Scammers Work Around Two-Factor Authentication With Social Engineering
mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two-factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and workplace details from his willing secretary. Armed with this data, they bluffed Vodafone, which ported his phone number, meaning the criminals could verify the bank's two-factor verification codes generated during their spending spree and the victim never knew a thing."
This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.
Whoosh!
Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.
The solution for SMS, as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.
Anyway, it is the classic story: when something goes wrong, it's usually not a single issue that went wrong. It's almost always an array of factors that have to come together "just right" to make it work. While it may be a good idea to review the security of the SMS as second factor, one should also look at how the criminals got their hands on the first factor and the rest of the information.
Sorry to double post, but I wanted to add something extra (not that it contradicts your viewpoint in any way). All property is artificial. It's an abstraction of possession that's protected by law. Let's say that I have a banana, and you take the banana from me, with no previous arrangement made between us. I now no longer possess the banana, but you do. What is there in the natural world to say that I "own" the banana and not you? Clearly possession is not enough.
Our laws define ownership. Without them, natural law would basically be along the lines of "It's yours until someone stronger takes it". People tend to place far too much importance on possession, not realising that what really underpins property is a complicated series of laws, without which property would hold no weight. It is but another reason why picking on intellectual property purely because it refers to something intangible is not really a valid concern (not that you do that, of course).