An example might be that my bank has a number “0845 123456” for its lost credit card hotline. The same hotline is also reachable on the geographic number “0161 123456”. From mobiles and most landlines, calling the geographic number will be much cheaper. As you can sometimes spend quite a long time on hold to people like this, being charged by the minute on an expensive 30p/minute line can get expensive.
SayNoto0870 lets you type in the premium (strictly speaking “Lo-call”) rate number and see user-submitted geographic numbers going to the same place. It works quite well.
The thing is, there’s no way to verify you’re actually connecting to the right people. Some numbers on their site are “verified”, but what does that mean? That someone has called it and got through to where they wanted to get through to? How do we know it’s an official organisation number?
How it works
If I (“Eve”) purchase an 0800 number, or, even more cheaply, a geographic number, via a cheap online VoIP service (~£3/month), I can then use that service to forward all calls to my bank’s 0845 number, with the original caller-ID being passed on. Every time Alice phones up, she’ll be connected straight to Bob at the Bank. Bob at the Bank will also receive a call appearing to come from Alice, as the original caller-ID has been forwarded on.
However, as I, Eve, have the caller going through a number I control, I can intercept their communications – probably by simply illicitly recording the call between Alice and Bob and listening to it afterwards.
Telephone is usually regarded as a relatively secure medium for communication; however, if you were to intercept a sales line, or a bank line or something, many people may be giving away personal and financial information that could easily be exploited.
SayNoTo0870 is a great service, and I thoroughly support the aim. Sadly, it’s very ripe for a very nasty style of data-theft attack.
In my opinion, the only way to mitigate the attack is to ask companies and organisations not to use 0845 and 0870 numbers, as those encourage their users to seek out untrusted alternate numbers.
Today we found out that O2 had screwed up their mobile internet proxy settings quite epically and had sent customer phone numbers to millions of websites, worldwide, as a matter of process, presumably by accident.
We already know this from the fantastic investigative work of O2 customer and twitter user Lew Peckover, a 28 year old web systems administrator who has worked in the field for 10 years.
To be able to downscale images, insert things into HTML pages, etc., O2 must route your web queries through an HTTP proxy. As well as doing the things mentioned above, the proxy adds an extra HTTP header to outgoing requests. This header contains your mobile number.
Lew created a website to let people see this in action; let’s look at an example:
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3
Accept-Encoding: gzip, deflate
From the top line we can read information about the device and browser; from lines 2-4 we can read how the phone is set up and what kind of content it likes to receive; and then, there it is, the header that contains your phone number.
As various MVNOs like Tesco and GiffGaff use O2’s technical backbone, they’re also affected, though it is suspected that not all users are affected.
So the big questions I can imagine people are asking now:
Who has my mobile number? Will I receive loads of nuisance calls? Does Facebook/Google/Microsoft/Your Mum have my mobile number?
Short answer: Theoretically, any website you have visited recently on your O2 phone will have received it. They probably didn’t know they’d received it, though, and I suspect they didn’t think to save it. I doubt that anyone will have acquired anyone’s phone number via this header; however, it is clearly quite an epic security failure because the opportunity for this to happen is high.
Did this happen on purpose?
Short speculation: I highly doubt it. I suspect the issue occurred because O2 wants to track which customer is responsible for traffic as it goes into their land of HTTP proxies, so I suspect they have a rule to use DPI to insert this header into each query – it’s a unique key that they can trace back to every customer. I suspect the way it’s supposed to work is that on the way out of their cluster of web proxies (doing censorship, image rescaling, etc.) they should have a rule to remove the header and thus pass all the HTTP requests up to the internet unmodified. My suggestion is that someone probably misconfigured the “look for this header and remove it” rule, probably by misspelling the name of the header it was looking for. It’s an easy sysadmin mistake to make.
Shouldn’t O2 have policies in place to prevent stuff like this?
Oh yes. I’m sure they do. I’m sure they have change control systems that I could write novels about. Stuff still slips through though. Was this preventable? Almost certainly, but only O2 knows for sure.
What are O2 saying about this?
Well, I’m sure we’re going to see a mediastorm, some big O2 apology and some PR theatre where someone at O2 apologises and twitter is awash with complaints.
However, currently, some numpty at O2 twitter support thought the following response would make sense:
Hi Lewis. The mobile number in the HTML is linked to how the site determines that you’re browsing from a mobile device #O2Guru
No, you are not a guru. Lines 1-4 of the header do that. Look at line 5. Yep – there’s the issue.
Currently they’re saying it’s their “top priority” and they are “looking into it as we speak” aka they’re frantically paging technical guys and working out how to write the press release; basically the first few scenes of the PR theatre.
What should O2 do?
Well, all they can do is fix it, try not to do it again and apologise profusely to their customers.
What’s the legal perspective?
I’m not a lawyer, however I think that the Information Commissioner’s Office should look into the incident with regards to compliance with the Data Protection Act 1998. The ICO should deal with the case as they see fit.
Is new legislation needed to prevent this from happening again?
No. This looks a lot like a technical mistake. In my opinion, the DPA covers this well enough and if anything should be given extra teeth, it should be the ICO in being able to investigate things like this.
How does this affect you, Tim?
Well, I’m not an O2 customer, but this could very well have been any mobile network carrier, anywhere in the world. I’m interested in how this will play out and obviously I’m concerned about the theoretical potential implications, even though personally I think the actual risk is relatively low. I’d be quite peed off if this had happened to me.
How can I check if it’s been fixed?
Visit this website on your phone. Do you see your mobile number at all? If yes, it’s still broken, if no, it’s fixed.
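As an added illustration (not code from this post or from O2), the snippet below models the egress rule described above and the check just suggested: a deny-list rule that removes a named header fails open when the name is misspelled, whereas an allow-list of known end-to-end headers cannot leak a header whatever it is called. The header name `X-Internal-Subscriber-Id` and the sample request are constructed assumptions; the page does not name the real header.

```python
import re

# Constructed sample request as it might leave a carrier proxy.
# "X-Internal-Subscriber-Id" is a hypothetical name for the tracking header.
SAMPLE_REQUEST_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X)",
    "Accept-Encoding": "gzip, deflate",
    "X-Internal-Subscriber-Id": "447700900123",  # constructed sample value
}

# UK mobile numbers: 07xxx xxxxxx, or 44/+44 7xxx xxxxxx, optional spaces.
UK_MOBILE_RE = re.compile(r"^(?:\+?44\s?7|07)\d{3}\s?\d{6}$")

# Headers a browser legitimately sends end-to-end; anything else is dropped.
STANDARD_FORWARDABLE = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "cookie", "referer", "content-type", "content-length",
}


def find_leaked_mobile_numbers(headers):
    """Site-side check: names of headers whose value looks like a UK mobile number."""
    return sorted(name for name, value in headers.items()
                  if UK_MOBILE_RE.match(value.strip()))


def strip_by_denylist(headers, names_to_remove):
    """Deny-list egress rule: remove the named headers.
    A typo in names_to_remove silently leaves the real header in place."""
    remove = {n.lower() for n in names_to_remove}
    return {n: v for n, v in headers.items() if n.lower() not in remove}


def strip_by_allowlist(headers, allowed=STANDARD_FORWARDABLE):
    """Allow-list egress rule: forward only known end-to-end headers.
    An internal header cannot leak regardless of how it is spelled."""
    return {n: v for n, v in headers.items() if n.lower() in allowed}


if __name__ == "__main__":
    typo_rule = strip_by_denylist(SAMPLE_REQUEST_HEADERS, ["X-Internal-Subscrber-Id"])
    print("deny-list with typo leaks:", find_leaked_mobile_numbers(typo_rule))
    print("allow-list leaks:", find_leaked_mobile_numbers(strip_by_allowlist(SAMPLE_REQUEST_HEADERS)))
```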
I’d like to share a few thoughts with you about a book I’ve been reading recently, which has really inspired me whilst being greatly amusing.
At Barcamp Manchester, they were giving away copies of this book; I picked one up to look at – I could always eBay it later. Never before has a book of such calibre caused me so much amusement; I seriously recommend this book for its outstanding range of comic delights.
“The Microsoft Jokebook”.
The book, whose copyright is owned by Microsoft, describes itself as a book for Application Architects, Testers and Quality Assurance Specialists and Developers and alleges to capture and summarise the key security processes which “should be” in your development process.
The book is themed in the style of the Highway Code, with random icons with captions such as “12 hours’ coding – need a coffee” and “Warning – unstable coding ahead”. Presumably this is meant to interest and entertain the Developers and System Architects reading the book; however, unless they are between the ages of five and fifteen (and sometimes I think they are), the icons do nothing but assist with visual puns comparing coders to roadsigns in a manner which would make even the Black Death seem like stand up comedy.
Whilst reading through the book, several things struck me; it was full of useful tips for developers. And it’s incredibly convenient for them to provide URLs for detailed reference linking to the Microsoft Developer Network. Indeed, no one can doubt that this must be extremely handy…
I mean, every developer loves copying out URLs like
I can just see them, reading through the book and thinking, “I don’t know very much about the /GS compiler switch to detect buffer overruns in C++. I know, I’ll type in this 50+ character URL for a quick reminder. At least I know it will be just as much fun as this awesome book is, because they have thrown in a random string of characters to test my memory skills!”
As a book to improve the security awareness of developers, I was highly impressed with its awareness of good security practices. Even as someone with limited knowledge in the security field, I was happy to see that it was suggesting that development teams should use custom cryptographic algorithms. Everyone knows that the most secure systems are those with custom security schemas, brand new patented encryption algorithms, not to mention proprietary authentication systems which give them a competitive edge over other systems.
Because I’m a generous person and love to donate treasured possessions to good causes, and because I have already perfected my .NET programming skills to the most secure method possible, I wish to donate this book to someone else and let it inspire them like it inspired me.
Leave a comment if you are interested in having it…
- Custom crypto systems are seriously bad. Read Schneier.
- The safest way of coding .NET is not to code it.
- This is funny. Laugh.
This website has been online for what, less than four days? And already I’m learning how to upgrade it – in theory, the security has been compromised.
From Slashdot: “The recent 2.1.1 release of the popular blog software WordPress was compromised by a cracker who made it easier for to execute code remotely.”