Slashdot Mirror


Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com)

A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, the German newspaper Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.

50 comments

  1. It's not a problem with 2FA by Anonymous Coward · · Score: 0

    It's a problem with SMS as one of the factors.

    1. Re:It's not a problem with 2FA by omnichad · · Score: 1

      SMS isn't even one system. This is a problem with one specific transport.

    2. Re:It's not a problem with 2FA by omnichad · · Score: 1

      And if anything, this is a need to move away from SS7 - not SMS.

    3. Re:It's not a problem with 2FA by StayFrosty · · Score: 3, Interesting

      No, there is a need to move away from SMS in general. A properly-implemented time-based key CANNOT be intercepted over the wire.

      --
      "Frequently wrong, never in doubt."
    4. Re:It's not a problem with 2FA by Anonymous Coward · · Score: 0

      Good thing the latest in security, 2FA, is clean itself.

      Just like it's good that it's only hackers that can do all those evil things. Only hackers, those bogeymen of the cyberwebs.

    5. Re:It's not a problem with 2FA by EvilSS · · Score: 2

      SMS isn't even one system. This is a problem with one specific transport.

      This article is about one specific transport, but there are other issues with using SMS that make it unsuitable as a 2FA method. One big issue is that cellular providers are often all too happy to move service to a new device with weak (if any) authentication that the person moving the service is the legitimate owner of the account. This has been used to breach SMS 2FA in the past. This is, obviously, not an SMS flaw but a provider one, but it happens enough that it's creating an insecure situation.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    6. Re:It's not a problem with 2FA by omnichad · · Score: 1

      Social engineering hacks can compromise about any second factor you can come up with. Email is a definite bad choice. Google Authenticator pretty much requires a phone on you at all times (as does SMS, of course). And something like SecurID gets ridiculous when you have 20-30 web sites requiring 2FA.

    7. Re:It's not a problem with 2FA by Anonymous Coward · · Score: 0

      No, there's a need to move away from 2FA. It's too time consuming for me to look at my phone to enter a number. The only reason I do it anyway is to let whoever know exactly where I am when I do something. I have nothing to hide after all. /sarcasm

      I agree about the time based key. But we can't even get a small majority of places to use the various offline authenticator apps out there. Steam is a good one. They've known people want to use an offline method for 2FA but the only option given is to use SMS. Then they penalize you for not using it. (Can't sell on the community market without waiting a week per item unless you use 2FA SMS. I used to sell the extra cards I got during their sales on the community market, but ever since they mandated SMS, I've been forced out of it. The cards go bad after the sale ends, and without the SMS I'm prohibited from selling before that time.)

      About the only place I use that does support offline 2FA is Github. I just wish more people would allow using it.

    8. Re:It's not a problem with 2FA by sims+2 · · Score: 1

      IIRC apple and amazon support code based in addition to sms based.

      --
      Minimum threshold fixed. Thanks!
    9. Re:It's not a problem with 2FA by EvilSS · · Score: 2

      Social engineering hacks can compromise about any second factor you can come up with. Email is a definite bad choice. Google Authenticator pretty much requires a phone on you at all times (as does SMS, of course). And something like SecurID gets ridiculous when you have 20-30 web sites requiring 2FA.

      The problem with SMS is that once you compromise the phone, you get access to ALL of the SMS based 2FA accounts and password reset schemes. Most social engineering will get you one login, this gets you many. Plus it is usually harder to social engineer your way around a token based system as there usually isn't a 3rd party that can be compromised to get the required 2FA info. With a phone it's been done (numerous times) with just the person's name and basic public info, and what carrier they use, and some dumbass at a carrier store in BFE letting "you" switch devices.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    10. Re: It's not a problem with 2FA by buchanmilne · · Score: 1

      In South Africa, there have been a lot of cases of what is referred to here as 'SIM-swap fraud'. It seems that there are syndicates operating that have accomplices who have:
      - sufficient access to bank customer information for social engineering to re-set or change internet banking passwords and get the customers cell-phone number
      - access to perform a SIM-swap of the victim's number, so that they can approve actions such as adding beneficiaries, change transaction limits while also preventing customers from receiving notifications of activity on their account

      So securing SS7 is not the only step required to fix SMS as a 2nd factor.

      Here is a recent case of a customer losing about $20 000 this way: https://mybroadband.co.za/news...

      Google searches for "SIM-swap fraud" turn up reports from the UK and other European countries.

    11. Re: It's not a problem with 2FA by omnichad · · Score: 1

      Sure, but that can apply to any second factor that becomes popular. Even SecurID devices.

    12. Re: It's not a problem with 2FA by buchanmilne · · Score: 1

      Yes, software-based TOTP implementations on smartphone platforms could be vulnerable to malware, but if using TOTP-based dongles, you would need to steal the dongle and possibly also know the PIN that must be used with the time-based code.

    13. Re: It's not a problem with 2FA by omnichad · · Score: 1

      Or convince someone in customer service to issue a new one to a different address. It really does happen.

  2. problem with SMS based 2FA by XXongo · · Score: 1
    From the linked article:

    That allows the attacker to direct a target's text messages to another device, and, in the case of the bank accounts, steal any codes needed to login or greenlight money transfers (after the hackers obtained victim passwords).
    ... "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday...
    In the meantime, and maybe irrespective of whether SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS.

  3. Bug or feature? by oic0 · · Score: 2

    Just saying lol. If they get rid of this feature they'll have to add a new door in for all of our jerkwad governments.

  4. *yawn* by thegarbz · · Score: 1

    So someone would need to obtain:
    1. My login to my bank account
    2. My password to my bank account
    3. My phone number (this is the easy one).
    4. And work with a relatively sophisticated attack to spoof my device and obtain the 2FA token?

    How did these people get cleaned out? Were they the same kind of people who wrote their pin numbers on the back of their credit cards?

    1. Re:*yawn* by Minupla · · Score: 2

      I have no knowledge of the actual attack, but likely it was malware on their device. Probably whoever got the malware on the phone sold the information to a data broker. The attacker who had access to the SS7 system bought data that would allow them to leverage their access to make money.

      These things have gotten fairly sophisticated in the last few years. Not everyone is going to fall for every scam, but when you have 10 million targets, the law of big numbers kicks in.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    2. Re:*yawn* by DontBeAMoran · · Score: 1

      Hackers will never get my passwords. They're stored down in the cellar which has no lights and no stairs. At the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying "Beware of the leopard".

      --
      #DeleteFacebook
    3. Re: *yawn* by UnknowingFool · · Score: 1

      If I read it right, this flaw allows a person to route a SMS message intended for your phone to them. So if they have your login (which is your email normally), they can request a new password or authentication code to be sent via SMS to your (actually their) phone. They then reset your password and now have full access. Now if your bank uses an Authenticator type app then it is harder to compromise.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:*yawn* by thegarbz · · Score: 1

      but likely it was malware on their device.

      Then they didn't need to break SS7.

    5. Re:*yawn* by tlhIngan · · Score: 1

      So someone would need to obtain:
      1. My login to my bank account
      2. My password to my bank account
      3. My phone number (this is the easy one).
      4. And work with a relatively sophisticated attack to spoof my device and obtain the 2FA token?

      How did these people get cleaned out? Were they the same kind of people who wrote their pin numbers on the back of their credit cards?

      Well, there are many ways to obtain banking information. The Phish is a popular one and you can probably get a few accounts that way. I suppose if you had a list of phone numbers, you could hack SS7 and examine the texts for what a bank might send, which tells you what bank they use and the phone number, making for a really good phish.

      Then there's always the compromised device attack...

    6. Re: *yawn* by thegarbz · · Score: 1

      So if they have your login (which is your email normally)

      For a bank? Were the security people smoking weed at your local branch? I've never had a bank give me an email for a login. Hell, I've only once been able to choose my login.

      they can request a new password or authentication code to be sent via SMS

      Ditto to the above. My bank will not let me reset my password via any automated method. I can change my password, but can't even do that without 2FA. I can call them and follow through a string of security question which I have on occasion even failed myself.

      Honestly if this attack is happening as you described it's time the bank was put out of business.

    7. Re:*yawn* by rickb928 · · Score: 1

      At work I face this - attackers trying to social their way to banking info, either to change it or disclose it. We have strict and annoying protocols to authenticate callers, and an appreciable number of calls are found to be fraudulent.

      We never send out email resets, but we do use links. All that gets you is a shot at answering security questions, and then if you reset your password that way, your banking change is sent to a human being for them to call out and confirm. Not very efficient, but more secure, and after a successful change you can then do it online. Unless you forget your signon info again...

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    8. Re:*yawn* by Anonymous Coward · · Score: 0

      Well played sir!

    9. Re: *yawn* by Anonymous Coward · · Score: 0

      what weird bank do you have...? the login username isn't considered secret for the purposes of authentication, so what purpose is there to have the bank assign a username?

    10. Re:*yawn* by thegarbz · · Score: 1

      If you're phished the user there's no need to attack SS7. Just phish the challenge code from them too. This works just as well against RSA tokens.

  5. This is Google's Chance by omnichad · · Score: 1

    Just wait until Google says this is the excuse to move the entire legacy SMS system to RCS without delay. Though that still would require changing the transport too, because RCS can use SS7.

  6. Phone numbers are not 2 factor! by Anonymous Coward · · Score: 0

    Your phone is not a valid 2 factor endpoint. It is easy to MITM. There are many examples. Do not use email or phone as authenticated endpoints. They are not.

    1. Re:Phone numbers are not 2 factor! by DontBeAMoran · · Score: 1

      And what does the Massachusetts Institute of Technology Mormons have to do with it?

      --
      #DeleteFacebook
  7. Uhhh... Actually, no by bferrell · · Score: 1

    In order to take advantage of this "flaw" they have to connect to what is for all intents and purposes an isolated network... You have to get one of the Carriers or SS7 access providers to give you that access. It's not done casually.

    The "hack" is the equivalent of calling what Wells Fargo did (opening credit card accounts for people who hadn't signed up for them) a hack. The 2fa "hack" seems to have been carried out by someone with trusted access to the ss7 network.

    1. Re:Uhhh... Actually, no by Aaden42 · · Score: 1

      From TFA: "But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from."

      It would tend to suggest that SS7 access is not as closely guarded as one would hope. Likewise, IP routing packets are generally disallowed from consumer-level internet connections. Nonetheless, we've recently seen several times that bad actors in trusted positions still abuse that trust to advertise inappropriate routing.

    2. Re:Uhhh... Actually, no by bferrell · · Score: 1

      Altering advertised routing paths has nothing to do with access control lists at the perimeter... Which is how this is done.

      Every article I've been able to find on security testing of SS7 security has somewhere in it thanks to a carrier or access provider for allowing them to perform testing INSIDE the network. I've done this work for 30 years and the perimeter policy has always been "disallow unless specifically allowed from a specific pre-specified location. Period." In most instances I was involved in, IPSec tunnels were required as well.

      That 1000 Euros AND serious vetting WILL get you in... But they'll know who you are and where you are.

      This "flaw" is akin to Wells Fargo employees opening a credit card account in your name and saying you requested it. Yes, it is possible but improbable (I know Wells Fargo actually did do it).

  8. Known issue by fulldecent · · Score: 4, Informative

    This is already known, see DRAFT NIST Special Publication 800-63B Digital Identity Guidelines

    https://pages.nist.gov/800-63-...

    > Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.

    --
    I was raised on the command line, bitch

  9. "[T]he SS7 network poses a threat to all of us" by 93+Escort+Wagon · · Score: 1

    SS7 is going to KILL US ALL!

    Have a nice day.

    --
    #DeleteChrome
  10. And EBay is forcing users off token 2FA to SMS.... by grnbrg · · Score: 2

    WTF....

  11. Broken chain of trust by Anonymous Coward · · Score: 0

    The bank's security design assumes the phone network does what they ask.
    But these hackers seem to have no trouble getting it to do what they ask instead.

    Which says the bank does not actually have 2 factor authentication.

  12. Authenticate, Citizen! by Anonymous Coward · · Score: 0

    do you even know what many-tentacled horror SS7 is?

    What do you mean by "need to move away from" it, you one hundred percent managed piece of garbage? Why would those with access to it not use it to further their own interests? Are you going to stop them?

  13. Same old bullshit by Anonymous Coward · · Score: 0

    This is the same old bullshit that has been going on for months.
    SS7 is a signalling protocol, not a carrier (voice), run across a private network between telecoms.
    Every proof of concept has been done with a provider's access to their network. It cannot be accessed from outside a telco and you cannot get to the data path from the internet.

    And that it had anything to do with any banking attacks is bullshit, bullshit, and more bullshit.

    1. Re:Same old bullshit by rickb928 · · Score: 1

      SS7 is indeed intended for PSTN, and is possibly vulnerable to abuse where it is accessible via public networks. Better security in the gateways would help minimize these risks, but that inconveniences admin workers...

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  14. SMS is even worse from a Privacy POV by williamyf · · Score: 1

    SMS has never been confidential. It is not encrypted in any leg of the trip. It can be decoded from the airwaves with suitable hardware (I've seen said hardware operate first hand: 2 FPGAs, 4 DSPs, and two rugged laptops were needed in 2001; I guess nowadays a MacBook with AMD laptop graphics and an SDR will be enough ;-) ), can be altered via SS7 (as described in TFA), and can even be read easily by the operators of the telecom equipment, with no wizard level 100++ knowledge or special tools:

    An Example:
    In the SMSCs of Aldiscon/Logica/LogicaCMG/Acision (called Telepath), one can configure how many of the characters of the SMS to retain in the CDRs. Minimum/default 6, max 160 characters. From there, just use grep on the CDR files to get the text of all the SMSs of any user. When I found out from the head of VAS planning, I said that was unacceptable (I was the head of operations of VAS), but, given the cavalier approach to privacy there, I decided to let sleeping dogs lie...

    (the CDR also contains info like the CellID where the message was sent, but that is another story)

    I am certain that other SMSCs have similar "provisions".

    By the way, calling SS7/CS7 a "Mobile Data Backbone" is a misnomer at best, and embarrassing dumbness at worst. It is just out-of-band signaling for telecom equipment coordination. Superseded by SIGTRAN/SCTP/SS7-over-IP...

    --
    *** Suerte a todos y Feliz dia!
  15. do you even TOTP by Anonymous Coward · · Score: 0

    TOTP is simple, easy to implement, and effective. There are plenty of FOSS implementations.

  16. Lack of end to end encryption by WaffleMonster · · Score: 1

    Saying SS7 is vulnerable is like saying BGP is vulnerable. It's a fools errand to believe it is even possible to build a global, inclusive non-tyrannical network that is also globally trusted. The best you can hope for is a mostly functional network.

    On mobile it's effectively all plaintext all the time like it's 1993. Very disappointed POTS networks are still intact. We obviously don't have our shit together.

    1. Re:Lack of end to end encryption by sims+2 · · Score: 1

      I'm still impressed that it works at all.

      --
      Minimum threshold fixed. Thanks!
  17. Good security by Anonymous Coward · · Score: 0

    Good security requires every tel-co in the world to update their transport protocols at the same time, or at least, install protocol upgrade/downgrade translators as packets enter/exit their secured line. This collective laziness creates a "too big to jail" behemoth that citizens can't touch.

  18. wtf is a cell phone????? by Anonymous Coward · · Score: 0

    its MOBILE PHONE

    http://www.differencebetween.com/difference-between-cell-phone-and-vs-mobile/

    "It is true that the network is cellular but the phone is not, so the word cell phone is really a misnomer."

    typical americans have no idea....

    now to listen to them mispronounce Aluminium and Solder, and talk about a "World Series" whereby only they compete and no one in the actual world actually cares.

  19. This is Slashdot... by nuckfuts · · Score: 1

    Nobody cares about 2FA.

  20. Re:And EBay is forcing users off token 2FA to SMS. by AmiMoJo · · Score: 1

    The most stupid part is that I will never give eBay my phone number, so I'll simply stop using 2FA, and if my account gets hacked it will be eBay that pays the price.

    All anyone can do if they get into my account is buy stuff (refunded by credit card company, PayPal/seller eats the cost) or sell stuff (PayPal eats the cost).

    Their desire to get my phone number puts them at risk.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  21. email by DrYak · · Score: 1

    Do not use email or phone as authenticated endpoints.

    Well technically, with using correct End-To-End encryption, you could use any channel as 2FA.

    E-mail could be usable if correctly encrypted with a trusted openPGP key pair (or if you have a trusted S/MIME authority).
    But people won't bother fumbling around with PGP nor even getting Mailvelope to use with their webmail.

    SMS could also be used with a correctly authenticated OTR layer.
    But there are about two pieces of software in the whole universe using OTR-over-SMS (TextSecure. And there should be another one somewhere).
    So no serious enterprise is ever going to consider it.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  22. Well it was built with inherent trust by kilodelta · · Score: 1

    Because the Bell System never thought they'd have to let EVERYONE use SS7, the child of CCISS. They thought hey, we're connected to other Bell/AT&T resources so we don't have to include any security.