Stories
Slash Boxes
Comments

SoylentNews is people

SS7 Exploited to Circumvent Two-Factor Authentication

posted by martyb on Friday May 05 2017, @12:59PM   Printer-friendly
from the what-next? dept.

kaszz writes:

After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 is a set of telephony signaling protocols developed in the 1980s, to handle the public switched telephone network (PSTN), SMS etc.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.

So any security that depend on PSTN-SS7 security is proven to be inadequate.

Original Submission

 
This discussion has been archived. No new comments can be posted.
SS7 Exploited to Circumvent Two-Factor Authentication | Log In/Create an Account | Top | 24 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Informative) by EvilSS on Friday May 05 2017, @02:00PM (2 children)

    by EvilSS (1456) Subscriber Badge on Friday May 05 2017, @02:00PM (#504844)
    They need to move to something else. While this specific case is a hell of a hack, it's not the most common way SMS 2FA can be exploited. Unfortunately most telcos are more than happy to help a "customer" swap to a new device after they "lose" their old one. This has been used numerous times already against a number of celebs and youtubers. The attacker gets service swapped over to their sim/device and once that happens they have just broken every SMS 2FA and SMS based password reset scheme the account owner has. This is the reason NIST published warnings about SMS 2FA last year. It is just too damn easy to pull off and it's a lot of eggs in one basket. At least with a token if you break the 2FA somehow, you only get access to that one account. And it's a lot easier to talk a sales guy in a carrier store in rural Nebraska into swapping your account over to a new device than it is to socially engineer your way around a 2FA token system in most cases.
    Starting Score:    1  point
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4  

  • (Score: 2) by Nerdfest on Friday May 05 2017, @02:40PM

    by Nerdfest (80) on Friday May 05 2017, @02:40PM (#504880)

    The Google Authenticator or other time based authentication schemes work very well. They do have a flaw as well, but it's not as exploitable as this is.

  • (Score: 2) by kaszz on Friday May 05 2017, @03:21PM

    by kaszz (4211) on Friday May 05 2017, @03:21PM (#504926) Journal

    This is another weak point for sure. How secure is the hand over of security devices and codes? If those are very secure but the other party will hand those over based on the presentation of a flimsy made identity card. The security is not that great. Maybe it's time for challenge-response chipped identity cards and signatures too?

    The strength of a chain is determined by the weakest link.