Vodafone voicemail uses caller id for authentication

This article is about a security risk that I found while using Skype and Vodafone voicemail. In this article I will dive into a specific situation concerning the security of one’s Vodafone voicemail (Netherlands) in combination with Skype‘s ability to spoof the caller ID. Besides that I look at the main concern: trusting a caller ID for authentication purposes.

The problem is simple. Vodafone NL offers their customers a voicemail service. If you call the voicemail service from your own mobile phone, you get direct access to the voicemail inbox without needing any form of authorization. It seems the mobile’s caller ID is used for authentication. Skype, on the other hand, has a ‘feature’ that allows you to assign your own mobile number as a caller ID for Skype-Out calls. This means you can spoof your caller ID, if you authorize it with Skype, for which you only need to respond to an SMS sent to the device once.

So, if I could trick a victim into lending me his/her mobile for only 5 minutes, I could abuse that moment to register the mobile number with a Skype account. This would allow me to access the victim’s Vodafone voicemail, because Skype allows you to spoof the number, and Vodafone authenticates you to a voicemail box based on the caller ID. So, I only need my Skype account to access the victim’s voicemail. An even simpler method could be by using a service provider that allows me to spoof a mobile number, like SpoofCard claims to do. You would then only require the victims mobile phone number. Scary!

So Vodafone voicemail (NL) is vulnerable for this “hack”. But what about other service providers that rely on the caller ID?

For example the ‘ABN AMRO Saldo voor de iPhone‘ [iTunes], a banking applications for the dutch ABN Amro bank that allows you to see your bank account’ balance (requires a 4-digit PIN). Or what about the ‘Rabo Bankieren‘ [iTunes] used for banking with the dutch Rabobank that only requires a 5-digit PIN to see your bank account’ balance? By circumventing the caller ID as being part of the authorization of these applications, the only security layer left is a 4 -or 5-digit PIN code, which IMHO is not enough any more.

Of course, the same principle applies to SMS text messages, like described in the article Twitter and Jott Vulnerable to SMS and Caller ID Spoofing (dhanjani.com), but for the sake of simplicity I will not go into that right now.

So what do you think?

• Do you think this is a security risk or not?
• Is the caller ID something that is easy to fake?
• Why is Skype allowed to spoof the caller ID? Is this something anyone can do on any phone network?
• Should service providers be allowed to trust the caller ID for authentication purposes?
• Have you seen service providers using the caller ID for authentication purposes?

In my opinion trusting the called id for authentication purposes imposed a security risk. Developers should be aware that trusting a caller ID should not be an authentication method solely by itself, but always as an addition to another. In my opinion, service providers should not use the caller ID alone for authentication!

And remember, if Paris Hilton can hack into a voicemail, anyone can! ;-)

I merely used the examples of the ABN Amro and the Rabo Bankieren application as an example to think deeper about security and privacy concerning the use of these (very handy!) financial applications, but its clear that they do not rely (and probably also not even send) the caller ID to the bank’ server, so a probable risk with using the caller ID as authentication for these applications is irrelevant.