Security Cellphones The Almighty Buck

Investigators Replicate Nokia 1100 Banking Hack

Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."
  • Re:Interesting (Score:1, Insightful)

    by Anonymous Coward on Thursday May 21, 2009 @03:45PM (#28044711)

    Outlawing the phones might not do much. As far as I can gather from the article, these 1100's work because their firmware is easily modifiable because it's stored on a reflashable ROM chip.

    It really wouldn't be too complicated to manufacture phones somewhere outside the EU that happen to have that feature. Whatever software steps are necessary for spoofing SIM cards clearly already exist---the only obstacle is appropriate hardware.

    When people are paying thousands of Euros for the vulnerable 1100's, I really don't see them balking at paying two hundred Euros for a phone specifically manufactured to allow SIM card spoofing---no matter how illegal it might be.

    Hell, manufacture them in a country where goods counterfeiting is already endemic, like China. It'd be a real trick to enforce a law banning phones capable of this kind of trick when they look externally like half a dozen various garden variety phones.

    I suspect this particular fun little loophole will require a technical solution---or a shift away from using SMS for sensitive data.

  • by Gary W. Longsine ( 124661 ) on Thursday May 21, 2009 @03:50PM (#28044791) Homepage Journal
    Correct. The real defect here isn't the phone, it's the system it's spoofing. This phone just makes it easier to construct the spoof.
  • by bugs2squash ( 1132591 ) on Thursday May 21, 2009 @03:52PM (#28044815)
    For implementing such a flawed banking transaction protocol.
    Don't bother replying, I know the answer is no-one.
  • by Bill, Shooter of Bul ( 629286 ) on Thursday May 21, 2009 @04:03PM (#28044999) Journal
    Depends on your definition of hard. If I were a criminal I'd be looking at an Openmoko, to see if you could hack that in a similar manner. The firmware is fully open [openmoko.org]
  • Re:Interesting (Score:5, Insightful)

    by e4g4 ( 533831 ) on Thursday May 21, 2009 @04:05PM (#28045025)

    I'm guessing it won't take long for these phones to be outlawed in the EU though.

    Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

  • by jimicus ( 737525 ) on Thursday May 21, 2009 @04:05PM (#28045029)

    A number of people in IT seem to believe that the only acceptable form of security - particularly as it relates to anything remotely important - is one which is not susceptible to any sort of attack, real or theoretical, until some time after the heat death of the universe.

    Banks don't. They know full well that there will always be a certain amount of fraud no matter what you do.

    Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix and also in terms of the risk of something going wrong when you come to deploy. Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.

    Rest assured that these people count cash all day long, they can certainly work out exactly how much such changes will cost.

  • by sexconker ( 1179573 ) on Thursday May 21, 2009 @04:11PM (#28045103)

    It's not the phone.
    A phone is nothing but a transceiver.

    It's the system we have for identifying phones, and the practice of letting people bank over it (or sending authentication pins for pc banking to phones).

    Using a phone number as a method of authentication is inherently flawed. The practice will continue, however, because the plebes want easy more than they want secure. After all, it'll never happen to them.

  • by cbrocious ( 764766 ) on Thursday May 21, 2009 @04:12PM (#28045111) Homepage
    That's the firmware for the application CPU, but I don't believe the GSM baseband chip's firmware is open.
  • Just one question: (Score:3, Insightful)

    by Hurricane78 ( 562437 ) <deleted@slas[ ]t.org ['hdo' in gap]> on Thursday May 21, 2009 @04:24PM (#28045247)

    What crazy bank sends *TANs to mobile phones in the first place?? Even this possibility would be a reason for me to terminate the contract.
    I really recommend chipcard based systems. I use a class 2 terminal, and HBCI. It's not only much more comfortable, it's also on a completely different level in terms of security.
    (In case you do not know how it works: Everything between the chipcard controller and the bank system basically only forwards encrypted packets. And if anything meddles with them, it detects this. You need the card, and a code of six numbers, and the server associates a user with that login. Every transaction that follows this, has to be accepted by the chipcard/terminal. The ones with keypads *and* displays are the most secure, because they show the details of the transaction *on* the terminal, and you have to say ok *with* that terminal. So the only open hole that I know of, is physical tinkering with the card and the terminal. Which still would be pretty hard, but not impossible. But if anyone can do this, I'm fucked anyway. ^^ [Oh, and of course, if you know of any problems with this system, I'm happy to hear them.])
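The property described in the comment above (each transaction must be accepted on the terminal, with its details shown on the terminal's own display) can be sketched as follows. This is an added example, not part of the original thread and not the HBCI protocol: it uses an HMAC over a shared key as a stand-in, and the `Terminal` and `Bank` classes, field names and account labels are all hypothetical.

```python
import hashlib, hmac, secrets

FIELDS = ("from", "to", "amount_cents", "currency")

def canonical(tx):
    # Fixed field order so terminal and bank MAC identical bytes.
    return "|".join(f"{f}={tx[f]}" for f in FIELDS).encode()

def mac(key, challenge, tx):
    return hmac.new(key, challenge + canonical(tx), hashlib.sha256).digest()

class Terminal:
    """Hypothetical card + keypad/display terminal; the key never leaves it."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin

    def approve(self, tx, challenge, pin, user_confirms):
        if not hmac.compare_digest(pin, self._pin):
            return None
        # Details are shown on the terminal's own display, not the PC's.
        if not user_confirms(canonical(tx).decode()):
            return None
        return mac(self._key, challenge, tx)

class Bank:
    def __init__(self, key):
        self._key, self._open = key, set()

    def new_challenge(self):
        c = secrets.token_bytes(16)
        self._open.add(c)
        return c

    def verify(self, tx, challenge, tag):
        if tag is None or challenge not in self._open:
            return False
        self._open.discard(challenge)  # single use: blocks replay
        return hmac.compare_digest(tag, mac(self._key, challenge, tx))

def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    bank, term = Bank(key), Terminal(key, "123456")
    tx = {"from": "DE-ALICE", "to": "DE-SHOP", "amount_cents": 4200, "currency": "EUR"}
    altered = dict(tx, to="DE-OTHER", amount_cents=990000)  # constructed
    yes = lambda shown: True
    c1 = bank.new_challenge()
    tag = term.approve(tx, c1, "123456", yes)
    ok, replay = bank.verify(tx, c1, tag), bank.verify(tx, c1, tag)
    c2 = bank.new_challenge()
    swapped = bank.verify(altered, c2, term.approve(tx, c2, "123456", yes))
    declined = term.approve(altered, bank.new_challenge(), "123456",
                            lambda shown: "to=DE-SHOP" in shown)
    return ok, replay, swapped, declined
```

Unlike a code that is valid on its own once delivered, the tag here only verifies for the exact transaction the user saw and confirmed, and only once.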

  • Re:Interesting (Score:4, Insightful)

    by codegen ( 103601 ) on Thursday May 21, 2009 @04:48PM (#28045539) Journal

    If all the carriers discontinued service to these models they would render them useless.

    I wasn't aware that the model of the phone was part of the GSM protocol. Even if it was, if you can program the phone to lie about the IMEI or IMSI, then you can program the phone to lie about the phone model to the provider.

  • by mea37 ( 1201159 ) on Thursday May 21, 2009 @05:18PM (#28045903)

    Cell phones don't use the phone number as a method of authentication. Cell phone users use the phone number as a method of identification (when they place a call or send a message to the number).

    The network "looks for" the identified phone so it can deliver the message. Rather, the network looks for a phone that has authenticated as a match for the phone number.

    The process by which the phone authenticates may well be flawed, but this has nothing to do with the end-user simplicity of "phone numbers"; the process is already decoupled from that simplicity as the phone # is not the information used to authenticate the phone on the network.

  • Re:i doubt it (Score:3, Insightful)

    by Achromatic1978 ( 916097 ) <robert&chromablue,net> on Thursday May 21, 2009 @05:20PM (#28045937)
    Not just any Nokia 1100. One made in a certain factory in a certain date range with a certain revision of the firmware. And how long before you sold such a phone before the police came knocking on your door, wanting that money back (I'm fairly sure that 'hackers wanting a phone for its ability to easily be hacked for online banking' are not actually giving you 25,000 of their own euro...)
  • Re:i doubt it (Score:4, Insightful)

    by Achromatic1978 ( 916097 ) <robert&chromablue,net> on Friday May 22, 2009 @01:44AM (#28049903)
    When receiving stolen property, the law looks at what a "reasonable" person would believe. A reasonable person would believe that someone selling on CL/eBay a Samsung 55" 1080p 120Hz LED TV [amazon.com] complete with packaging, receipt for warranty purposes for say $2,500 (from a selling price at Amazon of $3,199) was getting a good, but legitimate deal.

    A reasonable person, in the eyes of the law, would not believe if I came up to them at an outdoor cafe and said "Want a 55" LED TV for $300? Meet me in the parking lot in 5 minutes" that they were buying anything other than illegally obtained or acquired property.

    A reasonable person selling his Nokia 1100 (currently settling in the market for around $70) would assume that if they got, say an offer of $150, that the buyer might be an aficionado of old school cellular technology.

    A reasonable person selling his Nokia 1100 would not "ask no questions" about a bidding war on their phone which saw it run into the five digit territory. A reasonable person would also have doubts about such money, and the motivations of a buyer. Whilst under no obligation to investigate either, a reasonable person, in the eyes of the law, would have "concerns" about whether the payment they were about to receive was the proceeds of a crime, or similar.

  • by Anonymous Coward on Friday May 22, 2009 @03:37AM (#28050385)

    That encryption problem was with SIMs more than 5 years old now. All providers in Holland have been giving their users new SIMs since the old ones also weren't able to roam on UMTS and since the Dutch market is very competitive and most users change provider at least once every 4 years. The chance that someone is still using a compromised SIM is very small. With the new ones you do need physical access to bruteforce the key which is going to take a lot of time. Why not use the SIM already and just do the transactions?
