After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 is the set of telephony signaling protocols, developed in the 1980s, that controls the public switched telephone network (PSTN), carries SMS, and so on.
The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.
Next, usually in the middle of the night when the mark was asleep, the attackers logged into the online bank accounts and transferred money out. When the transaction numbers were sent, they were routed to the criminals, who then finalized the transaction.
So any security scheme that depends on the security of the PSTN and SS7 has been shown to be inadequate.
(Score: 2) by IndigoFreak on Friday May 05 2017, @01:09PM (20 children)
Probably not the correct attitude to take...
But these people's computers were infected with viruses, then the hackers also had to get control of the telephone system to some extent. It's a lot of extra work, although probably worth it overall. Nothing is going to be 100% secure.
That said, it would be great if the banks moved to something better, but then eventually that will get cracked too. If there is something of high value, rest assured someone is working on taking it, and will probably succeed. All you can do is delay or make it so hard to take that the cost outweighs the benefit.
I will continue to use it. It's still better than not getting the code texted to you in the first place.
(Score: 3, Interesting) by Snospar on Friday May 05 2017, @01:35PM (9 children)
My bank issued me with a Chip & PIN device. When I want to set up a new outgoing payment on my account they generate a random number, I stick my bank card into the Chip & PIN device, authenticate with my PIN then enter the number I've been given. This generates a new number that I enter on the bank's web page to authorise the new transaction.
Very hard to bypass 2FA when it's done properly - they would need my physical bank card and my PIN to rip me off using this SS7 exploit (or similar).
Banks that don't offer a decent level of security should be named and shamed and made to do better. It's not rocket science after all.
Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
(Score: 3, Insightful) by kaszz on Friday May 05 2017, @03:13PM (8 children)
I can see some flaws here:
0) How do you know that the bank sent you that random number and it's not an authentication for some other transaction?
1) When the Chip & PIN device is wired to the USB port, BadUSB can compromise the microcontroller of the device.
Other than that, I think this is the way to do it.
(Score: 2) by choose another one on Friday May 05 2017, @04:00PM (1 child)
If it is like the one my bank uses the answers are:
0) you don't, but the number only arrives when you initiate a transaction; if it arrives otherwise you know it's fake. It is also time sensitive, so a MITM attacker would need to wait for you to initiate a transaction, block it and initiate a different transaction and send you the challenge for that transaction - not impossible but a lot more work.
1) What USB port? The card reader is completely self contained.
(Score: 2) by kaszz on Friday May 05 2017, @04:16PM
On point (0) I have seen some banks use actual numbers involved in the transaction as the input number to the customer device, such that the customer can actually verify the correctness. And adding new transaction destinations is then a separate operation which again uses part of the account number as an input code. This will make MITM really hard.
Regarding (1), some banks use a USB wired card reader. Which of course then exposes the crypto hardware to badUSB [wikipedia.org] etc. Your air-gapped device eliminates this issue completely. Though perhaps it's possible to spy on it using emitted radio frequencies. There are some other methods that may still work but they require physical access.
(Score: 1) by epl on Friday May 05 2017, @04:27PM (3 children)
My bank has been trying to block route 0 better. They used to issue a simple chip & PIN terminal like pa, but for about a year now they have had a chip & PIN & barcode device:
It has a camera in it that you point at your screen after you have put in your card and PIN. It uses this to take a picture of a 2d color barcode. If the barcode makes sense the handheld device will pop up the transaction details: amount of transaction, name and account number of other party. You can check if the amount is correct and if it will be going to whom you expect and have to confirm this on the device itself; only then will it generate and show the response codes you put into the website.
This method has the advantage that you don't have to manually input the challenge from the bank and it contains a lot of meta information (not only account details, but also stuff like the reason of the transaction or if it's a service command like asking for a new bankcard). Some people complain they have to carry the device around or have to manually type, but so far my bank is telling them this is the only way and they will NOT include anything like this in their phone apps because those are WAY too connected.
(Score: 2) by kaszz on Friday May 05 2017, @05:03PM (2 children)
Interesting. Which bank is doing this? And how much do you have to pay for the service?
Two things come to mind here. First, that device is likely to cost some more than a plain keypad-LCD device. And secondly, if there's a large data transfer, then the device could possibly have a hostile payload delivered to it using that channel.
(Score: 1) by epl on Monday May 08 2017, @08:01AM (1 child)
It's Rabobank [wikipedia.org] and they have some details about the device at https://www.rabobank.nl/images/how_does_the_rabo_scanner_work_29686468.pdf [rabobank.nl] (PDF). It's a DIGIPASS device by VASCO [vasco.com], based on their 8xx series. The code scanned is based on what they call photoTAN, which is either identical or very heavily based on cardTAN [wikipedia.org].
The previous device, also by Vasco, was just a single line and keypad and they gave those away like candy. They have become considerably more stingy with these new ones; presumably because they are more expensive.
(Score: 2) by kaszz on Monday May 08 2017, @08:51AM
Obviously that bank knows how to do security well. They can however, as always, have made a blunder elsewhere.
(I hope they have a non-American valid https CA certificate)
Do you think they and others use hash chains to generate the codes?
(Score: 2) by Snospar on Friday May 05 2017, @06:10PM (1 child)
Well, I suppose there are assumptions here, like my browser/OS isn't compromised and under the control of the bad guys. But even more important:
0) I instigated the transaction on the bank's website after passing through their initial multi-password login (one full password + one selecting random digits from another PIN). As long as I'm sure it's me connected to my account I can't see how they inject another transaction - but just in case, part of the account number I want to pay money into is used in one of the response codes on screen. If it doesn't match you decline the transfer and contact the bank.
1) The Chip & PIN device is not connected to the computer. No USB. It's a battery operated device with no Wi-Fi/Bluetooth/USB/Network connections at all.
This level of security is one of the few things keeping me at this bank.
Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
(Score: 2) by kaszz on Friday May 05 2017, @07:08PM
On point (0) one sets up a fake bank page. Lets you give it login details, which then makes the fake page use that to create its own secure login. After that it can present that it will do one thing and then send another request to the bank.
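The transaction binding that Snospar, kaszz and epl describe above (part of the payee account in the response code, or the full payee details shown on the reader), run against the fake-page relay in the comment just above, as an added example. This is not code from the thread, from any bank, or from VASCO; the card key, the HMAC-SHA256 construction, the 8-digit truncation, the class and function names and the account identifiers are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Added example, not any bank's real scheme. A stand-alone reader holds a
# per-card key; its response is a MAC over the challenge nonce AND the
# transaction the customer sees on the device, so the bank can check the
# response against the transaction it is actually about to execute.


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    dest_account: str


def response_code(card_key: bytes, nonce: bytes, tx: Transaction) -> str:
    """Hypothetical reader: code bound to nonce + amount + payee (8 digits)."""
    msg = nonce + tx.amount_cents.to_bytes(8, "big") + tx.dest_account.encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


def device_display(challenge: tuple) -> Transaction:
    """What the reader shows the customer: the transaction carried in the challenge."""
    _nonce, tx = challenge
    return tx


class BindingBank:
    """Challenge carries the pending transaction; verification uses that transaction."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.pending = {}

    def start(self, tx: Transaction) -> tuple:
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = tx
        return (nonce, tx)  # e.g. encoded in the barcode the reader scans

    def complete(self, nonce: bytes, code: str) -> bool:
        tx = self.pending.pop(nonce, None)
        if tx is None:
            return False
        return hmac.compare_digest(response_code(self.card_key, nonce, tx), code)


class UnboundOtpBank:
    """SMS-style code: proves only that the holder received the code."""

    def __init__(self):
        self.pending = {}

    def start(self, tx: Transaction) -> tuple:
        token = secrets.token_bytes(8)
        code = str(secrets.randbelow(10**6)).zfill(6)
        self.pending[token] = code  # the code goes out over SMS in the real flow
        return (token, code)

    def complete(self, token: bytes, code: str) -> bool:
        expected = self.pending.pop(token, None)
        return expected is not None and hmac.compare_digest(expected, code)


INTENDED = Transaction(5000, "ACCT-ALICE-0001")  # constructed sample payee
DIVERTED = Transaction(5000, "ACCT-OTHER-9999")  # constructed sample payee


def honest_transfer_accepted() -> bool:
    key = secrets.token_bytes(32)
    bank = BindingBank(key)
    nonce, shown = bank.start(INTENDED)
    assert device_display((nonce, shown)) == INTENDED  # customer confirms on the reader
    return bank.complete(nonce, response_code(key, nonce, INTENDED))


def fake_page_relay() -> dict:
    """Relay page submits DIVERTED to the bank while the customer intends INTENDED."""
    key = secrets.token_bytes(32)
    bank = BindingBank(key)
    nonce, bank_tx = bank.start(DIVERTED)
    # Forwarding the bank's real challenge: the reader shows the wrong payee.
    mismatch = device_display((nonce, bank_tx)) != INTENDED
    # Forging a challenge that shows INTENDED: the reader signs INTENDED, not DIVERTED.
    code = response_code(key, nonce, device_display((nonce, INTENDED)))
    return {"customer_sees_mismatch": mismatch, "bank_accepted": bank.complete(nonce, code)}


def unbound_code_relayed() -> bool:
    """Same relay against an unbound code: whoever receives the code completes the tx."""
    bank = UnboundOtpBank()
    token, code = bank.start(DIVERTED)
    return bank.complete(token, code)
```

The point of the two bank classes is the verification step: BindingBank recomputes the response over the transaction it will execute, so a code produced for the transaction the customer saw cannot authorise a different one, whereas UnboundOtpBank accepts any correct code regardless of who typed it or what was displayed, which is the property the SS7 redirect in the story exploits.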
(Score: 0) by Anonymous Coward on Friday May 05 2017, @01:36PM (2 children)
I keep a small balance in accounts with online access or for which I share account numbers (for example, for wire transfers in). Less convenient, but seems like a sensible step. My bank branch is nearby, it's no big deal to go there and transfer funds in person.
(Score: 1) by Scruffy Beard 2 on Friday May 05 2017, @02:52PM (1 child)
Most banks will take money out of any of your accounts in order to cover an over-draft. About 4 out of 5 Canadian Banks say they will do it in the customer agreement. The 5th does it anyway (found out the hard way).
(Score: 1) by Scruffy Beard 2 on Friday May 05 2017, @02:54PM
Oh yeah, you can even get an over-draft on a closed account: Got charged again because the closed account did not have enough funds to cover the over-draft fees after I discovered the problem.
(Score: 4, Informative) by EvilSS on Friday May 05 2017, @02:00PM (2 children)
(Score: 2) by Nerdfest on Friday May 05 2017, @02:40PM
The Google Authenticator or other time based authentication schemes work very well. They do have a flaw as well, but it's not as exploitable as this is.
(Score: 2) by kaszz on Friday May 05 2017, @03:21PM
This is another weak point for sure. How secure is the hand over of security devices and codes? If those are very secure but the other party will hand those over based on the presentation of a flimsily made identity card, the security is not that great. Maybe it's time for challenge-response chipped identity cards and signatures too?
The strength of a chain is determined by the weakest link.
(Score: 2) by frojack on Friday May 05 2017, @06:03PM (3 children)
The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts,
They already had the whole account access credentials. They owned the account.
What actual part did SS7 play in this?
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Friday May 05 2017, @07:00PM
Ignorance can be cured, stupid is forever. Which one do you have?
Hint: it's in the paragraph right above the paragraph containing the sentence you quoted. If you can't find it, it means you're just another quote-quoting idiot and far beyond my help.
(Score: 2) by edIII on Friday May 05 2017, @08:08PM
The security credentials are often not enough. I started noticing a few years ago that the banks were fingerprinting the browsers and systems quite heavily, and tying it to IP addresses.
In order to use my bank, I needed to be using the same browser, same machine, same IP address. Anything else and the bank initiated additional verification like security questions and token verification (those images).
I would imagine that coming from a different IP address would engage SMS 2FA immediately if it were setup. That never happens with me because I've refused to use the SMS system on general principles. You're paying for something that happens regardless of whether you use it, and at a 10000000% markup at that. Fuck that noise :)
Falling back to the PSTN and SMS is quite typical of businesses, and not just the banking sector. Both of them are incredibly insecure though. SMS is not all that secure to begin with, you can hijack accounts, and SS7 is NOT a secure protocol. You're just betting that nobody has the skills to do it, but the article proved that there are some that do.
Rogue telecommunications providers are not difficult to set up, nor is it difficult to start using SS7 once you have the infrastructure and connections in place. The catch is that you want to deal with the PSTN, and that is where you lose all security, privacy, and anonymity the instant you touch that network.
Think BGP and how the Russians channeled financial sector traffic through a Russian telecom for a few minutes.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by sjames on Friday May 05 2017, @08:26PM
The account had 2 factor authentication. You begin the login and get an authentication code texted to you. To complete the login, you must enter the code. The SS7 access allows the bad guy to re-direct the authentication code to his own phone to complete the login.