UMS Megafon personal account login. A vulnerability in the Megafon.UMS service allows access to SMS messages


Tired of the screen and memory of your mobile device being cluttered with a large number of applications? The Megafon company has found a way out of this situation. It offers its subscribers to use a special service. UMS from Megafon allows you to combine all social networks and email accounts in one resource. In addition, here the client of the cellular operator will be able to send SMS and MMS messages, as well as exchange files (video, audio, photos) with other subscribers using this service.

Features of the service

UMS is a universal set of services that allows you to communicate via social networks, exchange messages, send MMS, work in email, and also view your feed. This means that cellular operator clients will not need to waste the memory of a tablet or mobile device on a large number of applications and clutter the screen with them.

If there is such a need, users can log into the UMS service using the web interface through the “Personal Account” using one password. This is done for the convenience of Megafon subscribers, because in this case you won’t have to remember passwords for different accounts (social networks, email, etc.). The service has a clear structure, and even a schoolchild can use it. With the help of UMS, a client of a cellular company will be able to:

  1. Receive and send messages on social networks.
  2. Store MMS and SMS messages.
  3. View feeds on most social networks (due to the fact that clients can connect to such services).
  4. Receive or send email.
  5. Filter messages (blacklist unnecessary senders).
  6. Receive notifications that an incoming message has arrived via SMS.
  7. Import and save contacts from the phone book in the memory of your mobile device.

In addition, using UMS, Megafon subscribers can set up answering machines on MMS and SMS channels.

Benefits of the service


Working with MMS and SMS messages via UMS Megafon is very comfortable. Megafon subscribers have access to the message history storage service.
And if the service user no longer needs such a service, you can disable it. As for the operation of banking services, the history of SMS messages from them will not be saved for the purpose of client confidentiality. This rule also applies to service messages sent by Megafon.

In addition, subscribers can use the function of forwarding and delayed sending of MMS and SMS messages to the numbers of other subscribers. You can add a signature to sent messages (added automatically). Also, the service can send messages to other cellular network clients within the system. However, the number of messages that can be sent is limited (no more than 70 per day). If the subscriber to whom the SMS or MMS is sent does not use the UMS service, then the cost of the shipment will be calculated automatically (depending on the sender’s tariff plan).

As for sending messages on social networks and emails, there are no restrictions on their number per day. To start working with UMS, you will need an application on any mobile platform (WindowsPhone, iPhone, Android) or you can go to the operator’s website.

Cost and connection methods

To get into the UMS “Personal Account”, you must enter the same password that is used for a similar login on the official Internet resource of the mobile company. This is done for the convenience of users who constantly forget data. In addition, you can log into UMS through the mobile application on your gadget.

You don't have to pay anything to use the service. As for sending an SMS message via UMS, it will be sent at a fixed cost of the mobile operator client’s tariff plan. To connect to the service, you must go to the official Megafon Internet resource and enter a password. Then an item will appear on the screen where you will need to accept the terms and conditions of the mobile operator.

Next, the client of the cellular company will receive an SMS message with a confirmation code, which will need to be entered into the window that appears. After this, the subscriber will be able to use the UMS service by logging in through the “Personal Account”. There is no connection fee for the subscriber. A Megafon client can use other services to connect to the service:

  1. By dialing the combination of numbers and symbols *598*1# on your mobile device.
  2. Send the word “ON” or “ON” by SMS command to number 5598. There will be no charge for such an action.

You can start using the UMS service immediately after registration.

Over the past 4 days, a wave of complaints from Megafon subscribers has begun to appear on the Internet. The bulk are associated with unauthorized subscriptions to paid SMS services. This became possible due to the presence of a vulnerability in the new UMS service.
The situation is aggravated by the weakness of legislation in the Russian Federation and the lack of effectiveness in solving such crimes by law enforcement officers. For the operators themselves, apparently, it is simply not profitable to solve the problem of stealing funds from subscribers’ accounts using SMS subscriptions.

Returning to Megafon, a security hole was found and exploited in the service for working with social networks and UMS messages. This service was launched by the operator in December 2012. One of the advantages is full-fledged work with SMS messages, providing functionality for reading and sending messages. Subscribers are connected to it automatically; to do this, they need to enter their phone number and password for the Service Guide service.

Outwardly, everything looks convenient for subscribers, but only outwardly. While the Service Guide service has at least some semblance of protection in the form of a “security code”, UMS leaves passwords open to brute-forcing. Considering that most numbers use a digits-only password, it is only a matter of time before the password is found, and given that the length can be 4 characters, finding it is very fast. Having obtained the login password, attackers gain access not only to the subscriber’s SMS messages, but also to the Service.Guide system. Currently, this security hole is being used for mass paid SMS subscriptions. According to reports appearing online, the operator, for its part, says a written request is needed for a refund. While a loss of funds can at least be noticed when the SIM card is the subscriber’s main one, with a SIM card used in a modem the problem only becomes known once a significant debt has built up on the account.

Another pitfall that may appear soon may be related to the SMS functionality. One of the most serious dangers may be access to Internet banking and manipulation of a bank account.

I recommend checking your personal account settings and disabling access to the UMS service in the form in which it is currently introduced; there are a large number of pitfalls; this can be done in the Service.Guide service.
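The weakness described above comes down to two front ends accepting the same password while only one of them limits guessing. The following added example (not code from Megafon or from the original article) replays constructed failed logins against three arrangements of a five-failure block; the subscriber number, password, front-end labels and all class and function names are constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5  # figure the page gives for the personal account: five wrong passwords in a row

# Constructed sample account (not a real subscriber or password).
ACCOUNTS = {"79990000001": "4821"}


class LoginGuard:
    """Counts consecutive failed logins per subscriber number and blocks at the limit."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._failures = defaultdict(int)
        self._blocked = set()

    def is_blocked(self, msisdn):
        return msisdn in self._blocked

    def record(self, msisdn, success):
        if success:
            self._failures[msisdn] = 0      # a good login clears the streak
            return
        self._failures[msisdn] += 1
        if self._failures[msisdn] >= self.max_failures:
            self._blocked.add(msisdn)

    def reset(self, msisdn):
        """Unblock after the subscriber has obtained a new password."""
        self._failures[msisdn] = 0
        self._blocked.discard(msisdn)


def check_password(msisdn, password):
    return ACCOUNTS.get(msisdn) == password


def replay(events, guards):
    """Replay (frontend, msisdn, password) events.

    guards maps a front-end label to a LoginGuard, or to None when that
    front end enforces no limit. Returns how many attempts reached the
    password check, how many were refused first, and how many logged in.
    """
    stats = {"verified": 0, "refused": 0, "logged_in": 0}
    for frontend, msisdn, password in events:
        guard = guards.get(frontend)
        if guard is not None and guard.is_blocked(msisdn):
            stats["refused"] += 1
            continue
        ok = check_password(msisdn, password)
        stats["verified"] += 1
        stats["logged_in"] += int(ok)
        if guard is not None:
            guard.record(msisdn, ok)
    return stats


def constructed_events():
    """40 wrong passwords for one number: 20 via each front end (constructed)."""
    number = "79990000001"
    ums = [("ums", number, f"{i:04d}") for i in range(20)]
    sg = [("service_guide", number, f"{i:04d}") for i in range(20, 40)]
    return ums + sg


def demo():
    events = constructed_events()
    shared = LoginGuard()
    return {
        # One front end limits guessing, the other does not (the situation described).
        "one_unguarded": replay(events, {"service_guide": LoginGuard(), "ums": None}),
        # Each front end keeps its own counter: the limit doubles.
        "separate_counters": replay(events, {"service_guide": LoginGuard(), "ums": LoginGuard()}),
        # One counter per subscriber number, shared by every front end.
        "shared_counter": replay(events, {"service_guide": shared, "ums": shared}),
    }


if __name__ == "__main__":
    for name, stats in demo().items():
        print(name, stats)
```

A shared block also means a stream of wrong passwords locks the real subscriber out until a new password is obtained, so the unblock path needs to be as easy for the subscriber as the page describes.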

The Megafon personal account is a special account for Megafon cellular subscribers in which they can view all information on their expenses and independently manage services.

When you click on the link lk.megafon.ru, a welcome window from your Megafon personal account will appear in front of you, in which you will need to enter your login and password to log in. In the login field, enter your phone number. It is important that the number belongs to the Megafon operator.

In the password field you must indicate your password for your personal account. But if you don’t have it, you can log in without it; read on to learn how to do this.

How to log into your personal account

The method described above was how to get to the personal account through the special official website. However, this is not the only way to use this service.

  1. You can use your mobile phone, having previously downloaded a special application from the market, App Store or on the operator’s official website. To access the application, you will also need authorization. To do this, you can use the previously obtained confidential data for the site. If you have not received it before, you can do this using the algorithm described above.
  2. You can also log in through your social media account: VKontakte, Facebook or others. To do this, you will also need to download a special application. For example, for the first social network it is located at the link vk.com/sgmegafon. In this case, in addition to the standard set of services, you will be able to use your account: share news, read friends’ posts, etc.
  3. If it is not possible to log into your account via a desktop computer, and the application is not installed on the phone, you can use an alternative method: enter it through a special number by sending a corresponding request to the system. To do this, type the combination *105# on the keyboard and make a call. Then you will be connected to the account menu, which is designed as a USSD version.
  4. An analogue of this version is the ability to manage your account via the short number 0505. Only in this case the system will guide you in voice mode via audio recording.

Did you know? In this case, the management of the account takes place through the introduction of special requests, and the activation of services is carried out by entering the appropriate codes.

How to register

  1. To log into your MegaFon personal account, registration is required. Only after this you can receive your unique password and log in. To complete the registration procedure, the subscriber will need to type the address lk.megafon.ru in the search bar of the browser. In the open window in the upper left corner there will be a login form for the service, through which you can get into it.
  2. To register you will need the user's personal number, which allows you to obtain a unique password. You can get it in several ways. First of all, you can send a request to the service by entering *105*00#. Then you need to press the call button and wait for an SMS message, through which you will receive authorization data.
  3. MegaFon has provided an alternative way to find out the password to your personal account. You must send a message containing 00 to phone number 000110, after which the necessary information should come. If these methods do not work, you can dial 0505, where the robot will tell you step by step what actions you need to take.

Important! In the latter case, you will not receive a ready-made password; you will need to provide it yourself. Think of it in advance.

Only after receiving this data can you resolve the issue of how to enter your MegaFon personal account. After opening the authorization form, you must enter your phone number and the password obtained through any procedure described above. Then press the enter button and you will be redirected to the desired page. Now you have access to all the functions provided by this service.

Important! If you enter the wrong password five times in a row, access to your account will be blocked. You can remove the blocking if you obtain new information using any of the methods described above.

How to recover your password

Sometimes a situation arises when you need to know how to recover the password to your MegaFon personal account. To recover your password, you can use the same methods that are provided for obtaining it for the first time, that is, described above. If you do this through the website, the system will require you to provide the code word that was entered during registration. If you do it through your phone, it will send you the password via SMS without requiring confirmation.

To change your password, just go to your personal account. From there, go to settings, where you can find the item for managing this data. By going into it, you can change the secret data to the required one. Another method allows you to change your password via SMS. To do this, a message is sent to number 000105 with the following content: "PAS new password." You can also create a new one by typing the service request *105*01# on your phone, after which you need to enter new data.

Features of Megafon personal account

A subscriber’s personal account with a mobile operator is no longer exclusive. This service makes it easier to provide, use and manage other operator services in a short time, without being distracted by communication with the subscriber department. MegaFon, like other operators, provides access to the service only to its subscribers. The service, called “Service Guide,” is provided by default, automatically; the subscriber only needs to register and log in to the account. We will tell you how to do this below.

In your Megafon personal account you can take advantage of the following features:

  • Monitor the status of your Megafon personal account and top it up if necessary
  • Disable/enable additional services and options, as well as manage your tariff plan
  • View balances of service packages and extend them if necessary
  • See the number of accumulated bonus points and spend them
  • Use all this from any device, be it a smartphone/tablet/PC
  • get detailed information about calls;
  • activate the “Promised Payment” service;
  • receive a report on the transactions performed;
  • block a number;
  • change tariff;
  • connect or disconnect any service;
  • transfer money to another MegaFon account;
  • get a consultation.

The recently introduced UMS service is designed as a modern interface that embodies various ways of receiving and sending messages, including on social networks. The application has two interfaces - for smartphones and WEB. The service allows you to combine various communications in one application, which is very convenient for users. When entering the service, you must enter a special password, so almost all Megafon subscribers with corporate numbers will not be able to use the service. Everyone else can easily get the password through their phone number.

The presented service of the Megafon operator is intuitive and quite convenient, so we can say with confidence that users will like UMS. In general, it opens up quite a lot of useful opportunities for users:

  • you can store all the contacts that are in the phone book;
  • the system notifies subscribers about each incoming message via the standard SMS channel;
  • it is possible to launch an answering machine for MMS messages, as well as SMS;
  • all correspondence can be filtered according to the created black list;
  • users can correspond on social networks;
  • you can view the feeds of popular social networks;
  • it is possible to connect different accounts;
  • Megafon users can receive as well as send mail.

But in reality, this is not all the capabilities of the Megafon service. All of them are worth considering in more detail to understand what the popular mobile operator in Russia offers its subscribers.

Contacts

The application interface allows you to reserve contacts, as well as import them from files and add them manually. The contact reservation function is especially interesting - you need to download the service, copy the contacts and then synchronize them with Megafon. This function is equally convenient and beneficial for users and operators. In this case, the operator receives the social connections of each registered subscriber, and users receive the simplest and fastest synchronization of contacts between different devices.

Messages

This section shows all types of messages, and correspondence is permanently stored on the server. The function is convenient if the user changes his phone and wants to save all messages. To ensure security, you need to set a complex password; in addition, you need to configure mobile unlocking using a pattern or password.

You can manage messages using a special setting that does not apply to chats, social networks, or instant messages. This section allows you to perform the following operations:

  • create a blacklist and send messages to spam;
  • set up auto-response;
  • set redirection;
  • disable or enable storage on the operator's server.

You can send messages to several subscribers at the same time, even configuring the sending time. The user can receive voice messages in the UMS system. A useful “Spam” function has been added to the interface, which removes advertising messages. The user can determine the numbers from which spam comes from independently in the settings.

Social networks and mail

You can connect various accounts of the social networks you use to the UMS service. The main feature of this function is that users can simultaneously send messages to several sites, after which they appear in the feed. The service displays absolutely all events on its feed that occur on the social networks of connected accounts. The function is convenient only if there are few “friends” linked to your account. The user can view news from just one social network after selecting it in the appropriate menu. Additionally, the service makes it possible to configure a mail collector from different mailboxes. The interface is very simple, has a minimal set of functions: reply and view.

Application Features

The presented service from the Megafon operator consists of three sections:

  • “Profile” allows you to set up a profile in the system, link messages and accounts, and report your balance. Here you can configure message management, synchronize contacts, link message contacts and accounts;
  • “MIX” takes you to a general section where news and messages from social networks are downloaded, and you can “like” or give replies. By sliding the screen to the right, you will open the settings for displaying data in this section. By turning on the “chat” item, you will receive all messages sent to you from social networks and mobile phones. Using chat, you can add a contact to the blacklist or call him. You can add photos to messages and schedule sending times. To view messages in the feed, you need to move the window to the right, and then select posts;
  • "Contacts" UMS. In this section you can view a list that contains contacts from messaging systems, social networks and phone; you can identify the service only by its icon. To find the desired contact, you can use the search bar - you need to drag the contacts down.

Now Megafon users do not have to install a large number of applications and “clog” the device’s memory with them. If necessary, this application can be viewed using a WEB service. For most users, this feature will be very convenient, since it eliminates the need to remember all passwords for their own accounts.

UMS is conveniently configured to work with various types of messages, since it allows you to save the history of correspondence. This feature can be disabled. However, banking service history is not saved for security reasons. The same applies to the Megafon operator itself. Users will enjoy the feature of delaying forwarding and forwarding messages to other numbers. In addition, you can send messages automatically with the addition of a signature.

In general, the UMS interface is quite understandable, but as experts note, it still lacks stability, basic functions and connection quality. The intuitiveness and ergonomics of the Megafon application are at a sufficient level. However, it requires considerable improvements, including the ability to link chats and accounts and work in low-speed networks. The future of the application depends entirely on its improvement by the operator, and Megafon is working on this.

The functionality of MegaFon's UMS service is very similar to the functionality of the legendary ICQ application and other similar messengers.

But there are also significant, pleasant differences, which, in fact, I will talk about in my article.

Let's start with the most important thing, how does UMS MegaFon differ from ICQ:

  • The ability to send a message not only to the application, but also to a mobile phone.
  • Receive messages not only in the application, but also from other cellular subscribers (any operator). In other words, you receive a message via the Internet from any mobile phone. At the same time, it is not necessary to keep the SIM card in your phone; you can easily put it on a shelf.
  • I really liked the “Delayed sending” function; you can specify the date and time of message delivery. If you send a message to a person who does not know about such a program, then, for example, you can write him a whole ode and send it in parts every hour... In general, there are many options for using this function, you just need to use your imagination. For example, you can send birthday greetings a few days before the actual birthday so you don't forget.
  • Send the coordinates of your current location.

The remaining functions that are available in the application, in general, repeat the set of functions of traditional ICQ, I will describe it very briefly:

  • Free messaging within the program with low Internet traffic consumption.
  • Ability to send multimedia content.
  • View message history, and even if you received a message on your phone, it is duplicated on the server. Thus, it is quite possible to restore SMS history if the phone is lost. The history will be stored from the moment you register for the services and enable the setting to save SMS.
  • Ability to send messages from a computer and from smartphones based on Android, Windows Phone and iOS operating systems.
  • Connecting to social networks, exchanging messages and using them.

Below I will provide instructions for using the MegaFon UMS service.

1. Connect to the service from your phone. Connection: SMS “On” or “On” (without quotes) to number 5598 (free message), or the USSD command *598*1#.
2. You must obtain a password for the Service Guide service. To do this, dial *105*# and the call key on the phone that will be used to register in the application. You should receive a password in response. Remember or write it down.
3. Go to the website: https://messages.megafon.ru/user/toUserPage.do

4. Enter your phone number, password, and security code. Click the "Login" button.
5. Next, you are taken to the main menu of the program (when you first log in, you should be asked for confirmation to connect to the offer, accept it).

6. I think there is no point in explaining further what to do.
The registration process on mobile devices is similar. The only difference is that before proceeding to step 1, you will need to download the program from the play market or App Store. Through the search you can easily find it by entering the query “UMS”, produced by MegaLabs.

In case you do not want your SMS to continue to be saved on the server, it is better to disable the MegaFon UMS service.

Disable: SMS “Off” or “Off” (without quotes) to number 5598 (free message), or the USSD command *598*2#.
If you have any questions or just liked this article, please leave comments and subscribe to the news.


Sometimes there is a need to view MMS in your Megafon Personal Account. These messages arrive not only to the recipient’s device, but also to the company’s server, where the user can open all types of media messages: photographs, audio recordings, video files. But before using the opportunity to view MMS, you must complete certain procedures: connecting to the service, registering in your account.

Connecting the service

In order to view MMS in your Personal Account, this service must be activated. As a rule, the connection is made automatically when the SIM card is activated. But in some cases, for example, if the service was disabled or automatic settings were not installed, you have to activate it yourself. To do this you only need to take a few steps:

  • go to the official website www.megafon.ru and open the “Services” window located in the top field of the page;
  • in the drop-down list, click the "Basic services" tab and select MMS;
  • connect MMS by dialing the USSD command *105*308#. In response to the request, you will receive a notification about the activation of the service.

If you need to disable this option, you need to enter the command *105*308*0# in the USSD request line.

In the "MMS" section, you can also see the list of operators who have the ability to send multimedia messages to Megafon.

Registration in your Personal Account

If you are not able to view incoming MMS messages on your phone, you can do this via a computer by registering in your Personal Account on the official Megafon website.

To do this, go to the Megafon main page and select the active tab "Personal Area". There are two windows here. In the first, you need to enter the Megafon number of your mobile device, which will act as a login. In the second window you need to enter a password to activate your “Personal Account”. It can be obtained using one of several options:

  1. via USSD request: dial *105*00# on your phone keyboard and send a request to the operator using the call button. In response, you will receive a message containing the password to access your account;
  2. send a short SMS message with one Latin letter S from Megafon number to service number 000111. Within a few minutes you will receive a response with a password to log into the system.


After you enter the received data and wait a few seconds for initialization and loading of parameters, you are automatically taken to your "Personal Area". If something was entered incorrectly, a warning on a red background will appear at the top of the window, listing the errors and recommendations for the next actions.

After activating your “Personal Account”, your mobile device will receive an SMS notification that you have received an MMS. This message will also indicate a password so that you can gain access to view MMS through your Personal Account.

View message

After entering your “Personal Account”, its main page will open, on which the “Inbox” tab will immediately be displayed, indicating the number of MMS messages sent. When you click this tab, all messages will be displayed with a detailed description of information about the sending subscriber, the date and time the MMS was received.

To view the MMS message of interest, you need to double-click on it with the mouse or click “Read”. After that, it will completely unfold and open in the form in which it was sent. Unlike many other telecom operators, Megafon makes it possible to view both regular photos and video and audio files on its website.

Here you can immediately send a response MMS by going to the “Reply” tab. To do this, you just need to attach the required file.

Important: In order to protect your computer from viruses and malware, view MMS only through your Personal Account. Messages from an unfamiliar number asking you to view media files on a third-party resource can be detrimental to your device.

Features of using the service

After connecting, the user can view all received messages at any time through the Personal Account. When using the service, you should take into account the features of this service:

  • All incoming and sent messages are stored for three days. If they are not saved in a timely manner, the MMS will be deleted;
  • The Megafon server is often overloaded, so a notification about receiving an MMS with a password for viewing may arrive with a significant delay. If you need to receive an urgent media message, then to quickly receive it, it is best to contact the Megafon support service;
  • The size of a transmitted MMS message for Megafon cannot exceed 1 MB. Otherwise, it cannot be delivered to the server;
  • viewing MMS through your Personal Account in your home region is completely free for Megafon subscribers. When using the service in roaming, the cost of traffic for downloading messages will be paid according to the terms of the established tariff.

Important: In order for the MMS to be received correctly, the sender must dial the number only in the international format: +7 9ХХ ХХХ ХХХХ.

Alternative method: viewing using the UMS service.

You can view received MMS using the new UMS service presented by Megafon. Using UMS, a subscriber can view and store MMS messages for a long period of time: from three months or more. Messages received and sent via UMS are free of charge. To connect to this service, you can use one of three options:

  • Connection through your Personal Account. To do this, you need to log into your Personal Account. Open "Options and services". Here you need to click on the tab "Additional". After opening it, a list with possible connections will appear on the page. Find the UMS service and click the “Connect” button. If the connection was successful, you will receive an SMS indicating that the service has been activated.
  • Connection via SMS; to do this, from the Megafon number you need to send a message with a small text “On” or “On” to the number 5598.
  • Connection via USSD request. Dial the command *598*1# from the Megafon number.

Content thieves will crawl into any hole. Fortunately, greed fails them, and after a large-scale “raid” on wallets, the loophole is closed and the stolen money is returned. This is yet another confirmation that legislation in the field of mobile content is in a bad state.

More precisely, it is not bad, it is absent altogether. There are no effective instruments of influence, and no one wants to use the existing ones. There is a lot of hassle, the effectiveness is low, and law enforcement officers are not interested in getting involved. And it’s not profitable for the rest.

This time, the “eye of the needle” for the “content camel” turned out to be UMS (Unified Messaging Solution), the universal portal for working with messages and social networks, launched in December last year, i.e. less than three months ago. One of the key advantages of the service is full-featured work with SMS messages: from a web portal or a special application you can send SMS from your number, set up filters, etc. Incoming SMS are also duplicated and saved, you can respond to them directly from the web interface and, if desired, the complete archive of messages remains with you, which can be useful when changing devices. You can read our review of this platform; the key quote for today’s analysis is:

“Registration in the system occurs automatically when you first launch the application and enter your phone number plus the password from the Service Guide. If you have not used Service Guide before, the easiest way is to set the password with the USSD command *105*01*password#password# (instead of the word “password” - the combination of numbers you selected for the password).”

In short, the UMS service has implemented a user-friendly and progressive user registration scheme: when entering the UMS portal, registration occurs automatically after entering the phone number and password to the Service Guide. Legally, this is quite acceptable, since the service is free, plus there is a conscious user action (registration on the portal with entering a password). For example, the paid SMS+ service, which is largely similar in functionality, must first be activated through self-service systems. And with UMS they decided to make life easier for the user; there is no need to connect any services either using the USSD command or through the Service Guide. This undoubtedly increased the “friendliness” of the service, but created additional opportunities for an attacker.

Event

On the afternoon of April 4, I received an angry letter with a detailed description of the subscription that had materialized on the number. Quotes with permission of the author:

“...I am a subscriber of MF North-West. Last night I received an SMS “Your account has been used to log into the web portal https://messages.megafon.ru” (see screenshot above). I didn't pay much attention to it, because sometimes you receive SMS with an offer to download MMS, SMS and something else. I went to the page using the link and saw something from Megafon. But because I didn’t use this service, I forgot about it.

Then a second SMS arrived (an hour and a half later) with a digital code and the text “Do not tell anyone your personal code.” Then I immediately called the Megafon contact center (it’s good that I have a VIP tariff and the wait for an operator is less than a minute). During the conversation, another SMS came with the text that a subscription had been issued to my phone number. The operator told me that he had “subscribed” to a paid subscription from the site spinyla.net, from which I was immediately unsubscribed (but they managed to withdraw 20 rubles). I also left a request for a refund (20 rubles). Today I received an SMS that the request was approved, but the money has not yet been credited to my account. Let's wait.

The password in the Megafon Service Guide can only be specified in numbers (yesterday's century, but oh well). But it’s not my birthday, it’s my old phone number, where I moved from about 10 years ago. Accordingly, it is almost impossible to find it by brute force. The question is where did they get the password? Three options in my opinion:

  1. Megafon website was hacked
  2. The password was “taken” from the Google Chrome / Opera password storage (I use them)
  3. The password was “taken” from the My Balance application (mbalance.ru) for iPhone

Point 1 looks unlikely. Point 2 too: no viruses were detected on the computer. Point 3 remains as the closest to reality. I don’t want to believe it, but?”

Guessing a password for the Service Guide really is almost pointless. In addition to the captcha at the login, there are various restrictions on the number of attempts and, most likely, other security mechanisms as well. As far as I remember, the login procedures were reworked and refined three times, and these were only the externally noticeable improvements.

Therefore, I assumed either that the passwords were stolen by a Trojan, or that the password was guessed by logging into the UMS portal. There is no captcha there, which makes it much easier to automate guessing a password for a number or, more likely, matching phone numbers to a specific password. The fraudster doesn’t care which phone numbers he works with, and simple passwords like 123456 are used by thousands, if not tens or hundreds of thousands, of subscribers.
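The pattern described above, one common password tried against many numbers, leaves each number with only one or two failed logins, so a per-number attempt limit never fires. The following detection sketch is an added example, not code from the operator or the original article; the log format, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds are assumptions for this example, not operator values.
WINDOW_SECONDS = 600        # sliding window per source address
MAX_DISTINCT_NUMBERS = 5    # distinct phone numbers one source may try in the window
PER_NUMBER_LOCKOUT = 5      # classic per-account failure limit, for comparison

# Constructed sample log: (unix_time, source_ip, phone_number, login_succeeded).
# One source tries eight numbers once each; one subscriber mistypes twice.
SAMPLE_LOGINS = [
    (1000 + 20 * i, "198.51.100.7", f"+7900000000{i}", i == 3) for i in range(8)
] + [
    (1010, "203.0.113.20", "+79000000099", False),
    (1030, "203.0.113.20", "+79000000099", False),
    (1050, "203.0.113.20", "+79000000099", True),
]


def spraying_sources(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_NUMBERS):
    """Map each source that tried more than `limit` distinct numbers within
    `window` seconds to the sorted numbers seen in its flagged windows."""
    recent = defaultdict(deque)   # source -> (time, number) pairs inside the window
    flagged = defaultdict(set)
    for ts, src, number, _ok in sorted(events):
        queue = recent[src]
        queue.append((ts, number))
        while ts - queue[0][0] > window:
            queue.popleft()
        distinct = {n for _, n in queue}
        if len(distinct) > limit:
            flagged[src] |= distinct
    return {src: sorted(numbers) for src, numbers in flagged.items()}


def locked_numbers(events, limit=PER_NUMBER_LOCKOUT):
    """Numbers that a per-number failure counter alone would have locked."""
    failures = defaultdict(int)
    for _ts, _src, number, ok in events:
        if not ok:
            failures[number] += 1
    return sorted(n for n, count in failures.items() if count >= limit)


if __name__ == "__main__":
    print("flagged sources:", spraying_sources(SAMPLE_LOGINS))
    print("locked by per-number limit:", locked_numbers(SAMPLE_LOGINS))
```

On the constructed sample the per-number limit locks nothing, while counting distinct numbers per source flags the single address that touched eight numbers.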

Chronology

I dug around on the Internet and found a whole collection of identical complaints about a bogus (“left”) subscription being connected, with a complete coincidence of all the symptoms. Starting from the receipt of the SMS “Your account has been used to log into the web portal https://messages.megafon.ru...” and ending with all other attributes, right down to the common “content partner” (the site www.spinyla.net). The timing of the events also roughly coincided: from the late evening of April 3 to the early morning of April 4.

The geography is very different: Moscow, St. Petersburg, Krasnoyarsk, Volga region. In one case, all four phone numbers in a family were “affected,” which indirectly fits into the assumption of an automated search: either “neighboring” numbers were purchased at the same time, or, more likely, all four numbers used one common password for the Service Guide.

On the afternoon of April 4th there was no consolidated information yet, and subscriber services were telling callers whatever they liked, from “You signed up yourself!” to “Make sure that no one knows your password in the Service Guide.” Presumably those same complaints triggered a mechanism to find out the reasons and take action, and towards evening the answers became definite.

On the morning of April 5, a message appeared on MegaFon’s website about “preventive maintenance” and restrictions on the functioning of other applications related to the use of the Service Guide. Coincidences do happen, but it looks more like urgent emergency “work” to eliminate vulnerabilities than “preventive” maintenance.

By the evening of April 5th, the epic of content hacking was (hopefully) successfully completed. The security gap was patched, and the money stolen from the accounts was returned. Those who didn’t notice the write-off will never notice anything. Those who noticed and started making a fuss are now being given the official wording about technical problems with the equipment and an erroneous subscription connection. The version, of course, is funny: a software glitch connected subscribers to the UMS service, sent an SMS message or entered a number on the website, received an SMS with a code, entered it and subscribed. God forbid us from such “failures”; this is already called the “rebellion of the machines”.

What was it?

We won’t know all the details, and MegaFon won’t tell us. I read about very similar cases in early March, also a subscription and also with the connection of the UMS service. True, the victim wrote about SMS+, but he could have made a mistake or misheard. To connect SMS+, you need to guess a password at the Service Guide login, and this is a thankless task. And, most importantly, completely unnecessary in the presence of a “friendly” UMS.

Judging by the screenshot of the call details, the theft process is completely automated; the programmers did a great job. Pay attention to the time: according to the figures, the subscription was registered two seconds after the SMS message with the code was received. Looking up, reading and entering four digits manually in two seconds is hardly physically feasible. Almost certainly, the guessing over blocks of numbers at the UMS portal login is also well automated; for a possible income of 20 rubles per day, no one will pore over this manually.

Judging by the time interval between successfully guessing a password and connecting a subscription (in different examples, from one and a half to five hours), the “event” is carried out in two stages: first, a batch of successfully matched phone/password pairs is prepared, then these pairs are run through subscriptions. The whole process is then repeated for the next block.

I can assume that the monetary potential of this scheme was assessed a long time ago, the software was ordered/written, and fellow content providers have been stealing through bogus (“left”) subscriptions for more than one week. Now either greed has taken over, or the program has fallen into the hands of a stupid person who, wanting too much money “here and now,” inadvertently triggered a fraud tracking mechanism. You have to be more modest, more modest.

It’s scary to imagine how many fascinating stories have passed through the camera’s anti-fraud departments. And how many stories have not yet passed and, perhaps, will never pass. They will return (or not return) what was written off to the complainant and forget about it. Still, we need to resolve the issue in principle, and not engage in patching up security holes and developing scanty “Content Bans.” We would disable everyone’s access to any paid content and enable it only upon written request. Oh, dreams...

Conclusions for us

What you and I should take away from this story.

Although there is a saying about shells that don’t hit the same place twice, I would check the UMS service connection in the Service Guide just in case. What if you once connected it “to try”, but didn’t turn it off or forgot?

If the service is not connected, then upon the first successful login to the UMS portal, its automatic connection is triggered, and the entry “The composition of services has been changed” appears in the Service Guide, indicating the date and exact time.

At the same time, an SMS message is sent to the phone warning about a successful login to the UMS portal using the user’s data (phone number and password). For us, this is an important “bell”, after which you can still have time to disable the service and/or change your password. Subsequent visits to the portal occur unnoticed by the user. At least I didn’t get any SMS warnings; I checked.

Take the trouble to use a password of the maximum length, and categorically avoid traditional combinations like 12345, date of birth, etc.

Paying attention to “mysterious” SMS messages and not rushing to erase them from your phone’s memory can be useful for reconstructing the picture of what happened.

Sergey Potresov