Scammers Work Around Two-Factor Authentication With Social Engineering

mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and work place details from his willing secretary. Armed with this data, they bluffed Vodafone which ported his phone number, meaning the criminals could verify the bank's two factor verification codes generated during their spending spree and the victim never knew a thing."

Re:Not Thieves

[TheVelvetFlamebait]

Whoosh!

Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.

Re:Account security

[LordLucless]

SMS is clearly not a good replacement for real Two-Factor authentication

Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

The fail at this point wasn't that the bank implemented security poorly - it's that the Telco did. They didn't even have one-factor authentication. They asked for two points of information - customer number and DOB - neither of which can reasonably be considered a secure secret. Even then, the Telco is following the process that it has been mandated to follow by the government - including the data that should be used to verify identity. If the government are going to mandate requirements for business processes, then they should either be damn sure what they're mandating is secure, or they should explicitly leave security implementation up to the business.

Re:Not Thieves

[TheVelvetFlamebait]

Sorry to double post, but I wanted to add something extra (not that it contradicts your viewpoint in any way). All property is artificial. It's an abstraction of possession that's protected by law. Let's say that I have a banana, and you take the banana from me, with no previous arrangement made between us. I now no longer possess the banana, but you do. What is there in the natural world to say that I "own" the banana and not you? Clearly possession is not enough.

Our laws define ownership. Without them, natural law would basically be along the lines of "It's yours until someone stronger takes it". People tend to place far too much importance on possession, not realising that what really underpins property is a complicated series of laws, without which property would hold no weight. It is but another reason why picking on intellectual property purely because it refers to something intangible is not really a valid concern (not that you do that, of course).