SWAT MAGAZINE ISSUE TWENTY-THREE NOVEMBER 1999

Another bug with Vodafone PAYT
By qwaszx
-----------------------------------------------------------------------

Those of you who are on Vodafone PAYT will know that to find out how much money you have left, you need to dial 1345 (there are other ways on the digital service, but the bug doesn't apply to these). When you dial up, the automated woman asks you to type in your mobile phone number. Now Vodafone don't know which phone you are calling from (otherwise you wouldn't have to enter the number in the first place), so you can type in any Vodafone number you want, and the current balance for that number is shown. This would be useful in social engineering, i.e. it would be much more convincing if you could quote the person's balance to the operator or something, use your imagination.

An offshoot of this is that when you phone up the Vodafone helpline (191), the operator asks you for your phone number (presumably so they can check your details), and again, this suggests that the people at Vodafone don't already know your current Vodafone number - you could say any number you like - and Bullsh.. ahem.. Social Engineer whatever information you like from that person, e.g.

Operator: Hello, Bob speaking, may I take your number please?
You: Yes, it's {number of person}
Operator: Thank you, now how can I help you? (Ever so kind these people)
You: I've just moved house and I wanted to update the registration details - They should be {Random name/address here}.
Operator: No - I'm sorry, the details shown here are {Victims address}
You: Oh - Right! I must have already changed them! Thank you very much.
Operator: Goodbye, and have a nice day!
You: Bye!!
Or something like that - you may need to press a little for the information, but as long as you come up with a good excuse, the operators will probably give you anything - in this case an address for your victim which could be used in other cases. Sometimes they ask you for your secret password, but 9 times out of 10 the operators forgot to ask me, and for that 1 time out of 10, just say anything and act like some hacker has messed your phone up (including the password... :) )

I don't know if this works for other networks (I only have Vodafone), but on Cellnet 'U', Cellnet have no record of when you last topped up - so in theory, you don't have to top up within the time limits they set (90 days or something) - except that the prices are so outrageous that you need to top up every week or so anyway! On Cellnet Pre-Pay phones, the balance is stored on the phone itself, so the trick with Vodafone balances won't work.

---
Written by qwaszx for SWAT Magazine
Send comments, suggestions, praise to
Send Flames to

Standard disclaimer applies - I am not responsible for what you do with this information, and for any inaccuracies. blah.. blah.. blah......