Scammers Work Around Two-Factor Authentication With Social Engineering

mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and work place details from his willing secretary. Armed with this data, they bluffed Vodafone which ported his phone number, meaning the criminals could verify the bank's two factor verification codes generated during their spending spree and the victim never knew a thing."

Victim never knew a thing?

[icebike]

Including that his phone didn't work any more?

Was he traveling out of country or what? That must have been one fast shopping spree.

Re:Victim never knew a thing?

[Fjandr]

He received an SMS which he believed to be from Vodaphone, stating that they were having network difficulties and he would experience loss of cell service for the next 24 hours.

Re:Victim never knew a thing?

FTA: "As the port request was processed, the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This bought the criminals time to commit the fraud."

Re:Victim never knew a thing?

[srjh]

As someone on Vodafone in Australia, this should immediately have started ringing alarm bells.

No way they'd have the problems fixed in 24 hours.

Re:Victim never knew a thing?

[tdelaney]

Considering it's the Vodafail network, a 24-hour outage would be considered normal service.

Re:Victim never knew a thing?

[w0mprat]

Porting between carriers and devices, in most cases, requires so little authentication it's rather disturbing. It does not require any meaningful ID of the person before proceeding or at least I'm not aware of a carrier that does.

Re:Victim never knew a thing?

[93+Escort+Wagon]

Porting between carriers and devices, in most cases, requires so little authentication it's rather disturbing. It does not require any meaningful ID of the person before proceeding or at least I'm not aware of a carrier that does.

But the problem is - post Ma Bell, when the carriers used to make the customer jump through numerous hoops and bend over backwards before they'd allow you to port your number to a different company, people screamed bloody hell. This current state of affairs is the way it is because it's basically what the customers (and their politicians) demanded.

I'm not saying it's right - just that it's not completely the carriers' fault.

Re:Victim never knew a thing?

[deniable]

Or tell you about it.

Re:Victim never knew a thing?

[FatLittleMonkey]

It's disturbing when the scammers have better customer service than the actual phone company.

Re:Victim never knew a thing?

Victim never knew a thing?...Including that his phone didn't work any more?

Was he traveling out of country or what? That must have been one fast shopping spree.

You realize some people aren't married to their cell phone, right? I routinely go 2 or 3 days without using (or even looking at) mine.

Re:Victim never knew a thing?

[Dan541]

My bank has the audacity to tell me that. "Email is not secure" yet somehow the phone is ok.

Account security

[Fjandr]

This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.

Re:Account security

[Pubstar]

Thinking about the attack that they did, even the way Chase has to send a verification code every time you log in to a different computer would be useless against this attack. They could just have it send the verification code to the phone through SMS.

Re:Account security

[enoz]

A Hardware Token (such as RSA Securid) would have prevented TFA's fraud. SMS is clearly not a good replacement for real Two-Factor authentication, though it is cheap for the banks to implement compared to other options.

Re:Account security

[LordLucless]

SMS is clearly not a good replacement for real Two-Factor authentication

Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

The fail at this point wasn't that the bank implemented security poorly - it's that the Telco did. They didn't even have one-factor authentication. They asked for two points of information - customer number and DOB - neither of which can reasonably be considered a secure secret. Even then, the Telco is following the process that it has been mandated to follow by the government - including the data that should be used to verify identity. If the government are going to mandate requirements for business processes, then they should either be damn sure what they're mandating is secure, or they should explicitly leave security implementation up to the business.

Re:Account security

[iluvcapra]

Unfortunately zero banks in the US (or Australia) offers SecurID. PayPal does, but they don't really offer modern bank features, like bill pay or check/"cheque" writing, and the average bank wouldn't want to support such a thing, because there's no demand and it would intimidate customers -- irrationally, but so what? You'd need a bank reg.

Stories like this make me want to put all my money in Bitcoins. I HATE the whole Bitcoin concept and think its a crock, but with a Bitcoin at least I'm in charge of the security policy.

Re:Account security

Etrade has SecurID.

Re:Account security

[jamesh]

Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

Re:Account security

[jamesh]

Unfortunately zero banks in the US (or Australia) offers SecurID

I've had a token (not RSA but equivalent) for years for my bank account in Australia.

Re:Account security

[mjwx]

This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.

I agree, but the average person does not unfortunately.

The average person will view this as the bank trying to get in the way of them and their money. In Australia there will be huge sensationalised reports about the EVIL BANKS stealing from hard working Aussie battlers and keeping all that dastardly profit for themselves where as in reality, the new security measures cost more to implement but the real problem is Bazza from Frankston is too dumb and lazy to learn how to keep his cash secure.

So the system we have is probably the best system we're going to get. Its the worst the dumbest will put up with. They dont care about their own security, hence the bank has to protect them.

In either case, the fraud victim will get their money back, telco's will make it harder to port numbers over. As far as attacks go, this one takes a lot of effort and some money to start. Futher more, it requires the hacker to live in Australia and register their SIM card in Oz (which you require photo ID to buy, well in theory anyway). So to find the attackers, they need to locate the SIM (telco's will turn that over without question) then ask the Telco who bought the SIM and what ID they used.

Re:Account security

or the business could maybe go out on a limb, spend some executive bonus pool money, and maybe take some responsibility on its own and try to do a bit better than what was mandated. at least in yhe us the mandated requirements are not likely to have been handed down from on high, but instead exactly what they proposed just to get congress or the regulators off their backs...
but this would take an executive team to look a bit past their country club social instincts, sacrifice a bit of the sociopathic "shareholder value" today, etc. oh, and take responsibility.

Re:Account security

[iluvcapra]

Maybe I spoke too soon.

Re:Account security

[Hognoxious]

SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two.

The phone number isn't something you have. It's something that anybody could have.

Re:Account security

I'm using a Vasco token with HSBC Australia ... (not advertising either .. just sayin' ..)

Re:Account security

[iluvcapra]

I'm an HSBC customer in the US, after scouring their site I can find no mention of tokens or SecurID. It's annoying.

Re:Account security

My bank uses paper. The codes for confirming operations are on a piece of paper and behind a scratch-to-read protective layer. Sure, it can be stolen, but I usually notice it when somebody breaks into my house, as opposed to having no reliable way to check if my phone or PC has been broken into.

Re:Account security

[LordLucless]

The same could be said about anything. The seed for your token generator isn't something you have - it's something anybody could have.

Re:Account security

[tsotha]

Bank of America offers something they're calling a "Safepass Card", which looks suspiciously like SecurID to me.

Re:Account security

[Fjandr]

Given how much is being linked to a cellular number, I actually would support making number portability more difficult (in that securing a process almost always makes that process more difficult/complex).

Unfortunately, politicians seem to swing from one extreme to another with little in between, so any regulations mandating increased security are likely to either be completely ineffective or much more inconvenient than necessary.

Something like SIM registration seems like it would go a long way toward combating this sort of hijacking, and should be relatively easy to implement.

Re:Account security

[mjwx]

Given how much is being linked to a cellular number, I actually would support making number portability more difficult (in that securing a process almost always makes that process more difficult/complex).

Something like SIM registration seems like it would go a long way toward combating this sort of hijacking, and should be relatively easy to implement.

We've go the same problem as with the banks. After banks and speed cameras, telco's are the favourite targets of the sensationalist bollocks brigade.

Any move to make it more secure will be met with scorn and venom from anyone who doesn't want to understand why it's happening. Right between signing up for the Vodafail page and complaining about how bad their teclo is.

Re:Account security

[bloodhawk]

Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

You are confused. SMS to your mobile IS TWO FACTOR AUTH. just because it sucks doesn't make it not two factor auth. Besides when directly targetted there are very few good two factor auths that are practical that can't be defeated by a well targetted scam such as this. RSA/Vasco tokens can be stolen as can Smartcards or USB keys and when you are talking about scams in the amount of this article then the theft of a token isn't that much of a reach either. It isn't like it takes long to empty a bank account.

Re:Account security

[Jeremi]

The seed for your token generator isn't something you have - it's something anybody could have.

Err, how? (Besides physically stealing your token generator, I mean)

Re:Account security

[jamesh]

You are confused. SMS to your mobile IS TWO FACTOR AUTH

you said "Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.". I said "It sure does". I wasn't disputing that password+mobile number was two factor auth, I was disputing that it was a reasonable choice.

I may be a bit out of date here but I thought that sniffing an SMS wasn't really that difficult for a sufficiently motivated criminal... but maybe it's sufficiently difficult with today's 3G networks? Last time i checked most carriers didn't encrypt GSM communications, which makes the second factor more about the SMS itself than the phone number.

Re:Account security

What he wanted to say is "your phone number is not a physical item". Thus it is not really two-factor authentication in the usual sense, it uses something you know and something someone else temporarily mapped to you, with that mapping being entirely outside your control.

Re:Account security

[jonwil]

Considering my mobile number was previously registered with Vodafone in my mums name (at the time I signed up, I didn't have enough credit history to get a postpaid plain in my own name) and I was recently able to switch it from Vodafone to TPG Mobile without either entity seeing any kind of actual ID (and I dont remember providing ID when I first signed up to TPG for ADSL either) I doubt that there are as many requirements on getting a SIM card as there should be.

Re:Account security

[LordLucless]

It all depends on the security of the authority that issued you your generator - much the same as your mobile number. If they hand out your generator seed willy-nilly - the way telcos appear to do for mobile number porting requests - you're just as vulnerable.

The issue here isn't that the technology wasn't good enough, it's that the trusted authority shouldn't have been trusted.

Re:Account security

[93+Escort+Wagon]

It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

Google promotes it as well - is it okay to call them stupid in this case, or do we still give them a pass?

Re:Account security

Since when was receiving a validation code over insecure unencrypted PSTN connect and then over GSM/CDMA considered a "what you have" factor? No, it's just another "what you know factor" which makes a total combination of two. Not proper two-factor authentication, at least time-synced tokens with one way hashing can at least emulate "what you have".

Re:Account security

[cyssero]

Wrong, the Commonwealth Bank (bank in TFA ) offer 2FA hardware tokens (à la SecureID) as an alternative to NetCode (the 2FA used in this instance). They offer this primarily to customers travelling overseas (and can't/don't want roaming) or those who are frequently out of coverage zones.It's free, too.

Re:Account security

[jonwil]

Both HSBC Australia and the Bendigo Bank offer hardware tokens.

Re:Account security

[thegarbz]

Erm there's many banks that offer SecurID in Australia:
Suncorp
Westpac
NAB
ANZ
Commonwealth Bank offer them to limited customers only.

As for the US I think Citigroup uses them too.

Re:Account security

However there's a difference here: There are cases where you legitimately want to transfer a phone number to a different phone. However there are no cases where you legitimately want to transfer a hash seed to another generator. Of course the bank also needs your hash seed to generate the code, but then, if the bank's computer is cracked it's probably easier for the attackers to just access your account directly.

Re:Account security

[Bert64]

Well, not RSA, some other form of token where the customer (in this case the bank) keys it themselves.
The idea of buying a token that's already loaded with key material is an epic fail, as proven by RSA when they got owned a few months ago.

Re:Account security

[Bert64]

Security is inconvenient, if a business implements tougher security than its competitors then users will flock to the more convenient competitors...

Losing customers in this way has been judged to cost more than the resulting fraud from weaker security, and so this is how its done.

Re:Account security

[deniable]

My brother has one from Commonwealth. He spends a lot of time outside mobile coverage but with 'net access. (At least when the generator is running.)

Re:Account security

[xaxa]

Last time I ported a number between UK carriers I was sent several text messages to each phone.

It used to be that you couldn't start the process until you'd received a letter with a code (PAC - Porting Authorisation Code), but they were happy to tell me the code over the phone.

(But anyway, my bank uses the encryption key stored on my debit card to authorise similar transactions.)

Re:Account security

Charles Schwab offers a secure token on request 2-factor authentication

Re:Account security

[Sparr0]

They could get the serial number off your token generator and compromise the token provider's database. I've replaced token generators with software token generators in the past to streamline helpdesk operations, we had a database full of the token keys. If that got compromised, it would be bad.

Re:Account security

[jjo]

I have a Safepass card. It's been some time since I got it, but I think it cost me about $20. Whenever I want to make an online payment to a previously-unknown payee, I need to enter the code from the hardware token. While it's true that the token could be stolen, thieves would have to intercept my username/password, then steal the token without my discovering the theft in time to notify the bank. Not impossible by any means, but probably difficult enough to induce the thieves to look for easier prey. I think my investment of $20 and a few extra keystrokes is well worth it.

Re:Account security

[ebyrob]

I'm confused, are you saying the whole token system is poorly designed? The database should only contain the public key equivalents for the physical token generators. The private key equivalent data shouldn't exist anywhere outside the key-fob.

(It's like you're saying stealing the password file would give you remote access to a UNIX system, without further decryption/password guessing)

Re:Account security

[GNious]

[..]thieves would have to intercept my username/password, then steal the token without my discovering the theft in time to notify the bank.

So, they should steal you as well? Or render you unable to contact your bank in the near future.

Re:Account security

[downhole]

It was my understanding that intercepting SMS was extremely difficult, barring things such as stealing or hacking the phone itself or getting the carrier to transfer the number to your SIM card, as they apparently did here. Again IIRC, GSM (and the other cellular variants) are encrypted, and the only hack of that I've heard of was when somebody at a security conference set up a man in the middle attack with a hacked GSM cell that tricked the phone into running in unencrypted mode, so you'd have to get close to the intended victim and transmit with enough power to get the phone to associate with your cell over the real cell.

Re:Account security

[StikyPad]

And this doesn't demonstrate that Two Factor Authentication is worthless either. If thieves have to select their targets more carefully, (because there's no point jumping through such hoops to impersonate someone with $2.50 in their checking account) it will reduce identity theft rates overall, which is good, and create as an enemy those with the most resources fight back, which is also good.

Re:Account security

[Archangel+Michael]

SMS is not a good replacement for Two-Factor Security. I use GoogleVoice for my SMS two factor authentication, not my Cell Phone. If I lose my Cell phone, I don't have to worry about someone getting my two-factor authentication codes. My phone uses a different GV number than I use for my Two-Factor Auth.

I rarely us real SMS anymore because GV just is so much more convenient for me.

Re:Account security

[Jeremi]

It all depends on the security of the authority that issued you your generator - much the same as your mobile number. If they hand out your generator seed willy-nilly - the way telcos appear to do for mobile number porting requests - you're just as vulnerable.

Sure, but since a cell number was never intended to be a secure ID, there are various scenarios where a cell company needs to hand out information about it... hence the problem. I can't think of any scenario where a token-generator company would need to hand out your token-fob's seed. In fact it would be best if they don't even keep a record of it. One would hope that a company whose sole purpose was security would be aware of the security implications of doing either of those things. (whereas a cell phone company's primary focus is on keeping its customers connected, not on keeping their cell numbers unknown)

Re:Account security

You gotta be on site or in the Telcos network. Sec there should be some degrees better then call center competence.

But the funny bit: You can never be sure :).

Regards,

Martin

Re:Account security

If the private key equivalent data did not exist outside the key-fob, how would a software token generator (such as for your phone) get configured to duplicate your tokens?

Re:Account security

[errandum]

if you sign something with your private key, whoever has your public key can check if it was you or someone else that did it or even if any of the two was altered. It's a property of the scheme.

Same if someone encrypts something with your public key you'll only be able to access the information if you have access to the private key.

Re:Account security

[errandum]

so, if someone gets access to your google account, won't that compromise you even further?

Re:Account security

[errandum]

Independent of whoever programs the system you're only as safe as they are. And after that fiasco I'd sooner put my trust on RSA than most entities (quite sure they are paranoid-secure now).

Re:Account security

[mjwx]

Considering my mobile number was previously registered with Vodafone in my mums name (at the time I signed up, I didn't have enough credit history to get a postpaid plain in my own name) and I was recently able to switch it from Vodafone to TPG Mobile without either entity seeing any kind of actual ID (and I dont remember providing ID when I first signed up to TPG for ADSL either) I doubt that there are as many requirements on getting a SIM card as there should be.

Which is why I said in theory.

Just about every Australian knows, if one store knocks you back, just keep going until you get one that's hungry enough for the commission that they'll fudge the paperwork. Doesnt normally take long.

In theory, they are meant to ask for ID, I was in a Telstra store where they wouldn't sell a SIM to Norwegian tourists without seeing their passports. On my way out of the store (15 minutes without being served) I suggested to the Noggies that they try the Optus shop across the road.

Re:Account security

Anonymous Coward to /. ID 813939 (bloodhawk): *you* are the one being confused.

Never did it write it wasn't two-factor auth. He said it wasn't "real two-factor auth" and later on "which makes the SMS as a second factor all but useless".

I realize you may feel secure with your SMS as a 2nd factor but it doesn't exactly make the method bullet-proof (TFA proves me right btw).

Take this: pick a username made of 5 letters and a password made of 1 digit (first factor: something you know) and now give me your mobile phone number to which I'll send 1 digit (second factor). That's two-factor auth right? So it rocks right? Because all people are saying is that there are f*cking good two-factor auth (login/password + RSA token challenge to login + RSA token challenge to valid any transfer above $$$ [at least when done correctly]) and then there are f*cking lame two-factor auth.

What makes you think that someone saying "SMS as a second factor is useless" means "this isn't two-factor auth" is beyond me. I think *your* confusion comes from the fact that you (and the people who upvoted you +5 insightful) comes from the fact that you happen to have this lower, lame, shitty form of two-factor auth.

I'm prefer my RSA token.

All two-factor auth don't provide the same security.

You can't argue with that because you're wrong. And stop transforming what others are saying. Nowhere did anyone write it wasn't two factor auth.

People just pointed out it was f*cking shitty two-factor auth compared to things like RSA (not bulletproof, nothing is but thousands times better than your shitty SMSes).

Re:Account security

I have a Safepass card. It's been some time since I got it, but I think it cost me about $20. Whenever I want to make an online payment to a previously-unknown payee, I need to enter the code from the hardware token. While it's true that the token could be stolen, thieves would have to intercept my username/password, then steal the token without my discovering the theft in time to notify the bank. Not impossible by any means, but probably difficult enough to induce the thieves to look for easier prey. I think my investment of $20 and a few extra keystrokes is well worth it.

Sure, just wait until you have enough money in that account for us thieves to pay attention to you.

Not Thieves

They didn't steal anything real.

I don't believe in imaginary property.

Re:Not Thieves

[CohibaVancouver]

I don't believe in imaginary property.

Please send me all your money, via wire transfer. Thank you.

Re:Not Thieves

[gnawingonfoot]

I don't believe in imaginary property.

Please send me all your money, via wire transfer. Thank you.

Clearly he doesn't have any--otherwise he wouldn't feel that way.

Re:Not Thieves

[TheVelvetFlamebait]

Whoosh!

Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.

Re:Not Thieves

[bill_mcgonigle]

Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible

You mean the kind that gets inflated away to worthlessness?

Re:Not Thieves

[Calos]

Yeah, the same as the little slips of paper-cotton blend and the hunks of worthless metal that represent their physical counterparts.

Re:Not Thieves

[TheVelvetFlamebait]

Yes indeed, the kind that has never once inflated away to worthlessness.

But, if you disagree, I'd be happy to trade my 12 year old car for, oh let's say, 100,000 of those worthless, electronically-stored dollars? Think about it; you give me some worthless, replicable data, and I give you something that will give you at least a year's worth of transport. It's a positive bargain!

Re:Not Thieves

Money is made property through laws. The property is not the bit pattern on the bank's computer (you don't own the number on your bank account, you own the amount of money given by that number). Money on your bank isn't naturally property (there's nothing which would physically stop you from increasing one account without decreasing another), it's made property-like through rules (it simply is forbidden to create money that way).

OK, so how is this different from ideas, which are also made property-like by law? Well, simple: The value of money to society would be actually zero if it were not protected by law. Money has value exactly because it is protected. However the value of ideas to society would increase if they were not protected. Of course the protection increases the ability for the individual to profit from an idea (actually, as it is handled currently, even that is not true; it's only the big corporations which are able to profit from protected ideas). But individual profit at the cost of the society is nothing which should be encouraged.

Re:Not Thieves

Well, I'm willing to give you a copy of the data telling the money on my bank account (it's just a number, after all) for your car. Indeed, if the number on my bank account is too small for you, I happily type a much larger number for you. However I demand that the number on my bank account is not modified in the process.

And yes, the data is replicable (indeed, I hope that the bank replicated it in the form of a backup; of course that unfortunately doesn't mean I've got at least twice the money, despite the bank holding that data at least twice). The data on the bank is not the money. The data on the bank only tells me how much money I own. The importance of that data is that it's the way how it is verified that I indeed own that amount of money (reduce that number, and no one will believe me that I indeed own more that that number tells, unless I can prove it with the help of other data).

Captcha: profits

Re:Not Thieves

[TheVelvetFlamebait]

Clearly you accept that valuable items need not be tangible. And, from what I can tell, you accept that some intangible items should be subjected to property laws. You've now gone to the next logical step which is to argue that ideas specifically should not be treated as property. The theme of this argument is that ideas are more valuable with less restrictions on them, which is undeniably true. An idea benefits only those who can access its implementation, and the more freedom they have to use and play with the idea, the more likely they are to develop some of their own.

None of the above is in any serious dispute. The problem arises from cultivating ideas in the first place. Plenty of people can have some kind of a brainwave along the lines of "Wouldn't it be cool if ...", or perhaps mentally work out some of the details. However, it is a lot less common to find someone with the knowhow, the means, and the opportunity to make an idea come into fruition. This, of course, depends heavily on what the idea entails, but always the implementation is harder to foster than the idea.

None of my inventions came by accident. I see a worthwhile need to be met and I make trial after trial until it comes. What it boils down to is one per cent inspiration and ninety-nine per cent perspiration. -- Thomas Edison

The 1% is cheap, and the rest is where almost all the value lies. This is the part that we support with intellectual property laws. As valuable as an idea without restrictions may be, the often overlooked genesis of the idea must be protected or encouraged somehow, because otherwise it makes no economic sense to expect people to put themselves through it. If we can find a way to protect the 99% of invention, while making ideas more free, I would support it 100%. Otherwise, I will stick with the best system we have until a demonstrably better one comes along.

By the by, not only corporations make money off ideas. Counterexample? Minecraft.

Re:Not Thieves

[TheVelvetFlamebait]

However I demand that the number on my bank account is not modified in the process.

Can you give me an explanation as to why you would make that demand (you could be jeopardising your free car)? For a worthless piece of data, you seem awfully possessive of it.

The data on the bank is not the money. The data on the bank only tells me how much money I own.

That's fair enough. Could you tell me why you should get any control whatsoever of this piece of data which is stored on the bank's private property? Why should they not be allowed to change the number at their whim? I mean, if they decided to set the number to 0, it's not like you've lost anything. You had no money before, and you have no money now. The only thing that's changed is the potential to gain money. But as we all know from multiple discussions about the **AA and copyrights, potential to gain money is not worth anything real, and should not be protected by law. Or am I missing something here?

Re:Not Thieves

[TheVelvetFlamebait]

Sorry to double post, but I wanted to add something extra (not that it contradicts your viewpoint in any way). All property is artificial. It's an abstraction of possession that's protected by law. Let's say that I have a banana, and you take the banana from me, with no previous arrangement made between us. I now no longer possess the banana, but you do. What is there in the natural world to say that I "own" the banana and not you? Clearly possession is not enough.

Our laws define ownership. Without them, natural law would basically be along the lines of "It's yours until someone stronger takes it". People tend to place far too much importance on possession, not realising that what really underpins property is a complicated series of laws, without which property would hold no weight. It is but another reason why picking on intellectual property purely because it refers to something intangible is not really a valid concern (not that you do that, of course).

Re:Not Thieves

Can you give me an explanation as to why you would make that demand (you could be jeopardising your free car)? For a worthless piece of data, you seem awfully possessive of it.

Well, OK, I'm willing to make a concession here: I allow the data to be modified, as long as it is not decreased. I allow any amount of increase, though. I'm not at all possessive at the exact value, I just don't want a lower one.

Could you tell me why you should get any control whatsoever of this piece of data which is stored on the bank's private property?

Because I have a contract with the bank giving me that control. Note that the same contract also limits my control, so I cannot just increase the amount on my own; I have to pay them money to increase it, or have to have another one decreased by the same value. On the other hand, I can get money from them in return of them decreasing that number accordingly (except if that number is too negative). Moreover, they give me even limited control of other numbers: I can increase them, but only by decreasing the number on my account by the same amount. This is a very useful thing because there are people willing to give me things if I increase their bank account number by a large enough value.

But as we all know from multiple discussions about the **AA and copyrights, potential to gain money is not worth anything real, and should not be protected by law. Or am I missing something here?

You are missing that whether something is worth anything real and whether it should be protected by law are two very different questions. For example, legally owning slaves is worth a lot, but I think we both agree that it should not only not be protected by law, but even forbidden.

Whether something should be protected, merely allowed or forbidden by law should not depend on whether you can potentially gain money from it. It should be dependent on whether allowing or forbidding it gives a net gain or net loss. For slavery, forbidding clearly gives a net gain. For bank accounts, protecting clearly gives a net gain. For copyright and patents, the current system clearly gives a net loss. Completely removing copyright would probably not be a good idea, but limiting it to a much shorter duration (say, ten years from publication) I think would give a net gain.

Re:Not Thieves

Except that you're forgetting the fact that banks ("are supposed to", please don't de-evolve this thread into a banking industry discussion) have adequate liquidable reserves to cover every dollar in their vaults, physically and figuratively.

But I don't subscribe to the "all property is tangible" theory anyways.

Re:Not Thieves

[TheVelvetFlamebait]

Well, OK, I'm willing to make a concession here: I allow the data to be modified, as long as it is not decreased. I allow any amount of increase, though. I'm not at all possessive at the exact value, I just don't want a lower one.

That sounds consistent with larger numbers having larger values, but not so consistent with it being worthless either way. You're not being very convincing here.

Because I have a contract with the bank giving me that control.

OK, let's start being clear here. What I'm claiming you own is not the number itself (it's a number that probably occurs in many places), nor the physical bits that it's stored upon (they're owned by the bank), but you own being the subject of the bank's duty to pay a person money when you decide to lower that number. You claim that this is not ownership, merely some mechanics tied to a contract.

First of all, this duty is not worthless. The proof of this is to simply ask anybody on the planet to relinquish this duty to you, and ask them what they'll pay for it. For the vast majority of people, they won't accept any amount less than what is stored in there. This tells us that, to them, the duty of the banks to pay them money in exchange for lowering their balance is worth to them at least what the balance reads. This is literally the definition of subjective monetary value: how much a given person will trade for the object in question. So, we have at least proven that, while completely intangible, this duty is not worthless.

If you decide to define property in a way that excludes this duty, you may. Do not expect the courts, or anyone else, to agree with you on that point. You must remember that property, even of tangible objects, is an abstract, artificial concept that is enforced only by law. It is up to us to decide what to treat as property, and what not to treat as property, as well as what to call property and what not to call property. In this case, we have this duty, which has worth like property, is forbidden to be taken or otherwise abused like property, that can be bought, sold, and otherwise transferred like property. To me, to many others, and to the courts, this is sufficient to consider it property, as it shares all the core properties that make up the concept of property. Like I said, you're free to make exceptions, or impose further arbitrary restrictions to your personal concept of property, but if you want others to share your view, you need to be more convincing.

You are missing that whether something is worth anything real and whether it should be protected by law are two very different questions. For example, legally owning slaves is worth a lot, but I think we both agree that it should not only not be protected by law, but even forbidden.

I wasn't claiming that copyrights should be protected. I was pointing out that so many on /. have decided that a potential to gain money should not be protected by law, specifically because they consider it not to be "real". I think that distinction is probably better placed at the feet of the people whose view I was attacking.

Whether something should be protected, merely allowed or forbidden by law should not depend on whether you can potentially gain money from it. It should be dependent on whether allowing or forbidding it gives a net gain or net loss. For slavery, forbidding clearly gives a net gain. For bank accounts, protecting clearly gives a net gain.

I'm with you so far. You, of course, realise that this makes any quibbles over what constitutes property utterly moot, right?

For copyright and patents, the current system clearly gives a net loss. Completely removing copyright would probably not be a good idea, but limiting it to a much shorter duration (say, ten years from publication) I think would give a net gain.

Well, I don't think it's nearly so clear that it's a net loss, in that we would be better with no copyright than with copyright as it is now, but yeah I agree shorter terms would be appropriate.

Re:Not Thieves

You, of course, realise that this makes any quibbles over what constitutes property utterly moot, right?

No, because property is a legal concept (I don't belong to those who think there's a natural right linked to it; in the original state of humanity, the hunters-gatherers, there was no concept of property). That legal concept includes the assumption of indefinite duration of ownership rights (if you own something, you continue to own it unless you voluntarily give it away, or until you die (in which case you can decide who shall get ownership afterwards). Only in rare cases property can be taken away from you, and in those cases you have to be properly compensated.

This concept does not fit intellectual "property" because there the special rights are given for a limited time. By calling it "property" you implicitly evoke a mindset where it "belongs to you" and therefore has to continue to be your own indefinitely.

Re:Not Thieves

[eugene+ts+wong]

HI!

I am the anonymous coward that posted the original comment. Thanks for defending the view. I think that I would have never been able to do it as well as you. I only stumbled on to the idea after reading about the summary above. I get the impression that you have thought through this for quite some time.

I definitely meant it in the way that you did, but I wasn't as serious about it as you are. Now that I have read your comments, you really won me over even more.

Keep it up.

Re:Not Thieves

No, if they would have that, they'd be unable to operate. They have enough reserves that they can give out the amount of money which can be normally expected to be needed (and some more to cover less likely, but not too unlikely spikes in the demand of money). The legal requirement is that they have to have at least a certain fraction of the money as reserve (how large that fraction is is an important instrument to control the amount of money in use). But if all people at once would come to the bank and want their money in cash, the bank would be unable to give it to them (that's exactly what happened to many banks in the Great Depression).

Indeed, there exists more money than cash, so it would be even physically impossible to pay out all existing money in cash.

Re:Not Thieves

[TheVelvetFlamebait]

You, of course, realise that this makes any quibbles over what constitutes property utterly moot, right?

No, because property is a legal concept

Touche, but I was more thinking of quibbling over what we think should constitute property. If you want to cite legal definition, that's at least something we can independently verify. However, by taking this stance, you are also shooting yourself in the foot. You can't argue that intellectual property is not property, taking property by its legal definition, when the law defines intellectual property. Everything you said that property must entail is broken by intellectual property. To argue that it's not property, you have to ignore that it is property in the eyes of the law.

Re:Not Thieves

[TheVelvetFlamebait]

Hey thanks! It's always nice to hear a little bit of positive feedback. The last time I argued with someone on /., he told me that I needed to go back to the first grade and read up on Aristotle. :-)

Re:Not Thieves

[JesseMcDonald]

Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible.

It's not a very good counterexample. There is no property "stored electronically at the bank". The bank's records, electronic and otherwise, are merely accounting data, describing the tangible property (cash) which the bank owes to each customer in exchange for their deposits. If those records were wiped out it wouldn't destroy any actual property or the bank's obligations to its creditors (depositors); it would just make it rather more difficult to reconstruct what those obligations were.

When you deposit cash at a bank, you aren't exchanging tangible property for intangible (electronic) property, you're exchanging tangible property in the present for a claim to tangible property in the future. You do this because the bank is offering to pay back more in the future than you deposited (interest), and/or because it's more convenient to hold and trade electronic IOUs, property claims, than the property itself.

TL;DR: You don't need to invent intangible forms of "property" to explain the operation of a bank. Ordinary tangible property is sufficient to the task.

Re:Not Thieves

Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.

It's a stupid count example.

Re:Not Thieves

[bill_mcgonigle]

Yes indeed, the kind that has never once inflated away to worthlessness.

Present rate is 98% depreciation per century.

But, if you disagree, I'd be happy to trade my 12 year old car for, oh let's say, 100,000 of those worthless, electronically-stored dollars?

Old cars make for bad money. They depreciate at an even worse rate.

But if you have a car that's worth 100,000 FRN's today and somebody willing to trade that car for a stable money (e.g. gold), I'd gladly engage in that 3-way trade because I'll be far ahead of both of you in a decade.

Re:Not Thieves

[Fned]

Whoosh!

Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible.

It's a stupid counterexample, though. Bank balance isn't about property at all, it's about access restriction. Only you are supposed to have access to the data that represents your money, in order to exchange it for property. Which it isn't.

Hell, even physical cash isn't technically property. It's value is entirely defined by what actual goods and services you can trade it for.

Re:Not Thieves

"money is the promises men keep"

Re:Not Thieves

[TheVelvetFlamebait]

I'm thoroughly bored of this thread now, but I can't resist debating with one of my freaks.

You don't need to invent intangible forms of "property" to explain the operation of a bank. Ordinary tangible property is sufficient to the task.

Yes and no. You seem very biased against calling it property for "it can be explained in other terms" to imply that "it should be explained in other terms". Besides which, isn't all property just a series of legal obligations and agreements? Property could be described perfectly without making reference to the term property. It is through these that property is legally defined. If you think the term property should exist at all, I submit that you also need a better reason for concluding that a bank balance is not property.

The reason why bank balances (or more precisely, the duty that the bank has to honour its debts to you) is property is because it is valuable, it is legally tied to you to do with as you please. You may buy it, sell it, or trade it for its afore-mentioned value. What other attributes does it require in order to qualify as property?

Perhaps a better counterexample would be private information. Again, private information is valuable, legally tied to you, and able to be bought, sold, or traded. If it is not our property, then an explanation is required as why we should get any control over how it is distributed at all. Why should we get to control this information, and not other pieces of information? The reason is because, well, it's ours. You can try to carefully explain it, dodging any words that suggest ownership, but in the end, our private information is for us to use as we please, and for others to use only as we permit.

Re:Not Thieves

[JesseMcDonald]

The reason why bank balances ... is property is because it is valuable, it is legally tied to you to do with as you please. You may buy it, sell it, or trade it for its afore-mentioned value. What other attributes does it require in order to qualify as property?

Except that you can't actually buy/sell/trade bank account balances without the cooperation of the bank. Your actual rights as a depositor are limited to withdrawing the money owed you from your account, either on demand or after a predetermined time depending on the type of account. The privileges of writing checks and/or performing electronic transfers without first withdrawing the money are the result of a separate agreements between you and the bank, and subject to various limitations.

Perhaps a better counterexample would be private information. Again, private information is valuable, legally tied to you, and able to be bought, sold, or traded. If it is not our property, then an explanation is required as why we should get any control over how it is distributed at all.

That is perhaps an even worse counter-example from my point of view, since I don't hold that we should get any control over how such information is distributed once it leaves our hands. Information is only private to the extent we actually keep it confined to our (tangible) property; once it's out in the wild, others are free to use it as they will. It's only our information in the sense of our parents, our children, our discoveries—something related to us, not something we own or have any exclusive right to.

Besides which, isn't all property just a series of legal obligations and agreements?

No, the legal obligations and agreements are about property, not property in their own right.

At the most fundamental level, an item of property amounts to some aspect of the universe which one can use to accomplish some action. Property need not consist of matter; alternatives include a bounded volume of space, or stored energy.

Property rights, in turn, are freedom from interference in that use, established from the first use of the property in an action consistent with the existing rights of others, and possibly transferred from person to person via contract. Such rights are only meaningful when it is actually possible for others to interfere—something that is only true of tangible property. The right to use your property is not exclusive except insofar as another's use would interfere with your own. With "intangible property" that is an impossibility, which means there is no point in the concept. It would be rather like claiming the right not to be eaten by giant pink unicorns from the ninth dimension. There is no reason for anyone to care whether you have the right or not, since there is no way it could ever be violated.

must post before I even read the article :)

"George Craig .. was told that his .. mobile phone .. was used as a tool in the attack .. the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours" link
 

Social engineering is cheating

Magically hacking everything is so much more interesting.

Re:Social engineering is cheating

[thisnamestoolong]

Yes, but only if you have a gun to your head and are getting a blowjob while you do it...

physical card; sms and l/p

I guess this is why, we have SMS auth, your banking login/pw and a per-contract physical card with a grid coordinate numeric system.

The physical card could be duped assuming one would know the algorithm to generate such information and what coord the website is taking for that particular transaction, but that seems too be too much hassle as we have not had any such case reported thus far.

Re:physical card; sms and l/p

[viperidaenz]

I don't believe those cards have their numbers generated by any algorithms, its a randomly generated grid of characters. You need physical access to the card - like stealing someones wallet, copying it and returning it before they notice its missing

Re:physical card; sms and l/p

If someone is keeping it in their wallet it would be easier than you might think, you can read cards without physically swiping them through a traditional card reader, especially the not so common no-swipe enabled cards.

Re:physical card; sms and l/p

[xaxa]

If someone is keeping it in their wallet it would be easier than you might think, you can read cards without physically swiping them through a traditional card reader, especially the not so common no-swipe enabled cards.

It's a piece of cardboard with numbers printed on it. Good luck reading that without removing it from the wallet.

Re:physical card; sms and l/p

stuff like wallets that are opaque to normal light are not so opaque to things like microwaves and other bands of the spectrum.

The Blame Game

[enoz]

So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...

Re:The Blame Game

[xous]

It wouldn't make a significant difference even if they did.

There are thousands of examples of carriers being tricked into forwarding numbers by 3rd parties. I do it all the time for customers that port into us if something goes wrong with the porting process.

Often all I do is:
1. Identify myself as $MYNAME from $MYCOMPANY. (NOT $THEIRCLIENT)
2. State that I'm calling on behalf of $THEIRCLIENT.
3. Tell them that $THEIRCLIENT is in the process of moving to our services and need to forward the number temporarily.
4. Carrier asks for the forwarding number and it's generally done in 1-2 hours.

The only shred of validation that might happen is them checking my caller id. I've never needed an account number, billing contact name, authorization code, or anything. Just the phone number.

I've even offered to pay for the forward but been declined because I'm not $THEIRCLIENT. They were happy enough to charge the $THEIRCLIENT on my behalf.

Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

Re:The Blame Game

[enoz]

But the point is banks could have access to see if a number was recently ported. If they detected a number was ported they could take further action or require additional authentication. The banks choose not to use this information, and customers are defrauded.

Re:The Blame Game

[Z00L00K]

This is one reason for me to not trust security solutions using mobile phones.

And if the target has a smartphone it's theoretically possible to intercept text messages and forward them to the perpetrator keeping the victim completely unaware of the attack.

One thing that perpetrators also can use is Over-the-air programming to reconfigure the phone, and as an end user you can't tell if it is your legitimate operator that wants to reconfigure your phone or someone else.

Re:The Blame Game

[rtfa-troll]

So the banks say it's not their problem,

No they didn't. They paid up fully and automatically. First they blocked his account:

The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

Then they sorted everything out and paid for everything automatically.

Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

They had even been part of a group which had investigated the MNP security fixes available but decided not to implement them because of security problems.

“We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

I hate banks in general as much as the next man in the times of this crisis induced by some of them but lets at least blame them for the evil things that they really have done. This is not one of them.

Re:The Blame Game

[LordLimecat]

Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

Thats true with ANY kind of authentication, except for some kind of mythical, perfect, no-side-channel-attacks biometrics.

Re:The Blame Game

The reason 2-factor authentication works is that a would be fraudster has to burglarize the victims home, which is a hoop not many are willing to go though. Making a phone call is trivially easy compared to that.

Re:The Blame Game

[EnempE]

I believe the government forced the number portability onto the mobile operators in the name of fair competition, so really it is the government's fault ....

... or the butler, somehow that guy is involved.

note that the police have the guys on CCTV but no reported crime from the party that lost the cash (the bank) and hence no reason to continue investigating.

Re:The Blame Game

[mjwx]

I hate banks in general as much as the next man in the times of this crisis induced by some of them but lets at least blame them for the evil things that they really have done. This is not one of them.

Only because they are forced by the law to do what they did.

Banks can make things incredibly painful for people if they get hurt by fraud if they want to. One of my former bosses with a $20K AUD platinum card from an unnamed 3 letter Aussie bank had almost 19K swiped from it by card copiers a few years back. A lot of crap sent to Thailand, Russia, China and other places we couldn't prosecute. Basically he reported that he didn't make any of these transactions but the bank said they had to investigate. After a few days of being jerked around by the bank he called the Banking and Financial Services Ombudsman (BFSO) who could do little else but force the bank to give him a deadline for the investigation, they did, no more then six weeks.

So for six weeks, my former boss was $19K in debt with a 17% interest rate on that. 5 weeks and 6 days after the BFSO got involved the bank said they will refund the $19K, however they still sent him a bill for the interest as they had passed the 30 day interest free period on that card. Of course my boss fought this, and the bank dragged it out to over 2 months before finally reversing the debt.

So banks will help you if you're a victim of fraud, they'll even do it quickly if you're lucky or the case generates a lot of PR. But dont pretend banks are doing it out of the kindness of their heart. They _have_ to give your money back by law, but they dont have to do it kindly.

Re:The Blame Game

But the point is banks could have access to see if a number was recently ported. If they detected a number was ported they could take further action or require additional authentication. The banks choose not to use this information, and customers are defrauded.

Right, that is true. But it is not required of them by law in AU (in the US the FCC does have some restrictions) although it would have been wise. However, you're still blaming the wrong people. The phone Carrier is the company who got scammed, not the bank. The bank is actually who caught on to the scam, blocked most of the transfers, and alerted their customer.

The fault lies mostly with the phone company, and also the AU government for not putting any decent regulations into place.
Porting requests get a little bit complicated. You do not call your current carrier to request porting to another carrier, you call a new company and setup services and sign a LOA (Letter of Agency) which they submit to your current carrier for the port-out request. At least that's how it works in the USA.
The process is the same in AU, but not the verification.
From the Vodaphone Q&A site regarding number porting processes:
"If you wish to port your Vodafone mobile number to another network, you will need to contact the new network, who will then arrange the port."

And:
This appears to only require a telco’s customer service representative (call centre agent) to ask some very simple questions – such as a customer number and date of birth – to verify identity.

The problem is that the porting process happens too quickly and without any physical verification of identity on the part of the new carrier.

Re:The Blame Game

[Bert64]

You bring up an interesting point, a lot of companies including banks will call you up to discuss various things...
They often block their caller id, so the call comes up as anonymous...

When you answer, the company expects *you* to authenticate yourself to them and will often refuse to authenticate themselves to you... I even had someone use the line "well we're a big company" on me this week... How do i know that? Anyone could call up and say the same thing...

Re:The Blame Game

[deniable]

Does that forward SMS? I've only ever seen calls forwarded.

Re:The Blame Game

[Bert64]

In the UK, a card issuer is required to immediately credit the money back to you and then carry out their investigation... I imagine this is specifically so interest charges don't rack up in the interim. That way the customer doesn't have to care how long it takes.

Re:The Blame Game

[deniable]

Most likely because there are more legitimate ports than not. You port your number and the bank shuts you out. Happy customers then storm the local branch.

Re:The Blame Game

[drinkypoo]

Regardless, you sue everyone, because EVERYONE is at fault. And then we all lose in the long run, since they pass the costs on to their other customers.

Re:The Blame Game

[bigtech]

Interesting -- out of curiousity, in what country?

Re:The Blame Game

[LordLimecat]

Or they could call and ask for the second factor, or they could find a sidechannel flaw in the second-factor token, or they could hack into RSA and compromise the SecurID tokens....

As I said, the only thing that is truely restricted to "something you have" in all scenarios is a perfect implementation of biometrics. Anything else can be gotten around.

Re:The Blame Game

I know which bank you are talking about and I used to work with the people who ran that department. I've also run fraud departments at other credit card companies.

Don't assume that instances like this are the result of banks deliberately dragging their feet in the hope customers give up. Usually fraud attacks happen in waves. When a big one occurs, the fraud department suddenly has hundreds or thousands of extra cases to deal with. Their resources get totally overstretched. Staff numbers can't easily be increased because fraud management is one of the most specialized parts of credit card operations. So the flood of cases get prioritised by closeness to the deadlines set by Visa/MC or industry regulators like the BFSO. And staff make mistakes.

Re:The Blame Game

[Lunzo]

hahaha perfect implementation of biometrics.

No such thing exists, and I believe it's theoretically impossible. When you use sensors to read the physical world there is always noise in the reading. So even the same fingerprint won't look exactly the same if scanned twice. That means there's always a fudge factor when matching is done by the biometrics.

Also there is the anecdote of a security researcher putting on a latex glove then touching his finger to the scanner. He was let in because the fingerprints of the previous people who were authorised were left on the scanner.

Re:The Blame Game

[xous]

They could see if the number was recently ported, yeah.

They would not be able to see if I called up your carrier and had your number [b]forwarded[/b].

Lets say the phone companies $8/h CSRs are absolutely infallible when it comes to social engineering. You've still got hundreds of relatively poor CSRs that may or may not take a few hundred dollars to forward a number somewhere.

The bank should not be validating account ownership based on who answers the phone. It's far too easy to steal a phone, tap a line, or use other methods to compromise the circuit. To be completely honest I'm not even a fan of the automated letters that they send to your house with an access code on them either as all anyone needs to do is acquire your mail. It's not difficult to have the post office redirect mail or just steal it while your not home.

The best way for a bank to allow resets would be an in person visit with photo id and have photo on file to compare it with. Inconvenient, definitely. Reasonably secure? Yeah.

Doesn't two factor mean 2 pieces of info?

Two factor means 2 pieces of id (what you have, what you know). How'd they get his password (what you know)? Or did the bank decide that one new-technology-Out-Of-Their-Control-factor (what you have) is enough? Cell phone second factor is all cool (and cheap), but it's out of your control. Something like a secure token is much more controllable but unfortunately, more costly.

Re:Doesn't two factor mean 2 pieces of info?

Really? A $10 Yubikey is more costly?

Re:Doesn't two factor mean 2 pieces of info?

[Mr.+Freeman]

Cheap 2 factor isn't too costly, but it's less secure. The more secure ones, like RSA, cost about $100 per token. (Although, how secure those are is really up for some debate since they fucked up a few months ago).

Re:Doesn't two factor mean 2 pieces of info?

[Bert64]

I wouldn't call RSA at all secure... The fact that they provide all the keys is a terrible idea and always was, them fucking up was always an accident waiting to happen.

I wouldn't trust any such system unless i could seed the device myself. There is no reason for the vendor to supply the seeds.

With a properly configured Yubikey, only two parties would have the necessary seed values - myself and the organisation i'm dealing with. If someone successfully hacked Yubico it wouldn't help them attack me.

Re:Doesn't two factor mean 2 pieces of info?

[xaxa]

I would think the smart card authentication devices like this are quite cheap. The debit card already needs the chip (to authenticate transactions in shops in the UK, and many other countries), and the reader probably doesn't do much.

What's the point of this story?

While some are better than others, no form of security is absolutely 100% perfect in every way. In case you hadn't noticed. News at 11.

Re:What's the point of this story?

[bill_mcgonigle]

The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.

Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.

Re:What's the point of this story?

[rtfa-troll]

no form of security is absolutely 100% perfect in every way..

Right; but that's not something new. No bank vault has ever been 100% safe either. The difference is that the bank takes responsibility for that so they ensure that it's "good enough", whatever that means. If money gets stolen from the bank vault they don't say "oh that was money from your account; sorry". With electronic security, there's often a level where they blame the failure of their own security measures on "identity theft" and make it the customer's responsibility. Two factor authentication of this kind is fine for a transaction of a few thousand dollars; It's not enough for transactions of hundreds of thousands of dollars. For 45k AUD that's a judgement call. `

This case is not like most American and some European banks though; Commonwealth Bank discovered the problem its self, is paying off the cost of the transaction and, even so, warned their customer. When they take the responsibility for the losses then what systems to use or not use become their commercial judgement. They looked at an MNP security system and decided there was something wrong with it. Maybe they now change their mind, maybe not. That's exactly the right thing. Hopefully they can persuade Vodafone to at least send a text message warning customers that their number is being ported before they actually do it in future.

Re:What's the point of this story?

[Arancaytar]

Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.

If you're not broke, you don't need to worry either, because the scammers can soon fix that.

Re:What's the point of this story?

[justforgetme]

Well, that all might be true but
1) that is not a hole in auth, it is a policy hole in the fourth party (carrier)
2) I believe, since the carrier is bound legally to the person with a contract to allow him and only him to use that telephone number, they should be fined a humongous sum and charged for criminal offenses for a) toying with customer private data b) invalidating their contract to said customer c) not having clear policy for such things d) being a company while apparently they can't even approximate the digestive output of a monkey having eaten rotten bananas. Another way to handle such mishaps would be to stone the rep along with every single one of his superiors. public skewering might also work. ...
Damn did I get infuriated by this!

Re:What's the point of this story?

[Mitchell314]

From personal experience, I can inform you that it's not. If your account has some positive number in it, I can assure you there's a sea of pricks waiting to empty it, no matter how small.

Re:What's the point of this story?

[sortius_nod]

You're missing the point of the GP's post. You rely on the fourth party, but really, you know little about their security requirements. I personally refuse to use 2 factor unless it's via a time sync key (can be done easily via a phone app) as any message being sent to you can be intercepted in various ways.

Re:What's the point of this story?

[GrpA]

Not True. The product is AFAIK, A Telstra product under which they use SMS to provide a "token" as an additional factor.

Given that there have been many confirmed examples of MNP ( Malicious Number Porting ) in Australia, this is known weak security. Under the circumstances, its entirely reasonable to assume that the Bank knew this was likely.

However I can't see them rushing out to address the issue in the near future. In fact, with some banks, it's impossible to turn off the ability to transfer out large sums of money. You can turn it off easy enough, but anyone who accesses the system can turn it back on by default by clicking a screen saying you agree to the risk. :(

All the major banks in Australia have this form of security. On the other hand, all the credit unions ( everyone except the "Big 4" Banks ) use VIP ( Verisign Identity Protection IIRC ) which can be downloaded to most smartphones and works as a soft-token.

Security in Australia, as with much of the world, is severely compromised by CEOs and CTOs who really don't understand it and as long as they can blame someone else, then due diligence is done.

GrpA

Re:What's the point of this story?

[Bert64]

1) no it's a hole in the auth, since they used a known weak method that relies on the security of the telco over which they have no control

2) the problem is how do they authenticate that it is the customer requesting the number porting?
Most likely they will ask some "security questions" over the phone which a good social engineer will know the answers to...
If doing it in person in a shop they just ask for a signature, which ofcourse is totally arbitrary and trivially easy to fake...

Even if the telco has strict policies, how is the actual number porting carried out? Usually it is based on carriers trusting each other not to submit rogue requests, so all it needs is one rogue or compromised carrier...

Re:What's the point of this story?

[DarwinSurvivor]

Unless you have credit, in which case they'll just max THAT out.

Re:What's the point of this story?

[justforgetme]

Ok, 1 can be seen that way, you are correct but for 2) no. telcos should just ban most of their phone "services". In my country you can call pretty much any mobile phone serivces company (if you have a contract with them and call from the subscribed sim) and request to upgrade your plan. Seriously, some only validate the name and birthday. No account ids no personal data. You could easily upgrade someone who went to the toilet and let him worry about the 48month legislative hell you have to go through to get a phone company to release their "recorded converstions" to court and prove it wasn't you who ordered the upgrade.

Burn them I say, burn them while you still can!

Re:What's the point of this story?

Commonwealth Bank discovered the problem its self, is paying off the cost of the transaction and, even so, warned their customer. When they take the responsibility for the losses then what systems to use or not use become their commercial judgement.

They can afford to wear the costs because they make enormous profits gouging on interest rates and fees.

Re:What's the point of this story?

[errandum]

I doubt the CEOs implemented the system, it was most likely an incompetent engineer. And you can't rely solely on the time based apps, you need to consider all the clients that still use phones from the 1990's. A hybrid system that supports both forms of identification would be ideal.

And please tell me what do they have to win with having an insecure system? Your whole speech was going great until you pointed the CEOs as the ones responsible..

Re:What's the point of this story?

[dopaz]

They win lower business costs, and depending on their compensation package that could mean they indirectly win more income.

Re:What's the point of this story?

[quenda]

The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.

Worse. The thief just needs your mobile phone and account numbers (e.g. stolen from mailbox, or trash) to port your number within minutes without any human approving it.
The names on the accounts do not even need to match.
Two-factor authentication by SMS is almost worthless in Australia.

Re:What's the point of this story?

"All the major banks in Australia have this form of security."

Looks at hardware RSA token from Suncorp.com.au, really?

I've also seen Vasco token offered by a few banks. Even Westpac will offer you a token if you ask nicely (they'll switch you over to be a "business" customer at the same conditions as a personal account.)

Re:What's the point of this story?

[dgatwood]

no it's a hole in the auth, since they used a known weak method that relies on the security of the telco over which they have no control

No, worse than that, it's not true two-factor security. It's one-factor. In order to be two-factor security, you must have two items, e.g. things you have or things you know, that are separate and distinct and cannot be derived from one another. Lots of folks use their smartphones for mobile banking. Someone cracking your smartphone can potentially access not only your mobile banking credentials but also your email, text messages, etc. Therefore, these cannot be considered two separate and unrelated factors any more than a cryptocard simulator running on your PC is a second factor.

The fact that this attack happened via social engineering is actually fairly unimportant. Even if the social engineering attacks were not possible, a cellular phone would still not be a valid second factor for authentication because people can store credentials on them. When are companies going to learn that two-factor authentication requires a separate hardware device that does not have access to your login credentials and vice-versa?

Re:What's the point of this story?

[GrpA]

Just pointing out how these dodgy ideas that are clearly flawed get implemented in the first place... Usually someone very high up with a good understanding of business, but next to no real security understanding makes the decision.

And as often as not, they will go for price and SMS-only gateways such as this are 1/2 the price of even soft-token systems. I've spoken to a few corporate managers about this subject, they often conclude that the risk of their data/funds/whatever being targetted are low... Very much a "Why would anyone want to hack a here in Australia?" type of mentality.

What do they have to gain? They get the cheaper price and if they get audited, they can show the glossy brochures that show using SMS to send tokens is really secure... And often they use the excuse "If it wasn't secure, the banks wouldn't use it" even when presented with evidence of MNP. :(

As for hybrid systems? Yes, both RSA and VIP offer hybrid solutions that will allow phone-SMS of tokens as necessary, though it's still the same security hole. Just a slightly smaller hole. Like comparing a Cliff-side-drop to an exposed mineshaft. You're less likely to fall into a mineshaft but both will kill you - :(

Engineers implement the systems, but engineers do what they are told. :)

Don't take this as an Anti-CEO/CTO rant. Most of those guys are pretty good. It's more a reflection on how their motivation for reducing cost while only having to get ticks in the appropriate boxes usually drives the choice of technology. Sometimes even when a particular technology is well known to be flawed.

GrpA

Re:What's the point of this story?

[peetgr]

In South Africa you have to go to the bank branch, with bank card and ID document, to set a monthly limit to transfers outside your portfolio. You can also go in and request a temporary increase (if you've just borrowed money and want to pay a few debts off) - startting immediately and ending on a date you specify. There is two-factor validation via SIM though for every beneficiary you add, or once-off beneficiary payments.

Re:What's the point of this story?

[pgpalmer]

you need to consider all the clients that still use phones from the 1990's

One needs to consider clients with phones over 11 years old? Considering that phones seem to increase in capability almost as much as desktop computers, if somebody is using the same phone for over 11 years they must be quite the penny pincher.

Re:What's the point of this story?

[errandum]

If your 11 year old phone still works, why change it? Not everyone is a tech junkie and will only use their phone to make calls and send messages. My mother's phone still only has green and black pixels (: (all I bought for it was a 10€ battery a few years ago)

Complicated fraud....

This is nothing but social engineering and lax security resulting in very minimal loss for the bank. It would cost more banks to address the issue than simply pay off damages.

You'd never hear about real cases, where perps create reverse lookup tables, clone cards and clean banks for millions, because that would really make you, the consumer, doubt security of financial institutions.

CBA Security is ok.

[Whiteox]

To operate with that bank on-line, you need an Internet acc number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then is the SMS verification code needed. He must of been very slack to have made all that info available to the scammers.
Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

Re:CBA Security is ok.

[mjwx]

To operate with that bank on-line, you need an Internet acc number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then is the SMS verification code needed. He must of been very slack to have made all that info available to the scammers.
Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

I've had United Community shut down my card because it was used in a Thai ATM. Thailand is not an unusual destination for Australians (for those in other nations playing along). I rang them at my expense (OK, about A$0.5 a minute, but still) and they said they would not unlock the card even though I could verify I was in Thailand and still in possession of the card. For the rest of that trip I had to go into bank branches to withdraw money, with passport and all.

As a side effect, I learned there is a nice Thai lady who works at Siam Commercial Bank with the same birth date as me.

As a more permanent fix, I withdrew my funds out of United Community the day I got back and closed all of my accounts. I'm with NAB now, despite a lot of small complaints (mostly around their internet banking site and SFA branches open on a Saturday) they've performed to expectations. Also, NAB Gold is great for travelling and shopping overseas (0% currency conversion fee).

Re:CBA Security is ok.

[xaxa]

Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

They have lots of ways the red flag is raised.

I forgot to get cash one weekend, and there isn't a convenient cash point between home and work. I bought lunch at work, for about £1.80, on a credit card, three days in a row. Then I paid the local council over the phone for some evening classes for a year in advance -- £240. That was blocked.

I've told them I travel frequently within Europe. These transactions aren't blocked, but apparently it helps if I pay for the transport with the same card.

There's a free number to call to inform the bank if I'm leaving the country, so I used that before travelling to the USA (which is as dodgy as Thailand -- due to not having PIN verification on in-store credit card transactions).

was this really two-factor?

[MikeyO]

This wasn't a failure of "two-factor authentication" this was a failure of the bank to have actually require two factors. It seems that the bank was relying on one of the two factors to be a "something you have" factor, which was the client's mobile phone, when in reality it was just another "something you know" factor. The "something you know" being just the phone number itself.

Re:was this really two-factor?

[blacklint]

No, the scammers convinced the victim's phone company to transfer the number to a different account. Meaning they then had control of the second factor.

Re:was this really two-factor?

[BradleyUffner]

No, the scammers convinced the victim's phone company to transfer the number to a different account. Meaning they then had control of the second factor.

I'd argue that an account doesn't satisfy the intent of the "something you have" part of 2 factor authentication. "Something you have" seems like it should be something physical, not a non-physical entity such as a phone account. If it could be tied to the physical cell phone via hardware ID it could work.

Re:was this really two-factor?

[MikeyO]

what was the second factor then? Something you know and... ____ what?

Re:was this really two-factor?

Something the phone company has.

People are so careless about security

[Cherubim1]

This fraud should not have occurred if the victim had been more vigilant about his online security. The crooks would, in addition to obtaining an sms token, have to also obtain a valid userid and password. Clearly, if they were able to get both of these details using social engineering or a keylogging trojan then the victim must be a careless and clueless idiot. He admits tio using an insecure machine for his online banking and is surprised at the outcome ? This is another good reason why a trusted and secure OS like Linux makes more sense for online banking.

Re:People are so careless about security

HAte to break it to ya, but there are a butt load of keyloggers for Linux too. If you want to live in a bubble of ignorance then you are the sort of person the next article will be about.

Re:People are so careless about security

The most secure solution would be to have a separate computer only used for online banking, booting from a readonly medium, and having nothing installed which isn't needed to access the bank account. Of course few people are going to go to that extreme.
But thinking about it, a netbook running a well configured Linux system used only for online banking should come close to this. Not really readonly, but I guess with SELinux you could get close.

Re:People are so careless about security

[Bert64]

The bank could supply a LiveCD... You want to do online banking (or require that transactions over a certain amount) then you boot the livecd.

Instead, they try to foist snake oil software on you like Trusteer Rapport (http://www.digit-security.com/blog/?p=47) which just adds additional unnecessary cruft onto your machine.

If someone got a keylogger installed on your machine they have privileged access to it, so then its purely a case of pot luck as to which software is able to bypass the other first.

Re:People are so careless about security

Most sheeple (at least here in the UK) hate HSBC's RSA key but love other banks who use phones. Do you really think they want to carry around another device (eg a live USB, who the hell uses CDs nowadays?) which they don't even understand?

Check out CitiBank:

CitiBusiness Online

I'm in the process of moving everything here as they have the best security I've seen of any bank. Their customers laugh at this article.

Steam & Netcode.

NetCode is a form of two-factor authentication that issues Commonwealth Bank’s online banking users with SMS messages before allowing them to transfer large amounts of money to unfamiliar accounts. When a new, large or unorthodox transaction is attempted online, the bank sends a verification code to the account holder’s mobile number. The code is then typed back into the online banking section as an additional authentication measure.

Doesn't Steam use Netcode when you use a different browser than it's expecting? What about Google?

The first factor

[wvmarle]

Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.

The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.

Anyway it is the classic story of when something goes wrong, it's usually not a single issue that went wrong. It's almost always an array of factors that have to come together "just right" to make it work. While it may be a good idea to review the security of the SMS as second factor, one should also look at how the criminals got their hands on the first factor and the rest of the information.

Re:The first factor

[jareth-0205]

The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.

This isn't the same as number porting. Porting is rerouting a number to a different SIM card, effectively permanently changing the network operator for a paritcular number. Many customers will have this on their number ,so if you stop it then you won't be able to use SMS for possibly a majority of users.

Re:The first factor

[wvmarle]

Indeed. Later I read the article, and found out the number had actually been ported to a completely different network.

How that is possible without putting down a signature and showing an ID document (if only at the receiving network!) I really can not understand. And I would think that this is a problem that goes much further than just allowing attackers to intercept banking details.

And besides, if they get the old network to give up the number, it has to go somewhere: attacker must have registered an account with the other network where the number can be ported to.

It's all in all a quite complex case, and because of that clearly highly targeted.

Re:The first factor

Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.

Yeah, they sure did. And the article is missing a critical key piece of information.
When you port a number, you call your NEW carrier to setup services. THEY send the port request to your current carrier, you don't do that part yourself. It works like that in AU and in the US, but here in the US we use some different authentication methods.

In the US, the new carrier has to have a signed LOA (letter of agency) and a recent hardcopy billing statement from the customer in order to submit the request to the current carrier. I don't know if AU has any such requirements, all I found in the links was a requirement that the current carrier has to contact the customer when they get a port request.
So right off the bat my first question is this: If Vodaphone actually called the customer to verify information, WHO the fuck did they talk to? Now, obviously it was the scammers, but NOT using the cell phone number because it had not yet been ported! So the scammers must have already compromised his phone account and updated his contact information to a different number, or convinced someone to forward phone calls, etc. Now it's also possible that the phone company took an inbound call and never called the number they had on file, but again that is their failure.

My point is that there had to be more compromise than the article reveals at first. And in all cases, it keeps coming back around to the phone carrier. Yeah, the bank should probably look at a better authentication system, but I really can't find much (if any) fault with them for this story.

Re:The first factor

[Bert64]

This is exactly what they do...

When i ported my number a few years ago, i had to:

Show proof of address in the form of a utility bill (anyone can print a fake one of these)
Make a random mark on a piece of paper with a pen, a "signature", anyone can fake this even easier

and that was that, porting process started.

Re:The first factor

[darkmeridian]

I can't wait for everyone to use apps like Google Authenticator to set up two-factor authentication. SMS is a hack, and it is better than not having two-factor authentication at all. However, an app that resides on the phone would require access to the actual phone itself and can't be stolen using remote means (that I can think of). LastPass is the only third-party app I can think of that uses GA for added protection, but hopefully banks will work with Google to set this up for their websites as well.

Re:The first factor

[wvmarle]

If this "authenticator" is an app running on your phone, then it is limited to people with a phone capable of running that. So that must be a smartphone for starters. And running a supported OS. I don't know the numbers but I wouldn't be surprised if in most countries that's still a minority. Otoh virtually everyone has a mobile phone, and all of them can receive SMS.

Re:The first factor

[tlhIngan]

How that is possible without putting down a signature and showing an ID document (if only at the receiving network!) I really can not understand. And I would think that this is a problem that goes much further than just allowing attackers to intercept banking details.

And besides, if they get the old network to give up the number, it has to go somewhere: attacker must have registered an account with the other network where the number can be ported to.

Simple, a case of identity theft. They get your name and fake your signature at the receiving network. Your original network won't care (well, they do care, but imagine the hue and cry from the crowd if they have to "get permission" from the old carrier - because no carrier wants to lose a customer and they'd love to hold you by the phone number by refusing to authorize the transfer.)

Doing this attack is just a bit more creative than the usualy identity theft cases where they just apply for loans and such in your name, at a fake address.

Re:The first factor

[wvmarle]

And network accepts customers without asking them to show an identity document? If so that's a major part of the problem. And would make theft of tel. nrs. very easy.

It's the telco miss, what's the root pwd for ...

[Grindalf]

This is funny, it's like the old phrack magazine from the 80s where you have kids pretending to be the telco working on the line asking for the root password to complete a job. Nostalgia ain't what it used to be ...

After reading the comments...

[mwvdlee]

The 20-20 hindsight is strong in this one.

Number portability

[grahamm]

Number portability should be for moving between providers while retaining the same number (to save having to give the new number to all contacts).

When I have moved a number to a new (PAYG) handset (keeping the same provider), the process required me to quote the IMEI of both handsets as well as answering security questions. For a contract phone (which one would assume is what a business owner would have), surely the only time the number should need moving a new handset is when the handset is changed as part of the contract - in which case it should not be possible to move the number simply by making a phone call.

Re:Number portability

[Bert64]

Thats down to the network...
For any GSM based network with sim cards, moving to a new handset is as simple as swapping the sim.

Moving the number is completely separate, they ported the number to a completely different provider.

Wrong victim

[petes_PoV]

they intercepted a victim's two factor online banking codes

Surely the victim here was the bank. They are the ones who gave away money to people who weren't entitled to it. They were the ones who allowed a weak form of authentication to be accepted. They are the ones who will bear the eventual loss.

The person who's account was used did nothing wrong. He didn't disclose any confidential information and (from what I've read) complied with the terms of his account.

We need to get away from defining the victims of these crimes as being the person who's name is on the account that was used - the account that the bank wrongly withdrew money from and gave away to the scammers. Unless we start identifying the true victims as being the financial institutions who we entrust with our money, yet have weak and inappropriate security measures the time will come when they shift the expectation and liability, so that the customer will bear the loss for something that is neither their fault not within their control.

Those are NOT two factors!

You got to be kidding me! A openly available information as the first "factor"?? This is what you get for acting like information can be owned. Idiots!

I have proper two-factor authentication here. With a encrypted chip card, a special pinpad reader that is tamper-proof, and FinTS which allows that reader to connect with the bank directly, without even my own PC being able to tamper with it. It shows me the actual transaction the PC requested from the bank. Only when I stick in the card, enter the code, and press "OK", will my bank ever do anything transaction-wise!

If somebody wants my PIN, I just have to destroy the card, and he can have all he wants. It won't help him one bit.
If somebody steals my card, that won’t help him too. Also I will go to my bank and invalidate the card. So now even the PIN won't help him.
And the PIN is a *biiit* longer that the usual 4 numbers, so guessing it like with EC cards is not an option. It will take at least a multiple of the time it takes me to invalidate the thing. ^^

Why is it even legal to do it otherwise? And why the hell do you use a bank that doesn't do this?
(If there is no such bank in the US, that would be quite the market gap. Just advertise that you're the *only* bank with *actual* security, and put a page online showing why. [That way they can't sue you for saying you're not the only one.]
But honestly, don't you have the Deutsche Bank over there? That's a German bank (obviously). And here in Germany, they offer the exact setup I described above. They don't openly advertise it, but they offer it. So maybe they do in the US too.)

It gets better

[thegarbz]

Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.

Commonwealth Bank for first time external transfers not only requires the traditional two factor authentication but also requires you to answer two secret questions. These are normally stock questions like the name of your pet, your mothers maiden name, etc.

To pull this off they likely knew quite a damn lot about him.

The downside to the bank in question is that all you need to raise your daily transfer limit is the SMS code, no additional questions.

Something you...

[syousef]

Something you know, something you have, something you are - pick any two.

I thought it was something you forgot long ago, something you just had stolen, something you were before they beat the shit out of you and started cutting body parts off.

Banks don't keep money in bank vaults.

[Colin+Smith]

I assume that's something you picked up from the movies. Any bank which stored a significant percentage of cash in a bank vault would be out of business pretty quick.

And the money in "your" bank account is the bank's money, not yours. You loaned it to them therefore it's their responsibility. If they happen to try to pass that responsibility back to you... Well, you'd have to be pretty dumb to sign that contract.

Your relationship with your bank is that of a creditor. The money is no longer yours, and the bank can pretty much do what it pleases with the money.

The responsibility for security lies with the bank.

HTH.

there's a solution to this

[dutchwhizzman]

People are quite outraged since this turns out to be default, even for not customers of the bank in question, but this is how a Dutch bank solved this: If you change provider, SIM card or phone number, you can't use your phone for tokens for at least 48 hours. All telco companies send *all* their changes to that bank, so they can compare it against their records of customers phone numbers. It's a gross invasion of privacy, but it does work against this form of weakness in this form of 2 factor authentication.

What authentication now?

I'm sorry, reading the synopsis I just got the the phrase "willing secretary" and then my mind started to wander... What are we talking about again?

all that work...

for 45k dollars? I would have gone for at least 10x more if you are going to that kind of trouble and breaking all those laws.
45k harvest from outside the country (nigeria, romania, etc) is a payday.. but not in-country, and subject to local jail

Let me fix that for you

[Legion303]

"Vodaphone employees tricked. Humans still weakest link in security chain. Film at 11."

Better SMS authentication

Sounds like the bank goofed up their SMS authentication.

My bank does similar SMS authentication, but with additional
twist. The SMS message from my bank does not have an
authentication code, but an authentication code index. After
verifiyng that tranfer destination SEPA account number and
EURO amount are correct, I look up real authentication code
from bank printed authetication code card, and type that
code to my bank's web interface. The bank printed card is
credit card size when folded, and includes 300 one-time-use
index + authentication code pairs. I get a new card from my
bank office when those 300 index + code pairs are about to
run out.

Even if criminal hijacks a phone number, a SMS message
saying "type authentication code for index 277" does not
help him at all if he does not have my authetication code
card. Criminal would need all these: my web bank access ID,
password, SMS message (phone), and authetication code card.

Easy info = not secure

[pgpalmer]

Don't use easily-attainable information such as your phone number and place of work as security details. It's one reason why I hate it when websites force you to select from a pre-selected list of "security questions", such as "Where were you born?" or "What was your father's name?". That is not secure information.

To date, I've only come across one website that allows you to set both the question and the answer. And that was a government website. *shrugs*

There's a hole in this story

[Vrtigo1]

When you port a mobile number (at least in the US), there is a period during which you can't receive SMS messages from SMS aggregators (the bulk messaging APIs banks and other companies use to send automated messages). After I ported my number from AT&T to Verizon, my BofA SMS messages stopped working. I called the bank and they instantly knew that it was because I had recently ported, so it must be a common problem. It took about two weeks for them to start working again.

So either this is different in Australia, or there's a big hole in this story.