When technological development is seemingly moving at the speed of light — and clearly faster than the speed of institutional comprehension — the latest example of flouting diligence can only be described as ironically amusing.
The Bad News: An 11-year-old kid hacked into a Florida voting website in 10 minutes and had no problem changing the results.
The Good News: It was a simulated activity, using a replica site.
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK
— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
That’s right up there with the 4-year-old who hacked into the FBI website a couple of years ago.
It’s proof yet again that in terms of reacting to online security issues …
Now comes word that another sort of threat has arisen that bears awareness.
At the same DefCon hacking convention in Las Vegas — yes, it’s a thing and it’s been going since 1993 — Martin Vigo, a Spaniard who’s a self-proclaimed security hacker, has discovered a vulnerability that can compromise PayPal via voicemail.
Watch him demonstrate how he takes advantage of PayPal’s option to reset passwords with a phone call that bypasses the user’s interaction-based protocol:
In summary, here’s what Vigo did:
- He set the voicemail’s greeting message to a recording of the keypad tones;
- This tricked PayPal’s system into thinking it’s gotten through to a real person; and
- He then typed the four-digit code into the keypad during the call.
Incidentally, two-factor authentication will not stop this attack.
Once executed, the hackers are off to the races with your money in one form or another.
This hack also compromises resets for the following platforms:
- Apple, and even
- Google Voice
There are two obvious defenses:
- Change the default PIN on voicemail to a long code, or
- Turn off the voicemail service altogether.
With smartphone ubiquity in the online marketing community, who really needs voicemail anymore?
After all, with Caller ID, we see who rang, and it’s a simple matter to tap callback and return the courtesy. As well, for millennials and Gen Z’s, voicemail is virtually obsolete already with the advent of texting.
OK, maybe some in those demographics overdo it, but if they’re living without voicemail, they’ve got one less security leak to counter.
Perhaps in this instance, others might want to consider joining them.