Information Security Asked by MyUserName on October 28, 2021
One of the common way of implementing 2FA is using phone number Text message or Call with OTP. As I can see, usually web services show something like:
OTP was sent to the number +*********34
Is it done because revealing the number is considered a vulnerability?
If yes, then which one and is it described anywhere?
I guess it has something to do with not wanting to show too much info about the user. This info might be used for social engineering but maybe there is something else?
Having a link to a trusted location with the description would be great as well.
Keep in mind that security of a phone number may be different with different mobile phone operators. You don't know how seriously some other unrelated to you organization takes security. This is especially so if your clients are residents of distant countries and you know very little about how operators work there. In my country it is possible to come to a mobile phone operators center and persuade folks into simply giving you the SIM-card of desired phone number. All you need to give them is fake passport copies and they may not bother checking them. So no need for some fancy 0-day vulnerabilities and hacking skills, just talk to some unrelated people. This happened a lot in the past and is a huge security problem. Some people lost access to their sites or domain names because of it and lost huge amounts of income. Hackers used phone number-based single-factor authentication to gain access to their accounts and steal them.
I would give you links to examples but they're in a different language and I don't want be accused of defamation.
Long story short: phone number protection is not good at all, at least when it's a single factor IMHO.
Answered by Gherman on October 28, 2021
I am not an expert But when I have to change the password of my google accounts. They always tell me that the OTP has been sent to this specific number.
I have Different Mobile numbers. And I don't remember what phone number I used on a website. some old websites have sent the OTP to the phone number that I don't own now then that will be a problem if they didn't show what number they are sending the OTP to.
So I would recommend showing the number linked to the account they want to change their password of.
at last, I would say that there are thousands vulnerability But we do not take them to account because the probability of happening is minute and not worth the inconvenience caused by it
Answered by yatharth mheshwari on October 28, 2021
Well, the thing that all of us agree is that by showing the full phone number, the application is leaking sensitive information about the user. I don't know what regulation apply to your country however based on the GDPR European regulation phone number are considered as personal info an as such should be handled appropriately. This means that if the phone number is revealed to an other user the application/website is not GDPR compliant. Again I don't know what regulations apply in your specific case but I think it useful to have that in your mind when developing your application.
Now let's consider the scenario in which malicious user TRUDY has somehow landed in the OTP screen and a message appears A Otp was send to +30 0000000001
what can TRUDY do with that?
I can think of 4 scenarios
Your_company.com Click on the link to insert otp/password
and other phishing emails.From what country/state are you from
. Of course this is not the most likely scenario and requires TRUDY to specifically invest time for this user.To conclude as long as TRUDY can not use the phone number to gain further access in your system I would argue it not to be a vulnerability.
Answered by Vasilis Konstantinou on October 28, 2021
If the full number were listed then I could visit your account, request a new password, and know your phone number. The last two digits are a tradeoff that permit you to know its (likely) your number without giving away your phone number to anybody who wants to view it on the website.
Answered by Jeff Ferland on October 28, 2021
The primary attack method against text message OTP is to 'sim swap' and take over the target's phone number. If the site provided the full number in this scenario, they'd be giving the attacker exactly the information they need to break the security being used.
(To lift up comments: In general, more personal information is needed, if you're going to social engineer telecom staff into swapping the SIM. In some places and under some carriers, it's even harder than that, requiring ID to be presented in person. But there are also cases where nothing more than the phone number is required, even with enhanced protections in place, if the telecom staff are colluding with the attackers.)
Answered by gowenfawr on October 28, 2021
This is not about a "vulnerability". This is about personally identifiable information (PII). It's the same reason why credit cards numbers are not displayed in full on sites either.
Anyone passing by your screen, cameras recording, etc, would see the info. And it's not necessary to show the whole number. It's just there as a reminder to the user.
Answered by schroeder on October 28, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP