Slashdot Mirror
Investigators Replicate Nokia 1100 Banking Hack
Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
It may be illegal, but the hackers deserve some credit for being able to figure this out.
I think I had one of those & gave it to my 4 yr old nephew to play with / destroy it.
There is a war going on for your mind.
"The modified firmware is then uploaded to the Nokia 1100. Certain models of the 1100 used erasable ROM, which allows data to be read and written to the chip, Becker said."
If that's the case, how hard would it be to desolder a non-flashable ROM and replace it with one that is? It would certainly be more hassle than buying a phone already built that way, but with the right tools and enough effort, why wouldn't any phone be susceptible to this type of attack?
It's nice to see an example of correct use of "hacker" by the mainstream media, even if it's just by chance
I've got one of these in my pocket right now. Do you think it would raise any suspicion if I posted it on eBay now?
Nokia 1100 L000000K! RARE! HACK BANKS!!!
Smart move from Nokia trying to outsell the iPhone
they are actually very widespread, i see that model all over the place. Not everyone wants a top of the range phone, some just want to make calls and use texts. This is one of the few dirt cheap phones available.
from tfa: That application allows a hacker to decrypt the Nokia 1100's firmware, Becker said. Then, the firmware can be modified and information such as the IMEI (International Mobile Equipment Identity) number can be changed as well as the IMSI (International Mobile Subscriber Identity) number, which allows a phone to register itself with an operator.
Uh... this ability is hardly unique to this device, I have a feeling there's something else they're not telling us.
e to the pi i plus one equals zero
Correct. The real defect here isn't the phone, it's the system it's spoofing. This phone just makes it easier to construct the spoof.
If you mod me down, I shall become more powerful than you could possibly imagine.
Bidding has started ...
http://catalog.ebay.co.uk/Nokia-1100-Mobile-Phone_W0QQ_fclsZ1QQ_pidZ56002720QQ_tabZ3
Don't make your problems my problems!
Here on /. we're always bragging about find good use for old hardware. Well these guys did just that, and now you're going to chastise them for it.
You people have been asking for us to recycle our electronics for years now, bitching about throwing away cell phones, and their toxic batteries. This guys deserve some sort of award for this.
Good job
where can I get one?
Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
For implementing such a flawed banking transaction protocol.
Don't bother replying, I know the answer is no-one.
Nullius in verba
Is this one particular factory in China, by some chance?
No, if you happened to read the article you'd find out it was the Bochum, Germany factory.
There are three kinds of lies: lies, damned lies, and statistics.
I'm guessing it won't take long for these phones to be outlawed in the EU though.
Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.
The secret to creativity is knowing how to hide your sources. - Albert Einstein
1. physical access to SIM-card to get the IMSI
2. info on bank account / phone number
3. hacking in PC/internet connection to determine if/when the code is used.
4. raise no suspicion when a code is sent and not received by the original recipient, and recipient is not able to call/being called or send/receive text because the original phone will be blocked until it is paired again with the GSM-system (power cycled)
5. you need to have a bank that does have this system. (mine does not)
so not as viable as it looks.
There's an app for that...
What crazy bank sends *TANs to mobile phones in the first place?? Even this possibility would be a reason for me to terminate the contract.
I really recommend chipcard based systems. I use a class 2 terminal, and HBCI. It's not only much more comfortable, it's also on a completely different level in terms of security.
(In case you do not know how it works: Everything between the chipcard controller and the bank system basically only forwards encrypted packets. And if anything meddles with them, it detects this. You need the card, and a code of six numbers, and the server associates a user with that login. Every transaction that follows this, has to be accepted by the chipcard/terminal. The ones with keypads *and* displays are the most secure, because they show the details of the transaction *on* the terminal, and you have to say ok *with* that terminal. So the only open hole that I know of, is physical tinkering with the card and the terminal. Which still would be pretty hard, but not impossible. But if anyone can do this, I'm fucked anyway. ^^ [Oh, and of course, if you know of any problems with this system, I'm happy to hear them.])
Any sufficiently advanced intelligence is indistinguishable from stupidity.
But isn't that actually the tough part? That's the whole key to GSM.
Cloning a SIM is supposed to be non-trivial and should be nigh-impossible if you cannot get physical access to the person's SIM. I know there was an issue where the secret keys in the SIMs weren't random enough, but that's a long time ago now, newer SIMs are not subject to that problem.
As to the thing about erasable ROM, I thought something like the iPhone 1G had been completely pwned and should be as subject to an IMEI cloning hack as any of these phones.
http://lkml.org/lkml/2005/8/20/95
If all the carriers discontinued service to these models they would render them useless.
I wasn't aware that the model of the phone was part of the GSM protocol. Even if it was, if you can program the phone to lie about the IEMI or IMSI, then you can program the phone to lie about the phone model to the provider.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
This article is plain stupid, Nokia 1110 has nothing than other phones in the same Nokia DCT4 family don't have, while DCT4 firmwares can be decrypted, Nokia DCT3 phones(Nokia 3310, etc) are much more well suited for this job, given the fact that already exists an open source(GPL) firmware in C for this devices... And about SIM cloning, YOU CANÂT clone a GSM SIM card in seconds!!!! The most advanced software for clone SIM cards(SimScan - http://users.net.yu/~dejan/) still has to do some brute-force to extract the Ki key, witch is designed to never leave the card, while we can extract IMSI with no problems , to clone a SIM card, you need two values: IMSI and Ki, and without Ki, IMSI is worthless...
I'm guessing it won't take long for these phones to be outlawed in the EU though.
Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.
Don't forget hookers. I think it's illegal to mention drugs and guns without mentioning hookers. And just to be safe, let's mention blackjack.
Sure I'm paranoid, but am I paranoid enough?
Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.
I would have had faith in that statement before the credit crisis of 2008 took hold.
"All great wisdom is contained in .signature files"
According to the other posts earlier in this thread, the critical thing about this phone is that the firmware is a flashable ROM that can be easily reprogrammed. So the critical thing is that you can easily get this phone to lie, about the phone account used, and about anything else that would be transmitted over the standard GSM protocols. So the GP is correct: locking out the phone type - assuming it was possible, wouldn't do any good because the phone could be reprogrammed to impersonate something else.
It is extremely unlikely that the existing cell tower/receiver infrastructure could be used to determine that a phone is an 1100 impersonating some other model (or even upgraded to do so). It would be better to spend the development costs on revamping GSM to use a secure handshake protocol with large asymmetric key sizes and non-removable private keys, and securing OOB control channels with AES. Good luck getting police forces and spook agencies to roll over for that one though.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
The ING Bank, formerly Postbank, in The Netherlands does a TAN over phone, for one, but only optionally*; you have to sign up for it.
It's actually reasonably secure. You need to log in with username/password first, then you have to set up the transaction, then you have to wait for the TAN by phone, and then enter that. It's quite nice when, say, abroad and you do need to do some banking while abroad. If you're away for a month or more, you might have rent to pay, for example; not everybody accepts 2 months' rent, or allow you to pay upon your return.
Odds are that you'll have your phone with you - so why lug around another (USB) device, a card, etc. Worse yet, who says you can actually plug a USB device into the internet cafe you happen to be at?
Combine that convenience with the odds that somebody 1. has your username/password and 2. has a copy of your phone in terms of what would be needed to pull this off, are so tiny that - as per other replies - I think there's something more going on here than just duping the network and getting the TANs intended for another person, somehow; it would be far -more- likely a burglar took your actual phone and found your username/password written down on it or something.
The networks don't just authenticate the phones here, they will simply -not- allow a second copy of an IMEI on the networks. If that happens, they -will- investigate, triangulate, and send in the forces to find out wtf happened that they got a duplicate IMEI. Obviously that may be different outside of the nl-be region (i.e. I'm not even sure how they handle it in germany; but it was my understanding that practically all networks only allow a single ID and red flags get raised when a duplicate pops up)
* That said, I don't use it. My phone could die, and I would be f'n stuck until I got a new phone to drop the SIM in. Worse yet, I could lose my phone - which is always a possibility for any goods you take with you everywhere, all the time.
I just work with the long list of TAN numbers printed out on a sheet of paper** The bank asks me for the TAN number corresponding to a given index, I type it in, transaction completed. The only way for that to be intercepted is for it to be done so somewhere along the snailmail line, and any tampering with the envelope/etc. would be glaringly obvious.
Yes, that paper can be stolen (which would be noticeable) or even copied, and -if- they then have my login information as well, I'm still screwed. But at least there's no possibility of some manner of 'eavesdropping', short of a high powered telescope aimed at my window from an undisclosed location, and I can't easily 'lose' it as I might a phone, as I'm not carrying that list with me all the time. Slight sacrifice of convenience, but I'll live.
** Ideally they would send two pages, one with the indices randomized, one with the TAN numbers, that could then be kept in separate locations and simply overlaid to find the TAN corresponding to an index, but this can be done manually if one were just shy of a tinfoil hat.
=====
I have yet to be convinced by anybody that one of those 'calculators' / USB devices + a card + lord knows what else is actually more secure without being glaringly less convenient, than what I'm working with now. But maybe I haven't heard the right arguments yet.