Account battle. Jeffrey's Coffee founder sues VKontakte

Fraudsters stole the VKontakte page of entrepreneur Alexey Mironov by exploiting a vulnerability in the MTS customer identification system. The social network never returned it to its owner and demands the impossible from him. Now he is suing VKontakte over this. His interests are represented by the Center for Digital Rights.

Alexey Mironov is the founder of the Jeffrey's Coffee chain, a franchise of coffee houses in Moscow and the regions. Alexey often communicated with colleagues and partners on VKontakte and ran a very popular public page for his chain there, with more than 50 subscribers.

Early one morning in November 2018, while Alexey was on a business trip in China, his VKontakte page was hacked. He received SMS messages from VKontakte and WhatsApp and a message from the MTS operator saying that forwarding to another number had been set up. Alexey had not set up forwarding, so he immediately became worried and called MTS. At first they could not even determine that forwarding was really in place. The operator was able to turn it off only two hours after Alexey called. MTS found no data on how and when the call forwarding had been enabled.

Alexey checked access to his social networks and instant messengers and saw that he could no longer log in to them by phone number. The hackers had tied a different number to his accounts. With WhatsApp, the issue was resolved quickly: immediately after the forwarding was canceled, the messenger restored access to the account to its rightful owner.

Alexey wrote to VKontakte support with a request to return the page and sent a passport photo. In the evening, he received an SMS saying that the application had been rejected, as the current owner had confirmed the right of access.


A technical support specialist said that Alexey could have voluntarily transferred access to his page to third parties, so they would not restore his access. Alexey explained the hacking situation, but he was asked to send a letter from MTS in which the operator would confirm that a hack had occurred. Alexey provided a letter from MTS. After that, the VKontakte administration demanded that this letter be certified by the police. Such a requirement is very difficult to comply with, because it is not the function of the police to certify letters or the credentials of their signatories. Alexey was able to get the hacked page blocked only by personally asking VKontakte employees he knew. The page has not been returned yet. The only thing Alexey achieved was the blocking of the account. Now neither the scammers nor he himself can use it.

The VKontakte support service is a story in itself. Only logged-in users can contact it. This means that if you have lost access to your page, you must create a new one or ask friends for access to their pages in order to write to support. Alexey corresponded with support specialists from his wife's page, and this did not bother them, although the User Agreement does not allow transferring a username and password to someone else.

The hacking of the page and the subsequent loss of access to the account and the public page obviously damaged both Alexey's business reputation and his property interests. Not to mention that it allowed a significant amount of personal and commercial information to leak to who knows where. Using the businessman's account, the fraudsters asked his friends to transfer large sums of money to them. One person transferred 34 thousand rubles to them. The attackers had access to the personal information in Alexey's account for XNUMX hours.

Lawsuit against VKontakte

Alexey Mironov filed a lawsuit against the social network VKontakte in the Smolninsky District Court of St. Petersburg and is now awaiting the scheduling of the case. He asks the court to oblige the social network to fulfill its own agreement, concluded in the form of a User Agreement, and to restore his access to his page. To this day, the VKontakte administration continues to deprive Alexey of access to his account without grounds, although he faithfully complied with the terms of the User Agreement and immediately informed the social network's technical support service about the hack. VKontakte refused to restore his access to the page, citing a clause in the User Agreement that prohibits users from transferring their page login and password to third parties. The VKontakte support agent with whom Alexey spoke said that phone number forwarding can be set up only by visiting the operator's office and presenting a passport. In fact, this is not the case, and Roskomnadzor confirmed this in response to Alexey's appeal.

The social network, in violation of the User Agreement, unreasonably restricted Alexey's access to his page. This is a unilateral refusal to fulfill obligations, violating paragraph 1 of Art. 30 of the Civil Code of the Russian Federation. By depriving him of access to the account, VK also deprived Alexey of the right to administer the public page he owns, which is an important intangible asset for him. (We wrote earlier about the market for public pages as a new form of digital property and about the peculiarities of concluding transactions with them.)

Security holes in the MTS identification system

The correspondence that the scammers conducted on the entrepreneur's behalf makes it clear that they knew about his business and his business trip. They called the MTS contact center, managed to identify themselves as Alexey and set up call forwarding. The attackers could have obtained his passport details through social engineering. Alexey Mironov is the founder of the franchise, so many people involved in opening franchise establishments could have had his passport data. MTS conducted an internal investigation, but could not establish who exactly set up the forwarding and how the attacker intercepted the SMS. The company did not admit guilt, but at the same time offered Alexey a very strange compensation: 750 rubles.


We considered remote identification of a subscriber based solely on correct personal data to be a very dubious practice, and filed a complaint with Roskomnadzor asking it to check whether this process complies with the requirements of personal data legislation. As a result, Roskomnadzor sided with MTS, pointing out that managing communication services after remote identification by phone and providing correct personal data is quite normal, and that establishing additional methods of protection against such unauthorized actions is a headache for the subscriber himself, not for the company. (Read the full answer here.)

The hacking of Alexey Mironov's account is not the first case of unauthorized access to the data of MTS subscribers. In 2018, two intruders in Novosibirsk, one of whom was an employee of the company, stole a database of 500 thousand subscribers. They tried to sell the database at a price of 1 ruble per subscriber record.

In 2016, the Telegram accounts of opposition activists Georgy Alburov and Oleg Kozlovsky were hacked. Their accounts were tied to MTS numbers, and shortly before the hack, the SMS service was disabled on them and forwarding was enabled. The circumstances of that break-in were not established either. In 2019, Oleg Kozlovsky filed a lawsuit against MTS, but the court rejected it.

Protecting accounts on various web services and applications from hacking is the responsibility of the user. This position is shared by both the telecom operators and the regulator itself, and on this basis they refuse to share these risks with their own subscriber.

The RKN in its response describes it this way:
“... According to clause 2.11 of the MTS Terms, subscribers for identification purposes at the telecom operator are given the opportunity to use the Code Word - a sequence of characters (letters, numbers) indicated by the Subscriber in the form established by the Operator, which serves to identify the Subscriber when executing the Agreement. The subscriber has the opportunity to set a code word both at the conclusion of the contract (in this case it is entered into the contract form along with the mandatory details), and at any time during the execution of the contract. Despite this, the subscriber Mironov A.K. had not set a code word before the disputed connection of the service. Under such circumstances, only the subscriber, by establishing a code word for identification with the telecom operator, could neutralize the risk of adverse consequences from such situations, but did not take advantage of this opportunity.”

Account recovery. Mission impossible

A complaint about the inaction of Roskomnadzor has already been filed with the prosecutor's office. Meanwhile, the police remain silent on the crime report. No one reports anything about the results of the investigation within the company either. MTS does not admit any fault. Nobody cares. At the same time, VKontakte continues to refuse to restore the owner's access to the account until he brings a police resolution on the initiation of a criminal case establishing the indicated facts, and a letter from MTS confirming the repudiation of the call forwarding service. The letter, with its rather lengthy explanations, also requires Mironov to provide a certificate from MTS that he is the sole user of the phone number that was linked to the page (and what, do operators register joint ownership of phone numbers somewhere?). The answer came at the end of last week, and given the deadlock and the impossibility of reaching an agreement with VKontakte for six months already, we went to court.


How to protect yourself from hacking

Attackers can also gain access to managing a phone number through other vulnerabilities - the SS7 protocol or obtaining a duplicate SIM card with the help of unscrupulous employees of the operator.

SS7 is a technical protocol used by telecom operators. It contains an old and apparently unfixable vulnerability that allows the interception of data transmitted by subscribers during a call or in SMS. Only operators have access to SS7, but attackers can get it by buying access on the dark web from operators in underdeveloped countries or through unscrupulous employees of mobile operators. The attack occurs when a hacker changes the address of the subscriber's billing system to an address of his own. Most often, attackers inform the system that the subscriber is in international roaming, so the easiest way to protect yourself is to disable international roaming if you are not using it.

Alexey Mironov also did not have two-factor authentication set up for VKontakte. VK introduced this feature in June 2014. Perhaps it could have protected his account from being hacked. It is worth remembering that simply linking an account to a phone number is not two-factor authentication. Two-factor authentication protects account login by requiring one more action in addition to the password. The most common option is an SMS code. This method is not the most reliable, as attackers can intercept the SMS message. More secure options are a key file, temporary codes, a mobile app, and a hardware token.

Unfortunately, we are forced to live in an era where data protection becomes our own problem. Apparently, there is no point in hoping that the operators will bear responsibility in the event of a hack, nor in relying on Roskomnadzor, which has long been out of touch with reality in its data protection practice. It is incredibly difficult to break through the armor of the “rejected material” of the district police officer to whom your report on such a case will be sent, especially for an ordinary person who does not know how this system works. What remains? Do not forget about digital hygiene, trust mathematics and defend your rights in court.


Source: habr.com
