A lot of companies, some quite big and prominent, fool people into thinking that a phone is a second authentication factor. Due to the transferability of the phone number associated with a random SIM card and the ease with which social engineering and even conspirators inside the carrier itself can be used to gain control of that number, it is not and can never be "something you have". That does not stop companies from pretending nor marks from playing along. Motherboard has an article about how the weaknesses around the SIM cards are becoming all the more frequently exploited to perpetrate massive fraud.
First, criminals call a cell phone carrier's tech support number pretending to be their target. They explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred, or ported, to a new SIM card that the hackers themselves already own. With a bit of social engineering—perhaps by providing the victim's Social Security Number or home address (which is often available from one of the many data breaches that have happened in the last few years)—the criminals convince the employee that they really are who they claim to be, at which point the employee ports the phone number to the new SIM card.
From Motherboard: The SIM Hijackers
Related Stories
Computer security journalist Brian Krebs has posted in his blog that Reddit, a well-known social news aggravation site, has announced that an attacker compromised several employee accounts at its cloud and source code hosting providers. The way in turned out to be Reddit's reliance on mobile text messages (SMS) in an imitation of two-factor authentication (2FA). Mobile application-based keys are an option. Hardware tokens would also have been reasonably secure, but few sites do more than partially support them.
Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
Specific details of how the SMS messages were intercepted have not yet been made public.
Earlier on SN:
Google Defeats Employee Phishing With Physical Security Keys (2018)
SIM Hijacking as a Second Factor (2018)
Authentication Today: Moving Beyond Passwords (2018)
(Score: 1, Insightful) by Anonymous Coward on Thursday July 19 2018, @01:42AM (1 child)
Infosec is frequently the equivalent of an unbreakable door with an unbreakable lock on a 1/16in plywood wall
(Score: 0) by Anonymous Coward on Friday July 20 2018, @04:27AM
This.
Find the weakest link
(Score: 2) by MostCynical on Thursday July 19 2018, @02:41AM (3 children)
it all comes down to risk vs cost.
RSA tokens cost money
The risk of a random customer being a victim of identity theft is small.
The reputation risk for this is also small, because most people think the victim was responsible (human nature blames the victim almost every time)
Therefore, even if the customer manages to prove they were NOT responsible for the loss, the bank loses a few thousand dollars at most.
Lawyers happy, insurers happy, customers with (supposed) 2FA (and no need to carry a dongle) happy, victim... may or may not be happy, depending on how much they lost, and how much they got back.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Interesting) by jmorris on Thursday July 19 2018, @06:43AM (1 child)
Be more cynical. Why should any of these industries care as long as a) they don't suffer for being incompetent boobs, b) their customers are willing to PAY companies like LifeLock to clean up the messes these fuckers make. And as best as anyone knows, LifeLock doesn't even sue on your behalf to recover damages. So why should they care? No direct expense, no liability. If the breach is big enough to get splashed on the news for several news cycles they can suffer reputation damage, but that usually fades fairly quickly. Target comes to mind.
But phones COULD be a security token. Phone numbers are a problem but the SIM isn't. If it were exposed in a standardized way it could act like a chip & pin in a credit card, sealing secure transactions. It is basically the same chip as in a credit card. 2FA apps running on a phone are even an improvement over the current situation. Apparently there was interest at some point in using the SIM as a security token because the schematics for my phone show a trace directly connecting the SIM slot and the NFC chip. No explanation.
(Score: 1, Informative) by Anonymous Coward on Thursday July 19 2018, @09:24AM
It's called a secure element and it's been a thing for a while. Back before ISIS was a synonym for terrorist group, it was the name of a payment company. They partnered with AMEX and issued SIMs with a secure domain that could be registered with any carrier. The phone would then double as a credit card at any NFC "tap n pay" terminal that accepted AMEX. There was no card cloning or storing of the card number on the phone. The SIM was the chip in a chip n pin transaction. You would pop open an app, enter your pin, then tap your phone, hit accept and *poof* your purchase was paid for.
The first time I used it successfully was at a small grocery store in podunk Colorado. I saw the logo on the payment terminal. It was amazing to watch the cashier's face, she had no idea that could even be done.
Sadly, ISIS went away when the name got conflated with a terrorist group. The service is gone now and I've yet to find a similar replacement. There may be SIM payment systems, but this one offered a healthy cashback on each transaction that really made it worthwhile to use.
That trace between NFC and SIM is there to power the secure element. The NFC gets a request, passes it to the SIM, the SIM communicates with the app to get your approval and then signs the request with a private key that is embedded in the SIM. Nothing other than destination and amount transits outside the NFC/SIM pathway, and the embedded private key means no card numbers change hands; it is end-to-end encrypted with perfect forward secrecy.
https://www.gemalto.com/mobile/secure-elements
(Score: 2) by darkfeline on Friday July 20 2018, @07:21PM
A 2FA app costs nothing. A U2F key costs $8 to $20 USD. People pay more for insurance for far less likely and less damaging risks.
Join the SDF Public Access UNIX System today!
(Score: 3, Interesting) by edIII on Thursday July 19 2018, @04:55AM (2 children)
Laughingly, prominent security sites, and basically every crypto exchange, view landlines and VoIP lines as easily compromised versus a smart phone with a wireless carrier. Which is complete and utter backasswards bullshit.
The reason why my "landline" is damn secure from a porting attack is that the policies regarding a port mandate an email to the losing carrier asking them for permission. Smaller outfits can afford a deny-by-default rule requiring that the user (me) consent to the port out. AT&T? They don't give a fuck. Any well formed port request (correct billing info and a signed LOA) gets you an instant port out. Well, except for 14-21 illegal days they take on landlines. Wireless is 24 hours though.
I myself have a deny-by-default milter rule that responds back instantly with a very firm and direct no, then emails me, txt messages me on my burner, and logs the request to file. The odds of anyone doing it without me knowing it are slim to none, let alone getting around my instant denial with the insistence that the bill is not current, that money is owed, and therefore the port must be rejected out-of-hand.
That's not the real vulnerability anyways. It's the SS7 protocol in use by the PSTN that was never very secure to begin with. I think AT&T just recently announced they had rolled out SS7 security protections on their entire network. Crickets from Verizon, T-Mobile, and Sprint AFAIK.
But, yeah sure, a fucking txt message or phone call on a cellphone is a more secure two-factor.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Thursday July 19 2018, @06:04AM (1 child)
How do you obtain VoIP service? I would love to host my own number.
(Score: 4, Interesting) by edIII on Thursday July 19 2018, @08:02PM
This is fun :)
You become your own telephone company. I charge myself for the bill. That's why I can deny the port out, because I owe my own ass money for the phone all the time. Deadbeat motherfucker....
Now, if somebody attempted a porting attack, you will get an email as the account owner requesting acknowledgment within 24 hours. Twilio is kinda big, and so is Flowroute. Their policies are, I think, to allow it if you say nothing. Hence the automatic reply rule you could construct in your email service, I'm sure. Either that or Thunderbird can apply rules too. Actually running a milter server for your email is a bit advanced and you would need to be a fairly good sysadmin with knowledge of different email platforms. Automatic responders are easier to manage in this case. Remember to ask the provider for an example of a port out request. They should email you with it, which helps configure the automatic responder.
In your response to the carrier, you claim that you are white labeling their service and that the client (you) owes you money. Hence, the denial based in the law regarding number porting.
This is why those people claiming cell phones are more secure are full of shit and should stop claiming they know anything about security in telecommunications. Twilio or Flowroute will not respond to social engineering to expedite or assist the port, and at the very least, nothing prevents you from getting the email. An attacker attempting a porting attack would necessarily need to compromise your VoIP account as well, rerouting the emails to them. Layered security FTW.
Technically, lunchtime is at any moment. It's just a wave function.
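A deny-by-default auto-responder of the kind edIII describes, as an added example (not the commenter's own milter): it parses an incoming port-out notice, replies with a rejection citing an outstanding balance, and produces a log record. The provider's porting-desk address and notice format are assumptions, and the sample notice is constructed.

```python
import email
from email.message import EmailMessage
from email.policy import default

# Constructed sample notice; the real provider's wording and headers are assumed.
SAMPLE_REQUEST = """\
From: porting@example-voip-provider.invalid
To: owner@example.invalid
Subject: Port-out request for +15555550123
Message-ID: <req-42@example-voip-provider.invalid>

A port-out request was received for +15555550123.
Reply within 24 hours to reject; silence is treated as consent.
"""

# Assumed address of the provider's porting desk; anything else is ignored.
PORTING_SENDERS = {"porting@example-voip-provider.invalid"}


def is_port_out_request(msg):
    """Trigger only on mail from the porting desk whose subject mentions a port."""
    sender = str(msg["From"] or "").strip().lower()
    subject = str(msg["Subject"] or "").lower()
    return sender in PORTING_SENDERS and "port" in subject


def extract_number(msg):
    """Pull the E.164 number out of the subject (assumed to be present there)."""
    for token in str(msg["Subject"] or "").split():
        if token.startswith("+") and token[1:].isdigit():
            return token
    return None


def build_denial(raw, owner="owner@example.invalid"):
    """Return (reply, log_record); reply is None when the mail is not a port notice."""
    msg = email.message_from_string(raw, policy=default)
    if not is_port_out_request(msg):
        return None, {"action": "ignored", "subject": str(msg["Subject"])}
    number = extract_number(msg)
    request_id = str(msg["Message-ID"])
    reply = EmailMessage()
    reply["From"] = owner
    reply["To"] = str(msg["From"])
    reply["Subject"] = "Re: " + str(msg["Subject"])
    reply["In-Reply-To"] = request_id          # thread the denial onto the request
    reply["References"] = request_id
    reply.set_content(
        f"The port-out request for {number} is REJECTED. The subscriber account "
        "carries an outstanding balance, so the number may not be ported. "
        "Do not proceed without explicit written consent from the account owner."
    )
    return reply, {"action": "denied", "number": number, "request_id": request_id}
```

Wire `build_denial` to whatever delivers the provider's mail (a fetch loop, a procmail rule, a milter) and send the returned reply; the log record is what you alert on.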
(Score: 3, Interesting) by pkrasimirov on Thursday July 19 2018, @08:05AM
> explain to the company's employee that they "lost" their SIM card, requesting their phone number be transferred
In my country you will be immediately, passionately and repeatedly asked to come into office to sign your new two-year contract for a new SIM card. You can keep your number, sure, just come and sign! Nothing will be done over the phone, too lucrative opportunity to miss.
I guess corporate greed gets in the way of scammers' greed.
(Score: 3, Interesting) by KritonK on Thursday July 19 2018, @08:18AM
In order to get a SIM card in Greece, you need to visit one of the phone carrier's stores in person and register yourself as the owner of that card, by displaying your ID card. Thus, if an identity thief tries to transfer someone else's phone number to his SIM card, the carrier will know that the owners of the two SIM cards are different, and refuse to make the change. Therefore, for this to work, an identity thief would have to steal your ID card and hope that nobody will look at the ID picture, and that the phone carrier's computer will not flag the stolen ID card as such.
In addition, to defeat two-factor authentication using your cell phone for, say, Internet banking, a thief would also have to somehow learn your Internet banking login name and password. While achieving all of the above is not completely impossible, it is quite unlikely, making Internet banking a lot safer using a cell phone for two-factor authentication than without it.
(Score: 0) by Anonymous Coward on Thursday July 19 2018, @01:07PM (1 child)
I still believe it is much more secure than having no two factor at all. Does this article provide evidence otherwise? (I don't want to click it after reading that summary.)
(Score: 3, Informative) by EvilSS on Thursday July 19 2018, @01:28PM
(Score: 0) by Anonymous Coward on Thursday July 19 2018, @02:27PM
or can we just admit '2 factor' is dead and is only being used to collect yet another data point from people