A short video by Symantec demonstrates how a password recovery mechanism for webmail services can be abused if an attacker knows your cell phone number and you’ve registered that phone for password recovery or reset. The attacker clicks the ‘I forgot my password’ link, so that the provider sends a verification code to your phone by SMS. The attacker never sees that message directly, but he can then text the potential victim, pretending to be the provider and demanding that the victim send the code back in order to counter ‘unusual or unauthorized activity’ on the account. If the victim does so, the attacker can complete the reset and the account is wide open to compromise.
A recent blog by Graham Cluley summarizes the scam rather well, and John Leyden’s article for the Register covers much the same ground. However, there’s more to be said on this type of attack (including a potential email variation), and I intend to do just that in an article due to be published on Monday by Infosecurity Magazine. (Now published here.)