
SS7 cellular network flaw being exploited to drain bank accounts - natcombs
https://www.techdirt.com/articles/20190131/10492341502/ss7-cellular-network-flaw-nobody-wants-to-fix-now-being-exploited-to-drain-bank-accounts.shtml
======
otterley
(2019)

------
_salmon
Should probably add a (2019) tag. This isn't exactly recent.

------
goihoiholi
Much of the 5G progress happens in the core network and network interconnects.

As far as I remember, there will be some sort of "layered" encryption. The
innermost layer is the user's payload, end-to-end encrypted between operators.
Each service provider (responsible for transporting the data) adds patches
with modifications and a signature by the service provider.

Not sure if that actually made it into the standard yet. I think the
motivation is that roaming requires cost-effective routing, fraud detection, ...
so there's a whole business ecosystem around that.

Long story short: I think people _are_ working on this.

~~~
microcolonel
> _Much of the 5G progress happens in the core network and network
> interconnects._

It's a bit silly to wait for a completely different radio transport before
thinking of carrier and backhaul improvements, which are almost completely
orthogonal.

> _Long story short: I think people are working on this_

Given the specifics of the sorts of flaws in these network standards, it's
hard to come away feeling that they were anything short of intentional. I get
the impression that “working on it” more or less amounts to _improving
plausible deniability_ by making the backdoors less obvious.

~~~
goihoiholi
> It's a bit silly to wait for a completely different radio transport before
> thinking of carrier and backhaul improvements, which are almost completely
> orthogonal.

Development on radio access and core network does indeed happen in parallel,
and as far as I know, the core network overhaul was not delayed to wait for
the radio-layer.

But marketing-wise, the radio-layer is what makes the phone show a 5G icon.

------
exabrial
Telecoms are not hardened against phishing attacks and are some of the most
dinosaur-centric industries. Please, and I ask very nicely, if you work for a
tech company, do everything you can to fight implementing SMS as an
authentication factor. It's not private, not authenticated, has no delivery
guarantees, and is easily spoofed, easily intercepted, and easily forged.

One only has to look at Jack Dorsey getting jacked to prove this is an
inevitability for every single one of your users.

~~~
bcrl
SS7's security model is basically the same as BGP. Peers assume they can trust
one another. The cost for entry here in Canada is about $50,000. Pay that to
the incumbent telco and you can basically have an SS7 connection of your very
own, and announce cell phone numbers to the rest of the world.

Electronic Funds Transfer is similarly based on trust. I can withdraw funds
from any bank account just by knowing the account number. The only incentive
is that you don't want to lose your account, but once you've been through the
process of setting things up, it's quite easy to see how the system could be
gamed.

Maybe someday we'll be able to trust the underlying protocols our lives are
built on top of.

------
rootsudo
There are so many fun things you can do w/ telecom networks that it's a bit sad
to see the phreaking community dead nowadays or relegated to just "modifying"
ROMs.

You could enable any phone to be a receiver for SMS and literally see the
network traffic around you on the SMS paging channel. The phone's real-time
operating system actually discards messages that do not match your number (to
put it at a very, very high level).

[https://silo.tips/download/exploiting-open-functionality-in-...](https://silo.tips/download/exploiting-open-functionality-in-sms-capable-cellular-networks)

Also, great reads if you can find them: Qualcomm standard PDFs.

~~~
doctorshady
Dead!? I know not of what you speak, sir :D

[https://pastebin.com/QhTPLGfg](https://pastebin.com/QhTPLGfg)

[https://shadytel.su/files/necsploits.htm](https://shadytel.su/files/necsploits.htm)

~~~
solstice
... that .su TLD

~~~
doctorshady
You jelly, comrade?

------
RcouF1uZ4gsC
> "In the case of stealing money from bank accounts, a hacker would typically
> first need a target’s online banking username and password. Perhaps they
> could obtain this by phishing the target. Then, once logged in, the bank may
> ask for confirmation of the transfer by sending the account owner a
> verification code in a text message. With SS7, the hackers can intercept
> this text and enter it themselves. Exploiting SS7 in this way is a way to
> circumvent the protections of two-factor authentication, where a system not
> only requires a password, but something else too, such as an extra code."

While SS7 does seem like a problem, I think the bigger issue is using SMS for
2FA.

Banks with local branch offices are especially well placed to do better. They
can offer Yubikey to their customers, and also since they can see customers in
person, they have a way to provision new ones if an old one gets lost
(customer comes in and shows government ID, etc).

~~~
delfinom
> While SS7 does seem like a problem, I think the bigger issue is using SMS for
> 2FA.

These are banks. It took them over a decade to only finally implement SMS 2FA.
It'll be another 2 before they implement U2F or TOTP.

Actually, shockingly, Vanguard offers U2F support which is quite the minority
for financial firms :D

Meanwhile, American Express still makes passwords case insensitive AND trims
the fucking lengths behind the scenes.

~~~
the-dude
These are US Banks.

In the meantime, I have been banking with a 'calculator' for over 15 years
which accepts my bank card, I enter the PIN and it spits out a code.

~~~
TheRealPomax
Same, except rather than "typing in the challenge number" it has an image
sensor that I point at my bank's login page after typing in my account and
card number, because it generates a 50x50 RGB challenge image.
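The card-and-PIN "calculator" and the challenge-image reader described in the two comments above are both challenge-response devices, which is what makes them resistant to the SMS interception the article describes: the code is computed on the card from a challenge the bank ties to the specific transfer, so a captured code cannot be replayed against a different transfer. The following is an added, simplified model of such a scheme (not code from the thread, the article, or any bank; real readers use EMV CAP, not plain HMAC-SHA256, and all keys, PINs and account numbers here are constructed):

```python
import hmac
import hashlib
import secrets
import struct
from typing import Optional

# Constructed values: the secret lives on the bank card and the bank keeps a copy.
# Neither the secret nor the PIN ever crosses the phone network, unlike an SMS code.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4321"  # checked locally by the card/reader, never transmitted


def response_code(secret: bytes, challenge: bytes) -> str:
    """8-digit code = HMAC-SHA256(secret, challenge), truncated HOTP-style."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def bank_issue_challenge(src: str, dst: str, amount_cents: int) -> bytes:
    """Bank side: a fresh nonce bound to the exact transfer being approved."""
    return secrets.token_bytes(8) + f"{src}|{dst}|{amount_cents}".encode()


def reader_sign(pin_entered: str, challenge: bytes) -> Optional[str]:
    """Reader side: the PIN unlocks the card, which then signs only this challenge."""
    if not hmac.compare_digest(pin_entered.encode(), CARD_PIN.encode()):
        return None
    return response_code(CARD_SECRET, challenge)


def bank_verify(challenge: bytes, response: str) -> bool:
    """Bank side: recompute over the challenge it issued; constant-time compare."""
    return hmac.compare_digest(response_code(CARD_SECRET, challenge), response)


def intercepted_code_is_useless() -> bool:
    """Model the article's attack: the attacker captures the code the customer
    produced for a legitimate transfer and tries to spend it on a transfer to
    another account. The code only verifies for the challenge it was computed on."""
    legit = bank_issue_challenge("ACCT-CUSTOMER", "ACCT-LANDLORD", 1250)
    code = reader_sign("4321", legit)
    redirected = bank_issue_challenge("ACCT-CUSTOMER", "ACCT-ATTACKER", 5_000_000)
    return bank_verify(legit, code) and not bank_verify(redirected, code)
```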

~~~
the-dude
I have one of those too (different bank) and it sucks because it does not
play well with F.lux.

~~~
ericbarrett
If you've got a keyboard, I believe you can use Alt+End to temporarily disable
f.lux, rather than having to clicky-click-click through the taskbar menus.
Doesn't work on a laptop, though. (Might only work on Windows as well.)

