
posted by martyb on Friday May 05 2017, @12:59PM   Printer-friendly
from the what-next? dept.

After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 is a set of telephony signaling protocols developed in the 1980s to handle the public switched telephone network (PSTN), SMS etc.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.

So any security scheme that depends on PSTN/SS7 security is proven to be inadequate.

  • (Score: 3, Insightful) by kaszz on Friday May 05 2017, @03:13PM (8 children)

    by kaszz (4211) on Friday May 05 2017, @03:13PM (#504921) Journal

    I can see some flaws here:
    0) How do you know that the bank sent you that random number and it's not an authentication for some other transaction?
    1) When the Chip & PIN device is wired to the USB port, BadUSB can compromise the microcontroller of the device.

    Other than that, I think this is the way to do it.

  • (Score: 2) by choose another one on Friday May 05 2017, @04:00PM (1 child)

    by choose another one (515) Subscriber Badge on Friday May 05 2017, @04:00PM (#504945)

    If it is like the one my bank uses the answers are:

    0) you don't, but the number only arrives when you initiate a transaction; if it arrives otherwise you know it's fake. It is also time sensitive, so a MITM attacker would need to wait for you to initiate a transaction, block it and initiate a different transaction and send you the challenge for that transaction - not impossible but a lot more work.

    1) What USB port? The card reader is completely self contained.

    • (Score: 2) by kaszz on Friday May 05 2017, @04:16PM

      by kaszz (4211) on Friday May 05 2017, @04:16PM (#504969) Journal

      On point (0) I have seen some banks use actual numbers involved in the transaction as the input number to the customer device, such that the customer can actually verify the correctness. And adding new transaction destinations is then a separate operation which again uses part of the account number as an input code. This will make MITM really hard.

      Regarding (1), some banks use a USB wired card reader. Which of course then exposes the crypto hardware to badUSB [wikipedia.org] etc. Your air-gapped device eliminates this issue completely. Though perhaps it's possible to spy on it using emitted radio frequencies. There are some other methods that may still work but they require physical access.

  • (Score: 1) by epl on Friday May 05 2017, @04:27PM (3 children)

    by epl (1801) on Friday May 05 2017, @04:27PM (#504975)

    My bank has been trying to block route 0 better. They used to issue a simple chip & PIN terminal like pa, but for about a year now they have a chip & PIN & barcode device:
    It has a camera in it that you point at your screen after you have put in your card and PIN. It uses this to take a picture of a 2d color barcode. If the barcode makes sense the handheld device will pop up the transaction details: amount of transaction, name and account number of other party. You can check if the amount is correct and if it will be going to whom you expect, and have to confirm this on the device itself; only then will it generate and show the response codes you put into the website.

    This method has the advantage that you don't have to manually input the challenge from the bank and it contains a lot of meta information (not only account details, but also stuff like the reason of the transaction or if it's a service command like asking for a new bankcard). Some people complain they have to carry the device around or have to manually type, but so far my bank is telling them this is the only way and they will NOT include anything like this in their phone apps because those are WAY too connected.

    • (Score: 2) by kaszz on Friday May 05 2017, @05:03PM (2 children)

      by kaszz (4211) on Friday May 05 2017, @05:03PM (#505002) Journal

      Interesting. Which bank is doing this, and how much do you have to pay for the service?

      Two things come to mind here. First, that device is likely to cost some more than a plain keypad-LCD device. And secondly, if there's a large data transfer, then the device could possibly have a hostile payload delivered to it using that channel.

      • (Score: 1) by epl on Monday May 08 2017, @08:01AM (1 child)

        by epl (1801) on Monday May 08 2017, @08:01AM (#506240)

        It's Rabobank [wikipedia.org] and they have some details about the device at https://www.rabobank.nl/images/how_does_the_rabo_scanner_work_29686468.pdf [rabobank.nl] (PDF). It's a DIGIPASS device by VASCO [vasco.com], based on their 8xx series. The code scanned is based on what they call photoTAN, which is either identical or very heavily based on cardTAN [wikipedia.org].

        The previous device, also by Vasco, was just a single line and keypad and they gave those away like candy. They have become considerably more stingy with these new ones; presumably because they are more expensive.

        • (Score: 2) by kaszz on Monday May 08 2017, @08:51AM

          by kaszz (4211) on Monday May 08 2017, @08:51AM (#506253) Journal

          Obviously that bank knows how to do security well. They can however, as always, have made a blunder elsewhere.
          (I hope they have a non-American valid HTTPS CA certificate)

          Do you think they and others use hash chains to generate the codes?

  • (Score: 2) by Snospar on Friday May 05 2017, @06:10PM (1 child)

    by Snospar (5366) Subscriber Badge on Friday May 05 2017, @06:10PM (#505053)

    Well, I suppose there are assumptions here, like my browser/OS isn't compromised and under the control of the bad guys. But even more important:

    0) I instigated the transaction on the bank's website after passing through their initial multi-password login (one full password + one selecting random digits from another PIN). As long as I'm sure it's me connected to my account I can't see how they inject another transaction - but just in case, part of the account number I want to pay money into is used in one of the response codes on screen. If it doesn't match you decline the transfer and contact the bank.

    1) The Chip & PIN device is not connected to the computer. No USB. It's a battery operated device with no Wi-Fi/Bluetooth/USB/Network connections at all.

    This level of security is one of the few things keeping me at this bank.

    --
    Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
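The transaction binding epl and Snospar describe, as an added example (not Rabobank's, VASCO's or any bank's code): the challenge carries the amount and destination, the reader displays them and computes its response over exactly those bytes, so a code intercepted or produced for one transaction does not verify for another. Assumed here are a per-device shared key and an HMAC-based 8-digit response, both constructed for the example; real cardTAN/photoTAN formats differ.

```python
import hmac, hashlib, json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    dest_account: str
    reference: str

# Constructed per-device secret; a real reader keeps this inside its chip.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def build_challenge(tx: Transaction, nonce: str) -> bytes:
    """Bank side: the barcode/challenge payload. Details travel in clear so the
    device can display them; the nonce stops replay of an old code."""
    payload = {"nonce": nonce, **asdict(tx)}
    return json.dumps(payload, sort_keys=True).encode()

def device_respond(key: bytes, challenge: bytes) -> tuple[str, str]:
    """Device side: show the user what will be authorised, then MAC those exact bytes."""
    p = json.loads(challenge)
    shown = f"Pay {p['amount_cents'] / 100:.2f} to {p['dest_account']} ref {p['reference']}"
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"  # 8-digit response typed into the site
    return shown, code

def bank_verify(key: bytes, tx: Transaction, nonce: str, code: str) -> bool:
    """Bank side: recompute the code from the transaction it is about to execute."""
    _, expected = device_respond(key, build_challenge(tx, nonce))
    return hmac.compare_digest(expected, code)

def mitm_scenario() -> dict:
    """What a fake bank page or an intercepted code buys an attacker under this scheme."""
    intended = Transaction(12050, "NL00BANK0123456789", "rent")   # constructed accounts
    swapped = Transaction(12050, "NL00MULE9876543210", "rent")    # attacker-controlled destination
    nonce = "c0ffee0123456789"                                    # constructed; bank draws a fresh one
    # Case 1: attacker relays the genuine challenge, captures the code, submits a swapped transaction.
    _, code = device_respond(DEVICE_KEY, build_challenge(intended, nonce))
    replay_accepted = bank_verify(DEVICE_KEY, swapped, nonce, code)
    # Case 2: attacker submits the swapped transaction first; the device then shows the mule account.
    shown_swapped, _ = device_respond(DEVICE_KEY, build_challenge(swapped, nonce))
    return {"genuine_accepted": bank_verify(DEVICE_KEY, intended, nonce, code),
            "replay_accepted": replay_accepted,
            "device_shows_mule": "NL00MULE9876543210" in shown_swapped}
```

Only the destination displayed on the air-gapped reader is what the code authorises, which is why the comments above stress checking that display rather than the website.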
    • (Score: 2) by kaszz on Friday May 05 2017, @07:08PM

      by kaszz (4211) on Friday May 05 2017, @07:08PM (#505088) Journal

      On point (0) one sets up a fake bank page. It lets you give it login details, which the fake page then uses to create its own secure login. After that it can present that it will do one thing and then send another request to the bank.