Suspicious Activity Is Being Detected?… Right?…
Introduction
A few days ago I received a message from a friend who had just had his Deliveroo (food delivery service in the UK) account compromised and someone in London had used it to order a copious amount of food and alcohol; brazen, I know. The interesting part of this story is my friend was blissfully unaware his account had been compromised and was being used to order food until he got a confirmation e-mail that the order had been received. Moments after, he also received an e-mail making him aware his registered e-mail had been changed. Ignoring the fact his registered e-mail was able to changed without confirmation from the currently registered e-mail address, why were the hackers able to log in from a new device, place a large order and change a registered e-mail address without their activity being flagged?
This got me thinking, how many of the commonly used applications in the UK actively check for suspicious logins/activity and, if so, is it possible to bypass them?
I used the following test-case for each of the websites:
* Login to my personal accounts using an obscure VPN – in this case it’s a Japanese one.
* Establish whether my login was blocked or not.
* If my login was blocked and I was hit with a security verification screen, change to a London based VPN to see whether my login was still blocked or if the security verification didn’t actually lock my account.
N.B – I used accounts which didn’t have 2FA enabled for this test. Obviously, 2FA provides far more protection and renders this blog post fairly useless! Tldr: Use 2FA!
Obligatory flow diagram.
Deliveroo
Outcome: It was only fitting we start with Deliveroo as this was the story which started this for me. We’re all already aware that Deliveroo doesn’t seem to look for suspicious logins. At *least* they send you an e-mail when somebody has already changed your registered e-mail address.. without having to verify access your current e-mail address..
2-Factor Authentication Offered: No
Outcome: Facebook seem to take their security pretty seriously. I’ve personally been hit by the dreaded verification screen whilst on holiday and not using my normal device. For the sake of this test I tried again, and yep, blocked. Facebook’s verification test is also extremely difficult to bypass unless you’re the account owner.
Does it persist?: Once you are hit by the Facebook verification screen, your account is completely locked until the verification has been completed. No number of attempts at changing VPN is going to bypass their security check.
2-Factor Authentication Offered?: Yes
Outcome: Malicious login attempts are automatically blocked by Twitter.
Does it persist?: Yes! Another company which have implemented this correctly. No number of attempts at changing VPN is going to bypass their security check.
2-Factor Authentication Offered?: Yes
Hotmail
Outcome: Hotmail are checking for malicious login attempts and request verification through the means of either a registered backup e-mail or SMS; whichever had been set up on the account prior to the login attempt.
Does it persist?: Nope. Simply by switching to a UK VPN and attempting the login again, I was able to access my account.
2-Factor Authentication Offered?: Yes
Amazon
Outcome: Amazon are screening for malicious, successful, logins and ask for verification through means of a code e-mailed to the registered e-mail address.
Does it persist?: Again, not. Simply by switching to a UK VPN and attempting the login again, I was able to access my account.
2-Factor Authentication Offered?: Yes
Gmail / Google
Outcome: Screening is present. Google’s method of verification, if a phone is attached to the e-mail, is very tricky to bypass as it requires physical access to the device in most cases. In scenarios where a mobile isn’t attached, it will ask for the registered recovery e-mail address or the answer to a security question.
Does it persist?: Changing to a multitude of UK based VPN’s did not bypass the verification screen.
2-Factor Authentication Offered?: Yes
Outcome: Checks are being performed for malicious logins.
Does it persist?: Again, not. Simply by switching to a UK VPN and attempting the login again, I was able to access my account.
2-Factor Authentication Offered?: Yes
Conclusion
This blog post could be continued with 100s of more tests but most of the results have the same result – logins are not being screened for malicious logins and if they are, this can usually be bypassed by changing VPN. Not really the ideal protection you want in place for your account.
A simply way to mitigate the risk on this one is to enable 2 Factor Authentication on all platforms physically possible. This all of course is secondary if the providers holding your data do not conduct security testing on their platforms and end up being the next entry on Have I Been Pwned.