Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com)
A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper The Suddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
Just saying lol. If they get rid of this feature they'll have to add a new door in for all of our jerkwad governments.
No, there is a need to move away from SMS in general. A properly-implemented time-based key CANNOT be intercepted over the wire.
"Frequently wrong, never in doubt."
This is already known, see DRAFT NIST Special Publication 800-63B Digital Identity Guidelines
https://pages.nist.gov/800-63-...
> Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.
-- I was raised on the command line, bitch
SMS isn't even one system. This is a problem with one specific transport.
This article is about one specific transport, but there are other issues with using SMS that make it unsuitable as a 2FA method. One big issue is that cellular providers are often all too happy to move service to a new device with weak (if any) authentication that the person moving the service is the legitimate owner of the account. This has been used to breach SMS 2FA in the past. This is not, obviously, an SMS flaw but a provider one, but it happens enough that it's creating an insecure situation.
I browse on +1 so AC's need not respond, I won't see it.
I have no knowledge of the actual attack, but likely it was malware on their device. Probably whoever got the malware on the phone sold the information to a data broker. The attacker who had access to the SS7 system bought data that would allow them to leverage their access to make money.
These things have gotten fairly sophisticated in the last few years. Not everyone is going to fall for every scam, but when you have 10 million targets, the law of big numbers kicks in.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
WTF....
Social engineering hacks can compromise about any second factor you can come up with. Email is a definite bad choice. Google Authenticator pretty much requires a phone on you at all times (as does SMS, of course). And something like SecurID gets ridiculous when you have 20-30 web sites requiring 2FA.
The problem with SMS is that once you compromise the phone, you get access to ALL of the SMS-based 2FA accounts and password reset schemes. Most social engineering will get you one login; this gets you many. Plus it is usually harder to social engineer your way around a token-based system as there usually isn't a 3rd party that can be compromised to get the required 2FA info. With a phone it's been done (numerous times) with just the person's name and basic public info, and what carrier they use, and some dumbass at a carrier store in BFE letting "you" switch devices.
I browse on +1 so AC's need not respond, I won't see it.