
SoylentNews is people

posted by martyb on Friday May 05 2017, @12:59PM
from the what-next? dept.

After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 (Signalling System No. 7) is the set of telephony signaling protocols, developed in the 1970s and standardized in 1980, that the public switched telephone network (PSTN) uses to set up and route calls and to deliver SMS. It was designed for a closed circle of trusted carriers, so anyone with signaling access can redirect a subscriber's calls and text messages.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and used its SS7 access to set up a redirect for each victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into the victims' online bank accounts and transferred money out. When the bank sent the one-time transaction numbers (mTANs) by SMS, the redirect delivered them to the criminals, who then finalized the transfers.

So any security scheme that depends on SMS or voice calls reaching only the subscriber, i.e. on the security of the SS7-signaled PSTN, is proven to be inadequate.



  • (Score: 1) by epl (1801) on Friday May 05 2017, @04:27PM (#504975) (3 children)

    My bank has been trying to block route 0 better. They used to issue a simple chip & PIN terminal like pa, but for about a year now they have had a chip & PIN & barcode device:
    It has a camera in it that you point at your screen after you have put in your card and PIN. It uses this to take a picture of a 2D color barcode. If the barcode makes sense, the handheld device will pop up the transaction details: amount of the transaction, name and account number of the other party. You can check whether the amount is correct and whether it will be going to whom you expect, and you have to confirm this on the device itself; only then will it generate and show the response codes you put into the website.

    This method has the advantage that you don't have to manually input the challenge from the bank, and it contains a lot of meta information (not only account details, but also things like the reason for the transaction or whether it's a service command like asking for a new bank card). Some people complain that they have to carry the device around or have to manually type, but so far my bank is telling them this is the only way and they will NOT include anything like this in their phone apps because those are WAY too connected.

  • (Score: 2) by kaszz (4211) on Friday May 05 2017, @05:03PM (#505002) Journal (2 children)

    Interesting. Which bank is doing this, and how much do you have to pay for the service?

    Two things come to mind here. First, that device is likely to cost somewhat more than a plain keypad-LCD device. And secondly, if there's a large data transfer, then the device could possibly have a hostile payload delivered to it using that channel.

    • (Score: 1) by epl (1801) on Monday May 08 2017, @08:01AM (#506240) (1 child)

      It's Rabobank [wikipedia.org] and they have some details about the device at https://www.rabobank.nl/images/how_does_the_rabo_scanner_work_29686468.pdf [rabobank.nl] (PDF). It's a DIGIPASS device by VASCO [vasco.com], based on their 8xx series. The code scanned is based on what they call photoTAN, which is either identical or very heavily based on cardTAN [wikipedia.org].

      The previous device, also by VASCO, was just a single line and keypad, and they gave those away like candy. They have become considerably more stingy with these new ones, presumably because they are more expensive.

      • (Score: 2) by kaszz (4211) on Monday May 08 2017, @08:51AM (#506253) Journal

        Obviously that bank knows how to do security well. They can, however, as always, have made a blunder elsewhere.
        (I hope they have a valid, non-American HTTPS CA certificate.)

        Do you think they and others use hash chains to generate the codes?
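As an added worked example, not code from the story, from Rabobank or from VASCO, the following Python contrasts the two schemes discussed in this thread: the SMS mTAN flow of the story, where whoever receives the text can complete the transfer, and a transaction-bound code of the kind epl describes, where the bank's challenge carries the amount and recipient, the offline device displays them before computing anything, and the response is a keyed MAC over exactly that challenge. The HMAC-SHA256 construction, the challenge byte format standing in for the 2D barcode, the device key and the sample transactions are all assumptions made for this example; photoTAN and cardTAN products use their own encodings and algorithms. On kaszz's closing question: a plain hash chain (an S/KEY or HOTP-style sequence) yields codes that are independent of the transaction, so it could not give the "this code is only good for this payment to this account" property shown here; binding needs the transaction data inside the MAC input.

```python
import hashlib
import hmac
import json
import secrets

# Assumed for this example: a key shared between the bank and the customer's
# hand-held reader at enrolment. Not a real key from any bank or product.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_LEN = 8


def encode_challenge(tx, nonce):
    """The bank's challenge: a nonce plus the transaction it covers.
    A plain byte string stands in for the barcode a photoTAN reader scans."""
    return nonce + json.dumps(tx, sort_keys=True).encode()


def decode_challenge(challenge):
    return json.loads(challenge[NONCE_LEN:]), challenge[:NONCE_LEN]


def derive_code(key, challenge):
    """Response code: 8 decimal digits taken from HMAC-SHA256(key, challenge).
    Assumed construction; chipTAN/photoTAN products define their own."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    def __init__(self, device_key):
        self.device_key = device_key
        self.sms_pending = {}   # tan -> transaction   (scheme A)
        self.issued = set()     # nonces handed out    (scheme B)
        self.used = set()       # nonces already spent (scheme B)

    # Scheme A: mobile TAN. A random code goes out by SMS; whoever receives
    # the SMS can complete the transfer, and the phone network decides who.
    def start_sms_transfer(self, tx):
        tan = f"{secrets.randbelow(10**6):06d}"
        self.sms_pending[tan] = tx
        return f"TAN for {tx['amount']} to {tx['to']}: {tan}"

    def finish_sms_transfer(self, tx, tan):
        return self.sms_pending.pop(tan, None) == tx

    # Scheme B: transaction-bound code. The challenge carries the transaction;
    # the code is computed by the customer's offline device over that challenge.
    def start_bound_transfer(self, tx):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.issued.add(nonce)
        return encode_challenge(tx, nonce)

    def finish_bound_transfer(self, challenge, code):
        _, nonce = decode_challenge(challenge)
        if code is None or nonce not in self.issued or nonce in self.used:
            return False
        if not hmac.compare_digest(derive_code(self.device_key, challenge), code):
            return False
        self.used.add(nonce)   # one-shot: a captured code cannot be replayed
        return True


class Device:
    """The customer's reader: decodes the challenge, shows the transaction on
    its own display, and only on confirmation computes the response."""
    def __init__(self, key):
        self.key = key

    def show(self, challenge):
        return decode_challenge(challenge)[0]

    def confirm(self, challenge):
        return derive_code(self.key, challenge)


def user_confirms(device, challenge, intended_tx):
    """What-you-see-is-what-you-sign: the customer compares the amount and
    recipient on the device display with the transfer they meant to make."""
    if device.show(challenge) != intended_tx:
        return None            # customer presses cancel, no code exists
    return device.confirm(challenge)


# Constructed sample transactions (not from the article).
VICTIM_TX = {"amount": "120.00 EUR", "to": "NL00 RENT 0000 0000 01"}
ATTACKER_TX = {"amount": "4950.00 EUR", "to": "DE00 MULE 0000 0000 02"}


def run_sms_scenario():
    """The attack in the story: stolen login + SS7 redirect of the SMS."""
    bank = Bank(DEVICE_KEY)
    sms = bank.start_sms_transfer(ATTACKER_TX)          # attacker logged in as victim
    intercepted_tan = sms.rsplit(":", 1)[1].strip()     # SMS rerouted to attacker
    return bank.finish_sms_transfer(ATTACKER_TX, intercepted_tan)


def run_bound_code_scenario():
    bank, device = Bank(DEVICE_KEY), Device(DEVICE_KEY)
    r = {}
    ch = bank.start_bound_transfer(VICTIM_TX)           # honest transfer
    code = user_confirms(device, ch, VICTIM_TX)
    r["honest"] = bank.finish_bound_transfer(ch, code)
    r["replay"] = bank.finish_bound_transfer(ch, code)  # same code again: refused
    ch = bank.start_bound_transfer(ATTACKER_TX)         # credentials + SMS, no device
    r["no_device"] = bank.finish_bound_transfer(ch, derive_code(b"guess", ch))
    ch = bank.start_bound_transfer(ATTACKER_TX)         # browser malware swaps recipient
    r["tampered"] = bank.finish_bound_transfer(ch, user_confirms(device, ch, VICTIM_TX))
    return r


if __name__ == "__main__":
    print("SMS TAN, attacker completes transfer:", run_sms_scenario())
    print("Transaction-bound code:", run_bound_code_scenario())
```

The point the two scenarios make is that the SMS TAN is a bearer token whose delivery is decided by the phone network, while the bound code is useless for any transfer other than the one the customer saw on the device display, cannot be produced without the device key, and cannot be replayed. The nonce bookkeeping in `finish_bound_transfer` is what blocks a captured code from being reused; the display check in `user_confirms` is what defeats malware that rewrites the recipient in the browser.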