Wednesday, May 10, 2017

A text message from your bank is not secure

I'm a big fan of "Two-Factor Authentication" (2FA) - where in addition to a password you use a second, independent check to add security.  Passwords have been under attack for years and years, and 2FA makes a stolen password worthless.  This is a big security win.

Many organizations send an SMS text message to your phone with a short number for you to enter after your password.  It's a really convenient way to provide 2FA, and it has become important for things like online banking.

The problem is that hackers are now sending fake SMS messages:

Financially-motivated hackers are using SS7 attacks to break into bank accounts.

It has finally happened.
For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors.
But on Wednesday, German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts.
Oh, foo.  There's no authentication in SS7 signaling, and so there's no authentication of the text message either.  If someone has your phone number and can inject SS7 signaling into the telephone network, they can send a text message that appears to come from your bank.  More importantly (and this is what seems to have been used here), they can cause the victim's texts to be delivered to any old device they choose - that is where they steal the codes.

Unfortunately, there's no solution yet.  Watching your bank account closely is about all you can do.


Unknown said...

Aside from the physical bother of carrying the hardware-based authenticators, what is your take on that as a 2FA method? I seem to recall some sort of issue with them 4-6 years ago.

Borepatch said...

There is a set of hardware devices (and software versions you can install on your phone), but these are expensive. Because of the cost, they are niche products.

I don't know that there is a good mass market solution to replace SMS.

Matt W said...

Yikes! Turn off 2FA temporarily? I'm not even sure most banks offer regular consumers 2FA options other than SMS.

Anonymous said...

Google, and some banks, offer the choice between a voice call and an SMS message. I'd think spoofing the voice call would be harder, but I doubt even that is foolproof.

LindaG said...

I do not bank on my phone, plain and simple.
FB does not get my phone number. There is some government or official website that uses my number, but I had no choice with that, and it is not related to my bank account.

It unnerves me that financial institutions think it is such a great idea to do all that stuff on your phone.
Aside from the hacking, it is just too easy to lose a phone.

Appreciate this information. Thank you.