Edit: This is a fictitious story; there is no utility company. Our villain in this story, “the utility company”, is an example. However, attacks like this occur every day, so I wanted to shine a light on how they happen in a proof of concept that was presented properly to my audience in a safe environment and with an entertaining back-story. Take the article with a grain of salt and always be responsible in disclosure. I hope that you enjoy the read.
One day a user was checking their mail and realized that they had failed to take care of a utility bill. Frantically, they took steps to pay the bill online via the self-service web application. The application was fairly simple and straightforward. All it took to “authenticate”, if you could call it that, was to enter the account number and hit a button to continue. Upon hitting the button to continue the payment process, the user was shown a page with several pieces of personally identifiable information (the same data found in a phone book):
- First & Last name
- Phone number
In such an angry state of mind, the user tried to log in as fast as they could, mashing the keys of their assigned account number so that they could get the sting of another bill out of the way. Hitting the enter key displayed the usual page they were used to seeing, asking them to confirm account information, except this time something was very different. The name was not correct; it was someone else’s name, someone who lives in the same state as the user and obviously uses the same utility company. Checking the account number they had typed, the user noticed that the last digit was the issue: it was exactly one above their own account number. Typically this indicates that account numbers are based on incremental values (more than likely an auto_increment column). Are you thinking what I am? This could be scraped. So I set up a test lab with my own code and fake data to test a proof of concept.
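The off-by-one lookup described above is exactly the fingerprint a defender can watch for: one client whose account lookups walk consecutive numbers. As an added example (not code from the original post or from any real utility company), the Python below runs over constructed access-log lines for an assumed lookup endpoint `/pay/confirm?account=` and flags clients whose successful requests hit a run of sequential account numbers.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache-style); the IPs, timestamps and
# account numbers are made up. 203.0.113.9 walks five consecutive accounts.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:01:02 +0000] "GET /pay/confirm?account=4408121 HTTP/1.1" 200 812
203.0.113.9 - - [10/Mar/2024:09:01:05 +0000] "GET /pay/confirm?account=4408200 HTTP/1.1" 200 815
203.0.113.9 - - [10/Mar/2024:09:01:06 +0000] "GET /pay/confirm?account=4408201 HTTP/1.1" 200 809
203.0.113.9 - - [10/Mar/2024:09:01:07 +0000] "GET /pay/confirm?account=4408202 HTTP/1.1" 200 811
203.0.113.9 - - [10/Mar/2024:09:01:08 +0000] "GET /pay/confirm?account=4408203 HTTP/1.1" 200 810
203.0.113.9 - - [10/Mar/2024:09:01:09 +0000] "GET /pay/confirm?account=4408204 HTTP/1.1" 200 814
198.51.100.7 - - [10/Mar/2024:09:02:30 +0000] "GET /pay/confirm?account=4408122 HTTP/1.1" 200 813
"""

# Assumed endpoint shape: the account number is the only parameter, as in the story.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /pay/confirm\?account=(?P<acct>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_lookups(log_text):
    """Return {client_ip: [account numbers in request order]} for lookups that returned 200."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            by_client[m.group("ip")].append(int(m.group("acct")))
    return by_client

def longest_sequential_run(accounts):
    """Length of the longest run in which each account number is exactly one above the previous."""
    best = run = 1 if accounts else 0
    for prev, cur in zip(accounts, accounts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=4):
    """Clients whose successful lookups include a sequential run of at least min_run accounts."""
    runs = {ip: longest_sequential_run(accts) for ip, accts in parse_lookups(log_text).items()}
    return {ip: length for ip, length in runs.items() if length >= min_run}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'203.0.113.9': 5}
```

A legitimate customer who mistypes one digit, like the user in the story, produces a run of two at most, so the threshold separates the typo from the walk.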