security flaw - the security depends on the phone number


#1

From the FAQ:

Can I change my mobile number?

Go to the ‘More’ section of the app and tap ‘Profile’ and ‘Personal details’. You can edit your phone number here. Then, you should log out at the bottom of the ‘Profile’ page and log back in with your new mobile number to verify it.

If you cannot access the app as you need a 6-digit verification code message, please attempt to log in with your old mobile number and then select the option ‘I haven’t Received Code’ to speak to our in-app support.

I did not use the app (can’t confirm it). However, I noticed that there is no mention of a password.

So, the phone number owner is the actual owner of the Revolut account.

There are many documented cases when crackers take over a phone number using simple social engineering:

https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/#72b43dbb360f


#2

If I remember correctly, you also need to enter a PIN.


#3

Hi there. You can change the phone number of your account ONLY if you are logged in which requires Passcode.


#4

I guess revol42’s concern is if someone manages to get control of the phone number (e.g. have the mobile provider transfer the number without proper authorisation).


#5

But you still need to know the passcode.