Slashdot Mirror


Criminals Are Tapping Into the Phone Network Backbone to Empty Bank Accounts (vice.com)

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself. From a report: This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank -- the UK's Metro Bank -- that fell victim to such an attack. The news highlights the gaping holes in the world's telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK's signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.

"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the NCSC told Motherboard in a statement. "Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests]," Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. "All of a sudden you have someone's text messages."

52 comments

  1. iMessage is not vulnerable to this by Anonymous Coward · · Score: 0

    This has been known for a long time, even NIST has deprecated SMS as a second factor. iMessage, though, is safe.

    1. Re:iMessage is not vulnerable to this by Anonymous Coward · · Score: 1

      Are you the same idiot who posted on the previous article that "apple was right to wait on 5g" without knowing what the fuck you're talking about in either case?

      You're eating Kendall's lunch again. The product is the same bullshit. Keep it inside kiddo. iMessage is in no way "safe" you fuckwit nor is it even possibly related to this article's topic. You're a moron. STFU.

    2. Re: iMessage is not vulnerable to this by Anonymous Coward · · Score: 0

      U mad bro? Have a 3 year old article about this, and note that iMessage does not use SS7 signaling unlike the other 3rd party ones mentioned in the article.

      https://www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/

      Who's the idiot now, BITCH!!!!!!

    3. Re: iMessage is not vulnerable to this by Anonymous Coward · · Score: 0

      You claimed iMessage was "safe" lol. Fucking moron. https://appleosophy.com/2019/01/30/iphone-spying-tool-uses-imessage-vulnerability-to-hack-users-devices/

      You have no idea what you're blathering about.

    4. Re: iMessage is not vulnerable to this by Anonymous Coward · · Score: 0

      The problem is there is no detail about how the hack works... Not sure how credible the news is but the issue is a concern.

  2. Why would telcos care? by Stormy+Dragon · · Score: 4, Interesting

    They're not personally being held responsible for the losses and they're not going to lose business to the other phone company for providing crappy service.

    1. Re:Why would telcos care? by Anonymous Coward · · Score: 1

      They really can't fight the standards. I don't think SMS has ever been encrypted at any point anyway. Banks should be able to circumvent this issue by requiring their clients to use authentication smart phone applications with end-to-end encryption, if separate authentication devices or one-time code pads don't make economic sense anymore.

    2. Re:Why would telcos care? by dgatwood · · Score: 1

      A cell phone is not a good second factor, period. All it takes is one security bug in the operating system, and boom, your authenticator app just got its private keys stolen, and now someone can impersonate you. Worse, with a little luck, the attackers get the passwords for all of your accounts at the same time.

      What we need is for all the banks to standardize on an NFC-based wallet card that lets you add new keys for additional bank accounts, but that is otherwise isolated from the public Internet except while you are adding accounts. It would have two buttons, one of which cycles between functions (NFC programming, Show code for Bank A, Show code for Bank B, etc.), and the other of which is a "Go" button. The codes would be used just like an authenticator app, but more secure because of the impracticality of stealing the keys and the complete physical isolation between the keys and their associated usernames and passwords.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
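As an added example (not code from the comment above or from any vendor), here is a Python model of the scheme it describes: a token that holds a separate TOTP key per bank, indexed only by a slot label, beside the bank-side check that tolerates one step of clock drift and rejects a reused code. The code algorithm is RFC 6238 TOTP (what authenticator apps use); the `IsolatedToken` and `BankVerifier` class names and their methods are hypothetical.

```python
import hmac
import hashlib
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(key, unix_time // step, digits)


class IsolatedToken:
    """Hypothetical model of the card: keys live only here, keyed by a slot label,
    never stored next to a username or password."""

    def __init__(self):
        self._slots = {}  # label -> key; the card exposes no key-export path

    def provision(self, label: str, key: bytes) -> None:
        # Only reachable in "NFC programming" mode in the described design.
        self._slots[label] = key

    def labels(self):
        # What the cycle button steps through: "Show code for Bank A", "Bank B", ...
        return list(self._slots)

    def show_code(self, label: str, unix_time: int) -> str:
        return totp(self._slots[label], unix_time)


class BankVerifier:
    """Hypothetical relying-party side: accepts +/-1 step of drift and refuses to
    redeem a time step that has already been used (replay protection)."""

    def __init__(self, key: bytes, step: int = 30):
        self.key, self.step = key, step
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in (now - 1, now, now + 1):
            if counter <= self.last_counter:
                continue  # that step was already redeemed: treat as replay
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo key (the RFC 6238 test-vector secret), not a real credential.
    demo_key = b"12345678901234567890"
    card = IsolatedToken()
    card.provision("Bank A", demo_key)
    bank_a = BankVerifier(demo_key)
    code = card.show_code("Bank A", 59)
    print(code, bank_a.verify(code, 59), bank_a.verify(code, 59))
```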

  3. And this is why.. by steveb3210 · · Score: 2, Insightful

    The fucking president of the United States shouldn't be using a fucking iPhone.

    1. Re:And this is why.. by CrimsonAvenger · · Score: 2

      The fucking president of the United States shouldn't be using a fucking iPhone.

      I take it you're one of the people who think that The Donald is using an off-the-shelf iPhone, instead of one that's been brought up to NSA standards? If so, I suspect you are...mistaken....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"

    2. Re:And this is why.. by steveb3210 · · Score: 3

      https://www.nytimes.com/2018/1...

      The last I checked, yes... What's your source?

    3. Re:And this is why.. by Anonymous Coward · · Score: 0

      Um, POTUS using an iPhone isn't going to risk the US Treasury being emptied. At most, the only bank account in danger of being emptied is his. So why exactly is this a reason that he shouldn't use an iPhone?

    4. Re:And this is why.. by Anonymous Coward · · Score: 0

      Are you seriously asking why the President of the US should not use an unsecured consumer phone for highly sensitive private business? Do you not understand that directly emptying a bank account is not the only use of this flaw?

      Fucking moron. Is today illiterate Republican faggot day on slashdot or is that everyday?

    5. Re:And this is why.. by gtall · · Score: 2

      C'mon, Trump use an NSA standard device? He'd think they were trying to listen in or poison him. He's using a bog standard iPhone and none of the federal intelligence agencies are stupid enough to trust him with anything valuable.

    6. Re:And this is why.. by Anonymous Coward · · Score: 0

      he shouldn't be fucking

      Stormy

    7. Re:And this is why.. by Anonymous Coward · · Score: 0

      What is with the homophobia from the left? I seriously don't get it.

  4. Another backdoor accessible only to the good guys? by Anonymous Coward · · Score: 5, Insightful

    So, was this supposed to be a backdoor accessible only to "the good guys"? And now the bad guys are using it?

    I'm shocked! Shocked, I tell you!

  5. Hey Crimson faggot, maybe learn to read by Anonymous Coward · · Score: 0

    Read before you pontificate, eh moron? https://www.washingtontimes.com/news/2018/oct/25/trumps-cellphone-misplaced-golf-cart-presidents-cl/

  6. NY Times? by Anonymous Coward · · Score: 0

    Really, you find the NY Times credible? They're the index case for Trump Derangement Syndrome.

    1. Re:NY Times? by Anonymous Coward · · Score: 2, Insightful

      Heh, except you're forced to say that about anything that isn't Faux News or retarded Breitbart lies, propaganda faggot traitor. Your head is so far up your ass you're eating yesterday's lunch backwards.

      * * *
      1. "In July 2010 the government said small businesses -- 60 percent -- will lose their health care, 45 percent of big business and a large percentage of individual health." Sean Hannity, Nov. 11, 2013 False
      * * *
      2. "And President Obama has offered to pay out of his own pocket for the museum of Muslim culture out of his own pocket, yet it's the Republican National Committee who's paying for this." Anna Kooiman, Oct. 5, 2013 https://bit.ly/2W1wHzv
      * * *
      3. Labor union president Andy Stern is "the most frequent visitor" at the White House. Glenn Beck, Dec. 3, 2009 False
      * * *
      4. "Far more children died last year drowning in their bathtubs than were killed accidentally by guns." Tucker Carlson, Aug. 9, 2014 Pants on Fire
      * * *
      5. White House Political Director Patrick Gaspard once served as the "right-hand man" for Bertha Lewis, who heads up ACORN. Steve Doocy, Sept. 29, 2009 False
      * * *
      6. "Look at the debt that has been accumulated in the last two years. It's more debt under this president than all those other presidents combined."
      Sarah Palin, May 31, 2011 False
      * * *
      7. "There is no good data showing secondhand smoke kills people." John Stossel, Dec. 4, 2014 False
      * * *
      8. "Democrats are poised now to cause this largest tax increase in U.S. history." Sarah Palin, Aug. 1, 2010 Pants on Fire
      * * *
      9. "The insurance industry is actually run by mostly Democrats." Dana Perino, Oct. 31, 2013 False
      * * *
      10. The Obama administration "manipulated deportation data to make it appear that the Border Patrol was deporting more illegal immigrants than the Bush administration." Lou Dobbs, July 1, 2014 False
      * * *
      11. Some doctors say Ebola can be transmitted through the air by "a sneeze or some cough." George Will, Oct. 19, 2014 False
      * * *
      12. Says the Texas State Board of Education is considering eliminating references to Christmas and the Constitution in textbooks. Gretchen Carlson, March 10, 2010 Pants on Fire
      * * *
      13. Because of President Barack Obama’s failure to "push job creation," the black unemployment rate in Ferguson, Mo., is three times higher than the white unemployment rate. Lou Dobbs, Aug. 19, 2014 False
      * * *
      14. When White House communications director Anita Dunn said that Mao Tse-tung was "one of her favorite philosophers, only Fox News picked that up."
      Bill O’Reilly, Oct. 23, 2009 False
      * * *
      15. "The president of the United States will be taking a trip over to India that is expected to cost the taxpayers $200 million a day." Michele Bachmann, Nov. 3, 2010 False (Note: Bachmann’s claim was made on CNN, not Fox News but Glenn Beck made a similar claim on Fox)
      * * *
      16. "We researched to find out if anybody on Fox News had ever said you're going to jail if you don't buy health insurance. Nobody's ever said it." Bill O’Reilly, Oct. 27, 2010 Pants on Fire
      * * *
      17. "If you make more than $250,000 a year you only really take home about $125,000." Steve Doocy, July 11, 2012 False
      * * *
      18. A Census Bureau worker says he was told to skew information to bring the unemployment rate down "as we headed into an election season." Elisabeth Hasselbeck, Nov. 19, 2013 False
      * * *
      19. "Health care mandate will require imprisonment and fines for Americans who can’t afford to purchase insurance or pay hefty government penalties." Patients First, Sept. 21, 2009 Mostly False (Note: Fox hosts have said closely similar statements because of our research into Bill O’Reilly’s Pants on Fire claim -- No. 16 -- that no one on Fox News ever said it.)
      * * *
      20. "And finally tonight, although it pains me to say this, Jon Stewart? Comedy Central? He was right. Now on his program last night, he mentioned that we had played some incorrect video on this program last we

    2. Re:NY Times? by Anonymous Coward · · Score: 0

      Really, you find the NY Times credible? They're the index case for Trump Derangement Syndrome.

      I concur.
      Although they're corporatist shills, even the New York Times can't avoid occasionally inadvertently documenting some of Trump's plethora of conflicts with reality.
      The man is clearly deranged.

    3. Re:NY Times? by gtall · · Score: 0

      Trump Derangement Syndrome: the ability to justify whatever idiot thing Trump did last as part of some greater "3-D chess" scheme when in fact it was merely the meanderings of a flaccid, over-the-hill mind.

    4. Re:NY Times? by steveb3210 · · Score: 3, Informative

      I find the NY Times credible, yes.

      For example, I often watch a lot of primary source material (watch the actual press briefing live) and when I read the account in the Times, it matches what I observed - this leads me to believe that they are engaging in real journalism.

  7. Re:Another backdoor accessible only to the good gu by Anonymous Coward · · Score: 0

    Well, it's easy enough to solve this problem... Force the phone companies to have to log every "active" device registration under the accounts' IDs on the SS7 and make it available to the customer to solve this problem.

    So, in real time and logged you can see every active monitoring/duplication/hacked mirror of the signals/events... Make it straightforward and *maybe* even require that the account is authenticated using the identity of the cellphone towers that the current phone is on, so in order to add a phone to a phone's SS7 event stream you'd have to actually be in the same tower ranges as the current phone...

    It's not like this isn't possible... Security is only as smart as those who implement it and work through the use cases.

  8. This is the problem: by QuietLagoon · · Score: 4, Informative

    ... intercepting SMS text messages used as 2-Factor Authentication (2FA), ...

    SMS should not be used for 2FA. Full stop.

    1. Re:This is the problem: by Obfuscant · · Score: 2

      SMS should not be used for 2FA. Full stop.

      SMS should not be both factors in 2FA. That's what the '2' means -- two DIFFERENT factors. The whole reason for 2FA is so that someone cannot spoof or intercept one of the two and get access to the resource.

    2. Re:This is the problem: by lgw · · Score: 4, Informative

      No. It's so weak that it doesn't count as 1 factor. This has been true for years. The first exploits in the wild of MitB + SMS hack happened years ago. Any organized crime group that can hack your browser can be assumed to also be hacking SMS.

      Plenty of other 2FA approaches actually work. Especially those that (gasp!) don't use a phone (a mobile sack of vulnerabilities).

      --
      Socialism: a lie told by totalitarians and believed by fools.

    3. Re:This is the problem: by Anonymous Coward · · Score: 5, Insightful

      It's so weak that it doesn't count as 1 factor.

      The reason it doesn't count as a factor is not because it is weak.
      In multi-factor authentication acceptable factors are:
      * something you have
      * something you are
      * something you know

      Text messaging is none of those. It's just a different authentication channel.

    4. Re:This is the problem: by sjames · · Score: 1

      That's the problem. Phishing gets the password, then SS7 shenanigans get the 2nd factor. It's happened often enough that it's time to find something better.

    5. Re:This is the problem: by Tony+Isaac · · Score: 1

      SMS counts as "something you know."

      When your bank sends you a security code via SMS, you "know" the security code. This, combined with your password, constitutes two factors.

      OR if the bank sends you an email with a link to reset your password, and they then send you a SMS with a code, you also have two factors: the emailed link containing a token, and the SMS code.

      Both of these methods are more secure than a user name and password alone.

  9. I feel like this question was preparing us... by aitikin · · Score: 1

    ...for the stories today: https://ask.slashdot.org/story...

    --
    "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve

  10. that's what happens when by Anonymous Coward · · Score: 0

    That's what happens when you're not using end-to-end encryption.

  11. Ex-NSA Employees by Anonymous Coward · · Score: 0

    Reuters has extensive content detailing the immorality of American security contractors in suppressing democracy and journalists in UAE.

    Chickens will come home to roost.

  12. Apple's Really Having a Bad Week by Anonymous Coward · · Score: 0

    First the FaceTime bug, now this. Is there *anything* they can't ruin?

  13. SMS is fucking stupid by Anonymous Coward · · Score: 0

    Do NOT fucking use SMS for 2FA. Institutions using SMS for 2FA are part of the problem and deserve what they get.

  14. That's not 2FA ... by Anonymous Coward · · Score: 0

    "We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)"

    Dammit, why do people still keep calling this stupid shit 2-factor authentication? It most assuredly isn't 2FA.

    All that really happens is you send a virtual "OK" button to another source, and all the user has to do is just say yes. That is at best a slight layer of security by obscurity, but at worst a complete farce.

    We've seen articles about how the telcos can be talked into handing over control of SIMs to attackers, who can then pretty much control all of the things you naively believe are 2FA.

    An Entrust token where you need to physically have the token, and enter the code (hopefully in addition to your own secret PIN) is 2FA. Because it involves a challenge of something only you should know.

    This shit gives banks the ability to say "well, you authorized it", and it gives companies like Facebook another number to correlate with you ... but it is not, and never has been 2-factor authentication.

    I've refused to use any of these terrible schemes, because usually I don't trust the asking party with my cell #, and because it doesn't add any security whatsoever.

    An SMS confirmation is meaningless in terms of real security. Companies act like it is, and people believe it, but it's simply not true.

    1. Re:That's not 2FA ... by Anonymous Coward · · Score: 0

      Initially acceptable factors in multi-factor authentication were something you have, something you are, something you know. But these idiots want to be creative and start adding shit to that and still call it multi-factor authentication.

      Shit like passcodes via secondary data channel (SMS), biometric properties or geo location. All of these can be easily exploited or faked.

      You can't make this shit up. Check the wikipedia article on multi factor authentication.

  15. Heh - co$t of living in N.Y. $tate beat 'em by Anonymous Coward · · Score: 0

    Heh - co$t of living in N.Y. $tate beat 'em between highest taxes (supporting welfare largely) & utilities (national grid) both being afaik highest there are (Perhaps California & their PGE may rival it).

    * Correct me IF I'm off/wrong OR you can show me charted data from a reputable source (it'd be appreciated)...

    APK

    P.S.=> Winter's KICKING MY ASS (no joke) & holding onto money? Might as well try hold onto air in your hand alone (can't wait for Spring - 9++ weeks tops - co$t$ go WAY down).. apk

  16. No significant $s in "Online Accounts" by BoRegardless · · Score: 1

    That is the only logical conclusion.

    The bastards who set up the online systems have only partially thought out security.

    1. Re:No significant $s in "Online Accounts" by Tony+Isaac · · Score: 1

      And where exactly on earth can you put money, that is not accessible online? Under your mattress?

      Security will always be an arms race. No one has "thought out" every last possible security loophole. Many haven't even been invented yet.

      Like safeguarding your house, you don't have to have an impenetrable fortress. You can't afford it. But you can make your house "just a little" more secure than the neighbors, encouraging a thief to go somewhere else.

      Online security is no different, and never will be.

  17. Comment removed by account_deleted · · Score: 0

    Comment removed based on user account deletion

  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Losses to fraud are small in practice by aberglas · · Score: 1

    For a bank to implement any system costs $100s millions. Let alone the annoyance to their customers.

    If they lose $1million to fraud then that is just a cost of doing business. And most money lost to fraud is eventually recovered.

    What we need is phones with more features. Like every time they visit a web site they execute code on that website that can potentially take over the phone. Wait...

  20. By design by Anonymous Coward · · Score: 0

    This is how it's supposed to work.

    Phones are not secure. Do not expect your phone to be private or secure.

    DO NOT BANK ON YOUR PHONE EVER!!!

  21. Incompetence by Anonymous Coward · · Score: 0

    Why all that effort just to break into empty bank accounts?

  22. bitcoin user not affected [nt] by themusicgod1 · · Score: 1

    nt

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.

  23. My bank security sucks by hoggoth · · Score: 1

    Why does my twitter account have better security than my BANK?! Bank of America only supports SMS authentication, and that is only to a long list of every phone number associated with my account. I cannot restrict it to just one phone number such as a Google Voice phone set up just for security. I asked a rep about Two-Factor-Authentication and she said "I never heard of that, what is it?"

    It is mind boggling. My money has less protection than my throw away forum accounts.

    Also, shout out to Vanguard, who has a "I FORGOT MY AUTHENTICATION DEVICE" link on the login page that allows me to skip using Google Authenticator if it's 'inconvenient'.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)

  24. Re:Another backdoor accessible only to the good gu by bickerdyke · · Score: 1

    No. This went like SMTP. "Only other telephone companies who are allowed to tweak settings and know what they are doing can connect to the signaling network anyway, so we don't need any security here" (Signaling protocols have been around since the first phone call wasn't routed by an operator on a switchboard but routed digitally)

    But then at one point every country was switching to digital call routing and now every small Lampukistanian telco is allowed to send routing commands that have world wide effects.

    But even that wasn't THAT bad....

    The shit really hit the fan when said Lampukistanian phone operator connected their internal (office) network to the Internet.

    --
    bickerdyke