• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

200 Swedish municipalities impacted by a major cyberattack on IT provider

 | 

TransUnion discloses a data breach impacting over 4.4 million customers

 | 

NSA, NCSC, and allies detailed TTPs associated with Chinese APT actors targeting critical infrastructure Orgs

 | 

UNC6395 targets Salesloft in Drift OAuth token theft campaign

 | 

Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775

 | 

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

 | 

Healthcare Services Group discloses 2024 data breach that impacted 624,496 people

 | 

ESET warns of PromptLock, the first AI-driven ransomware

 | 

China linked UNC6384 targeted diplomats by hijacking web traffic

 | 

Farmers Insurance discloses a data breach impacting 1.1M customers

 | 

Citrix fixed three NetScaler flaws, one of them actively exploited in the wild

 | 

Auchan discloses data breach: data of hundreds of thousands of customers exposed

 | 

U.S. CISA adds Citrix Session Recording, and Git flaws to its Known Exploited Vulnerabilities catalog

 | 

Docker fixes critical Desktop flaw allowing container escapes

 | 

Malicious apps with +19M installs removed from Google Play because spreading Anatsa banking trojan and other malware

 | 

Pakistan-linked APT36 abuses Linux .desktop files to drop custom malware in new campaign

 | 

Android.Backdoor.916.origin malware targets Russian business executives

 | 

Electronics manufacturer Data I/O took offline operational systems following a ransomware attack

 | 

IoT under siege: The return of the Mirai-based Gayfemboy Botnet

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 59

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Abusing Two-factor authentication to steal money from Instagram, Google and Microsoft

Abusing Two-factor authentication to steal money from Instagram, Google and Microsoft

Pierluigi Paganini July 19, 2016

A security expert revealed a number of flaws in the big player’s two-factor authentication methods that could allow crooks to steal money.

Social media bug bounty hunter, Arne Swinnen, has revealed a number of flaws in the big player’s 2 factor authentication (2FA) methods that could enable a malicious user to illicit large sums of money from their phone-based verification services.

Two-factor authentication is often offered to social media users as an added layer of security in ensuring user verification.

Swinnen has reported that an attacker could abuse the security system with the purchase of a number of premium rate telephone numbers which would then be called by the authentication system on login.

The security researcher registered a premium UK number which charged at a rate of £0.06 and managed to make £1 in 17 minutes via Instagram’s two-factor authentication service.

two-factor authentication flaws hacking

The pay-out screen for Swinnen’s premium rate UK number

Instagram allows users to link a mobile phone number to your account, once activated, the 2 factor authentication system sends a 6 digit pin to your number, if this is not used in 3 minutes of sending, a call is placed to the number saved, in Swinnen’s case, his UK premium rate number.

two-factor authentication flaws hacking 2

Instagram’s 6 digit pin code (left) and the activation call appearing on the saved phone number (right)

By itself this method could reportedly earn up to £17,000 per year. Each call lasts around 17 seconds and the system limits its rate monitoring to one call every 30 seconds, however, a dedicated attacker with 100 accounts and premium rate numbers could potentially earn £1 Million in a year.

Facebook awarded Swinnen $2000 for the discovery of this method however initially reported that they will not be looking to make any changes to their rate limiting and monitoring technologies as a result.

The social media giant’s first response was “This is intentional behavior in our product. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”

When the discussion was raised regarding an attacker using an increased number of accounts Facebook commented “Thanks for following up — because these requests are routed through a dedicated service for monitoring and blocking abuse, “intentional behavior” in this case is considered “accepted risk”. Generally speaking, attacks that depend on multiple accounts under attacker control fall under the “spam or social engineering techniques” category of ineligible reports for the whitehat program.”

They later went on to concede “Hello again! We’ll be doing some fine-tuning of our rate limits and work on the service used for outbound calls in response to this submission, so this issue will be eligible for a whitehat bounty. You can expect an update from us again when the changes have been made. Thanks!

(…)
We have looked into this issue and believe that the vulnerability has been patched (rate limits adjusted and some additional monitoring in place).”

Google also allow users to receive their two-factor token codes in a voice call, each call in this case lasts approximately 35 seconds and the rate is limited to 10 per hour.

In two hours, the research earned €1, calculated over a year with 100 unique accounts and matching numbers, this has the potential to net a not insignificant €400,000.

Although the find merited Swinnen to be listed in their hall of fame, the search engine giant ruled that the discovery did not warrant a monetary reward. Google stated that they had a contingency in place for mitigating fraudulent transactions such as these and deemed it impossible to totally eradicate the threat of malicious players exploiting their authentication systems in this manner.

Google also stated charitably that money is less important to them than user security.

The research also covered Microsoft’s 365 trial accounts which allows users to verify themselves via a voice call. Microsoft paid the researcher $500 for discovering that although a user could enter a premium number, the number was later blocked following 7 failed registration attempts.

This was circumvented by entering a premium number with up to 18 zeros in front of the actual number itself. Zero pairs could also be replaced with international dial prefixes and the call would still go through. It was also discovered that up to 4 random digits could be appended to the number and that Microsoft wouldn’t notice that the number had been dialed many times before.

This attempt earned €1 in less than a minute, Microsoft addressed the vulnerability by amending the service to prevent uses from adding addition digits to an actual phone number.

Written by: Steven Boyd

Steven BoydSteven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Two-factor authentication, cybercrime)

[adrotate banner=”12″]


facebook linkedin twitter

Cybercrime Google Hacking Instagram Microsoft two-factor authentication

you might also like

Pierluigi Paganini August 28, 2025
200 Swedish municipalities impacted by a major cyberattack on IT provider
Read more
Pierluigi Paganini August 28, 2025
TransUnion discloses a data breach impacting over 4.4 million customers
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    200 Swedish municipalities impacted by a major cyberattack on IT provider

    Security / August 28, 2025

    TransUnion discloses a data breach impacting over 4.4 million customers

    Data Breach / August 28, 2025

    NSA, NCSC, and allies detailed TTPs associated with Chinese APT actors targeting critical infrastructure Orgs

    Intelligence / August 28, 2025

    UNC6395 targets Salesloft in Drift OAuth token theft campaign

    Hacking / August 28, 2025

    Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775

    Hacking / August 27, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT