Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Communications

Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com) 50

A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper The Suddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
This discussion has been archived. No new comments can be posted.

Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA

Comments Filter:
  • by oic0 ( 1864384 ) on Thursday May 04, 2017 @03:11PM (#54356705)
    Just saying lol. If they get rid of this feature they'll have to add a new door in for all of our jerkwad governments.
  • So someone would need to obtain:
    1. My login to my bank account
    2. My password to my bank account
    3. My phone number (this is the easy one).
    4. And work with a relatively sophisticated attack to spoof my device and obtain the 2FA token?

    How did these people get cleaned out? Were they the same kind of people who wrote their pin numbers on the back of their credit cards?

    • by Minupla ( 62455 )

      I have no knowledge of the actual attack, but likely it was malware on their device. Probably whomever go the malware sold the information on the phone sold the info to a data broker. The attacker who had access to the SS7 system bought data that would allow them to leverage their access to make money.

      These things have gotten fairly sophisticated in the last few years. Not everyone is going to fall for every scam, but when you have 10 million targets, the law of big numbers kicks in.

      Min

    • Hackers will never get my passwords. They're stored down in the cellar which has no lights and no stairs. At the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying "Beware of the leopard".

    • If I read it right, this flaw allows a person to route a SMS message intended for your phone to them. So if they have your login (which is your email normally), they can request a new password or authentication code to be sent via SMS to your (actually their) phone. They then reset your password and now have full access. Now if your bank uses an Authenticator type app then it is harder to compromise.
      • So if they have your login (which is your email normally)

        For a bank? Were the security people smoking weed at your local branch? I've never had a bank give me an email for a login. Hell I've only once been able to chose my login.

        they can request a new password or authentication code to be sent via SMS

        Ditto to the above. My bank will not let me reset my password via any automated method. I can change my password, but can't even do that without 2FA. I can call them and follow through a string of security question which I have on occasion even failed myself.

        Honestly if this attack is happening as you described it's time the bank was put

    • by tlhIngan ( 30335 )

      So someone would need to obtain:
      1. My login to my bank account
      2. My password to my bank account
      3. My phone number (this is the easy one).
      4. And work with a relatively sophisticated attack to spoof my device and obtain the 2FA token?

      How did these people get cleaned out? Were they the same kind of people who wrote their pin numbers on the back of their credit cards?

      Well, there are many ways to obtain banking information. The Phish is a popular one and you can probably get a few accounts that way. I suppose if

      • At work I face this - attackers trying to social their way to banking info, either to change it or disclose it. We have strict and annoying protocols to authenticate callers, and an appreciable number of calls are found to be fraudulent.

        We never send out email resets, but we do use links. All that gets you is a shot at answering security questions, and then if you reset your password that way, your banking change is sent to a human being for them to call out and confirm. Not very efficient, but more secure,

      • If you're phished the user there's no need to attack SS7. Just phish the challenge code from them too. This works just as well against RSA tokens.

  • Just wait until Google says this is the excuse to move the entire legacy SMS system to RCS without delay. Though that still would require changing the transport too, because RCS can use SS7.

  • In order to take advantage of this "flaw" they have to connect to what is for all intents and purposes an isolated network... You have get one of the Carriers or SS7 access providers to give you that access. It's not done casually.

    The "hack" is the equivalent of calling what Wells Fargo did (opening credit card accounts for people who hadn't signed up for them) a hack. The 2fa "hack" seems to have been carried out by someone with trusted access to the ss7 network.

    • by Aaden42 ( 198257 )

      From TFA: "But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from."

      It would tend to suggest that SS7 access is not as closely guarded as one would hope. Likewise, IP routing packets are generally disallowed from consumer-level internet connections. Nonetheless, we've recently seen several times that bad actors in trusted positions still abuse that t

      • Altering advertised routing paths has nothing to do with access control lists at the perimeter... Which is how this is done.

        Every article I've been able to find on security testing of SS7 security has somewhere in it, thanks to a carrier or access provider for allowing them to perform testing INSIDE the network. I've done this work for 30 years and the perimeter policy has always "disallow unless specifically allowed from specific pre-specified location. period". In most instances I was involved in, IPSe

  • Known issue (Score:5, Informative)

    by fulldecent ( 598482 ) on Thursday May 04, 2017 @03:27PM (#54356805) Homepage

    This is already known, see DRAFT NIST Special Publication 800-63B Digital Identity Guidelines

    https://pages.nist.gov/800-63-... [nist.gov]

    > Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.

  • SS7 is going to KILL US ALL!

    Have a nice day.

    • by AmiMoJo ( 196126 )

      Three most stupid part is that I will never give eBay my phone number, so I'll simply stop using 2FA, and if my account gets hacked it will be eBay that pays the price.

      All anyone can do if they get into my account is buy stuff (refunded by credit card company, PayPal/seller eats the cost) or sell stuff (PayPal eats the cost).

      Their desire to get my phone number puts them at risk.

  • SMS has never been confidential. Is not encripted in any leg of the trip. Can be decoded from the airwaves with suitable hardware (I've seen said hardware operate first hand, 2 FPGAs, 4 DSPs, and two rugged laptops were needed in 2001, I guess nowadays a macbook with AMD laptop graphics and a SDR will be enough ;-) ), can be altered via SS7 (as described in TFA), and even read easily by the operators of the telecom equipmentt, with no wizard level 100++ knowledge , or special tools:

    An Example:
    In the SMSCs

  • Saying SS7 is vulnerable is like saying BGP is vulnerable. It's a fools errand to believe it is even possible to build a global, inclusive non-tyrannical network that is also globally trusted. The best you can hope for is a mostly functional network.

    On mobile it's effectively all plaintext all the time like it's 1993. Very disappointed POTS networks are still intact. We obviously don't have our shit together.

  • Nobody cares about 2FA.
  • Because the Bell System never thought they'd have to let EVERYONE use SS7., the child of CCISS. They thought hey, we're connected to other Bell/AT&T resources so we don't have to include any security.

Truly simple systems... require infinite testing. -- Norman Augustine

Working...