Attackers are always looking for new ways to get access to users’ bank accounts and mobile devices, but sometimes the old ways are best. A researcher has discovered a serious security flaw in mobile provider FreedomPop’s site that allows an attacker to take complete control of a victim’s mobile account.

Paul Moore, a security researcher and consultant in the U.K., found the vulnerability and reported it to the company, which has not fixed it yet. FreedomPop’s network is not a typical mobile network: users’ calls and texts go over a VoIP network rather than the wireless infrastructure, while data traffic uses a normal mobile network. FreedomPop bills its services as completely free, and customers can even bring their own devices to the network.

Moore found a method that allows an attacker to compromise a user’s account and make and receive calls and texts.

“It is currently possible to remotely hijack any FreedomPop account, allowing both calls & messages to be made/intercepted by an attacker. No usernames, no passwords and no SIM swapping… just unfettered access to a user’s communications,” Moore wrote in a post on the problem.

Because the vulnerability has not been patched yet, Moore is not detailing the exact nature of the problem or how it can be exploited. But he also discovered a vulnerability in Halifax Bank’s Web site that could be used in conjunction with the FreedomPop issue to get access to a victim’s bank account, as well.

“A serious (yet remarkably simple) vulnerability in the Halifax site allows an attacker to execute arbitrary & external scripts. This gives the attacker complete control over the victim’s environment; changing links, buttons, text and crucially… perform actions as if they’re the genuine user,” Moore wrote.

In an example in his post, Moore showed a screen shot of a doctored Halifax site that included a small section urging the user to upgrade to a Premier+ account, which doesn’t exist.

“No security warnings, no outward signs at all that we’re looking at a page controlled entirely by an attacker,” Moore wrote.

Halifax, like many financial institutions, uses calls to a customer’s mobile number as a form of verification for changes to an account. So in theory, if a victim fell for the ruse on the compromised banking site and an action was performed on his account, he would get a call confirming it. However, if the victim also is a FreedomPop customer, the attacker could hijack the victim’s mobile account and intercept that confirmation call himself, negating the value of that second verification step.

Moore said that Halifax, which is part of Lloyds Banking Group, is working on a fix for the problem, but does not expect to have it ready for another three to four weeks. He has been in communication with FreedomPop as well, but has not gotten any response from the company for more than a month.

FreedomPop did not respond to a request for comment.

“The FreedomPop flaw is remotely exploitable and would be fairly easy to mitigate, at least in the interim. There are numerous other issues (lack of TLS, insecure sessions etc) which also need to be addressed, so I’d expect this flaw to be patched during other upgrades needed to secure the site,” Moore said via email.

The combination of the two problems makes each of them more serious, Moore said.

“In isolation, the issues at Halifax do not appear to be particularly serious… though I’d question how such a basic flaw went unnoticed. When combined with other, equally simple exploits elsewhere, an attacker has a much wider window of opportunity to gain access to your communications & bank account,” he said.
