Due to an error in the Lebara website, anyone could take over telephone numbers from customers of that provider. This is evident from research by the NOS after a tip from a source who wants to remain anonymous.
Lebara offered customers the option to move their phone number to another SIM card, but that process turned out not to be properly sealed. As a result, numbers from other customers could also be moved to a new Lebara SIM card.
The security problem has been resolved after reporting by the NOS. “Safety is our top priority, so we resolved it as soon as possible,” said a spokesman. According to the provider, there is “no reason” to believe that the leak has been exploited. The problem was with prepaid SIM cards as well as with subscriptions.
Lebara is a so-called virtual provider, without its own network. In its own words, the provider has more than 800,000 customers. The provider manifests itself with low international rates, among other things.
Receive text messages
If you take over someone’s phone number, you can make calls on behalf of someone and receive their text messages.
The latter is a major risk: many websites use a text message as an extra security measure. If you have to log in, you have to enter a code that you will receive by text message. If you take over someone’s phone number, you will also receive those codes.
That way you could target someone. You would then have to find out someone’s password through another method. If that works, you could, for example, log into someone’s e-mail account or, for example, steal bitcoin.
Verification step
The problem that has now been solved was discovered by the informant who contacted the NOS. He found that he can skip a verification step when porting a Lebara number.
The NOS then succeeded three times to transfer a telephone number that was already in the possession of the NOS to a new SIM card.
To transfer a SIM card, you need two SIM cards: the old one with the number to be transferred and a new one with a temporary number. You actually have to confirm that you have them for both SIM cards by typing a code that is sent by SMS. This should prevent you from taking over someone else’s telephone number.
But it also turned out to be possible to perform the verification twice on the new SIM card, and not once on the SIM card to be taken over. Then the number was transferred without any problems, Lebara confirms. “That is of course very annoying.”
The provider immediately took the switch module off the air after reporting by the NOS and then solved the problem. “It’s a wake-up call,” said the spokesperson. “It shouldn’t happen again.”