A new report has been released which claims that armed with nothing more than a spoofed IP address and a phone number, anyone could access private customer information contained within the Verizon database.
The vulnerability was somehow discovered by BuzzFeed, of all places, which worked closely with Verizon to get the gap closed once they had a chance to evaluate the details of the breach.
The site received a tip-off from the CIO of the security firm Cinder, Eric Taylor, who had been testing the technique for a number of weeks before cluing BuzzFeed into the operation. The trick combines a minor amount of technical skill with classic social engineering tactics by spoofing an IP address of a Verizon customer, and then contacting the Verizon help center through the Internet provider’s website.
As long as the hacker has the phone number and address of their intended victim (something that’s easy to glean from emails or social engineering tactics), the Verizon chat center would automatically open the account as long as it detected that the IP address being used to connect matched up.
Verizon says it has a system in place designed to prevent this sort of problem from putting customers at risk, in the form of a PIN code that must be entered whenever a customer support representative is handing over sensitive information. The problem is this lock can be easily subverted as long as the hacker has access to an answer for one of the three security questions that are tied to a particular account.
According to Verizon, the error occurred due to a problem with the code of its website that was implemented on April 22nd, and has since been patched up after the company was contacted both by BuzzFeed and Taylor personally.