Known Flaws in Mobile Data Backbone Allow Hackers To Trick 2FA (vice.com)
Date: 2017-05-04
A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday. From the article: For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors. But on Wednesday, German newspaper The Suddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts. This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
SMS isn't even one system. This is a problem with one specific transport.
And if anything, this is a need to move away from SS7 - not SMS.
No, there is a need to move away from SMS in general. A properly-implemented time-based key CANNOT be intercepted over the wire.
SMS isn't even one system. This is a problem with one specific transport.
This article is about one specific transport, but there are other issues with using SMS that make it unsuitable as a 2FA method. One big issue is that cellular providers are often all too happy to move service to a new device with weak (if any) authentication that the person moving the service is the legitimate owner of the account. This has been used to breach SMS 2FA in the past. This is not, obviously, an SMS flaw but a provider one, but it happens enough that it's creating an insecure situation.
problem with SMS based 2FA (Score:2)
That allows the attacker to direct a target's text messages to another device, and, in the case of the bank accounts, steal any codes needed to login or greenlight money transfers (after the hackers obtained victim passwords).
... "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday...
Bug or feature? (Score:2)
*yawn* (Score:2)
So someone would need to obtain:
1. My login to my bank account
2. My password to my bank account
3. My phone number (this is the easy one).
4. And work with a relatively sophisticated attack to spoof my device and obtain the 2FA token?
How did these people get cleaned out? Were they the same kind of people who wrote their pin numbers on the back of their credit cards?
I have no knowledge of the actual attack, but likely it was malware on their device. Probably whoever got the malware sold the information on the phone to a data broker. The attacker who had access to the SS7 system bought data that would allow them to leverage their access to make money.
These things have gotten fairly sophisticated in the last few years. Not everyone is going to fall for every scam, but when you have 10 million targets, the law of big numbers kicks in.
This is Google's Chance (Score:2)
Just wait until Google says this is the excuse to move the entire legacy SMS system to RCS without delay. Though that still would require changing the transport too, because RCS can use SS7.
Uhhh... Actually, no (Score:2)
In order to take advantage of this "flaw" they have to connect to what is for all intents and purposes an isolated network... You have to get one of the Carriers or SS7 access providers to give you that access. It's not done casually.
The "hack" is the equivalent of calling what Wells Fargo did (opening credit card accounts for people who hadn't signed up for them) a hack. The 2fa "hack" seems to have been carried out by someone with trusted access to the ss7 network.
From TFA: "But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from."
It would tend to suggest that SS7 access is not as closely guarded as one would hope. Likewise, IP routing packets are generally disallowed from consumer-level internet connections. Nonetheless, we've recently seen several times that bad actors in trusted positions still abuse that t
Known issue (Score:2)
This is already known, see DRAFT NIST Special Publication 800-63B Digital Identity Guidelines
https://pages.nist.gov/800-63-... [nist.gov]
> Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.
"[T]he SS7 network poses a threat to all of us" (Score:2)
SS7 is going to KILL US ALL!
