In the first week of October 2020, a 10,000-word article suddenly went viral on the Chinese Internet and was read more than 10 million times. Its title was "Thrilling War Caused by the Theft of a Mobile Phone".
As the title suggests, it describes what a Chinese man went through after his wife's mobile phone was stolen.
He gives a step-by-step account of how, in the 12 hours after the phone was lost, the attacker took control of all of his wife's online and financial accounts and emptied her bank balance. The author works as an Internet information security engineer, yet he could not stop it from happening.
Of course, in the end, these assets and accounts were recovered.
The original article is very long and much of it applies only to China. But it also contains a great deal that Internet users in every country should think about: when we manage everything through online accounts, losing control of those accounts can mean losing everything.
We have condensed the original article to make it easier for English readers to follow. Let's look at how the battle unfolded.
At 19:30 on September 4, 2020, the author's wife came to find him at a barber's shop, where he was with their child, and told him that her mobile phone had been stolen. It was stolen inside the residential compound where they live, so at first they thought they might find it and did not report the phone number as lost. That decision was the beginning of the nightmare.
The simplified timeline below shows what happened next; how each step was possible is explained in later sections:
20:51 on September 4th
The thieves traveled across Chengdu from the scene of the theft to a high-tech industrial park. The phone appears to have been handed to a hacker there, and the SIM card was removed from it.
21:24 The device is removed from the cloud service
The author noticed that the phone had briefly come online through Huawei's cloud service, but the hacker had already used an SMS verification code to log in to the Huawei cloud service and delete the device from the author's Huawei account.
The author called the China Telecom customer service center for the first time to report the stolen phone number as lost. The service password for the number had already been changed, so the author reported the loss by cross-verification with recent call records and the Resident Identity Card number.
21:48 The mobile phone number has been unfrozen.
The author discovered that the number he had frozen was active again. When he contacted China Telecom customer service a second time, he was told: "The loss report has been lifted by another user." The hacker had unfrozen the number remotely using the same cross-verification: recent call records plus the Resident Identity Card number.
Because the China Telecom business hall had closed for the day, the author could not cancel the old SIM card and apply for a new one. The author and the hacker fell into a cycle of freezing and unfreezing the number.
00:23 on September 5th
The Alipay and WeChat accounts were logged out on the standby device, meaning someone had logged in from the stolen phone: its lock screen password had been cracked.
The author quickly logged in to all of his wife's commonly used website accounts using the mobile phone number and applied to freeze them, report them lost, or switch them to a temporary alternate number. He mistakenly believed that this had secured her assets.
The author also disabled SMS reception for the number on China Telecom's website.
When the telecom business hall opened in the morning, the author's wife completed the SIM card replacement at 9:08.
However, when they dialed the number, the phone with the new SIM card did not ring. The author asked China Telecom and learned that call forwarding had been set up on the number. He cancelled it.
The author then began checking for lost assets and recovering all the accounts. Since he had changed every online account tied to the phone number, he assumed nothing had been lost. He was wrong.
He found that one of his wife's bank cards had been emptied and that a loan had been taken out in her name. Over the following week he recovered the money and had the loan cancelled with the help of the police, Internet companies and the telecom operator, but the thieves and the hacker remain at large.
How did this happen?
At this point many foreign readers may reach for a stereotype: Chinese Internet applications are insecure, and that explains everything.
In fact, the reason the article caused such a sensation in China is that the whole thing seemed impossible to Chinese readers. Almost all Chinese Internet applications have used two-factor verification since 2016.
The same is true of the products involved in this case, most of which use multi-factor verification to protect accounts.
Exactly how the hacker transferred assets with nothing but control of the mobile phone number is a puzzle made up of the following questions:
1. How was the lock screen password of the phone cracked?
2. How did the hacker spend money without a "payment password"?
Shopping on Chinese e-commerce platforms requires a separate "payment password". It is different from the login password and cannot be reset with an SMS verification code alone; in most cases, setting a new one requires both the user's Resident ID number and an SMS verification code.
3. How did the hacker bypass face recognition?
Consumer loans in China are reviewed by automated systems, and a loan can be approved within an hour of application even in the middle of the night. But to apply, you must submit photos of your identity documents and pass face recognition verification.
4. How did the hacker obtain a complete bank card number?
A consumer loan is paid out to a bank card, and the full card number must be provided. The name on the card must match the loan applicant, so the hacker needed the owner's full bank card number.
Chinese mobile banking apps are not allowed to display the complete card number. E-commerce platforms can display it, but only after the payment password is entered.
5. How did the hacker learn the owner's Resident Identity Card number?
To lift a freeze, China Telecom requires the identity card number and recent communication records. Without the ID number, the freeze on the phone number cannot be lifted.
The phone was locked when it was stolen. This means that the hacker, starting only with control of the phone number, had to obtain all of the following: the lock screen password, the ID number, a valid document photo, a photo of the owner, the full bank card number and the payment password.
Some of these mysteries are explained in the second half of the original article:
How is the lock screen password of the phone cracked?
The author does not say which Huawei model it was, but its software was EMUI 5.0, released in 2016. The cloud service bundled with this version had a flaw: while remotely locking the phone through Huawei's online service, a user could also change the lock screen password.
The hacker moved the SIM card to another phone, used SMS verification to change the author's Huawei online service password, changed the phone's lock screen password, and unbound the device from the author's Huawei account.
As a result, the hacker did not need to log in to the owner's Internet accounts from a new device while taking over further accounts. Logging in from a new device is much more likely to trigger an application's risk control system.
How did the hacker get the Resident ID number?
Looking back, the hacker could have obtained the owner's ID number in two ways.
One is the official app of the Human Resources and Social Security Department of Sichuan Province. The app only requires login by SMS verification code and displays the full ID number. The app itself holds no financial information and cannot move money.
It is designed only for looking up a few records, so it uses a lower level of security.
The other is leaked data used for social engineering. In the past five years there have been many leaks of hotel reservation records around the world, and in data involving China the Resident ID number and the mobile phone number usually appear together.
With the ID number, the hacker could unfreeze the phone number at will.
From the author's description of his calls with China Telecom customer service, the hacker seems to have made up a story to convince the staff that the repeated freezing and unfreezing was the result of a lovers' quarrel, which lowered the vigilance of customer service.
How do hackers get the “payment password” of e-commerce websites?
The hacker never obtained the payment password. Instead, the hacker registered new accounts with the owner's mobile phone number and ID number, and completed KYC (Know Your Customer) verification with the ID number and a forged face image.
When the author regained control of the phone number and tried to log in to the Alipay and Suning accounts, he found himself logged in to two brand-new accounts that had been registered with his wife's information.
In these two new accounts, the "payment password" had been set entirely by the hacker; the author did not even know what it was.
It is speculated that the hacker used photos from the lost phone and deepfake technology to get past face recognition KYC.
How does a hacker bind a bank card to a newly registered account?
Since 2019, China UnionPay and the major Internet companies have offered a service called "Express Card Binding".
It is designed to let consumers link their bank cards to online services quickly without entering the full card number.
Once a user has completed KYC verification on an Internet platform, they only need to enter the mobile phone number on file at the bank to link all of their bank cards to the platform.
The hacker used Express Card Binding to link the owner's bank card to the fake Alipay account created in the previous step. Then, by entering the payment password the hacker had set, the platform displayed the complete bank card number. This was the groundwork for applying for a loan.
How can the hacker successfully apply for a loan?
By this point the hacker had the ID card number, a complete bank card number and a way to bypass face recognition. All that remained was to forge the owner's identity documents and apply for a loan.
According to the SMS notifications, the hacker successfully applied for loans at two different institutions at around 3:00 in the morning.
This was possible because few human employees are involved in approving Internet consumer loans in China (for amounts below 10,000 yuan). Approval relies entirely on automated interfaces to the credit system and big-data risk control systems to decide whether an applicant qualifies.
From the algorithm's point of view, the owner was using her own phone and phone number, applying for a loan paid to her own bank account, and passing a live face recognition check. Everything looked perfectly normal and nothing was suspicious.
At this point almost all of the puzzle has been explained.
Note, however, that the author reconstructed these steps after the fact; they may not match exactly what happened.
After working out the hacker's methods, the author of the original article wrote the piece mentioned at the beginning to warn everyone about the risks.
Most of his wife's losses have been recovered, but the thieves and the hacker are still at large. After the case, China Telecom's Sichuan branch changed its rules so that a number can be remotely unfrozen only once per day, which closes the biggest loophole in the whole case.
So what can we learn from this story?
What the world can learn from this story
This case is extremely rare anywhere in the world, because behind it is apparently a hacker who is familiar with the business processes of all the major Chinese Internet companies.
Today, in most cases, attackers rely on underground data or technical vulnerabilities, because almost all Internet companies now use multi-factor authentication to protect user accounts.
In this case, however, the hacker used very little technology and instead exploited the gaps and contradictions between the risk controls of different Internet businesses and financial institutions.
This means that, outside China, an attacker who is familiar with the business processes of different Internet companies could build a similar attack chain.
The first lesson of this case is that two-factor verification is not always effective, especially when one of the "factors" can be lost (leaked) or reset through a self-service process.
In this case, the China Resident ID number is easily leaked, and control of the mobile phone number can be reset through the operator's self-service process.
The Resident Identity Card number is the basis of KYC verification on many platforms, and KYC in turn is treated as "one of the factors" in other services' two-factor authentication.
Under Chinese regulations a citizen's ID number never changes, which means that over a lifetime it leaks through many channels: hotel receptionists, bank staff, airlines and, of course, Internet databases.
National ID systems are not unique to China. In the United States, Social Security numbers and driver's license numbers are often used as KYC material, but they are just as unreliable: you have to show them to many people over your life, and they are hard to change.
The second lesson of this case is that single sign-on is not reliable.
Internet users elsewhere rarely use their mobile number to log in to every Internet service, as people do in China, but they do the same thing with Google, Facebook or an email account.
If you replace the stolen phone number in this case with a stolen Google or Facebook account, it could happen anywhere in the world.
In particular, avoid using one account to log in to your entire flow of money. Put simply, your online banking, buy-now-pay-later, Robinhood and Amazon accounts should use different email addresses, so that a single compromise cannot move money all the way through the chain.
In addition, when one of your accounts is stolen, you should not only report and freeze the stolen account but also, as quickly as possible, report and freeze the other accounts linked to it.
The third lesson of this case is that applications with low security levels are of great value to attackers.
People tend to think that only accounts that can move money directly deserve attention, but you do not know how an attacker will use your information, so every Internet service should be treated with the same security priority.
In this case, a low-priority service that could only display the ID number was used to obtain the key that unlocked the asset accounts.
Similar things can happen in other countries and other situations. For example, one can imagine an attacker breaking into a Fetch Rewards account and using the stored receipts to initiate refunds at scale.
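The attack chain explained above and the second and third lessons come down to one question: starting from what a thief holds, which accounts are reachable, and which single service or factor, if hardened, would have broken the chain? The Python model below is an added example written for this page; it is not code from the original article. The service names, access conditions and yielded factors are a constructed approximation of the case (for instance, the model assumes the ID number had two sources, the social-security app and leaked hotel data, and that the original wallet still needed the never-obtained payment password), and every identifier in it is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """A service an attacker may get into, and what getting in gives them.

    access: alternative ways in. Each frozenset is an AND of factors the
            attacker must already hold; the tuple as a whole is an OR.
    yields: factors the attacker holds once inside.
    """
    name: str
    access: tuple
    yields: frozenset


def svc(name, alternatives, yields):
    return Service(name, tuple(frozenset(a) for a in alternatives), frozenset(yields))


# Constructed approximation of the case (illustrative; not the original
# author's data). Every name below is an assumption made for this model.
CASE = [
    # SIM moved to another handset: the thief receives SMS codes and can
    # generate "recent call records" that the operator accepts as proof.
    svc("sim_in_other_phone",   [{"physical_phone"}],                 {"phone_number", "call_records"}),
    # EMUI 5.0 cloud flaw: SMS login lets the lock screen password be changed,
    # which only helps if the handset itself is in hand.
    svc("huawei_cloud",         [{"phone_number", "physical_phone"}], {"device_unlock"}),
    # Two independent sources of the ID number, both keyed by the number.
    svc("social_security_app",  [{"phone_number"}],                   {"id_number"}),
    svc("leaked_hotel_data",    [{"phone_number"}],                   {"id_number"}),
    # Operator self-service unfreeze: ID number + call records give the number back.
    svc("telecom_unfreeze",     [{"id_number", "call_records"}],      {"phone_number"}),
    # Photos on the unlocked phone plus a deepfake defeat face recognition.
    svc("photos_plus_deepfake", [{"device_unlock"}],                  {"face_match"}),
    # New account + KYC + Express Card Binding: card is spendable and its
    # full number is displayed after the attacker's own payment password.
    svc("new_alipay_account",   [{"phone_number", "id_number", "face_match"}],
        {"full_card_number", "card_funds"}),
    svc("consumer_loan",        [{"phone_number", "id_number", "full_card_number",
                                  "face_match", "device_unlock"}],    {"loan_funds"}),
    # The owner's real wallet still needs the payment password, never obtained.
    svc("original_alipay",      [{"device_unlock", "payment_password"},
                                 {"phone_number", "login_password", "payment_password"}],
        {"wallet_funds"}),
]


def reach(services, initial):
    """Fixpoint: keep opening any service whose access condition is met.

    Returns (factors the attacker ends up holding, services opened in order).
    """
    held = set(initial)
    opened = []
    progress = True
    while progress:
        progress = False
        for s in services:
            if s.name not in opened and any(alt <= held for alt in s.access):
                opened.append(s.name)
                held |= s.yields
                progress = True
    return held, opened


def service_chokepoints(services, initial, goal):
    """Services whose hardening alone (modelled as removal) blocks `goal`."""
    return [s.name for s in services
            if goal not in reach([t for t in services if t is not s], initial)[0]]


def factor_chokepoints(services, initial, goal):
    """Factors which, if the attacker could never obtain them, block `goal`.

    Unlike service_chokepoints this ignores how many sources a factor has,
    so a factor with several sources (the ID number) still shows up here.
    """
    factors = set(initial).union(*(s.yields for s in services))
    blocking = []
    for f in sorted(factors):
        stripped = [Service(s.name, s.access, s.yields - {f}) for s in services]
        if goal not in reach(stripped, set(initial) - {f})[0]:
            blocking.append(f)
    return blocking


if __name__ == "__main__":
    start = {"physical_phone"}
    held, opened = reach(CASE, start)
    print("opened:", " -> ".join(opened))
    print("loan_funds:", "loan_funds" in held, "| wallet_funds:", "wallet_funds" in held)
    print("service chokepoints:", service_chokepoints(CASE, start, "loan_funds"))
    print("factor chokepoints:", factor_chokepoints(CASE, start, "loan_funds"))
```

Running the script prints the chain of services opened from a stolen, locked handset and the two chokepoint lists. The gap between them is lesson one: the ID number is a factor chokepoint (deny it and the loan is unreachable) but not a service chokepoint, because it has more than one source, so no single app can be fixed to protect a lifelong identifier and it must not be treated as a secret. The SIM entry is a service chokepoint, which is the case for a SIM PIN; to model the operator's fix or any other hardening, edit or delete the corresponding entry and rerun.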
However, for ordinary people, overprotection is also a problem.
The last part of the original article urges everyone to set a PIN on the SIM card. (The text calls this the PUK; strictly, the PIN is the lock, and the PUK, or Personal Unblocking Key, is the code the operator issues to unblock a SIM after too many wrong PIN entries; too many wrong PUK entries disable the SIM permanently.) A SIM PIN is a very strong lock: the SIM will not register on the network until the correct PIN is entered, so a thief cannot move it to another phone and keep using the number after the phone is lost.
But as a result, in the following week, countless readers locked their own SIM cards by entering the wrong code too many times and had to get replacement SIMs.