Slashdot Mirror


Scammers Work Around Two-Factor Authentication With Social Engineering

mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and work place details from his willing secretary. Armed with this data, they bluffed Vodafone which ported his phone number, meaning the criminals could verify the bank's two factor verification codes generated during their spending spree and the victim never knew a thing."

42 of 186 comments

  1. Re:Victim never knew a thing? by Fjandr · · Score: 5, Informative

    He received an SMS which he believed to be from Vodafone, stating that they were having network difficulties and he would experience loss of cell service for the next 24 hours.

  2. Account security by Fjandr · · Score: 4, Insightful

    This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.

    1. Re:Account security by enoz · · Score: 4, Insightful

      A Hardware Token (such as RSA Securid) would have prevented TFA's fraud. SMS is clearly not a good replacement for real Two-Factor authentication, though it is cheap for the banks to implement compared to other options.

    2. Re:Account security by LordLucless · · Score: 5, Insightful

      SMS is clearly not a good replacement for real Two-Factor authentication

      Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

      The fail at this point wasn't that the bank implemented security poorly - it's that the Telco did. They didn't even have one-factor authentication. They asked for two points of information - customer number and DOB - neither of which can reasonably be considered a secure secret. Even then, the Telco is following the process that it has been mandated to follow by the government - including the data that should be used to verify identity. If the government are going to mandate requirements for business processes, then they should either be damn sure what they're mandating is secure, or they should explicitly leave security implementation up to the business.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    3. Re:Account security by jamesh · · Score: 3, Insightful

      Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

      It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

    4. Re:Account security by mjwx · · Score: 2

      This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.

      I agree, but the average person does not unfortunately.

      The average person will view this as the bank trying to get in the way of them and their money. In Australia there will be huge sensationalised reports about the EVIL BANKS stealing from hard working Aussie battlers and keeping all that dastardly profit for themselves whereas in reality, the new security measures cost more to implement but the real problem is Bazza from Frankston is too dumb and lazy to learn how to keep his cash secure.

      So the system we have is probably the best system we're going to get. It's the worst the dumbest will put up with. They don't care about their own security, hence the bank has to protect them.

      In either case, the fraud victim will get their money back, telcos will make it harder to port numbers over. As far as attacks go, this one takes a lot of effort and some money to start. Furthermore, it requires the hacker to live in Australia and register their SIM card in Oz (which you require photo ID to buy, well in theory anyway). So to find the attackers, they need to locate the SIM (telcos will turn that over without question) then ask the Telco who bought the SIM and what ID they used.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re:Account security by tsotha · · Score: 4, Informative

      Bank of America offers something they're calling a "Safepass Card", which looks suspiciously like SecurID to me.

    6. Re:Account security by mjwx · · Score: 2

      Given how much is being linked to a cellular number, I actually would support making number portability more difficult (in that securing a process almost always makes that process more difficult/complex).

      Something like SIM registration seems like it would go a long way toward combating this sort of hijacking, and should be relatively easy to implement.

      We've got the same problem as with the banks. After banks and speed cameras, telcos are the favourite targets of the sensationalist bollocks brigade.

      Any move to make it more secure will be met with scorn and venom from anyone who doesn't want to understand why it's happening. Right between signing up for the Vodafail page and complaining about how bad their telco is.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Account security by bloodhawk · · Score: 4, Interesting

      Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

      It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

      You are confused. SMS to your mobile IS TWO FACTOR AUTH. Just because it sucks doesn't make it not two factor auth. Besides when directly targeted there are very few good two factor auths that are practical that can't be defeated by a well targeted scam such as this. RSA/Vasco tokens can be stolen as can Smartcards or USB keys and when you are talking about scams in the amount of this article then the theft of a token isn't that much of a reach either. It isn't like it takes long to empty a bank account.

    8. Re:Account security by jamesh · · Score: 2

      You are confused. SMS to your mobile IS TWO FACTOR AUTH

      you said "Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.". I said "It sure does". I wasn't disputing that password+mobile number was two factor auth, I was disputing that it was a reasonable choice.

      I may be a bit out of date here but I thought that sniffing an SMS wasn't really that difficult for a sufficiently motivated criminal... but maybe it's sufficiently difficult with today's 3G networks? Last time I checked most carriers didn't encrypt GSM communications, which makes the second factor more about the SMS itself than the phone number.

    9. Re:Account security by Sparr0 · · Score: 2

      They could get the serial number off your token generator and compromise the token provider's database. I've replaced token generators with software token generators in the past to streamline helpdesk operations, we had a database full of the token keys. If that got compromised, it would be bad.

    10. Re:Account security by jjo · · Score: 2

      I have a Safepass card. It's been some time since I got it, but I think it cost me about $20. Whenever I want to make an online payment to a previously-unknown payee, I need to enter the code from the hardware token. While it's true that the token could be stolen, thieves would have to intercept my username/password, then steal the token without my discovering the theft in time to notify the bank. Not impossible by any means, but probably difficult enough to induce the thieves to look for easier prey. I think my investment of $20 and a few extra keystrokes is well worth it.

  3. Not Thieves by Anonymous Coward · · Score: 4, Funny

    They didn't steal anything real.

    I don't believe in imaginary property.

    1. Re:Not Thieves by CohibaVancouver · · Score: 3, Funny

      I don't believe in imaginary property.

      Please send me all your money, via wire transfer. Thank you.

    2. Re:Not Thieves by TheVelvetFlamebait · · Score: 5, Insightful

      Whoosh!

      Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    3. Re:Not Thieves by TheVelvetFlamebait · · Score: 5, Insightful

      Sorry to double post, but I wanted to add something extra (not that it contradicts your viewpoint in any way). All property is artificial. It's an abstraction of possession that's protected by law. Let's say that I have a banana, and you take the banana from me, with no previous arrangement made between us. I now no longer possess the banana, but you do. What is there in the natural world to say that I "own" the banana and not you? Clearly possession is not enough.

      Our laws define ownership. Without them, natural law would basically be along the lines of "It's yours until someone stronger takes it". People tend to place far too much importance on possession, not realising that what really underpins property is a complicated series of laws, without which property would hold no weight. It is but another reason why picking on intellectual property purely because it refers to something intangible is not really a valid concern (not that you do that, of course).

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    4. Re:Not Thieves by TheVelvetFlamebait · · Score: 3, Interesting

      Well, OK, I'm willing to make a concession here: I allow the data to be modified, as long as it is not decreased. I allow any amount of increase, though. I'm not at all possessive at the exact value, I just don't want a lower one.

      That sounds consistent with larger numbers having larger values, but not so consistent with it being worthless either way. You're not being very convincing here.

      Because I have a contract with the bank giving me that control.

      OK, let's start being clear here. What I'm claiming you own is not the number itself (it's a number that probably occurs in many places), nor the physical bits that it's stored upon (they're owned by the bank), but you own being the subject of the bank's duty to pay a person money when you decide to lower that number. You claim that this is not ownership, merely some mechanics tied to a contract.

      First of all, this duty is not worthless. The proof of this is to simply ask anybody on the planet to relinquish this duty to you, and ask them what they'll pay for it. For the vast majority of people, they won't accept any amount less than what is stored in there. This tells us that, to them, the duty of the banks to pay them money in exchange for lowering their balance is worth to them at least what the balance reads. This is literally the definition of subjective monetary value: how much a given person will trade for the object in question. So, we have at least proven that, while completely intangible, this duty is not worthless.

      If you decide to define property in a way that excludes this duty, you may. Do not expect the courts, or anyone else, to agree with you on that point. You must remember that property, even of tangible objects, is an abstract, artificial concept that is enforced only by law. It is up to us to decide what to treat as property, and what not to treat as property, as well as what to call property and what not to call property. In this case, we have this duty, which has worth like property, is forbidden to be taken or otherwise abused like property, that can be bought, sold, and otherwise transferred like property. To me, to many others, and to the courts, this is sufficient to consider it property, as it shares all the core properties that make up the concept of property. Like I said, you're free to make exceptions, or impose further arbitrary restrictions to your personal concept of property, but if you want others to share your view, you need to be more convincing.

      You are missing that whether something is worth anything real and whether it should be protected by law are two very different questions. For example, legally owning slaves is worth a lot, but I think we both agree that it should not only not be protected by law, but even forbidden.

      I wasn't claiming that copyrights should be protected. I was pointing out that so many on /. have decided that a potential to gain money should not be protected by law, specifically because they consider it not to be "real". I think that distinction is probably better placed at the feet of the people whose view I was attacking.

      Whether something should be protected, merely allowed or forbidden by law should not depend on whether you can potentially gain money from it. It should be dependent on whether allowing or forbidding it gives a net gain or net loss. For slavery, forbidding clearly gives a net gain. For bank accounts, protecting clearly gives a net gain.

      I'm with you so far. You, of course, realise that this makes any quibbles over what constitutes property utterly moot, right?

      For copyright and patents, the current system clearly gives a net loss. Completely removing copyright would probably not be a good idea, but limiting it to a much shorter duration (say, ten years from publication) I think would give a net gain.

      Well, I don't think it's nearly so clear that it's a net loss, in that we would be better with no copyright than with copyright as it is now, but yeah I agree shorter terms would be appropriate.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  4. must post before I even read the article :) by Anonymous Coward · · Score: 2, Insightful

    "George Craig .. was told that his .. mobile phone .. was used as a tool in the attack .. the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours"

  5. Social engineering is cheating by Anonymous Coward · · Score: 3, Funny

    Magically hacking everything is so much more interesting.

    1. Re:Social engineering is cheating by thisnamestoolong · · Score: 3, Funny

      Yes, but only if you have a gun to your head and are getting a blowjob while you do it...

      --
      To the haters: You can't win. If you mod me down, I shall become more powerful than you could possibly imagine
  6. The Blame Game by enoz · · Score: 5, Informative

    So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...

    1. Re:The Blame Game by xous · · Score: 5, Interesting

      It wouldn't make a significant difference even if they did.

      There are thousands of examples of carriers being tricked into forwarding numbers by 3rd parties. I do it all the time for customers that port into us if something goes wrong with the porting process.

      Often all I do is:
      1. Identify myself as $MYNAME from $MYCOMPANY. (NOT $THEIRCLIENT)
      2. State that I'm calling on behalf of $THEIRCLIENT.
      3. Tell them that $THEIRCLIENT is in the process of moving to our services and need to forward the number temporarily.
      4. Carrier asks for the forwarding number and it's generally done in 1-2 hours.

      The only shred of validation that might happen is them checking my caller id. I've never needed an account number, billing contact name, authorization code, or anything. Just the phone number.

      I've even offered to pay for the forward but been declined because I'm not $THEIRCLIENT. They were happy enough to charge the $THEIRCLIENT on my behalf.

      Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

    2. Re:The Blame Game by rtfa-troll · · Score: 5, Informative

      So the banks say it's not their problem,

      No they didn't. They paid up fully and automatically. First they blocked his account:

      The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

      Then they sorted everything out and paid for everything automatically.

      Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

      They had even been part of a group which had investigated the MNP security fixes available but decided not to implement them because of security problems.

      “We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

      I hate banks in general as much as the next man in the times of this crisis induced by some of them but lets at least blame them for the evil things that they really have done. This is not one of them.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
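
The "was this number recently ported" check that enoz's post and rtfa-troll's reply above describe, worked as an added example that is not from the thread or from any bank's or carrier's code: it combines a simulated MNP lookup with a per-transfer decision and a retrospective scan of a constructed OTP-send log. The phone numbers, port records, log lines, the 3-day window and the AUD 10,000 threshold are all constructed assumptions.

```python
"""Added example: a bank-side policy that refuses to trust an SMS one-time
code sent to a freshly ported number. Everything below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    SMS_OTP = "send SMS one-time code"
    CALLBACK = "hold transfer; confirm on a non-mobile channel"
    BLOCK = "freeze transfer; refer to fraud team"


@dataclass(frozen=True)
class PortRecord:
    msisdn: str
    ported_at: datetime  # when the number last moved to a new carrier/SIM
    carrier: str


# Constructed stand-in for the national mobile number portability database
# the thread says banks were offered access to. Not real numbers or records.
MNP_DB = {
    "+61400000001": PortRecord("+61400000001", datetime(2011, 1, 10, 11, 0), "CarrierA"),
    "+61400000002": PortRecord("+61400000002", datetime(2011, 8, 14, 9, 30), "CarrierB"),
}

PORT_WINDOW_HOURS = 72   # assumption: a port this recent is suspicious
LARGE_AUD = 10_000       # assumption: step-up threshold for a "large" transfer


def _as_dt(t):
    """Accept either a datetime or an ISO-8601 string."""
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


def hours_since_port(msisdn, now):
    """Hours since the number last ported, or None if no port is on record.
    An unknown number is treated as never ported (assumption)."""
    rec = MNP_DB.get(msisdn)
    if rec is None:
        return None
    return (_as_dt(now) - rec.ported_at).total_seconds() / 3600


def otp_channel_decision(msisdn, amount_aud, now):
    """Choose how to confirm a transfer that would normally use an SMS code.

    A freshly ported number cannot be assumed to reach the customer, so the
    code is not sent there; for a large amount the transfer is frozen instead.
    """
    age = hours_since_port(msisdn, now)
    recently_ported = age is not None and 0 <= age < PORT_WINDOW_HOURS
    if recently_ported and amount_aud >= LARGE_AUD:
        return Decision.BLOCK
    if recently_ported:
        return Decision.CALLBACK
    return Decision.SMS_OTP


# Constructed OTP-send log, as an SMS gateway might write it:
# timestamp, destination number, transfer amount in AUD.
OTP_LOG = """\
2011-08-14T08:55:00 +61400000001 250.00
2011-08-14T10:05:00 +61400000002 15000.00
2011-08-14T10:20:00 +61400000002 30000.00
2011-08-15T14:00:00 +61400000001 45000.00
"""


def flag_sends_after_port(log_text):
    """Retrospective check over the gateway log: return one tuple
    (timestamp, msisdn, amount, hours_since_port) for every code that was
    sent to a number within PORT_WINDOW_HOURS after it ported."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, msisdn, amount = line.split()
        age = hours_since_port(msisdn, ts)
        if age is not None and 0 <= age < PORT_WINDOW_HOURS:
            flagged.append((ts, msisdn, float(amount), round(age, 2)))
    return flagged


if __name__ == "__main__":
    now = "2011-08-14T10:00:00"
    for num, amt in (("+61400000001", 45000.0), ("+61400000002", 500.0),
                     ("+61400000002", 45000.0)):
        print(num, amt, "->", otp_channel_decision(num, amt, now).value)
    for row in flag_sends_after_port(OTP_LOG):
        print("flagged:", row)
```

The log scan is the check a fraud team could run after the fact; the decision function is the same test applied before the code is ever sent.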
    3. Re:The Blame Game by LordLimecat · · Score: 2

      Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

      That's true with ANY kind of authentication, except for some kind of mythical, perfect, no-side-channel-attacks biometrics.

  7. Re:physical card; sms and l/p by viperidaenz · · Score: 2

    I don't believe those cards have their numbers generated by any algorithms, it's a randomly generated grid of characters. You need physical access to the card - like stealing someone's wallet, copying it and returning it before they notice it's missing.

  8. CBA Security is ok. by Whiteox · · Score: 3, Informative

    To operate with that bank on-line, you need an Internet acc number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then is the SMS verification code needed. He must have been very slack to have made all that info available to the scammers.
    Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

    --
    Don't be apathetic. Procrastinate!
  9. Re:What's the point of this story? by bill_mcgonigle · · Score: 5, Interesting

    The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.

    Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. Re:What's the point of this story? by rtfa-troll · · Score: 5, Interesting

    no form of security is absolutely 100% perfect in every way..

    Right; but that's not something new. No bank vault has ever been 100% safe either. The difference is that the bank takes responsibility for that so they ensure that it's "good enough", whatever that means. If money gets stolen from the bank vault they don't say "oh that was money from your account; sorry". With electronic security, there's often a level where they blame the failure of their own security measures on "identity theft" and make it the customer's responsibility. Two factor authentication of this kind is fine for a transaction of a few thousand dollars; it's not enough for transactions of hundreds of thousands of dollars. For 45k AUD that's a judgement call.

    This case is not like most American and some European banks though; Commonwealth Bank discovered the problem itself, is paying off the cost of the transaction and, even so, warned their customer. When they take the responsibility for the losses then what systems to use or not use become their commercial judgement. They looked at an MNP security system and decided there was something wrong with it. Maybe they now change their mind, maybe not. That's exactly the right thing. Hopefully they can persuade Vodafone to at least send a text message warning customers that their number is being ported before they actually do it in future.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  11. Re:was this really two-factor? by BradleyUffner · · Score: 2

    No, the scammers convinced the victim's phone company to transfer the number to a different account. Meaning they then had control of the second factor.

    I'd argue that an account doesn't satisfy the intent of the "something you have" part of 2 factor authentication. "Something you have" seems like it should be something physical, not a non-physical entity such as a phone account. If it could be tied to the physical cell phone via hardware ID it could work.

  12. The first factor by wvmarle · · Score: 4, Insightful

    Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.

    The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.

    Anyway it is the classic story of when something goes wrong, it's usually not a single issue that went wrong. It's almost always an array of factors that have to come together "just right" to make it work. While it may be a good idea to review the security of the SMS as second factor, one should also look at how the criminals got their hands on the first factor and the rest of the information.

    1. Re:The first factor by jareth-0205 · · Score: 2

      The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.

      This isn't the same as number porting. Porting is rerouting a number to a different SIM card, effectively permanently changing the network operator for a particular number. Many customers will have this on their number, so if you stop it then you won't be able to use SMS for possibly a majority of users.

  13. Re:Victim never knew a thing? by srjh · · Score: 5, Funny

    As someone on Vodafone in Australia, this should immediately have started ringing alarm bells.

    No way they'd have the problems fixed in 24 hours.

  14. Re:Victim never knew a thing? by tdelaney · · Score: 2, Funny

    Considering it's the Vodafail network, a 24-hour outage would be considered normal service.

  15. Re:What's the point of this story? by Arancaytar · · Score: 4, Funny

    Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.

    If you're not broke, you don't need to worry either, because the scammers can soon fix that.

  16. After reading the comments... by mwvdlee · · Score: 2

    The 20-20 hindsight is strong in this one.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  17. Wrong victim by petes_PoV · · Score: 2

    they intercepted a victim's two factor online banking codes

    Surely the victim here was the bank. They are the ones who gave away money to people who weren't entitled to it. They were the ones who allowed a weak form of authentication to be accepted. They are the ones who will bear the eventual loss.

    The person whose account was used did nothing wrong. He didn't disclose any confidential information and (from what I've read) complied with the terms of his account.

    We need to get away from defining the victims of these crimes as being the person whose name is on the account that was used - the account that the bank wrongly withdrew money from and gave away to the scammers. Unless we start identifying the true victims as being the financial institutions who we entrust with our money, yet have weak and inappropriate security measures, the time will come when they shift the expectation and liability, so that the customer will bear the loss for something that is neither their fault nor within their control.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  18. Re:Victim never knew a thing? by 93+Escort+Wagon · · Score: 3, Insightful

    Porting between carriers and devices, in most cases, requires so little authentication it's rather disturbing. It does not require any meaningful ID of the person before proceeding or at least I'm not aware of a carrier that does.

    But the problem is - post Ma Bell, when the carriers used to make the customer jump through numerous hoops and bend over backwards before they'd allow you to port your number to a different company, people screamed bloody hell. This current state of affairs is the way it is because it's basically what the customers (and their politicians) demanded.

    I'm not saying it's right - just that it's not completely the carriers' fault.

    --
    #DeleteChrome
  19. Re:What's the point of this story? by GrpA · · Score: 4, Interesting

    Not True. The product is AFAIK, a Telstra product under which they use SMS to provide a "token" as an additional factor.

    Given that there have been many confirmed examples of MNP ( Malicious Number Porting ) in Australia, this is known weak security. Under the circumstances, it's entirely reasonable to assume that the Bank knew this was likely.

    However I can't see them rushing out to address the issue in the near future. In fact, with some banks, it's impossible to turn off the ability to transfer out large sums of money. You can turn it off easy enough, but anyone who accesses the system can turn it back on by default by clicking a screen saying you agree to the risk. :(

    All the major banks in Australia have this form of security. On the other hand, all the credit unions ( everyone except the "Big 4" Banks ) use VIP ( Verisign Identity Protection IIRC ) which can be downloaded to most smartphones and works as a soft-token.

    Security in Australia, as with much of the world, is severely compromised by CEOs and CTOs who really don't understand it and as long as they can blame someone else, then due diligence is done.

    GrpA

    --
    Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
  20. Re:What's the point of this story? by Bert64 · · Score: 3, Interesting

    1) no it's a hole in the auth, since they used a known weak method that relies on the security of the telco over which they have no control

    2) the problem is how do they authenticate that it is the customer requesting the number porting?
    Most likely they will ask some "security questions" over the phone which a good social engineer will know the answers to...
    If doing it in person in a shop they just ask for a signature, which of course is totally arbitrary and trivially easy to fake...

    Even if the telco has strict policies, how is the actual number porting carried out? Usually it is based on carriers trusting each other not to submit rogue requests, so all it needs is one rogue or compromised carrier...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  21. Re:Victim never knew a thing? by deniable · · Score: 2

    Or tell you about it.

  22. Banks don't keep money in bank vaults. by Colin+Smith · · Score: 4, Interesting

    I assume that's something you picked up from the movies. Any bank which stored a significant percentage of cash in a bank vault would be out of business pretty quick.

    And the money in "your" bank account is the bank's money, not yours. You loaned it to them therefore it's their responsibility. If they happen to try to pass that responsibility back to you... Well, you'd have to be pretty dumb to sign that contract.

    Your relationship with your bank is that of a creditor. The money is no longer yours, and the bank can pretty much do what it pleases with the money.

    The responsibility for security lies with the bank.

    HTH.

    --
    Deleted
  23. Re:Victim never knew a thing? by FatLittleMonkey · · Score: 4, Funny

    It's disturbing when the scammers have better customer service than the actual phone company.

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.