Slashdot Mirror
Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com)
A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper The Suddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
SMS isn't even one system. This is a problem with one specific transport.
And if anything, this is a need to move away from SS7 - not SMS.
That allows the attacker to direct a target's text messages to another device, and, in the case of the bank accounts, steal any codes needed to login or greenlight money transfers (after the hackers obtained victim passwords).
... "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday...
In the meantime, and maybe irrespective of whether SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS.
Just saying lol. If they get rid of this feature they'll have to add a new door in for all of our jerkwad governments.
No, there is a need to move away from SMS in general. A properly-implemented time-based key CANNOT be intercepted over the wire.
"Frequently wrong, never in doubt."
So someone would need to obtain:
1. My login to my bank account
2. My password to my bank account
3. My phone number (this is the easy one).
4. And work with a relatively sophisticated attack to spoof my device and obtain the 2FA token?
How did these people get cleaned out? Were they the same kind of people who wrote their pin numbers on the back of their credit cards?
Just wait until Google says this is the excuse to move the entire legacy SMS system to RCS without delay. Though that still would require changing the transport too, because RCS can use SS7.
In order to take advantage of this "flaw" they have to connect to what is for all intents and purposes an isolated network... You have get one of the Carriers or SS7 access providers to give you that access. It's not done casually.
The "hack" is the equivalent of calling what Wells Fargo did (opening credit card accounts for people who hadn't signed up for them) a hack. The 2fa "hack" seems to have been carried out by someone with trusted access to the ss7 network.
This is already known, see DRAFT NIST Special Publication 800-63B Digital Identity Guidelines
https://pages.nist.gov/800-63-...
> Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.
-- I was raised on the command line, bitch
SS7 is going to KILL US ALL!
Have a nice day.
#DeleteChrome
SMS isn't even one system. This is a problem with one specific transport.
This article is about one specific transport, but there are other issues with using SMS that makes it unsuitable as a 2FA method. One big issue is that cellular providers are often all to happy to move service to a new device with weak (if any) authentication that the person moving the service is the legitimate owner of the account. This has been used to breach SMS 2FA in the past. This is not, obviously, an SMS flaw but a provider one, but it happens enough that it's creating an insecure situation.
I browse on +1 so AC's need not respond, I won't see it.
And what does the Massachusetts Institute of Technology Mormons have to do with it?
#DeleteFacebook
Social engineering hacks can compromise about any second factor you can come up with. Email is a definite bad choice. Google Authenticator pretty much requires a phone on you at all times (as does SMS, of course). And something like SecurID gets ridiculous when you have 20-30 web sites requiring 2FA.
WTF....
SMS has never been confidential. Is not encripted in any leg of the trip. Can be decoded from the airwaves with suitable hardware (I've seen said hardware operate first hand, 2 FPGAs, 4 DSPs, and two rugged laptops were needed in 2001, I guess nowadays a macbook with AMD laptop graphics and a SDR will be enough ;-) ), can be altered via SS7 (as described in TFA), and even read easily by the operators of the telecom equipmentt, with no wizard level 100++ knowledge , or special tools:
An Example:
In the SMSCs of Aldiscon/Logica/LogicaCMG/Acision (callled Telepath), one can configure how many of the characters of the SMS to reatin in the CDRs. Minimum/Default 6, max 160 characters. from there, just use grep in the CDR files to get the text of all the SMSs of any user. When I found out from the head of VAS planning, I said that was unacceptable (I was the head of operations of VAS). but, given the cavalier approach to privacy there, I decided to let sleeping dogs lie...
(the CDR also contains info like the CellID where the message was sent, but that is another story)
I am certain that other SMSCs have similar "provisions".
By the way, calling SS7/CS7 "Mobile Data BackBone", is a misnomer at best, and embarrasing dumbness at worse. Is just out of band signaling for telecom equipment coordination. Superseeded by SIGTAN/SCTP/SS7OverIP...
*** Suerte a todos y Feliz dia!
Saying SS7 is vulnerable is like saying BGP is vulnerable. It's a fools errand to believe it is even possible to build a global, inclusive non-tyrannical network that is also globally trusted. The best you can hope for is a mostly functional network.
On mobile it's effectively all plaintext all the time like it's 1993. Very disappointed POTS networks are still intact. We obviously don't have our shit together.
IIRC apple and amazon support code based in addition to sms based.
Minimum threshold fixed. Thanks!
SS7 is indeed intended for PSTN, and is possibly vulnerable to abuse where it is accessible via public networks. Better security in the gateways would help minimze these risks, but that inconveniences admin workers...
deleting the extra space after periods so i can stay relevant, yeah.
Social engineering hacks can compromise about any second factor you can come up with. Email is a definite bad choice. Google Authenticator pretty much requires a phone on you at all times (as does SMS, of course). And something like SecurID gets ridiculous when you have 20-30 web sites requiring 2FA.
The problem with SMS is that once you compromise the phone, you get access to ALL of the SMS based 2FA accounts and password reset schemes. Most social engineering will get you one login, this gets you many. Plus it is usually harder to social engineer your way around a token based system as there usually isn't a 3rd party that can be compromised to get the required 2FA info. With a phone it's been done (numerous times) with just the person's name and basic public info, and what carrier they use, and some dumbass at a carrier store in BFE letting "you" switch devices.
I browse on +1 so AC's need not respond, I won't see it.
Nobody cares about 2FA.
Three most stupid part is that I will never give eBay my phone number, so I'll simply stop using 2FA, and if my account gets hacked it will be eBay that pays the price.
All anyone can do if they get into my account is buy stuff (refunded by credit card company, PayPal/seller eats the cost) or sell stuff (PayPal eats the cost).
Their desire to get my phone number puts them at risk.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Do not use email or phone as authenticated endpoints.
Well technically, with using correct End-To-End encryption, you could use any channel as 2FA.
E-mail could be usable if correctly encrypted with a trusted openPGP key pair (or if you have a trusted S/MIME authority).
But people won't bother fumbling arround with PGP nor even getting Mailveloppe to use with their webmail.
SMS could also be used with a correctly authetified OTR layer.
But there are about 2 software in the whole universe using OTR-over-SMS (TextSecure. And there should be another one somewhere).
So no serious enterprise is ever going to consider it.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Because the Bell System never thought they'd have to let EVERYONE use SS7., the child of CCISS. They thought hey, we're connected to other Bell/AT&T resources so we don't have to include any security.
In South Africa, there have been a lot of cases of what is referred to here as 'SIM-swap fraud'. It seems that there are syndicates operating that have accomplices who have:
- sufficient access to bank customer information for social engineering to re-set or change internet banking passwords and get the customers cell-phone number
- access to perform a SIM-swap of the victim's number, so that they can approve actions such as adding beneficiaries, change transaction limits while also preventing customers from receiving notifications of activity on their account
So securing SS7 is not the only stwp required to fix SMS as a 2nd factor.
Here is a recent case of a customer losing about $20 000 this way: https://mybroadband.co.za/news...
Google searches for "SIM-swap fraud" turn up reports from the UK and other European countries.
Sure, but that can apply to any second factor that becomes popular. Even SecurID devices.
Yes, software-based TOTP implementations on smartphone platforms could be vulnerable to malware, but if using TOTP-based dongles, you would need to steal the dongle and possibly also know the PIN that must be used with the time-based code.
Or convince someone in customer service to issue a new one to a different address. It really does happen.