Verizon Visible, the wireless giant’s budget offering, experienced an attack recently that saw customer accounts taken over and orders placed using stored payment information. Verizon has verified that the hacked accounts were compromised by a credential stuffing campaign.
The breached accounts are thought to have been compromised by a single actor, as a pattern was established after an account was taken over: stored credit and debit cards were used to order and ship a new-model iPhone. The attacker appears to have used credentials that were leaked in prior data breaches and available on the dark web.
Verizon Visible hack chalked up to credential stuffing
Verizon Visible is a subsidiary of Verizon that offers lower-priced cellular and data plans in return for certain limitations, primarily that there are no long-term contract offers and that customers are not eligible for assistance at Verizon’s brick-and-mortar retail locations.
An investigation followed a rash of Verizon Visible customers reporting account intrusions on various social media sites. The attacker would switch the account over to a new email address (generating a notification to the prior valid email address), and then use the stored payment methods in the account to purchase an iPhone 13. Apple’s newest model retails for about $800 to $1,100 depending on storage capacity and other options.
Verizon wrapped up its investigation by the weekend, attributing the hacked accounts to credential stuffing (though some victims had claimed on social media that their Verizon Visible login credentials were unique to the site). The company issued a statement indicating that it had deployed internal tools to mitigate the issue, provided customers with additional security controls, and advised customers to identify any passwords shared across other accounts and change them as a precaution.
One of those “additional security controls” appears to be a required email verification to change the address (or any other personal information, such as a shipping address). When an email address change is attempted, the current address on file gets a verification email asking for a response within 30 minutes. If the user does not respond, the change is not made. Users of the Verizon Visible Reddit forum report that this was not the procedure when the attacks began over a week ago; email addresses could be changed immediately and without secondary verification once an attacker was in the account. In the immediate wake of reports of hacked accounts, Verizon Visible also temporarily locked password resets and changes to billing addresses before it made a statement acknowledging the situation.
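The control described above, a change to contact details that is staged and only applied once the address already on file confirms it within a fixed window, can be implemented with a short-lived random token. The following is an added example written for this article, not Visible's own code; the class and function names, the in-memory store and the stand-in mailbox are assumptions, and the weak "immediate change" function is included only to show what the hardened path replaces.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example: an account record with a pending-change step that
# mirrors the control described in the article. Names are assumptions.

CONFIRM_WINDOW_SECONDS = 30 * 60          # the 30-minute window from the article
MUTABLE_FIELDS = {"email", "shipping_address"}  # only these may be staged


@dataclass
class Account:
    email: str
    shipping_address: str
    # token -> (field name, new value, expiry timestamp)
    pending: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)


@dataclass
class Outbox:
    """Stand-in for the mail system: records (recipient, token) pairs."""
    sent: List[Tuple[str, str]] = field(default_factory=list)


def change_contact_immediately(acct: Account, field_name: str, new_value: str) -> None:
    """The weak behaviour: whoever holds the session rewrites contact data at once.
    An attacker who logged in with a stuffed credential could redirect notifications
    and shipments with no second check."""
    if field_name not in MUTABLE_FIELDS:
        raise ValueError("field is not user-mutable")
    setattr(acct, field_name, new_value)


def request_contact_change(acct: Account, field_name: str, new_value: str,
                           outbox: Outbox, now: Optional[float] = None) -> str:
    """Hardened behaviour: stage the change and mail a confirmation token to the
    address currently on file, never to the proposed new one."""
    if field_name not in MUTABLE_FIELDS:
        raise ValueError("field is not user-mutable")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # unguessable, single use
    acct.pending[token] = (field_name, new_value, now + CONFIRM_WINDOW_SECONDS)
    outbox.sent.append((acct.email, token))     # goes to the OLD address
    return token


def confirm_contact_change(acct: Account, presented: str,
                           now: Optional[float] = None) -> bool:
    """Apply a staged change only if the token matches and has not expired.
    Returns True when the change was applied, False otherwise."""
    now = time.time() if now is None else now
    for token, (field_name, new_value, expires) in list(acct.pending.items()):
        if hmac.compare_digest(token, presented):
            del acct.pending[token]             # single use, whatever the outcome
            if now > expires:
                return False                    # no response within the window
            setattr(acct, field_name, new_value)
            return True
    return False


def expire_stale_requests(acct: Account, now: Optional[float] = None) -> int:
    """Housekeeping: drop staged changes whose window has closed; returns count."""
    now = time.time() if now is None else now
    stale = [t for t, (_, _, exp) in acct.pending.items() if now > exp]
    for t in stale:
        del acct.pending[t]
    return len(stale)
```

The important design choices are that the confirmation goes to the address on file rather than the new one, that the token is random and consumed on first use, and that an expired token discards the staged change instead of applying it late. Billing and shipping address changes can be routed through the same staging path.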
Verizon Visible has not released information about how many customers were impacted. Some of the customers with hacked accounts reported that the fraudulently-purchased iPhones had been shipped to an address in New York.
Bill Lawrence, CISO of SecurityGate, points out that an underrated factor in choosing a mobile carrier is the ability to make one-time payments without having to store payment cards or account numbers on the carrier’s server: “Utility accounts, like cellphones or electricity, often require payment methods to be associated with a customer account. This scenario sounds like the attackers could change account access and treat themselves to new iPhones with the victim’s credit. When setting up these types of accounts, first and foremost, look for multi-factor authentication options and enable them. Also, be wary of linking bank accounts directly, and if you’re using a card, credit cards have better fraud protection than debit cards. Never click the box shopping websites have to offer to save credit card information to ‘make the next purchase easier’. That puts your information out there to be lost in each company’s future breach. Use a password manager or your browser instead. And regularly keep an eye out for other fraudulent activity in your accounts.”
Hacked accounts an endemic problem for the telecommunications industry
Verizon Visible is far from the only telecoms service having a tough time with hacked accounts in recent months. Another big story that dropped this month was the breach of messaging platform Syniverse, which works in the background to facilitate text message transfers between the networks of all the major carriers in the United States.
A Securities and Exchange Commission filing earlier this month indirectly revealed that the company had uncovered hacked accounts and unauthorized access on its network in May. Unfortunately, the company also believes the breach began five years earlier (in May of 2016) and was only recently discovered. The company said that 235 of its telecoms customers were impacted, and that they had already been notified and prompted to reset their credentials. The lengthy breach window has led many to wonder exactly what the extent of compromise was at these companies; for their part, the telecoms giants have largely remained quiet about the issue. If the hackers had unfettered access to the country’s major carriers, that could mean that billions of text messages have been spied on over the last few years.
T-Mobile also suffered a major breach that was disclosed in August, with the records of over seven million customers, along with some 40 million people who had applied for credit, compromised by a hacker who offered the stolen personal information on the dark web. That same month, a hacking group popped up on dark web forums claiming that they had 70 million stolen records from AT&T for sale (AT&T denied that the breach was legitimate).
Telecoms companies have become one of the more popular targets during the heightened pandemic period of criminal cyber activity. Ruston Miles, Founder and Cybersecurity Advisor at Bluefin, says that these incidents of hacked accounts are a clear sign that it is time for companies to wake up and modernize their security: “Hackers have developed so many methods and diverse threat vectors to break into a system or network that it’s not about protecting the perimeter anymore – although that is always important – but making what’s inside that perimeter absolutely useless. We call this devaluing the data; it is essentially taking all sensitive customer data, like login details, and encrypting or tokenizing it or both, depending on the business use case. Encryption and tokenization mask the data so that it is not readable and therefore not saleable on the Dark Web. No business or organization will ever be able to 100% prevent a data breach, but they can prevent the breached data from being compromised. Companies can ensure that if a breach happens, encryption or tokenization is in place to protect the data from compromise even after the breach. It’s like the old westerns where the robbers steal the safe from the bank, only to find out later that the safe is too strong for them to break into.”
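The “devaluing the data” idea in the quote above, applied to stored payment cards, means the customer-facing application never holds the card number at all: it keeps an opaque token plus a display hint, and only a separately secured vault can map the token back. The following is an added illustration, not Bluefin’s product or any carrier’s code; the vault, the role check and the sample card numbers (standard test PANs) are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed example of vault-style tokenization. In a real deployment the
# vault is a separately secured, PCI-scoped service (assumption); here it is
# an in-memory class so the separation of data can be demonstrated offline.


def luhn_ok(pan: str) -> bool:
    """Basic input validation before tokenizing: Luhn checksum on the digits."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only token -> PAN mapping. Detokenization is restricted to a
    named service role so a compromised web tier cannot reverse tokens."""

    def __init__(self, allowed_roles=("payment-processor",)):
        self._store: Dict[str, str] = {}
        self._allowed_roles = set(allowed_roles)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (12 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)   # random, no relation to the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> Optional[str]:
        if caller_role not in self._allowed_roles:
            raise PermissionError("role may not detokenize")
        return self._store.get(token)


class AppDatabase:
    """What the customer-facing application keeps: token and last four only."""

    def __init__(self):
        self.rows: Dict[str, Dict[str, str]] = {}

    def save_card(self, customer_id: str, token: str, last4: str) -> None:
        self.rows[customer_id] = {"token": token, "last4": last4}


def store_card(vault: TokenVault, db: AppDatabase, customer_id: str, pan: str) -> str:
    """Application path: the PAN passes through to the vault and is never stored here."""
    token = vault.tokenize(pan)
    db.save_card(customer_id, token, pan[-4:])
    return token


def dump_exposes_pan(db: AppDatabase, pan: str) -> bool:
    """Simulate an attacker reading the whole application database:
    does the card number appear anywhere in it?"""
    return pan.replace(" ", "") in repr(db.rows)
```

The point the quote makes is visible in `dump_exposes_pan`: a copy of the application database yields tokens that cannot be charged or sold, and the vault refuses to reverse them for any role but the payment processor. It also sidesteps the “save my card” problem Lawrence raises, since what is saved is not the card.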
Matthew Rogers, Global CISO at Syntax, agrees and adds that automated behavioral analysis should be considered: “In light of new and increasing security threats related to COVID-19, organizations must secure themselves beyond just implementing software solutions. Take phishing threats, for example. Traditional antivirus software solutions are signature-based, so their protection is limited to familiar threats. As a result, only a fraction of actual threats will be detected. Modern security solutions with intelligent sandboxing functions represent an alternative. These solutions carry out static and dynamic analyses of files based on behavioral indicators and ask the question, ‘What type of behavior is typical for users, devices and systems, and what constitutes a deviation?’ Combining traditional threat detection with more sophisticated Endpoint Detection Response can help provide a more comprehensive defense system against attacks.”