o2 Germany promotes SMS-Phishing

[pentest () i4mail informatik rwth-aachen de]

= Advisory: o2 Germany promotes SMS-Phishing =

RedTeam likes to point out that certain text messages ("SMS") recently
sent by the cellphone network operator "o2 Germany" to some of its
customers might promote SMS-Phishing. RedTeam expects SMS-Phishing to
spread even more and become a severe problem. 

== Details ==

Security-Risk: Successful SMS-Phishing
Vendor-URL: http://www.o2online.de/
Vendor-Status: informed
Advisory-URL:
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-009.txt
German Version:
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-009-de.txt


== Introduction ==

The cellphone network operator o2 Germany recently sent text messages
("SMS") to their customers, asking them to reply to these messages to
get their mobile phones configured for additional features - in this
instance the Multimedia Messaging Service ("MMS").
This makes it very easy for ill-meaning 3rd-parties to send officially
looking text messages to o2-customers, making them answer to a number
liable with costs, using so-called Premium-SMS numbers.

== More Details ==

o2 sent some of its customers the following two text messages:
"Sehr geehrter <customer-name>, Ihr Handy ist zum Versand und Empfang
von MMS-Nachrichten (Text und Fotos) geeignet."
"Falls Ihr Handy nicht richtig eingestellt ist, ueberspielen wir Ihnen
kostenlos die Einstellungen. Bitte antworten Sie gratis auf diese SMS
mit HANDY. o2-Team."

Translation:
"Dear <customer-name>, your cell-phone is able to send and receive
MMS-messages (text and fotos)."
"In case your cell-phone isn't configured properly we will update your
phone to the correct settings for free. Please answer to this text
message with HANDY. o2-team."

"Premium SMS" is a possibility to pay small amounts of money by sending
a text message to the vendor (so-called "Mobile Originated-Billing")
quite like Premium-Phonenumbers. In the beginning the german
payment-providers agreed on prices from 0.29 - 3.00 Euros per received
text message. Currently one text message can cost up to 4.99 Euros. But
this may rise, as there are no laws limiting the prices. The money is
shared between the network-provider, the payment-provider and the
vendor. The latter gets the largest share.
This makes it quite lucrative to send text messages from a
Premium-number and trick the receiver into answering to it (so-called
SMS-Phishing).

On the internet, eCommerce and online-banking sites have learned the
hard way never to send any emails to their customers linked to their
websites. But obviously other communities, like cellphone network
providers, have missed that lesson. 

That's why RedTeam considers it extremely harmful if a network-provider
asks its customers to answer to a text message. The customers will get
used to it and be easier victims. RedTeam expects SMS-Phishing to spread
even more and become a severe problem. 

== Proof of Concept ==

Imagine an attacker sending o2-customers a text message saying the
following:
"Hello! Due to maintainance an update of your SMS-configuration becomes
necessary. To be able to receive text messages in the future, please
reply to this message with UPDATE. We will then send you your new
configuration for free. o2-team."
The attacker could also include the customer's name to make it seem more
credible. Cell-phone-numbers and names can be easily connected through
search engines.

== Piece of Advice ==

Network-providers should not request their customers to answer to a text
message. Instead they should make public that they never ask their
customers to answer to a text message. (This is analogous to what banks
do regarding email and PIN-/TAN-numbers.)

If it is necessary for a network-provider that its customers agree to
receive something (e.g. a new configuration) RedTeam suggests this
course of action:
The provider sends the customer a text message with an individual code.
The customer has to enter this code, along with his cell-phone-number,
on the provider's website. The provider can then be sure that the
customer wants to use the service without making the customer a
prominent target for phishing. 

== Security Risk ==

According to RedTeam the risk is in the high trust-level a
network-provider probably has among its customers. Many of the customers
are likely to act on the requests of their provider. Now that o2 Germany
has in fact sent its customers a text message asking them to answer, it
is very easy for an attacker to pretend to be o2 and abuse o2's
trust-level. 

== History ==

17. 03. 2005 - RedTeam becomes aware of the o2-campaign
23. 03. 2005 - This Advisory is published


== RedTeam ==

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find
more Information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/