Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Security Technology

Criminals Are Tapping Into the Phone Network Backbone to Empty Bank Accounts (vice.com) 52

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself. From a report: This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank -- the UK's Metro Bank -- that fell victim to such an attack. The news highlights the gaping holes in the world's telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK's signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.

"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," The NCSC told Motherboard in a statement. "Some of our clients in the banking industry or other financial services; they see more and more SS7- based [requests],â Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. "All of a sudden you have someone's text messages."

This discussion has been archived. No new comments can be posted.

Criminals Are Tapping Into the Phone Network Backbone to Empty Bank Accounts

Comments Filter:
  • by Stormy Dragon ( 800799 ) on Thursday January 31, 2019 @02:34PM (#58051642)

    They're not personally being held responsible for the losses and they're not going to lose business to the other phone company for providing crappy service.

    • by Anonymous Coward

      They really can't fight the standards. I don't think SMS has ever been encrypted at any point anyway. Banks should be able to circumvent this issue by requiring their clients to use authentication smart phone applications with end-to-end encryption, if separate authentication devices or one-time code pads don't make economic sense anymore.

      • by dgatwood ( 11270 )

        A cell phone is not a good second factor, period. All it takes is one security bug in the operating system, and boom, your authenticator app just got its private keys stolen, and now someone can impersonate you. Worse, with a little luck, the attackers get the passwords for all of your accounts at the same time.

        What we need is for all the banks to standardize on an NFC-based wallet card that lets you add new keys for additional bank accounts, but that is otherwise isolated from the public Internet except

  • And this is why.. (Score:3, Insightful)

    by steveb3210 ( 962811 ) on Thursday January 31, 2019 @02:35PM (#58051650)

    The fucking president of the United States shouldn't be using a fucking iPhone.

    • The fucking president of the United States shouldn't be using a fucking iPhone.

      I take it you're one of the people who think that The Donald is using an off-the-shelf i{hone, instead of one that's been brought up to NSA standards? If so, I suspect you are...mistaken....

      • by steveb3210 ( 962811 ) on Thursday January 31, 2019 @02:41PM (#58051682)

        https://www.nytimes.com/2018/1... [nytimes.com]

        The last I checked, yes... Whats your source?

      • by gtall ( 79522 )

        C'mon, Trump use a NSA standard device? He'd think they were trying listen in or poison him. He's using a bog standard iPhone and no one the federal intelligence agencies are stupid enough to trust him with anything valuable.

  • by Anonymous Coward on Thursday January 31, 2019 @02:39PM (#58051672)

    So, was this supposed to be a backdoor accessible only to "the good guys"? And now the bad guys are using it?

    I'm shocked! Shocked, I tell you!

    • No. This went like SMTP. "Only other telephone companies who are allowed to tweak settings and know what they are doing can connect to the signaling network anyway, so we don't need any security here" (Signaling protocols are around since the firts phone call wasn't routed by an operator on a switchboard but routed digitally)

      But then at one point every country was switching to digital call routing and now every small Lampukistanian telco is allowed to send routing commands that have world wide effects.

      But e

  • This is the problem: (Score:5, Informative)

    by QuietLagoon ( 813062 ) on Thursday January 31, 2019 @02:56PM (#58051738)
    ... intercepting SMS text messages used as 2-Factor Authentication (2FA), ...

    .

    SMS should not be used for 2FA. Full stop.

    • SMS should not be used for 2FA. Full stop.

      SMS should not be both factors in 2FA. That's what the '2' means -- two DIFFERENT factors. The whole reason for 2FA is so that someone cannot spoof or intercept one of the two and get access to the resource.

      • by lgw ( 121541 ) on Thursday January 31, 2019 @04:06PM (#58052050) Journal

        No. It's so weak that it doesn't count as 1 factor. This has been true for years. The first exploits in the wild of MitB + SMS hack happened years ago. Any organized crime group that can hack your browser can be assumed to also be hacking SMS.

        Plenty of other 2FA approaches actually work. Especially those that (gasp!) don't use a phone (a mobile sack of vulnerabilities).

        • by Anonymous Coward on Thursday January 31, 2019 @04:19PM (#58052128)

          It's so weak that it doesn't count as 1 factor.

          The reason it doesn't count as a factor is not because it is weak.
          In multi-factor authentication acceptable factors are:
          * something you have
          * something you are
          * something you know

          Text messaging is neither of those. It's just a different authentication channel.

          • SMS counts as "something you know."

            When your bank sends you a security code via SMS, you "know" the security code. This, combined with your password, constitutes two factors.

            OR if the bank sends you an email with a link to reset your password, and they then send you a SMS with a code, you also have two factors: the emailed link containing a token, and the SMS code.

            Both of these methods are more secure than a user name and password alone.

      • by sjames ( 1099 )

        That's the problem. Phishing gets the password, then SS7 shenanigans get the 2nd factor. It's happened often enough that it's time to find something better.

  • That is the only logical conclusion.

    The bastards who set up the online systems have only partially thought out security.

    • And where exactly on earth can you put money, that is not accessible online? Under your mattress?

      Security will always be an arms race. No one has "thought out" every last possible security loophole. Many haven't even been invented yet.

      Like safeguarding your house, you don't have to have an impenetrable fortress. You can't afford it. But you can make your house "just a little" more secure than the neighbors, encouraging a thief to go somewhere else.

      Online security is no different, and never will be.

  • Why does my twitter account have better security than my BANK?! Bank of America only supports SMS authentication, and that is only to a long list of every phone number associated with my account. I cannot restrict it to just one phone number such as a Google Voice phone set up just for security. I asked a rep about Two-Factor-Authentication and she said "I never heard of that, what is it?"

    It is mind boggling. My money has less protection that my throw away forum accounts.

    Also, shout out to Vanguard, who has

Wherever you go...There you are. - Buckaroo Banzai

Working...