Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday May 05 2017, @12:59PM   Printer-friendly
from the what-next? dept.

After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 is a set of telephony signaling protocols developed in the 1980s, to handle the public switched telephone network (PSTN), SMS etc.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.

So any security that depend on PSTN-SS7 security is proven to be inadequate.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by choose another one on Friday May 05 2017, @04:00PM (1 child)

    by choose another one (515) Subscriber Badge on Friday May 05 2017, @04:00PM (#504945)

    If it is like the one my bank uses the answers are:

    0) you don't, but the number only arrives when you initiate a transaction, if it arrives otherwise you know it's fake. It is also time sensitive, so a MITM attacker would need to wait for you to initiate a transaction, block it and initiate a different transaction an send you the challenge for that transaction - not impossible but a lot more work.

    1) What USB port? The card reader is completely self contained.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by kaszz on Friday May 05 2017, @04:16PM

    by kaszz (4211) on Friday May 05 2017, @04:16PM (#504969) Journal

    On point (0) I have seen some banks use actual numbers involved in the transaction used as the input number to the customer device such that the customer can actually verify the correctness. And adding new transaction destinations is then a separate operation which again uses part of the account number as a input code. This will make MITM really hard.

    Regarding (1), some banks uses a USB wired card reader. Which of course then exposes the crypto hardware to badUSB [wikipedia.org] etc. You air gaped device eliminates this issue completely. Though perhaps it's possible to spy on it using emitted radio frequencies. There are some other methods that may still work but they require physical access.