Scammers Work Around Two-Factor Authentication With Social Engineering
mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two-factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and workplace details from his willing secretary. Armed with this data, they bluffed Vodafone, which ported his phone number, meaning the criminals could verify the bank's two-factor verification codes generated during their spending spree and the victim never knew a thing."
This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.
"George Craig ... was told that his ... mobile phone ... was used as a tool in the attack ... the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours"
Whoosh!
Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.
The solution for SMS, as my bank implements it, is that an SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so; I don't know the technical details, but the SMS is sent only to the original number. That's already a safeguard against arranging for numbers to be forwarded, which other commenters note is quite easy to accomplish.
Anyway it is the classic story of when something goes wrong, it's usually not a single issue that went wrong. It's almost always an array of factors that have to come together "just right" to make it work. While it may be a good idea to review the security of the SMS as second factor, one should also look at how the criminals got their hands on the first factor and the rest of the information.
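The bank-side safeguard the comment above describes (do not deliver an SMS code to a number that has been forwarded) can be generalised to "do not deliver an SMS code to a number whose routing has just changed", which also covers the port-out used in the article. The following is an added example, not code from the original post or from any bank or carrier: it assumes a hypothetical carrier lookup that reports a number's last port date and whether forwarding is active, and falls back to a different channel when the number looks freshly re-routed. All sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class NumberStatus:
    """Result of a (hypothetical) carrier lookup for one mobile number."""
    msisdn: str
    last_port_at: Optional[datetime]   # when the number last moved between carriers, if ever
    forwarded: bool                    # unconditional call/SMS forwarding currently active


# A number that has been ported within this window is treated as untrusted for OTP delivery.
# The length is a policy assumption, not a value from the article.
PORT_QUIET_PERIOD = timedelta(days=7)


def sms_otp_allowed(status: NumberStatus, now: datetime,
                    quiet_period: timedelta = PORT_QUIET_PERIOD) -> Tuple[bool, str]:
    """Decide whether an SMS one-time code may be sent to this number.

    Refuses when forwarding is active (the safeguard the commenter's bank uses)
    or when the number was ported recently (the attack in the article).
    Returns (allowed, reason) so the decision can be logged.
    """
    if status.forwarded:
        return False, "forwarding active on number"
    if status.last_port_at is not None and now - status.last_port_at < quiet_period:
        return False, "number ported within quiet period"
    return True, "ok"


# Constructed lookup results standing in for a real carrier query.
NOW = datetime(2011, 6, 1, 12, 0, 0)
CONSTRUCTED_LOOKUPS: Dict[str, NumberStatus] = {
    "+61400000001": NumberStatus("+61400000001", None, False),                        # untouched number
    "+61400000002": NumberStatus("+61400000002", NOW - timedelta(hours=6), False),    # ported this morning
    "+61400000003": NumberStatus("+61400000003", None, True),                         # forwarded elsewhere
    "+61400000004": NumberStatus("+61400000004", NOW - timedelta(days=90), False),    # old, settled port
}


def choose_second_factor(msisdn: str, now: datetime = NOW,
                         lookups: Dict[str, NumberStatus] = CONSTRUCTED_LOOKUPS) -> str:
    """Pick the delivery channel for a transaction-verification code.

    'sms' only when the number passes the routing checks; otherwise 'callback',
    meaning the bank phones the customer on the number it already holds on file
    and asks a human, rather than trusting whoever now receives the SMS.
    An unknown number (lookup failed) is also treated as untrusted.
    """
    status = lookups.get(msisdn)
    if status is None:
        return "callback"
    allowed, _reason = sms_otp_allowed(status, now)
    return "sms" if allowed else "callback"


if __name__ == "__main__":
    for number in CONSTRUCTED_LOOKUPS:
        print(number, "->", choose_second_factor(number))
```

The point of the fallback is that a freshly ported or forwarded number is exactly the one the attacker controls, so the safe response is to stop using it as the second factor until the customer confirms the change through another channel, rather than to send the code and hope.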
Porting between carriers and devices, in most cases, requires so little authentication it's rather disturbing. It does not require any meaningful ID of the person before proceeding, or at least I'm not aware of a carrier that does.
But the problem is, post-Ma Bell, when the carriers used to make the customer jump through numerous hoops and bend over backwards before they'd allow you to port your number to a different company, people screamed bloody hell. This current state of affairs is the way it is because it's basically what the customers (and their politicians) demanded.
I'm not saying it's right - just that it's not completely the carriers' fault.
#DeleteChrome
Sorry to double post, but I wanted to add something extra (not that it contradicts your viewpoint in any way). All property is artificial. It's an abstraction of possession that's protected by law. Let's say that I have a banana, and you take the banana from me, with no previous arrangement made between us. I now no longer possess the banana, but you do. What is there in the natural world to say that I "own" the banana and not you? Clearly possession is not enough.
Our laws define ownership. Without them, natural law would basically be along the lines of "It's yours until someone stronger takes it". People tend to place far too much importance on possession, not realising that what really underpins property is a complicated series of laws, without which property would hold no weight. It is but another reason why picking on intellectual property purely because it refers to something intangible is not really a valid concern (not that you do that, of course).