Scammers Work Around Two-Factor Authentication With Social Engineering 186
mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and work place details from his willing secretary. Armed with this data, they bluffed Vodafone which ported his phone number, meaning the criminals could verify the bank's two factor verification codes generated during their spending spree and the victim never knew a thing."
Victim never knew a thing? (Score:1, Interesting)
Including that his phone didn't work any more?
Was he traveling out of country or what? That must have been one fast shopping spree.
Re:The Blame Game (Score:5, Interesting)
It wouldn't make a significant difference even if they did.
There are thousands of examples of carriers being tricked into forwarding numbers by 3rd parties. I do it all the time for customers that port into us if something goes wrong with the porting process.
Often all I do is:
1. Identify myself as $MYNAME from $MYCOMPANY. (NOT $THEIRCLIENT)
2. State that I'm calling on behalf of $THEIRCLIENT.
3. Tell them that $THEIRCLIENT is in the process of moving to our services and need to forward the number temporarily.
4. Carrier asks for the forwarding number and it's generally done in 1-2 hours.
The only shred of validation that might happen is them checking my caller id. I've never needed an account number, billing contact name, authorization code, or anything. Just the phone number.
I've even offered to pay for the forward but been declined because I'm not $THEIRCLIENT. They were happy enough to charge the $THEIRCLIENT on my behalf.
Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.
Re:What's the point of this story? (Score:5, Interesting)
The point is that if you trust your cell phone to be a 2nd authentication factor for your banking, you've contracted out your security to [the dumbest customer service rep at] your mobile carrier.
Also, being broke is probably a pretty good strategy for avoiding these kinds of problems.
Re:What's the point of this story? (Score:5, Interesting)
no form of security is absolutely 100% perfect in every way..
Right; but that's not something new. No bank vault has ever been 100% safe either. The difference is that the bank takes responsibility for that so they ensure that it's "good enough", whatever that means. If money gets stolen from the bank vault they don't say "oh that was money from your account; sorry". With electronic security, there's often a level where they blame the failure of their own security measures on "identity theft" and make it the customer's responsibility. Two factor authentication of this kind is fine for a transaction of a few thousand dollars; It's not enough for transactions of hundreds of thousands of dollars. For 45k AUD that's a judgement call. `
This case is not like most American and some European banks though; Commonwealth Bank discovered the problem its self, is paying off the cost of the transaction and, even so, warned their customer. When they take the responsibility for the losses then what systems to use or not use become their commercial judgement. They looked at an MNP security system and decided there was something wrong with it. Maybe they now change their mind, maybe not. That's exactly the right thing. Hopefully they can persuade Vodafone to at least send a text message warning customers that their number is being ported before they actually do it in future.
Re:Account security (Score:5, Interesting)
Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.
It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.
You are confused. SMS to your mobile IS TWO FACTOR AUTH. just because it sucks doesn't make it not two factor auth. Besides when directly targetted there are very few good two factor auths that are practical that can't be defeated by a well targetted scam such as this. RSA/Vasco tokens can be stolen as can Smartcards or USB keys and when you are talking about scams in the amount of this article then the theft of a token isn't that much of a reach either. It isn't like it takes long to empty a bank account.
Re:The Blame Game (Score:2, Interesting)
Only because they are forced by the law to do what they did.
Banks can make things incredibly painful for people if they get hurt by fraud if they want to. One of my former bosses with a $20K AUD platinum card from an unnamed 3 letter Aussie bank had almost 19K swiped from it by card copiers a few years back. A lot of crap sent to Thailand, Russia, China and other places we couldn't prosecute. Basically he reported that he didn't make any of these transactions but the bank said they had to investigate. After a few days of being jerked around by the bank he called the Banking and Financial Services Ombudsman (BFSO) who could do little else but force the bank to give him a deadline for the investigation, they did, no more then six weeks.
So for six weeks, my former boss was $19K in debt with a 17% interest rate on that. 5 weeks and 6 days after the BFSO got involved the bank said they will refund the $19K, however they still sent him a bill for the interest as they had passed the 30 day interest free period on that card. Of course my boss fought this, and the bank dragged it out to over 2 months before finally reversing the debt.
So banks will help you if you're a victim of fraud, they'll even do it quickly if you're lucky or the case generates a lot of PR. But dont pretend banks are doing it out of the kindness of their heart. They _have_ to give your money back by law, but they dont have to do it kindly.
Re:What's the point of this story? (Score:5, Interesting)
Not True. The product is AFAIK, A Telstra product under which they use SMS to provide a "token" as an additional factor.
Given that there have been many confirmed examples of MNP ( Malicious Number Porting ) in Australia, this is known weak security. Under the circumstances, its entirely reasonable to assume that the Bank knew this was likely.
However I can't see them rushing out to address the issue in the near future. In fact, with some banks, it's impossible to turn off the ability to transfer out large sums of money. You can turn it off easy enough, but anyone who accesses the system can turn it back on by default by clicking a screen saying you agree to the risk. :(
All the major banks in Australia have this form of security. On the other hand, all the credit unions ( everyone except the "Big 4" Banks ) use VIP ( Verisign Identity Protection IIRC ) which can be downloaded to most smartphones and works as a soft-token.
Security in Australia, as with much of the world, is severely compromised by CEOs and CTOs who really don't understand it and as long as they can blame someone else, then due diligence is done.
GrpA
Re:What's the point of this story? (Score:4, Interesting)
1) no it's a hole in the auth, since they used a known weak method that relies on the security of the telco over which they have no control
2) the problem is how do they authenticate that it is the customer requesting the number porting?
Most likely they will ask some "security questions" over the phone which a good social engineer will know the answers to...
If doing it in person in a shop they just ask for a signature, which ofcourse is totally arbitrary and trivially easy to fake...
Even if the telco has strict policies, how is the actual number porting carried out? Usually it is based on carriers trusting each other not to submit rogue requests, so all it needs is one rogue or compromised carrier...
Banks don't keep money in bank vaults. (Score:5, Interesting)
I assume that's something you picked up from the movies. Any bank which stored a significant percentage of cash in a bank vault would be out of business pretty quick.
And the money in "your" bank account is the bank's money, not yours. You loaned it to them therefore it's their responsibility. If they happen to try to pass that responsibility back to you... Well, you'd have to be pretty dumb to sign that contract.
Your relationship with your bank is that of a creditor. The money is no longer yours, and the bank can pretty much do what it pleases with the money.
The responsibility for security lies with the bank.
HTH.
Re:Not Thieves (Score:4, Interesting)
That sounds consistent with larger numbers having larger values, but not so consistent with it being worthless either way. You're not being very convincing here.
OK, let's start being clear here. What I'm claiming you own is not the number itself (it's a number that probably occurs in many places), nor the physical bits that it's stored upon (they're owned by the bank), but you own being the subject of the bank's duty to pay a person money when you decide to lower that number. You claim that this is not ownership, merely some mechanics tied to a contract.
First of all, this duty is not worthless. The proof of this is to simply ask anybody on the planet to relinquish this duty to you, and ask them what they'll pay for it. For the vast majority of people, they won't accept any amount less than what is stored in there. This tells us that, to them, the duty of the banks to pay them money in exchange for lowering their balance is worth to them at least what the balance reads. This is literally the definition of subjective monetary value: how much a given person will trade for the object in question. So, we have at least proven that, while completely intangible, this duty is not worthless.
If you decide to define property in a way that excludes this duty, you may. Do not expect the courts, or anyone else, to agree with you on that point. You must remember that property, even of tangible objects, is an abstract, artificial concept that is enforced only by law. It is up to us to decide what to treat as property, and what not to treat as property, as well as what to call property and what not to call property. In this case, we have this duty, which has worth like property, is forbidden to be taken or otherwise abused like property, that can be bought, sold, and otherwise transferred like property. To me, to many others, and to the courts, this is sufficient to consider it property, as it shares all the core properties that make up the concept of property. Like I said, you're free to make exceptions, or impose further arbitrary restrictions to your personal concept of property, but if you want others to share your view, you need to be more convincing.
I wasn't claiming that copyrights should be protected. I was pointing out that so many on /. have decided that a potential to gain money should not be protected by law, specifically because they consider it not to be "real". I think that distinction is probably better placed at the feet of the people whose view I was attacking.
I'm with you so far. You, of course, realise that this makes any quibbles over what constitutes property utterly moot, right?
Well, I don't think it's nearly so clear that it's a net loss, in that we would be better with no copyright than with copyright as it is now, but yeah I agree shorter terms would be appropriate.