I received an automated email this morning from a VoIP service provider, informing me that:
We received a request to reset the password for the account <account_name> from the IP address 41.76.XXX.XXX but the security question entered was invalid.
As a security precaution we have set your account's password to: <new_password>
Once you have logged in you will be prompted to change your password immediately.
My first reaction was that this was an attempt to conduct toll fraud using hosted accounts with weak passwords. Toll fraud is one of the largest threats to VoIP systems, and all-too-easy to perpetrate in many instances.
I immediately accessed my account from the web portal to change the new password. This account can be used to incur charges against my balance, or potentially against stored payment information; it should not be protected only by a password that has been sent via email (not to mention that the newly-set password was weaker, i.e. shorter and less complex, than I would like).
Upon login, the provider offered this small bit of additional information:
A large scale scan attack was attempted last night around 1am on our portal logins, therefore you may have received an email with a new password. We apologize if this has inconvenienced you.
The sequence as described seems incongruous:
- large-scale (automated) attempts to reset the password for numerous accounts;
- security question serving its purpose by preventing the attack; yet
- the provider resets all affected (targeted) account passwords.
As for the attack itself, several factors make this provider's web portal susceptible to (and an attractive target for) such attacks:
- no CAPTCHA requirement for login or password reset attempts (initially or for repeated attempts);
- server responses allow attackers to harvest valid account names by differentiating between valid and invalid username submissions. For example:
The account 'nosuchaccount4563' was not found or has been disabled.
I haven't seen any additional communications from the provider via email, Twitter, etc. No mention of two-factor authentication options on their website. I'm tempted to take my business to a different provider with better security practices, but I've had great success with this provider in (authorized) "war-dialing" modem security assessments. As detailed here, I've been able to use up to 30 concurrent outbound lines to dial a massive number of DID lines in a short period of time. So for my part, I've reset a strong password, ensured that auto-replenishment is disabled for my account, and configured the account to deactivate upon balance depletion, limiting the financial impact of a successful attack. From the provider side, here are some useful tips from a company thinking proactively about defense.
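To make the two portal weaknesses concrete (account-revealing error text, and no limit on repeated reset attempts), here is an added illustration that is not the provider's code: a reset handler written the way the post describes it, beside a hardened one that returns the same message for every outcome and throttles attempts per source IP. The account data, usernames and limits are constructed for the example.

```python
import hmac
import time
from collections import defaultdict
from typing import Optional, Tuple

# Constructed sample account store; the security answers stand in for
# whatever the real portal stores (hypothetical data, not the provider's).
ACCOUNTS = {"alice": {"answer": "fluffy"}, "bob": {"answer": "rex"}}


def reset_vulnerable(username: str, answer: str) -> str:
    """Behaviour as described in the post: the reply text differs for
    unknown accounts, so the reset form doubles as a username oracle."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return f"The account '{username}' was not found or has been disabled."
    if not hmac.compare_digest(acct["answer"], answer):
        return "The security question entered was invalid."
    return "A new password has been emailed to you."


class ResetHandler:
    """Hardened variant: one generic reply for every outcome, plus a cap on
    attempts per source IP within a sliding window (illustrative values)."""

    GENERIC = "If the account exists, reset instructions have been emailed."

    def __init__(self, max_attempts: int = 5, window: float = 600.0):
        self.max_attempts, self.window = max_attempts, window
        self.attempts = defaultdict(list)  # source ip -> attempt timestamps

    def _throttled(self, ip: str, now: float) -> bool:
        recent = [t for t in self.attempts[ip] if now - t < self.window]
        self.attempts[ip] = recent + [now]
        return len(recent) >= self.max_attempts

    def reset(self, username: str, answer: str, ip: str,
              now: Optional[float] = None) -> Tuple[str, bool]:
        """Returns (message shown to the client, whether a reset was issued).
        The message never depends on account existence or answer validity;
        only the server-side action does."""
        now = time.time() if now is None else now
        if self._throttled(ip, now):
            return self.GENERIC, False
        # Dummy record so unknown accounts take the same code path.
        acct = ACCOUNTS.get(username, {"answer": ""})
        ok = username in ACCOUNTS and hmac.compare_digest(acct["answer"], answer)
        return self.GENERIC, ok
```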