A clever Belgian guy has figured out a way to make a lot of money out of Microsoft Office 365. Sadly, it’s probably illegal, definitely improper, and Microsoft has since stopped it.
We’ve talked about two-factor authentication and recommended it for anyone with a Microsoft Account, especially with Office 365. ‘2Fac’ makes it a lot harder for someone to steal your account.
Arne Swinnen, a Belgian security researcher, realised that two-factor authentication can be done by the service provider (Microsoft, Google, Instagram/Facebook etc.) making a phone call to you and reading out the authentication code. That’s not the usual method; the code normally comes from an authenticator app, an email or a text message.
Mr Swinnen set up some ‘premium rate’ phone numbers, which charge the caller a high price per minute and pay that money to the number’s owner. He then registered those numbers as the phone-call option in two-factor authentication.
The result? Each time Microsoft (or another provider) called to read out a security code, the call was billed at the premium rate of EUR 0.15 / USD 0.16 / AUD 0.22 per minute.
That sounds trivial, but Arne found that the call could be requested over and over, and the requests automated, so a script could keep the premium line busy tirelessly, 24/7.
And you could set up multiple accounts, each using the same premium number, so Microsoft could be tricked into calling that one number many times, simultaneously.
There was a block in place to stop the same number being called too often, but Arne found that adding zeros in front of the real number fooled Microsoft’s system into dialling anyway, and so did adding some digits after the number. The rate limiter treated each of those spellings as a different number, while the telephone network still routed every one of them to the same premium line.
With all those combinations, a single Microsoft account could be fooled into calling a premium rate number over 13 million times. Remember, all of this can be automated, so an unattended computer could earn, in theory, almost ¾ of a million US dollars.
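The weak spot is canonicalisation: a rate limiter that counts calls per string the user typed is defeated by any spelling the phone network treats as the same number. The following is an added illustration written for this page, not code from Swinnen’s writeup or from Microsoft, showing a limiter keyed on the raw string beside one keyed on the normalised destination and shared across accounts. The country-code length table, the three-calls-per-hour limit and the Belgian-looking number are constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed lookup: country code -> (min, max) digits in the national number.
# A real deployment would use full numbering-plan metadata (e.g. libphonenumber);
# these three entries are an illustrative assumption only.
NATIONAL_LENGTH = {"32": (8, 9), "44": (10, 10), "1": (10, 10)}


def canonicalize(raw: str) -> Optional[str]:
    """Reduce a dialable string to one E.164-style key, or None if it is not a
    plausible number. Every spelling the network would route to the same line
    must map to the same key, otherwise the limiter can be bypassed."""
    digits = re.sub(r"\D", "", raw)   # drop '+', spaces, dashes, brackets
    digits = digits.lstrip("0")       # '00', '000', ... all mean 'international'
    # Longest country code first so a 2-digit code is never mistaken for a 1-digit one.
    for cc in sorted(NATIONAL_LENGTH, key=len, reverse=True):
        if digits.startswith(cc):
            national = digits[len(cc):]
            lo, hi = NATIONAL_LENGTH[cc]
            # Many carriers silently ignore extra trailing digits, so an
            # over-long number must be rejected here, not treated as a new one.
            if not (lo <= len(national) <= hi):
                return None
            return "+" + cc + national
    return None


class NaiveCallLimiter:
    """Sliding-window limiter keyed on the string exactly as typed (the weak design)."""

    def __init__(self, max_calls: int, window_s: float) -> None:
        self.max_calls, self.window_s = max_calls, window_s
        self.calls: Dict[str, List[float]] = defaultdict(list)

    def key_for(self, raw: str) -> Optional[str]:
        return raw

    def allow(self, raw: str, now: float) -> bool:
        key = self.key_for(raw)
        if key is None:
            return False
        recent = [t for t in self.calls[key] if now - t < self.window_s]
        if len(recent) >= self.max_calls:
            self.calls[key] = recent
            return False
        recent.append(now)
        self.calls[key] = recent
        return True


class CanonicalCallLimiter(NaiveCallLimiter):
    """Same window, but keyed on the canonical destination. Because the key is
    the destination and not (account, string), accounts that share one premium
    number also share one budget."""

    def key_for(self, raw: str) -> Optional[str]:
        return canonicalize(raw)


# Constructed attacker input: six spellings of one made-up Belgian number,
# including leading international zeros and appended junk digits.
VARIANTS = [
    "+32 470 12 34 56",
    "0032470123456",
    "000032470123456",
    "+32-470-123-456",
    "+3247012345699",        # two extra digits appended
    "0032 470 12 34 56 7",   # one extra digit appended
]


def calls_placed(limiter: NaiveCallLimiter, variants: List[str], now: float = 0.0) -> int:
    """How many of the variants would actually trigger an outbound call."""
    return sum(1 for v in variants if limiter.allow(v, now))


if __name__ == "__main__":
    print("naive limiter    :", calls_placed(NaiveCallLimiter(3, 3600.0), VARIANTS))
    print("canonical limiter:", calls_placed(CanonicalCallLimiter(3, 3600.0), VARIANTS))
```

With a budget of three calls per hour, the naive limiter places all six calls because every spelling is a fresh key; the canonical limiter collapses the four valid spellings to one key, allows three of them, and rejects the two over-long variants outright.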
It’s amazing that Microsoft, and other companies, didn’t have better protections in place to cover these possibilities.
To its credit, Microsoft moved fairly quickly to close the loopholes (though it took some prompting to fix them all). Redmond paid its usual bounty for the report, even though this particular bug didn’t compromise customer data.
Compare that to Instagram/Facebook which took 3 months just to acknowledge there was a problem!
Or Google, which refused to acknowledge there was a problem at all. It denied Arne the usual reward by sticking to the strict terms of its bounty program, which covers only bugs that could lead to a breach of customer data. That sounds remarkably ungracious and stingy. In the circumstances, Google’s offer to put Arne in its ‘Hall of Fame’ sounds more like an insult than a reward.