Because of an error in the Lebara website, everyone could take over the phone numbers of customers of that provider. This is evidenced by DeccEit research after a tip from a source who wants to remain anonymous.
Lebara offered customers the opportunity to move their phone number to another SIM card, but that process was not properly sealed. As a result, other customer numbers could also be moved to a new Lebara SIM card.
After notification by DecceIt, the vulnerability has been resolved. “Safety is our priority, so we‘ll solve it as soon as possible”, says a spokesman. According to the provider, there is “no reason” to assume that the leak has been abused. The problem was both with prepaid SIM cards and subscriptions.
Lebara is a so-called virtual provider, without its own network. In its own words, the provider has over 800,000 customers. Among other things, the provider manifests itself with low international tariffs.
Receiving text messages
If you pick up someone’s phone number, you can make calls on someone‘s behalf and receive their text messages.
The latter is a big risk: many websites use text messages as an additional security measure. If you need to log in, you need to enter a code that will be sent to you by SMS. If you take someone’s phone number, you get those codes, too.
That way, you could attack someone targeted. You would still have to find someone‘s password by another method. If you succeed, you could log in to someone’s email account or steal bitcoins, for example.
The problem that has now been solved was discovered by the tipster who contacted DeccEit. He noticed that he could skip a verification step when transferring a Lebara number.
DeccEit then managed three times to transfer a phone number already owned by DeccEit to a new SIM card.
To transfer a SIM card, you need two SIM cards: the old one, with the number to be transferred, and a new one, with a temporary number. You should actually confirm that both SIM cards are in your possession by typing a code that will be sent by SMS. In this way, you should avoid taking over someone else‘s phone number.
But it also turned out to be possible to perform the verification twice on the new SIM card, and not once on the SIM card to be taken over. Subsequently, the number was transferred without any problems, Lebara confirms. “Of course, that’s very annoying.”
After notification by DeccEit, the provider immediately removed the switch module from the air and then solved the problem. “It‘s a wake-up call”, let the spokesman know. “It shouldn’t be able to happen again.”