-555-0001, PIN: 1234
    321-555-0002, PIN: 1234
    ...

    No account is being tried more than once, therefore there are no lockouts. However, a vast amount of personal information can be obtained from this system extremely easily.
    Ah see this is the part I missed

    Because yes in that scenario trying a few common pins such as 1234 or 0000 would be far more likely to work

    Quote Originally Posted by 3ethanh View Post
    A bank is not a good analogy in this situation because the username or card number is not as easily guessable as the phone numbers.
    Although this is tougher, all you need to know is a person's email + PIN, and there certainly are enough email lists out there to guess bank access.
    Bank has better intrusion detection though I suspect

  14. #14
    Join Date
    Aug 2008
    Location
    Alberta
    Posts
    3,371
    Carrier(s)
    Value
    Feedback Score
    0
    U.S. Carriers Creating Stronger Tool to Verify Customer ID
    Phone Scoop, Mar 2 2018

    All four major carriers in the U.S., AT&T, Sprint, T-Mobile, and Verizon Wireless, are building a "multi-factor authentication" method that will rely on people's cell phones to gain account access. The system, which has been in development since last September, is expected to launch before the end of the year. The goal is to cut back on identity theft and fraud enabled by weak or exposed passwords. The carriers said it will employ a "cryptographically verified phone number" that assesses data including device IP, SIM card, account, and how long customers have been with the carrier...

    --
    2FA by way of SMS code sent to the account holder's phone should do it, wouldn't you think?
    disabling phone # userID with 4 digit PIN seems obvious enough, and urgent
    Koodo does email ID & password only, why not Freedom?
