Scammers Work Around Two-Factor Authentication With Social Engineering
mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two-factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and workplace details from his willing secretary. Armed with this data, they bluffed Vodafone, which ported his phone number, meaning the criminals could verify the bank's two-factor verification codes generated during their spending spree and the victim never knew a thing."
Including that his phone didn't work any more?
Was he traveling out of country or what? That must have been one fast shopping spree.
Sig Battery depleted. Reverting to safe mode.
This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.
They didn't steal anything real.
I don't believe in imaginary property.
"George Craig .. was told that his .. mobile phone .. was used as a tool in the attack .. the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours" link
Magically hacking everything is so much more interesting.
So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...
Really? A $10 Yubikey is more costly?
I don't believe those cards have their numbers generated by any algorithms; it's a randomly generated grid of characters. You need physical access to the card - like stealing someone's wallet, copying it and returning it before they notice it's missing.
To operate with that bank on-line, you need an Internet account number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then, is the SMS verification code needed. He must have been very slack to have made all that info available to the scammers.
Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.
Don't be apathetic. Procrastinate!
This wasn't a failure of "two-factor authentication"; this was a failure of the bank to actually require two factors. It seems that the bank was relying on one of the two factors to be a "something you have" factor, which was the client's mobile phone, when in reality it was just another "something you know" factor. The "something you know" being just the phone number itself.
The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.
Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
no form of security is absolutely 100% perfect in every way..
Right; but that's not something new. No bank vault has ever been 100% safe either. The difference is that the bank takes responsibility for that, so they ensure that it's "good enough", whatever that means. If money gets stolen from the bank vault they don't say "oh that was money from your account; sorry". With electronic security, there's often a level where they blame the failure of their own security measures on "identity theft" and make it the customer's responsibility. Two-factor authentication of this kind is fine for a transaction of a few thousand dollars; it's not enough for transactions of hundreds of thousands of dollars. For 45k AUD that's a judgement call.
This case is not like most American and some European banks though; Commonwealth Bank discovered the problem itself, is paying off the cost of the transaction and, even so, warned their customer. When they take the responsibility for the losses then what systems to use or not use become their commercial judgement. They looked at an MNP security system and decided there was something wrong with it. Maybe they now change their mind, maybe not. That's exactly the right thing. Hopefully they can persuade Vodafone to at least send a text message warning customers that their number is being ported before they actually do it in future.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
This fraud should not have occurred if the victim had been more vigilant about his online security. The crooks would, in addition to obtaining an SMS token, have to also obtain a valid userid and password. Clearly, if they were able to get both of these details using social engineering or a keylogging trojan then the victim must be a careless and clueless idiot. He admits to using an insecure machine for his online banking and is surprised at the outcome? This is another good reason why a trusted and secure OS like Linux makes more sense for online banking.
Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.
The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.
Anyway it is the classic story of when something goes wrong, it's usually not a single issue that went wrong. It's almost always an array of factors that have to come together "just right" to make it work. While it may be a good idea to review the security of the SMS as second factor, one should also look at how the criminals got their hands on the first factor and the rest of the information.
If you're not broke, you don't need to worry either, because the scammers can soon fix that.
Cheap 2 factor isn't too costly, but it's less secure. The more secure ones, like RSA, cost about $100 per token. (Although, how secure those are is really up for some debate since they fucked up a few months ago).
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
The 20-20 hindsight is strong in this one.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Number portability should be for moving between providers while retaining the same number (to save having to give the new number to all contacts).
When I have moved a number to a new (PAYG) handset (keeping the same provider), the process required me to quote the IMEI of both handsets as well as answering security questions. For a contract phone (which one would assume is what a business owner would have), surely the only time the number should need moving to a new handset is when the handset is changed as part of the contract - in which case it should not be possible to move the number simply by making a phone call.
From personal experience, I can inform you that it's not. If your account has some positive number in it, I can assure you there's a sea of pricks waiting to empty it, no matter how small.
I read TFA and all I got was this lousy cookie
You're missing the point of the GP's post. You rely on the fourth party, but really, you know little about their security requirements. I personally refuse to use 2 factor unless it's via a time sync key (can be done easily via a phone app) as any message being sent to you can be intercepted in various ways.
they intercepted a victim's two factor online banking codes
Surely the victim here was the bank. They are the ones who gave away money to people who weren't entitled to it. They were the ones who allowed a weak form of authentication to be accepted. They are the ones who will bear the eventual loss.
The person whose account was used did nothing wrong. He didn't disclose any confidential information and (from what I've read) complied with the terms of his account.
We need to get away from defining the victims of these crimes as being the person whose name is on the account that was used - the account that the bank wrongly withdrew money from and gave away to the scammers. Unless we start identifying the true victims as being the financial institutions who we entrust with our money, yet have weak and inappropriate security measures, the time will come when they shift the expectation and liability, so that the customer will bear the loss for something that is neither their fault nor within their control.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Not True. The product is AFAIK, A Telstra product under which they use SMS to provide a "token" as an additional factor.
Given that there have been many confirmed examples of MNP ( Malicious Number Porting ) in Australia, this is known weak security. Under the circumstances, its entirely reasonable to assume that the Bank knew this was likely.
However I can't see them rushing out to address the issue in the near future. In fact, with some banks, it's impossible to turn off the ability to transfer out large sums of money. You can turn it off easily enough, but anyone who accesses the system can turn it back on by default by clicking a screen saying you agree to the risk. :(
All the major banks in Australia have this form of security. On the other hand, all the credit unions ( everyone except the "Big 4" Banks ) use VIP ( Verisign Identity Protection IIRC ) which can be downloaded to most smartphones and works as a soft-token.
Security in Australia, as with much of the world, is severely compromised by CEOs and CTOs who really don't understand it and as long as they can blame someone else, then due diligence is done.
GrpA
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
1) no it's a hole in the auth, since they used a known weak method that relies on the security of the telco over which they have no control
2) the problem is how do they authenticate that it is the customer requesting the number porting?
Most likely they will ask some "security questions" over the phone which a good social engineer will know the answers to...
If doing it in person in a shop they just ask for a signature, which of course is totally arbitrary and trivially easy to fake...
Even if the telco has strict policies, how is the actual number porting carried out? Usually it is based on carriers trusting each other not to submit rogue requests, so all it needs is one rogue or compromised carrier...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Unless you have credit, in which case they'll just max THAT out.
Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.
Commonwealth Bank for first-time external transfers not only requires the traditional two-factor authentication but also requires you to answer two secret questions. These are normally stock questions like the name of your pet, your mother's maiden name, etc.
To pull this off they likely knew quite a damn lot about him.
The downside to the bank in question is that all you need to raise your daily transfer limit is the SMS code, no additional questions.
Ok, 1) can be seen that way, you are correct, but for 2) no. Telcos should just ban most of their phone "services". In my country you can call pretty much any mobile phone services company (if you have a contract with them and call from the subscribed SIM) and request to upgrade your plan. Seriously, some only validate the name and birthday. No account IDs, no personal data. You could easily upgrade someone who went to the toilet and let him worry about the 48-month legislative hell you have to go through to get a phone company to release their "recorded conversations" to court and prove it wasn't you who ordered the upgrade.
Burn them I say, burn them while you still can!
-- no sig today
I wouldn't call RSA at all secure... The fact that they provide all the keys is a terrible idea and always was, them fucking up was always an accident waiting to happen.
I wouldn't trust any such system unless i could seed the device myself. There is no reason for the vendor to supply the seeds.
With a properly configured Yubikey, only two parties would have the necessary seed values - myself and the organisation i'm dealing with. If someone successfully hacked Yubico it wouldn't help them attack me.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If someone is keeping it in their wallet it would be easier than you might think, you can read cards without physically swiping them through a traditional card reader, especially the not so common no-swipe enabled cards.
It's a piece of cardboard with numbers printed on it. Good luck reading that without removing it from the wallet.
Something you know, something you have, something you are - pick any two.
I thought it was something you forgot long ago, something you just had stolen, something you were before they beat the shit out of you and started cutting body parts off.
These posts express my own personal views, not those of my employer
I would think the smart card authentication devices like this are quite cheap. The debit card already needs the chip (to authenticate transactions in shops in the UK, and many other countries), and the reader probably doesn't do much.
I doubt the CEOs implemented the system, it was most likely an incompetent engineer. And you can't rely solely on the time based apps, you need to consider all the clients that still use phones from the 1990's. A hybrid system that supports both forms of identification would be ideal.
And please tell me what do they have to win with having an insecure system? Your whole speech was going great until you pointed the CEOs as the ones responsible..
I assume that's something you picked up from the movies. Any bank which stored a significant percentage of cash in a bank vault would be out of business pretty quick.
And the money in "your" bank account is the bank's money, not yours. You loaned it to them therefore it's their responsibility. If they happen to try to pass that responsibility back to you... Well, you'd have to be pretty dumb to sign that contract.
Your relationship with your bank is that of a creditor. The money is no longer yours, and the bank can pretty much do what it pleases with the money.
The responsibility for security lies with the bank.
HTH.
They win lower business costs, and depending on their compensation package that could mean they indirectly win more income.
People are quite outraged since this turns out to be default, even for non-customers of the bank in question, but this is how a Dutch bank solved this: If you change provider, SIM card or phone number, you can't use your phone for tokens for at least 48 hours. All telco companies send *all* their changes to that bank, so they can compare it against their records of customers' phone numbers. It's a gross invasion of privacy, but it does work against this form of weakness in this form of two-factor authentication.
I was promised a flying car. Where is my flying car?
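The control described in the post above, and the national porting database the bank was said to have declined earlier in the thread, come down to one check: before sending an SMS code, look up whether the destination number was ported or its SIM changed recently, and if so refuse SMS and force another channel. The following is an added example, not code from any bank, telco or from the original thread: a Python gate that applies a 48-hour hold over a constructed porting/SIM-change feed. The feed format, the carrier names and the phone numbers are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

PORT_HOLD = timedelta(hours=48)   # illustrative; the post above describes a 48h hold


@dataclass(frozen=True)
class NumberEvent:
    """One record from a (hypothetical) porting / SIM-change feed."""
    msisdn: str            # E.164, e.g. "+61400000001"
    event_type: str        # "port" or "sim_change"
    at: datetime           # when the change took effect (UTC)
    detail: str = ""       # e.g. "CarrierA->CarrierB"


def normalise_msisdn(raw: str, default_cc: str = "+61") -> str:
    """Bring numbers into one E.164 form so the lookup cannot be dodged by
    formatting: '0400 000 001' and '+61400000001' must compare equal."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("0"):
        digits = digits[1:]
    return default_cc + digits


def last_change(msisdn: str, events: Iterable[NumberEvent]) -> Optional[NumberEvent]:
    """Most recent port or SIM change for the number, or None if there is none."""
    target = normalise_msisdn(msisdn)
    hits = [e for e in events if normalise_msisdn(e.msisdn) == target]
    return max(hits, key=lambda e: e.at) if hits else None


def sms_otp_allowed(msisdn: str, now: datetime, events: Iterable[NumberEvent],
                    hold: timedelta = PORT_HOLD) -> Tuple[bool, str]:
    """Decide whether an SMS one-time code may be sent to `msisdn` at `now`.

    Refuses if the number was ported or its SIM swapped within `hold`; the
    caller should then fall back to a channel the attacker does not control
    (branch visit, call-back to a previously verified landline, soft token).
    """
    ev = last_change(msisdn, events)
    if ev is None:
        return True, "no recent port or SIM change on record"
    age = now - ev.at
    if age < hold:
        remaining = hold - age
        return False, (f"{ev.event_type} at {ev.at.isoformat()} ({ev.detail}); "
                       f"SMS blocked for another {remaining}")
    return True, f"last {ev.event_type} was {age} ago, outside the hold window"


# Constructed sample feed (not real data): one number ported an hour ago,
# one SIM-swapped three days ago, one untouched.
NOW = datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    NumberEvent("+61400000001", "port", NOW - timedelta(hours=1), "CarrierA->CarrierB"),
    NumberEvent("0400 000 002", "sim_change", NOW - timedelta(days=3), "replacement SIM"),
]

if __name__ == "__main__":
    for number in ("+61400000001", "0400000002", "+61400000003"):
        ok, why = sms_otp_allowed(number, NOW, SAMPLE_EVENTS)
        print(f"{number}: {'SEND' if ok else 'BLOCK'} - {why}")
```

The hold does not make SMS a second factor; it only denies the attacker the window in which a freshly hijacked number is most useful, which is exactly the commercial trade-off the thread argues the banks should have made.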
The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.
Worse. The thief just needs your mobile phone and account numbers (e.g. stolen from mailbox, or trash) to port your number within minutes without any human approving it.
The names on the accounts do not even need to match.
Two-factor authentication by SMS is almost worthless in Australia.
I'm sorry, reading the synopsis I just got the the phrase "willing secretary" and then my mind started to wander... What are we talking about again?
"Vodafone employees tricked. Humans still weakest link in security chain. Film at 11."
No, worse than that, it's not true two-factor security. It's one-factor. In order to be two-factor security, you must have two items, e.g. things you have or things you know, that are separate and distinct and cannot be derived from one another. Lots of folks use their smartphones for mobile banking. Someone cracking your smartphone can potentially access not only your mobile banking credentials but also your email, text messages, etc. Therefore, these cannot be considered two separate and unrelated factors any more than a cryptocard simulator running on your PC is a second factor.
The fact that this attack happened via social engineering is actually fairly unimportant. Even if the social engineering attacks were not possible, a cellular phone would still not be a valid second factor for authentication because people can store credentials on them. When are companies going to learn that two-factor authentication requires a separate hardware device that does not have access to your login credentials and vice-versa?
Check out my sci-fi/humor trilogy at PatriotsBooks.
Just pointing out how these dodgy ideas that are clearly flawed get implemented in the first place... Usually someone very high up with a good understanding of business, but next to no real security understanding makes the decision.
And as often as not, they will go for price, and SMS-only gateways such as this are 1/2 the price of even soft-token systems. I've spoken to a few corporate managers about this subject; they often conclude that the risk of their data/funds/whatever being targeted are low... Very much a "Why would anyone want to hack a here in Australia?" type of mentality.
What do they have to gain? They get the cheaper price and if they get audited, they can show the glossy brochures that show using SMS to send tokens is really secure... And often they use the excuse "If it wasn't secure, the banks wouldn't use it" even when presented with evidence of MNP. :(
As for hybrid systems? Yes, both RSA and VIP offer hybrid solutions that will allow phone-SMS of tokens as necessary, though it's still the same security hole. Just a slightly smaller hole. Like comparing a Cliff-side-drop to an exposed mineshaft. You're less likely to fall into a mineshaft but both will kill you - :(
Engineers implement the systems, but engineers do what they are told. :)
Don't take this as an Anti-CEO/CTO rant. Most of those guys are pretty good. It's more a reflection on how their motivation for reducing cost while only having to get ticks in the appropriate boxes usually drives the choice of technology. Sometimes even when a particular technology is well known to be flawed.
GrpA
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
In South Africa you have to go to the bank branch, with bank card and ID document, to set a monthly limit to transfers outside your portfolio. You can also go in and request a temporary increase (if you've just borrowed money and want to pay a few debts off) - starting immediately and ending on a date you specify. There is two-factor validation via SIM though for every beneficiary you add, or once-off beneficiary payments.
you need to consider all the clients that still use phones from the 1990's
One needs to consider clients with phones over 11 years old? Considering that phones seem to increase in capability almost as much as desktop computers, if somebody is using the same phone for over 11 years they must be quite the penny pincher.
Don't use easily-attainable information such as your phone number and place of work as security details. It's one reason why I hate it when websites force you to select from a pre-selected list of "security questions", such as "Where were you born?" or "What was your father's name?". That is not secure information.
To date, I've only come across one website that allows you to set both the question and the answer. And that was a government website. *shrugs*
If your 11 year old phone still works, why change it? Not everyone is a tech junkie and will only use their phone to make calls and send messages. My mother's phone still only has green and black pixels (: (all I bought for it was a 10€ battery a few years ago)
When you port a mobile number (at least in the US), there is a period during which you can't receive SMS messages from SMS aggregators (the bulk messaging APIs banks and other companies use to send automated messages). After I ported my number from AT&T to Verizon, my BofA SMS messages stopped working. I called the bank and they instantly knew that it was because I had recently ported, so it must be a common problem. It took about two weeks for them to start working again.
So either this is different in Australia, or there's a big hole in this story.