
Scammers Work Around Two-Factor Authentication With Social Engineering 186

Posted by Unknown Lamer
from the duh-you-need-three-factors dept.
mask.of.sanity writes "Thieves have made off with $45k after they intercepted a victim's two-factor online banking codes used to verify large transactions. The scammers got the Australian executive's mobile number from his daughter, and workplace details from his willing secretary. Armed with this data, they bluffed Vodafone, which ported his phone number, meaning the criminals could verify the bank's two-factor verification codes generated during their spending spree and the victim never knew a thing."


  • Account security (Score:5, Insightful)

    by Fjandr (66656) on Tuesday December 06, 2011 @12:21AM (#38276566) Homepage Journal

    This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.

    • by enoz (1181117) on Tuesday December 06, 2011 @12:55AM (#38276722)

      A Hardware Token (such as RSA Securid) would have prevented TFA's fraud. SMS is clearly not a good replacement for real Two-Factor authentication, though it is cheap for the banks to implement compared to other options.

      • by LordLucless (582312) on Tuesday December 06, 2011 @01:13AM (#38276788)

        SMS is clearly not a good replacement for real Two-Factor authentication

        Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

        The fail at this point wasn't that the bank implemented security poorly - it's that the Telco did. They didn't even have one-factor authentication. They asked for two points of information - customer number and DOB - neither of which can reasonably be considered a secure secret. Even then, the Telco is following the process that it has been mandated to follow by the government - including the data that should be used to verify identity. If the government are going to mandate requirements for business processes, then they should either be damn sure what they're mandating is secure, or they should explicitly leave security implementation up to the business.

        • by jamesh (87723) on Tuesday December 06, 2011 @01:42AM (#38276932)

          Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

          It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

          • Re:Account security (Score:5, Interesting)

            by bloodhawk (813939) on Tuesday December 06, 2011 @02:38AM (#38277160)

            Two-factor auth isn't a panacea. SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two. Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this.

            It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

            You are confused. SMS to your mobile IS TWO FACTOR AUTH. Just because it sucks doesn't make it not two factor auth. Besides, when directly targeted there are very few good two factor auths that are practical that can't be defeated by a well targeted scam such as this. RSA/Vasco tokens can be stolen, as can Smartcards or USB keys, and when you are talking about scams in the amount of this article then the theft of a token isn't that much of a reach either. It isn't like it takes long to empty a bank account.

            • by jamesh (87723)

              You are confused. SMS to your mobile IS TWO FACTOR AUTH

              You said "Password and mobile number is a reasonable choice. The fact that your mobile number is (apparently) so easily stolen doesn't negate this." I said "It sure does". I wasn't disputing that password+mobile number was two factor auth, I was disputing that it was a reasonable choice.

              I may be a bit out of date here but I thought that sniffing an SMS wasn't really that difficult for a sufficiently motivated criminal... but maybe it's sufficiently difficult with today's 3G networks? Last time I checked mo

          • It sure does. You might say it's the Telco's fault for allowing the service churn to happen, but this lack of security is widely known which makes the SMS as a second factor all but useless, and the banks are stupid for allowing it.

            Google promotes it as well - is it okay to call them stupid in this case, or do we still give them a pass?

        • SMS (or rather, mobile numbers) are real two-factor authentication - or, more accurately, they are a valid second factor. Something you know, something you have, something you are - pick any two.

          The phone number isn't something you have. It's something that anybody could have.

          • The same could be said about anything. The seed for your token generator isn't something you have - it's something anybody could have.

            • by Jeremi (14640)

              The seed for your token generator isn't something you have - it's something anybody could have.

              Err, how? (Besides physically stealing your token generator, I mean)

              • It all depends on the security of the authority that issued you your generator - much the same as your mobile number. If they hand out your generator seed willy-nilly - the way telcos appear to do for mobile number porting requests - you're just as vulnerable.

                The issue here isn't that the technology wasn't good enough, it's that the trusted authority shouldn't have been trusted.

              • by Sparr0 (451780)

                They could get the serial number off your token generator and compromise the token provider's database. I've replaced token generators with software token generators in the past to streamline helpdesk operations, we had a database full of the token keys. If that got compromised, it would be bad.

                • by ebyrob (165903)

                  I'm confused, are you saying the whole token system is poorly designed? The database should only contain the public key equivalents for the physical token generators. The private key equivalent data shouldn't exist anywhere outside the key-fob.

                  (It's like you're saying stealing the password file would give you remote access to a UNIX system, without further decryption/password guessing)

        • Something you know, something you have, something you are - pick any two.

          I thought it was something you forgot long ago, something you just had stolen, something you were before they beat the shit out of you and started cutting body parts off.

      • by iluvcapra (782887)

        Unfortunately zero banks in the US (or Australia) offer SecurID. PayPal does, but they don't really offer modern bank features, like bill pay or check/"cheque" writing, and the average bank wouldn't want to support such a thing, because there's no demand and it would intimidate customers -- irrationally, but so what? You'd need a bank reg.

        Stories like this make me want to put all my money in Bitcoins. I HATE the whole Bitcoin concept and think it's a crock, but with a Bitcoin at least I'm in charge of the s

        • by jamesh (87723)

          Unfortunately zero banks in the US (or Australia) offer SecurID

          I've had a token (not RSA but equivalent) for years for my bank account in Australia.

        • Re:Account security (Score:5, Informative)

          by tsotha (720379) on Tuesday December 06, 2011 @02:29AM (#38277124)
          Bank of America offers [bankofamerica.com] something they're calling a "Safepass Card", which looks suspiciously like SecurID to me.
          • by jjo (62046)
            I have a Safepass card. It's been some time since I got it, but I think it cost me about $20. Whenever I want to make an online payment to a previously-unknown payee, I need to enter the code from the hardware token. While it's true that the token could be stolen, thieves would have to intercept my username/password, then steal the token without my discovering the theft in time to notify the bank. Not impossible by any means, but probably difficult enough to induce the thieves to look for easier prey. I
        • by jonwil (467024)

          Both HSBC Australia and the Bendigo Bank offer hardware tokens.

        • by thegarbz (1787294)

          Erm, there are many banks that offer SecurID in Australia:
          Suncorp
          Westpac
          NAB
          ANZ
          Commonwealth Bank offer them to limited customers only.

          As for the US I think Citigroup uses them too.

          • by deniable (76198)
            My brother has one from Commonwealth. He spends a lot of time outside mobile coverage but with 'net access. (At least when the generator is running.)
      • by Bert64 (520050)

        Well, not RSA, some other form of token where the customer (in this case the bank) keys it themselves.
        The idea of buying a token that's already loaded with key material is an epic fail, as proven by RSA when they got owned a few months ago.

    • by mjwx (966435)

      This just goes to show that you should always have additional protections in place for protecting accounts (in this case, a mobile number) that can be used to control, secure, or otherwise materially modify other important accounts.

      I agree, but the average person does not unfortunately.

      The average person will view this as the bank trying to get in the way of them and their money. In Australia there will be huge sensationalised reports about the EVIL BANKS stealing from hard working Aussie battlers and keeping all that dastardly profit for themselves, whereas in reality the new security measures cost more to implement, but the real problem is Bazza from Frankston is too dumb and lazy to learn how to keep his cash secure.

      So the sy

      • by Fjandr (66656)

        Given how much is being linked to a cellular number, I actually would support making number portability more difficult (in that securing a process almost always makes that process more difficult/complex).

        Unfortunately, politicians seem to swing from one extreme to another with little in between, so any regulations mandating increased security are likely to either be completely ineffective or much more inconvenient than necessary.

        Something like SIM registration seems like it would go a long way toward combat

        • by mjwx (966435)

          Given how much is being linked to a cellular number, I actually would support making number portability more difficult (in that securing a process almost always makes that process more difficult/complex).

          Something like SIM registration seems like it would go a long way toward combating this sort of hijacking, and should be relatively easy to implement.

          We've got the same problem as with the banks. After banks and speed cameras, telcos are the favourite targets of the sensationalist bollocks brigade.

          Any move to make it more secure will be met with scorn and venom from anyone who doesn't want to understand why it's happening. Right between signing up for the Vodafail page and complaining about how bad their telco is.

      • by jonwil (467024)

        Considering my mobile number was previously registered with Vodafone in my mum's name (at the time I signed up, I didn't have enough credit history to get a postpaid plan in my own name) and I was recently able to switch it from Vodafone to TPG Mobile without either entity seeing any kind of actual ID (and I don't remember providing ID when I first signed up to TPG for ADSL either), I doubt that there are as many requirements on getting a SIM card as there should be.

  • Not Thieves (Score:4, Funny)

    by Anonymous Coward on Tuesday December 06, 2011 @12:25AM (#38276584)

    They didn't steal anything real.

    I don't believe in imaginary property.

    • by CohibaVancouver (864662) on Tuesday December 06, 2011 @12:27AM (#38276596)

      I don't believe in imaginary property.

      Please send me all your money, via wire transfer. Thank you.

      • Re:Not Thieves (Score:5, Insightful)

        by TheVelvetFlamebait (986083) on Tuesday December 06, 2011 @12:45AM (#38276666) Journal

        Whoosh!

        Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible. The GP is taking a dig at people who subscribe to this view.

        • Money stored electronically at the bank is one of the classic counterexamples to the belief that all property is (or should be) tangible

          You mean the kind that gets inflated away to worthlessness?

          • by Calos (2281322)

            Yeah, the same as the little slips of paper-cotton blend and the hunks of worthless metal that represent their physical counterparts.

          • Yes indeed, the kind that has never once inflated away to worthlessness.

            But, if you disagree, I'd be happy to trade my 12 year old car for, oh let's say, 100,000 of those worthless, electronically-stored dollars? Think about it; you give me some worthless, replicable data, and I give you something that will give you at least a year's worth of transport. It's a positive bargain!

  • by Anonymous Coward on Tuesday December 06, 2011 @12:34AM (#38276630)

    Magically hacking everything is so much more interesting.

  • The Blame Game (Score:5, Informative)

    by enoz (1181117) on Tuesday December 06, 2011 @12:38AM (#38276642)

    So the banks say it's not their problem, it's the fault of mobile operators for making numbers portable. Yet the banks were offered access to the national mobile database so they could check if a number was recently ported, but declined to use the information. Meanwhile the fraudsters are getting away with their winnings...

    • Re:The Blame Game (Score:5, Interesting)

      by xous (1009057) on Tuesday December 06, 2011 @12:52AM (#38276708) Homepage

      It wouldn't make a significant difference even if they did.

      There are thousands of examples of carriers being tricked into forwarding numbers by 3rd parties. I do it all the time for customers that port into us if something goes wrong with the porting process.

      Often all I do is:
      1. Identify myself as $MYNAME from $MYCOMPANY. (NOT $THEIRCLIENT)
      2. State that I'm calling on behalf of $THEIRCLIENT.
      3. Tell them that $THEIRCLIENT is in the process of moving to our services and need to forward the number temporarily.
      4. Carrier asks for the forwarding number and it's generally done in 1-2 hours.

      The only shred of validation that might happen is them checking my caller id. I've never needed an account number, billing contact name, authorization code, or anything. Just the phone number.

      I've even offered to pay for the forward but been declined because I'm not $THEIRCLIENT. They were happy enough to charge the $THEIRCLIENT on my behalf.

      Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

      • by enoz (1181117)

        But the point is banks could have access to see if a number was recently ported. If they detected a number was ported they could take further action or require additional authentication. The banks choose not to use this information, and customers are defrauded.

        • by deniable (76198)
          Most likely because there are more legitimate ports than not. You port your number and the bank shuts you out. Happy customers then storm the local branch.
      • Phones/SMS/etc will never be a reliable way to verify an account holder because it really can be anyone on the other end.

        That's true with ANY kind of authentication, except for some kind of mythical, perfect, no-side-channel-attacks biometrics.

      • by Bert64 (520050)

        You bring up an interesting point, a lot of companies including banks will call you up to discuss various things...
        They often block their caller id, so the call comes up as anonymous...

        When you answer, the company expects *you* to authenticate yourself to them and will often refuse to authenticate themselves to you... I even had someone use the line "well we're a big company" on me this week... How do I know that? Anyone could call up and say the same thing...

      • by deniable (76198)
        Does that forward SMS? I've only ever seen calls forwarded.
    • by Z00L00K (682162)

      This is one reason for me to not trust security solutions using mobile phones.

      And if the target has a smartphone it's theoretically possible to intercept text messages and forward them to the perpetrator keeping the victim completely unaware of the attack.

      One thing that perpetrators also can use is Over-the-air programming [wikipedia.org] to reconfigure the phone, and as an end user you can't tell if it is your legitimate operator that wants to reconfigure your phone or someone else.

    • Re:The Blame Game (Score:5, Informative)

      by rtfa-troll (1340807) on Tuesday December 06, 2011 @01:45AM (#38276946)

      So the banks say it's not their problem,

      No they didn't. They paid up fully and automatically. First they blocked his account:

      The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

      Then they sorted everything out and paid for everything automatically.

      Craig is satisfied that CommBank has done everything it can to resolve his specific matter, and he applauded the work of the bank's fraud squad.

      They had even been part of a group which had investigated the MNP security fixes available but decided not to implement them because of security problems.

      “We explored the Mobile Number Portability Database and decided not to progress the solution at the time due to limitations which we believed may have exposed our customers to undue risk," the spokesman said.

      I hate banks in general as much as the next man in the times of this crisis induced by some of them, but let's at least blame them for the evil things that they really have done. This is not one of them.

      • Re: (Score:2, Interesting)

        by mjwx (966435)

        I hate banks in general as much as the next man in the times of this crisis induced by some of them, but let's at least blame them for the evil things that they really have done. This is not one of them.

        Only because they are forced by the law to do what they did.

        Banks can make things incredibly painful for people if they get hurt by fraud if they want to. One of my former bosses with a $20K AUD platinum card from an unnamed 3 letter Aussie bank had almost 19K swiped from it by card copiers a few years ba

        • by Bert64 (520050)

          In the UK, a card issuer is required to immediately credit the money back to you and then carry out their investigation... I imagine this is specifically so interest charges don't rack up in the interim. That way the customer doesn't have to care how long it takes.

    • by drinkypoo (153816)

      Regardless, you sue everyone, because EVERYONE is at fault. And then we all lose in the long run, since they pass the costs on to their other customers.

  • CBA Security is ok. (Score:4, Informative)

    by Whiteox (919863) <htcstech@gmai l . c om> on Tuesday December 06, 2011 @01:19AM (#38276816) Journal

    To operate with that bank on-line, you need an Internet acc number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then, is the SMS verification code needed. He must have been very slack to have made all that info available to the scammers.
    Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

    • by mjwx (966435)

      To operate with that bank on-line, you need an Internet acc number (which is different to a normal account number), and at least a password. Additional secret question knowledge is required for 2 answers to set up a new transfer. Then, and only then, is the SMS verification code needed. He must have been very slack to have made all that info available to the scammers.
      Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

      I've had United Community shut down my card because it was used in a Thai ATM. Thailand is not an unusual destination for Australians (for those in other nations playing along). I rang them at my expense (OK, about A$0.5 a minute, but still) and they said they would not unlock the card even though I could verify I was in Thailand and still in possession of the card. For the rest of that trip I had to go into bank branches to withdraw money, with passport and all.

      As a side effect, I learned there is a ni

    • by xaxa (988988)

      Congrats to the bank to have picked it up. It's not the $45000 'raising a red flag' either. Once they rang me for confirmation because I sent a donation to a German software foundation - it was only $20.

      They have lots of ways the red flag is raised.

      I forgot to get cash one weekend, and there isn't a convenient cash point between home and work. I bought lunch at work, for about £1.80, on a credit card, three days in a row. Then I paid the local council over the phone for some evening classes for a year in advance -- £240. That was blocked.

      I've told them I travel frequently within Europe. These transactions aren't blocked, but apparently it helps if I pay for the transport with the same card.

  • This wasn't a failure of "two-factor authentication"; this was a failure of the bank to actually require two factors. It seems that the bank was relying on one of the two factors to be a "something you have" factor, which was the client's mobile phone, when in reality it was just another "something you know" factor. The "something you know" being just the phone number itself.

    • by blacklint (985235)

      No, the scammers convinced the victim's phone company to transfer the number to a different account. Meaning they then had control of the second factor.

      • No, the scammers convinced the victim's phone company to transfer the number to a different account. Meaning they then had control of the second factor.

        I'd argue that an account doesn't satisfy the intent of the "something you have" part of 2 factor authentication. "Something you have" seems like it should be something physical, not a non-physical entity such as a phone account. If it could be tied to the physical cell phone via hardware ID it could work.

      • by MikeyO (99577)

        what was the second factor then? Something you know and... ____ what?

  • The first factor (Score:5, Insightful)

    by wvmarle (1070040) on Tuesday December 06, 2011 @02:07AM (#38277042)

    Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.

    The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.

    Anyway it is the classic story of when something goes wrong, it's usually not a single issue that went wrong. It's almost always an array of factors that have to come together "just right" to make it work. While it may be a good idea to review the security of the SMS as second factor, one should also look at how the criminals got their hands on the first factor and the rest of the information.

    • The solution for SMS as my bank implements it, is that SMS is never sent to a forwarded number. That's arranged between the bank and the carriers or so, I don't know the technical details, but SMS is sent only to the original number. That's already a safeguard against arranging numbers to be forwarded, which other commenters note is quite easy to accomplish.

      This isn't the same as number porting. Porting is rerouting a number to a different SIM card, effectively permanently changing the network operator for a particular number. Many customers will have this on their number, so if you stop it then you won't be able to use SMS for possibly a majority of users.

      • by wvmarle (1070040)

        Indeed. Later I read the article, and found out the number had actually been ported to a completely different network.

        How that is possible without putting down a signature and showing an ID document (if only at the receiving network!) I really cannot understand. And I would think that this is a problem that goes much further than just allowing attackers to intercept banking details.

        And besides, if they get the old network to give up the number, it has to go somewhere: attacker must have registered an accou

        • by Bert64 (520050)

          This is exactly what they do...

          When I ported my number a few years ago, I had to:

          Show proof of address in the form of a utility bill (anyone can print a fake one of these)
          Make a random mark on a piece of paper with a pen, a "signature", anyone can fake this even easier

          and that was that, porting process started.

    • Everyone is focusing on just the (in)security of the second factor, the telephone number, but what's missing from this story is that the scammers obviously also got their hands on much more information from this person first: they knew his bank login details (account name, password), and they knew his daughter's identity and managed to contact her.

      Commonwealth Bank for first time external transfers not only requires the traditional two factor authentication but also requires you to answer two secret questions. These are normally stock questions like the name of your pet, your mother's maiden name, etc.

      To pull this off they likely knew quite a damn lot about him.

      The downside to the bank in question is that all you need to raise your daily transfer limit is the SMS code, no additional questions.

    • I can't wait for everyone to use apps like Google Authenticator to set up two-factor authentication. SMS is a hack, and it is better than not having two-factor authentication at all. However, an app that resides on the phone would require access to the actual phone itself and can't be stolen using remote means (that I can think of). LastPass is the only third-party app I can think of that uses GA for added protection, but hopefully banks will work with Google to set this up for their websites as well.

      • by wvmarle (1070040)

        If this "authenticator" is an app running on your phone, then it is limited to people with a phone capable of running that. So that must be a smartphone for starters. And running a supported OS. I don't know the numbers but I wouldn't be surprised if in most countries that's still a minority. Otoh virtually everyone has a mobile phone, and all of them can receive SMS.

  • by mwvdlee (775178) on Tuesday December 06, 2011 @02:59AM (#38277288) Homepage

    The 20-20 hindsight is strong in this one.

  • Number portability should be for moving between providers while retaining the same number (to save having to give the new number to all contacts).

    When I have moved a number to a new (PAYG) handset (keeping the same provider), the process required me to quote the IMEI of both handsets as well as answering security questions. For a contract phone (which one would assume is what a business owner would have), surely the only time the number should need moving a new handset is when the handset is changed as part

    • by Bert64 (520050)

      That's down to the network...
      For any GSM based network with sim cards, moving to a new handset is as simple as swapping the sim.

      Moving the number is completely separate, they ported the number to a completely different provider.

  • by petes_PoV (912422) on Tuesday December 06, 2011 @03:53AM (#38277486)

    they intercepted a victim's two factor online banking codes

    Surely the victim here was the bank. They are the ones who gave away money to people who weren't entitled to it. They were the ones who allowed a weak form of authentication to be accepted. They are the ones who will bear the eventual loss.

    The person whose account was used did nothing wrong. He didn't disclose any confidential information and (from what I've read) complied with the terms of his account.

    We need to get away from defining the victims of these crimes as being the person whose name is on the account that was used - the account that the bank wrongly withdrew money from and gave away to the scammers. Unless we start identifying the true victims as being the financial institutions who we entrust with our money, yet have weak and inappropriate security measures, the time will come when they shift the expectation and liability, so that the customer will bear the loss for something that is neither their fault nor within their control.

  • People are quite outraged since this turns out to be default, even for non-customers of the bank in question, but this is how a Dutch bank solved this: If you change provider, SIM card or phone number, you can't use your phone for tokens for at least 48 hours. All telco companies send *all* their changes to that bank, so they can compare it against their records of customers' phone numbers. It's a gross invasion of privacy, but it does work against this form of weakness in this form of 2 factor authenticatio
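Three comments in this thread describe the same control from the bank's side: enoz notes that banks were offered the national mobile database to see whether a number was recently ported, wvmarle's bank refuses to send SMS to a forwarded number, and the Dutch bank above blocks the phone as a token for 48 hours after any provider, SIM or number change. The example below is added for this page and is not any bank's or telco's code. It assumes a constructed notification feed of `timestamp,msisdn,kind` lines (the event names, the 48-hour hold, the high-value threshold and the phone numbers are all this example's own) and shows the decision a transfer-authorization service would make with that data: SMS is only used as the second factor when the number has had no recent identity change, and a recent change forces a channel the attacker does not control, which in the article's case was the landline callback the fraud team used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hold period assumed here, matching the 48-hour wait described in the thread.
COOLDOWN = timedelta(hours=48)

# Change types the policy cares about (names are this example's own, not a real feed schema).
EVENT_KINDS = {"port_out", "sim_change", "number_change", "call_forward"}


@dataclass(frozen=True)
class NumberEvent:
    msisdn: str
    kind: str
    at: datetime


def parse_feed(lines):
    """Parse constructed notification lines of the form 'timestamp,msisdn,kind'."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, msisdn, kind = (part.strip() for part in line.split(","))
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind: {kind}")
        at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(NumberEvent(msisdn, kind, at))
    return events


def sms_factor_status(msisdn, events, now, cooldown=COOLDOWN):
    """Return ("ok", None) when SMS may carry an OTP for this number, otherwise
    ("blocked", reason). Future-dated events (feed clock skew) are ignored."""
    recent = [e for e in events
              if e.msisdn == msisdn and now - cooldown <= e.at <= now]
    if not recent:
        return "ok", None
    latest = max(recent, key=lambda e: e.at)
    hours = (now - latest.at).total_seconds() / 3600
    return "blocked", f"{latest.kind} {hours:.1f}h ago"


def authorize_transfer(msisdn, amount, events, now, high_value=10_000):
    """Pick the verification channel for a transfer. SMS only when the number has
    no recent identity change; otherwise fall back to a channel the attacker does
    not control, with a human in the loop for large amounts."""
    status, _reason = sms_factor_status(msisdn, events, now)
    if status == "ok":
        return "sms_otp"
    if amount >= high_value:
        return "callback_or_branch"
    return "hardware_token_or_wait"


# Constructed sample feed; numbers and times are made up for the example.
SAMPLE_FEED = """\
# timestamp,msisdn,kind
2011-12-05T20:00:00Z,+61400000001,port_out
2011-12-01T09:30:00Z,+61400000002,sim_change
2011-12-05T23:00:00Z,+61400000003,call_forward
2011-12-07T00:00:00Z,+61400000004,number_change
"""
NOW = datetime(2011, 12, 6, 0, 0, tzinfo=timezone.utc)
EVENTS = parse_feed(SAMPLE_FEED.splitlines())

if __name__ == "__main__":
    for number, amount in [("+61400000001", 45_000), ("+61400000002", 45_000),
                           ("+61400000003", 500), ("+61400000004", 500)]:
        print(number, amount, sms_factor_status(number, EVENTS, NOW),
              authorize_transfer(number, amount, EVENTS, NOW))
```

The fourth sample number carries an event dated after `NOW`; it is deliberately ignored rather than treated as a block, since a feed with bad clocks would otherwise lock out legitimate customers, which is the complaint deniable raises about port checks in this thread. The 48-hour hold is a delay, not a proof: the number in the first row still belongs to whoever holds it after the hold expires, so the policy has to be paired with a notification to the customer over another channel.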
