
One of the common ways of implementing 2FA is using a phone number, with a text message or call carrying an OTP. As I can see, web services usually show something like:

OTP was sent to the number +*********34

Is it done because revealing the number is considered a vulnerability?

If yes, then which one and is it described anywhere?

I guess it has something to do with not wanting to show too much info about the user. This info might be used for social engineering but maybe there is something else?

Having a link to a trusted location with the description would be great as well.

AndrewL64
MyUserName
  • If there is any possible attack on a phone number, revealing an obfuscated phone number will not fall victim to it. It does give you enough information to say "But my number ends in "87", something is wrong!", and switch to your 2FA/WTF behavior. – waltinator Jul 15 '20 at 02:21
  • "So you're telling me all I need to do to find out someone's private phone number is to try to log in with their email address?" – user253751 Jul 15 '20 at 08:32
  • @user253751 you'd still have to use the password to get the phone number if we're talking about 2FA – val is still with Monica Jul 15 '20 at 12:46
  • @valsaysReinstateMonica Isn't that the point of 2FA though? A secondary method of authorization in case the password is guessed or leaked or otherwise found out? Honest question, maybe I'm wrong. – Steve-O Jul 15 '20 at 15:06
  • @Steve-O yes, you're correct. I just pointed out that email alone wouldn't be enough to get the phone number in this situation. – val is still with Monica Jul 15 '20 at 15:25
  • "If yes, then which one, is it described anywhere?" is a lot like saying, despite SE's rules, you hope others will do most of your work. The idea is that you first ask your reference books or search engines "which one", then come here for clarification of what doesn't make sense… – Robbie Goodwin Jul 16 '20 at 21:31

6 Answers

The primary attack method against text message OTP is to 'sim swap' and take over the target's phone number. If the site provided the full number in this scenario, they'd be giving the attacker exactly the information they need to break the security being used.

(To lift up comments: In general, more personal information is needed, if you're going to social engineer telecom staff into swapping the SIM. In some places and under some carriers, it's even harder than that, requiring ID to be presented in person. But there are also cases where nothing more than the phone number is required, even with enhanced protections in place, if the telecom staff are colluding with the attackers.)

gowenfawr
  • Well, not *exactly* the info they'd need. You can't SIM swap with just the phone number, else we'd all be sunk. The attacker needs a ton of personal information and whatever other verifying info the mobile carrier requires. – schroeder Jul 15 '20 at 09:26
  • @schroeder note also that SIM swap only works in certain countries. Down here in Eastern Europe the only way to get your number transferred to a new SIM is going to your carrier's and presenting your ID. Unless of course you purchased an anonymous SIM (i.e. prepaid without a contract), in which case I am not sure you can even transfer your number to another SIM. – Gnudiff Jul 15 '20 at 10:29
  • @Gnudiff I haven't needed to show my ID the last 2 times I carried over my number to a new SIM (Netherlands). I don't know if I ever needed it before then. Apparently, regional differences may impact security here. – Mast Jul 15 '20 at 11:58
  • @Mast gnudiff did say that the difference would vary by country – schroeder Jul 15 '20 at 12:20
  • @schroeder And I agree by providing an example. Now both cases are covered. – Mast Jul 15 '20 at 12:22
  • @schroeder I wish that were true. My colleagues have shown this to be false (at least for pre-paid plans in the US); see the website: https://www.issms2fasecure.com/. TL;DR there is authenticating information that's not personal/can be forged, such as recent calls and payment history – Ryan Amos Jul 17 '20 at 21:24
  • @RyanAmos I'm not sure you have contradicted my statement. You need more than just the number. You need "other verifying info". – schroeder Jul 18 '20 at 07:14
  • @schroeder Maybe I wasn't sufficiently clear. The point is the other verifying info can be obtained without actually having to collect personal information. For example, call logs can be forged by calling the victim or inducing them to call a number you own. Payment records can be forged by making a payment on behalf of the victim (typically does not require authentication). So with just a phone number and *no other information* you may actually be able to perform a SIM swap attack. – Ryan Amos Jul 18 '20 at 12:32

This is not about a "vulnerability". This is about personally identifiable information (PII). It's the same reason why credit card numbers are not displayed in full on sites either.

Anyone passing by your screen, cameras recording, etc., would see the info. And it's not necessary to show the whole number. It's just there as a reminder to the user.

schroeder
  • Considered adding it as an answer, but this more or less already says what I want to say. Displaying the telephone number does not pass the "does this feature protect me against my stalker/abusive ex" test either. Unless there is no other option, PII should always be masked. – Sumurai8 Jul 16 '20 at 08:43
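An added example (my own code, not from any answer on this page) of the masking the answers describe, in Python: a fixed-width mask that keeps only the last two digits, shown beside a naive variable-length mask that leaks how many digits the number has. The function names and the sample numbers are constructed for illustration.

```python
import re

# Constructed example: masking a stored phone number for an OTP prompt in the
# "+*********34" style the question shows.

MASK_WIDTH = 9   # fixed run of '*' so the display never reveals the real digit count


def naive_mask(number: str, keep: int = 2) -> str:
    """Variable-length mask: one '*' per hidden digit.

    Easy to write, but the output length equals the number's length, which
    hints at the country or numbering plan (e.g. 11-digit +1 vs 12-digit +44).
    """
    digits = re.sub(r"\D", "", number)
    return "+" + "*" * (len(digits) - keep) + digits[-keep:]


def mask_phone(number: str, keep: int = 2) -> str:
    """Fixed-width mask suitable for display on an OTP screen.

    - Accepts any formatting ("+1 (555) 010-9987", "0030 000 000 0001"); only
      the digits are used.
    - Always emits '+', MASK_WIDTH stars and the last `keep` digits, so every
      number renders to the same width regardless of its true length.
    - Rejects numbers so short that the kept digits would be most of the value.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) < keep + 4:
        raise ValueError("number too short to mask safely")
    return "+" + "*" * MASK_WIDTH + digits[-keep:]


if __name__ == "__main__":
    # Constructed sample numbers (fictional ranges), shown both ways.
    for n in ("+30 000000 0001", "+1 (555) 010-9987", "+44 20 7946 0958"):
        print(naive_mask(n), "->", mask_phone(n))
```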

If the full number were listed then I could visit your account, request a new password, and know your phone number. The last two digits are a tradeoff that permit you to know it's (likely) your number without giving away your phone number to anybody who wants to view it on the website.

Jeff Ferland
  • Doesn't it show the phone number (obfuscated) only after entering the correct password? In other words, I could only get OP's phone number if I already had OP's password? – gerrit Jul 15 '20 at 07:51
  • @gerrit yes, the phone number here is shown only in case the user has entered the proper login and password. But as I see it, it still makes sense to hide it. – MyUserName Jul 15 '20 at 08:31
  • It can also remind you _which_ of your numbers you used when you registered (useful if someone may have used their home or work number, for example). – Player One Jul 15 '20 at 23:32

Well, the thing that all of us agree on is that by showing the full phone number, the application is leaking sensitive information about the user. I don't know what regulations apply in your country; however, based on the European GDPR regulation, phone numbers are considered personal info and as such should be handled appropriately. This means that if the phone number is revealed to another user, the application/website is not GDPR compliant. Again, I don't know what regulations apply in your specific case, but I think it is useful to have that in mind when developing your application.

Now let's consider the scenario in which malicious user TRUDY has somehow landed on the OTP screen and a message appears: "An OTP was sent to +30 0000000001". What can TRUDY do with that? I can think of 4 scenarios:

  1. SIM swap, as described by gowenfawr. This could have different levels of success depending on the SIM swap process that each carrier implements.
  2. Social engineering. Sending messages as your company, like "Your_company.com: click on the link to insert OTP/password", and other phishing emails.
  3. OSINT. Phone numbers are unique enough to help an attacker perform an open source investigation about the user on social media and other platforms, which could be used in spear phishing emails or to answer security questions like "From what country/state are you?". Of course, this is not the most likely scenario and requires TRUDY to specifically invest time in this user.

To conclude, as long as TRUDY cannot use the phone number to gain further access to your system, I would argue it is not a vulnerability.


Keep in mind that the security of a phone number may differ between mobile phone operators. You don't know how seriously some other organization, unrelated to you, takes security. This is especially so if your clients are residents of distant countries and you know very little about how operators work there. In my country it is possible to come to a mobile phone operator's center and persuade folks into simply giving you the SIM card of the desired phone number. All you need to give them is fake passport copies, and they may not bother checking them. So there is no need for some fancy 0-day vulnerabilities and hacking skills, just talk to some unrelated people. This happened a lot in the past and is a huge security problem. Some people lost access to their sites or domain names because of it and lost huge amounts of income. Hackers used phone number-based single-factor authentication to gain access to their accounts and steal them.

I would give you links to examples, but they're in a different language and I don't want to be accused of defamation.

Long story short: phone number protection is not good at all, at least when it's a single factor IMHO.

Gherman

I am not an expert, but when I have to change the password of my Google accounts, they always tell me that the OTP has been sent to this specific number.

I have different mobile numbers, and I don't remember what phone number I used on a website. Some old websites have sent the OTP to a phone number that I don't own now; that will be a problem if they don't show what number they are sending the OTP to.

So I would recommend showing the number linked to the account they want to change their password of.

At last, I would say that there are thousands of vulnerabilities, but we do not take them into account because the probability of them happening is minute and not worth the inconvenience caused by addressing them.