Slashdot Mirror


Scammers Work Around Two-Factor Authentication With Social Engineering

mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and workplace details from his willing secretary. Armed with this data, they bluffed Vodafone, which ported his phone number, meaning the criminals could verify the bank's two factor verification codes generated during their spending spree and the victim never knew a thing."

10 of 186 comments

  1. Re:Victim never knew a thing? by Fjandr · · Score: 5, Informative

    He received an SMS which he believed to be from Vodafone, stating that they were having network difficulties and he would experience loss of cell service for the next 24 hours.

  2. The Blame Game by enoz · · Score: 5, Informative

    So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...

    1. Re:The Blame Game by xous · · Score: 5, Interesting

      It wouldn't make a significant difference even if they did.

      There are thousands of examples of carriers being tricked into forwarding numbers by 3rd parties. I do it all the time for customers that port into us if something goes wrong with the porting process.

      Often all I do is:
      1. Identify myself as $MYNAME from $MYCOMPANY. (NOT $THEIRCLIENT)
      2. State that I'm calling on behalf of $THEIRCLIENT.
      3. Tell them that $THEIRCLIENT is in the process of moving to our services and need to forward the number temporarily.
      4. Carrier asks for the forwarding number and it's generally done in 1-2 hours.

      The only shred of validation that might happen is them checking my caller id. I've never needed an account number, billing contact name, authorization code, or anything. Just the phone number.

      I've even offered to pay for the forward but been declined because I'm not $THEIRCLIENT. They were happy enough to charge the $THEIRCLIENT on my behalf.

      Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

    2. Re:The Blame Game by rtfa-troll · · Score: 5, Informative

      So the banks say it's not their problem,

      No they didn't. They paid up fully and automatically. First they blocked his account:

      The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

      Then they sorted everything out and paid for everything automatically.

      Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

      They had even been part of a group which had investigated the MNP security fixes available but decided not to implement them because of security problems.

      “We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

      I hate banks in general as much as the next man in the times of this crisis induced by some of them, but let's at least blame them for the evil things that they really have done. This is not one of them.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
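
The check enoz and rtfa-troll are arguing about above (the banks being offered the national Mobile Number Portability database so they could see whether a number was recently ported) as an added example, not code from the original page, from CommBank or from any carrier: a fraud-control rule that refuses to send an SMS code for a large transfer to a number ported within the last few days and routes the transfer to out-of-band verification instead. The port history, phone numbers, dates, the 7-day cooldown and the AUD 1,000 step-up threshold are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

AEST = timezone(timedelta(hours=10))

# Constructed sample port history standing in for the MNP database the thread
# mentions. Real records would come from a carrier/industry feed; these
# numbers, carriers and dates are made up for the example.
PORT_HISTORY = {
    "+61400000001": [  # ported the day before the transfer is attempted
        {"ported_at": datetime(2011, 11, 1, 9, 30, tzinfo=AEST),
         "from": "CarrierA", "to": "CarrierB"},
    ],
    "+61400000002": [  # last port was years ago
        {"ported_at": datetime(2009, 3, 15, 12, 0, tzinfo=AEST),
         "from": "CarrierC", "to": "CarrierA"},
    ],
    "+61400000003": [],  # never ported
}


def normalise_au(number: str) -> str:
    """Canonicalise an Australian mobile number to E.164 (+61...) so a lookup
    does not miss a match because of spaces or a missing country code."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("61") and len(digits) == 11:
        return "+" + digits
    if digits.startswith("0") and len(digits) == 10:
        return "+61" + digits[1:]
    raise ValueError(f"not an Australian mobile number: {number!r}")


def last_port(number: str, history=PORT_HISTORY) -> Optional[datetime]:
    """Most recent port date for a number, or None if it was never ported
    or has no record at all."""
    records = history.get(normalise_au(number), [])
    if not records:
        return None
    return max(r["ported_at"] for r in records)


@dataclass
class Transfer:
    account: str
    amount_aud: float
    sms_number: str       # number the bank would send the OTP to
    requested_at: datetime


def choose_verification(t: Transfer, history=PORT_HISTORY,
                        cooldown: timedelta = timedelta(days=7),
                        step_up_threshold_aud: float = 1000.0) -> dict:
    """Pick the verification channel for a transfer.

    'channel' is 'none' (below threshold), 'sms_otp', or 'out_of_band' when
    the destination number was ported less than `cooldown` ago: a freshly
    ported number is exactly what a fraudster holds, so the bank should
    confirm via a landline, branch or another enrolled channel instead.
    """
    if t.amount_aud < step_up_threshold_aud:
        return {"channel": "none", "reason": "below step-up threshold"}
    ported = last_port(t.sms_number, history)
    if ported is None:
        return {"channel": "sms_otp", "reason": "no port on record"}
    age = t.requested_at - ported
    if age < cooldown:  # also catches a port dated after the request
        return {"channel": "out_of_band",
                "reason": f"number ported {age.days} day(s) before request"}
    return {"channel": "sms_otp", "reason": f"last port {age.days} days ago"}


def demo(amount_aud: float = 45_000.0,
         now: datetime = datetime(2011, 11, 2, 10, 0, tzinfo=AEST)) -> dict:
    """Run the rule over the three sample numbers; returns number -> channel."""
    numbers = ("0400 000 001", "+61 400 000 002", "0400000003")
    return {n: choose_verification(Transfer("12-3456", amount_aud, n, now))["channel"]
            for n in numbers}


if __name__ == "__main__":
    for number, channel in demo().items():
        print(f"{number:>16} -> {channel}")
```

The rule is deliberately blunt: a recent port is rare for a legitimate customer and costs them one phone call to the fraud team, which is the call CommBank's fraud unit ended up making anyway. It covers only one takeover path, though. The carrier-side forward that xous describes is not a port and would not show up in a port database, and the spokesman's quoted concern about the database's "limitations" is about how reliable such a feed is; the check is only as good as the data behind it.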
  3. Re:Not Thieves by TheVelvetFlamebait · · Score: 5, Insightful

    Whoosh!

    Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  4. Re:Account security by LordLucless · · Score: 5, Insightful

    SMS is clearly not a good replacement for real Two-Factor authentication

    Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

    The fail at this point wasn't that the bank implemented security poorly - it's that the Telco did. They didn't even have one-factor authentication. They asked for two points of information - customer number and DOB - neither of which can reasonably be considered a secure secret. Even then, the Telco is following the process that it has been mandated to follow by the government - including the data that should be used to verify identity. If the government are going to mandate requirements for business processes, then they should either be damn sure what they're mandating is secure, or they should explicitly leave security implementation up to the business.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  5. Re:What's the point of this story? by bill_mcgonigle · · Score: 5, Interesting

    The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.

    Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. Re:What's the point of this story? by rtfa-troll · · Score: 5, Interesting

    no form of security is absolutely 100% perfect in every way..

    Right; but that's not something new. No bank vault has ever been 100% safe either. The difference is that the bank takes responsibility for that so they ensure that it's "good enough", whatever that means. If money gets stolen from the bank vault they don't say "oh that was money from your account; sorry". With electronic security, there's often a level where they blame the failure of their own security measures on "identity theft" and make it the customer's responsibility. Two factor authentication of this kind is fine for a transaction of a few thousand dollars; it's not enough for transactions of hundreds of thousands of dollars. For 45k AUD that's a judgement call.

    This case is not like most American and some European banks though; Commonwealth Bank discovered the problem itself, is paying off the cost of the transaction and, even so, warned their customer. When they take the responsibility for the losses then what systems to use or not use becomes their commercial judgement. They looked at an MNP security system and decided there was something wrong with it. Maybe they now change their mind, maybe not. That's exactly the right thing. Hopefully they can persuade Vodafone to at least send a text message warning customers that their number is being ported before they actually do it in future.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  7. Re:Victim never knew a thing? by srjh · · Score: 5, Funny

    As someone on Vodafone in Australia, this should immediately have started ringing alarm bells.

    No way they'd have the problems fixed in 24 hours.

  8. Re:Not Thieves by TheVelvetFlamebait · · Score: 5, Insightful

    Sorry to double post, but I wanted to add something extra (not that it contradicts your viewpoint in any way). All property is artificial. It's an abstraction of possession that's protected by law. Let's say that I have a banana, and you take the banana from me, with no previous arrangement made between us. I now no longer possess the banana, but you do. What is there in the natural world to say that I "own" the banana and not you? Clearly possession is not enough.

    Our laws define ownership. Without them, natural law would basically be along the lines of "It's yours until someone stronger takes it". People tend to place far too much importance on possession, not realising that what really underpins property is a complicated series of laws, without which property would hold no weight. It is but another reason why picking on intellectual property purely because it refers to something intangible is not really a valid concern (not that you do that, of course).

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.