Published on September 16th, 2020
Accidental Airbnb account takeover linked to recycled phone numbers
It’s a flaw that can result in account takeover, credit card theft and privacy leaks, and yet it has gone unaddressed for years on certain websites and online apps.
The scenario works like this: A mobile device owner attempts to register an account on a website or web app, using a phone number that was recently assigned to him by a telecom carrier. But that phone number previously belonged to a different phone owner who at one time also signed up for the same web service. Instead of creating a new account, the new device owner is logged into the account of the phone number’s original owner.
“It’s probably one of the oldest vulnerabilities with regards to mobile phone numbers… and identity,” said Marc Rogers, executive director of cybersecurity at Okta.
It’s almost as if the new device owner has pulled off a SIM swap scam — only there was no intent of deception. Nobody tricked the wireless carrier into reassigning a victim’s phone number to another device. It just happened by chance.
Still, a less ethical person might take advantage of the situation by perusing the stranger’s online account for their payment card information or personal details. This is what compelled one concerned citizen to contact SC Media last week after her husband encountered this very flaw while registering an account with online vacation rental marketplace Airbnb.
“When we went to the Airbnb site to sign up, the site gave us a few options to register as a new user. The first option on the list is by phone number,” the tipster, who wishes to remain anonymous, reported. “So we went ahead and typed in my husband’s phone number — which he obtained last May, not too long ago.”
Her husband then was sent a four-digit verification code to enter the site, and “boom! We were logged in to another user’s account,” she said.
That account belongs to a stranger whose valid credit card information, email address, phone number and other personal details were all accessible to the tipster and her husband — apparently all because the stranger had previously owned the husband’s phone number.
When SC Media contacted Airbnb last Friday regarding the complaint, a spokesperson said the company would address the issue and on Tuesday followed up with a statement: “We’ve developed a resolution for the reported issue involving recycled phone numbers and new account sign ups, which fortunately only affected a very small number of our users. We are constantly evaluating and improving our protections and are committed to strengthening the security controls of our platform.”
But the tipster disagreed and said the problem was not resolved. She said she determined this not by logging into the stranger’s account again, but by attempting to sign up for a new Airbnb account using her own phone number (not her husband’s), even though she already had an account registered with that number. Instead of creating a new account, she was logged in to her own previously existing account, she told SC Media.
Moreover, she said she never received any alerts from Airbnb notifying her of this anomalous account login activity — and therefore concluded that the stranger whose account was accidentally hijacked probably never did either.
The tipster sent SC Media numerous screenshots of the Airbnb website as evidence of this accidental account takeover as well as images of her chat activity with Airbnb online support. At one point, the support team member tells the tipster that the only way for the husband to create his own account is to register with a different phone number, apparently because his own number was still associated with the stranger’s account.
As it turns out, websites and apps have experienced this commonplace problem for years.
“Phone numbers are recycled more frequently than before, especially with the explosion of new devices that require SIM cards,” Rogers explained.
Telecom companies try to avoid problems associated with recycling disowned numbers by taking those numbers out of service for a period of time before recycling them. (The FCC requires a minimum of 90 days.) However, this is not a panacea, and so it is advisable that website and web app developers — along with web account owners — follow best practices to help alleviate the issue.
Many don’t, though. Indeed, messaging service WhatsApp has reportedly also experienced the same problem of logging individuals with recycled phone numbers into other people’s accounts.
In certain cases, website or app operators could find themselves in violation of GDPR or Payment Card Industry data security standards if users’ information were to be exposed, Rogers said.
Best practices for developers, users
For starters, web and app developers should freeze accounts after a period of inactivity. That way, entering a reused phone number months after an account goes dormant can’t just automatically revive it.
“Best practice dictates that if you have a user account go silent for more than a set amount of time — especially an account that’s associated with payment details — you should lock it,” said Rogers, “because that user has gone away.”
“At the very least, if the user appears to come back, force them to go through a re-registration process to prove that they’re the same person,” Rogers continued. “But this isn’t happening in some cases, and there are quite a few high-profile applications out there that hang on to users’ information, almost indefinitely.”
In the case presented by the tipster, it’s unclear whether or not the stranger whose account was accidentally accessed is still actively using her Airbnb account, despite no longer using the phone number she originally registered it with. If she has been actively using her account, then Rogers’ suggestion for Airbnb to lock down dormant accounts wouldn’t alone have prevented the accidental account takeover.
Still, there is more even companies like Airbnb can do. Namely, they can add a second factor of authentication when registering or re-registering for an online web service. “It should ask for additional information, especially when viewing things like financial payment systems,” said Rogers. Simple proof that you physically possess the phone isn’t sufficient in the situation presented by the tipster: “Well, of course you’re in possession of the phone,” said Rogers. After all, the phone number was assigned to you.
Proactive login alerts that inform account-holders when anomalous new login activity is taking place could also prove to be a useful security measure to warn of possible account takeovers before any damage is done.
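The following added example (not Airbnb's code, nor anything from the article) models the phone-number sign-up flow described above: a vulnerable version that logs the caller into whichever account holds the number, beside a hardened version that freezes dormant accounts, forces re-registration, alerts the owner and demands a second factor. The 90-day dormancy limit, the account records and the phone numbers are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
DORMANCY_LIMIT = timedelta(days=90)  # policy value assumed for this example

@dataclass
class Account:
    account_id: str
    phone: str
    email: str
    last_active: datetime
    locked: bool = False

def vulnerable_phone_signup(accounts, phone, otp_ok):
    # The flaw in the article: a valid OTP logs the caller into whichever
    # account currently holds the number, with no further identity check.
    existing = next((a for a in accounts if a.phone == phone), None)
    if not otp_ok:
        return ("denied", None)
    return ("login", existing.account_id) if existing else ("create_new", None)

class HardenedPhoneSignup:
    def __init__(self, accounts, now):
        self.by_phone = {a.phone: a for a in accounts}
        self.now = now
        self.alerts = []  # (email, message) pairs a real service would send out of band

    def signup(self, phone, otp_ok, second_factor_ok=False):
        if not otp_ok:
            return ("denied", None)
        account = self.by_phone.get(phone)
        if account is None:
            return ("create_new", None)  # number unknown: a genuine new user
        if self.now - account.last_active > DORMANCY_LIMIT:
            account.locked = True  # dormant: freeze and demand full re-registration
            return ("reregister_required", account.account_id)
        # Active account: possession of the number is not proof of identity,
        # so alert the owner and require a second factor before granting access.
        self.alerts.append((account.email, f"sign-in attempt using {phone}"))
        if not second_factor_ok:
            return ("second_factor_required", account.account_id)
        return ("login", account.account_id)

def run_demo():
    now = datetime(2020, 9, 16)  # constructed sample: a dormant stranger, an active user
    accounts = [Account("acct-stranger", "+15555550100", "s@example.test", now - timedelta(days=400)),
                Account("acct-active", "+15555550101", "a@example.test", now - timedelta(days=1))]
    svc = HardenedPhoneSignup(accounts, now)
    return {"vulnerable": vulnerable_phone_signup(accounts, "+15555550100", True),
            "dormant": svc.signup("+15555550100", True),
            "active_no_2fa": svc.signup("+15555550101", True),
            "active_2fa": svc.signup("+15555550101", True, second_factor_ok=True),
            "alerts": len(svc.alerts), "locked": accounts[0].locked}
```

In the demo the vulnerable path hands the recycled number straight to the stranger's account, while the hardened path locks that dormant account and only logs into the active one after a second factor, recording an alert to the owner on each attempt.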
An example of a company following best practices, said Rogers, is the messaging app Signal. If Signal users swap phones or change numbers on a phone, they start with an empty message history when they reinstall the app.
There is also an onus on individual account owners to change their online account details or even deactivate their accounts if they plan to drop or switch phone numbers, said Rogers. This is also potentially an important lesson for businesses, which sometimes provision and re-provision corporate-owned mobile devices to multiple employees who may go on to use those devices to register for online accounts.
“The same problem exists with mobile phones that you buy secondhand on eBay,” said Rogers, noting that he’s “picked up secondhand phones and found sensitive user information on them, even valid session IDs from major accounts.”
Better customer service on Airbnb’s part could have also helped the tipster, who was frustrated by multiple misunderstandings while talking to a customer support agent. At one point, the representative mistakenly thought the tipster was asking if she could complete a third-party booking. Then later, the rep incorrectly addressed the tipster by the wrong name, using the name of the stranger whose account was accidentally hijacked.
While Rogers wasn’t surprised to learn of this issue, he did express puzzlement as to why developers continue to tussle with this vulnerability.
“We’ve known about this problem for at least 20 years. And there are plenty of apps out there that do design securely to make sure that their apps have privacy by design,” said Rogers. “So I would say there’s largely no excuse for the apps that don’t do this.”