In the last few weeks I took a closer look at caller ID spoofing and the impact that this “feature” can have on today's online services. A few months ago I came across a great blog post from Shubham Shah, who is an Australian security researcher and pentester. You can find the post here.
He did great work 2 ½ years ago – he analyzed the impact of caller ID spoofing on 2-factor authentication on many popular services like Google, Facebook and so on. The caller ID is basically the number which gets displayed on the phone on the receiving end of the call. He was able to bypass the 2-factor authentication on these services quite effectively. For bypassing 2FA he used a long-known issue which affects the authentication of voicemails - I will cover this topic in detail later on in this post.