
Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts - secfirstmd
https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
======
cenal
Someone stole 415-867-5309 from me by forging the port paperwork. My carrier
refused to do a port back.

I filed an FTC complaint and they couldn’t have cared less.

Phones are a broken system.

~~~
jackhack
Phone number hijacking is a real problem, especially with cell phones, and
thieves use it as part of an overall identity (and retirement fund) theft
approach.

For those who didn't catch it, that's a somewhat "famous" phone number.

In the 80s, there was a song by that name: "867-5309 (Jenny)" by the band
Tommy Tutone.
[https://en.wikipedia.org/wiki/867-5309/Jenny](https://en.wikipedia.org/wiki/867-5309/Jenny)

Neat tip: you can use your area code + this number in almost any system that
asks for a phone number (especially useful supermarket "loyalty" customer
tracking systems). If they ask for a name, just tell them "Jenny".

~~~
c22
> Neat tip: you can use your area code + this number in almost any system that
> asks for a phone number (especially useful supermarket "loyalty" customer
> tracking systems). If they ask for a name, just tell them "Jenny".

Do you actually do this? It hasn't worked for me most places I've tried it. In
a couple cases it froze/crashed their system. I always wondered what people
who legitimately have this number do.

~~~
jackhack
Yep, I use it all the time at the area supermarkets (works with no less than
four different chains).

I predict that someday soon, supermarkets will sell my food purchase history
to insurance companies, so when I buy loads of vegetables and such, I use my
real number. When I buy wine & bacon -- you guessed it: 867-5309.

Tip #2: They also link purchase records based on debit card account numbers.
So pay cash.

Tip #3: if the number doesn't work for your area code, try it with a different
area code. (The sysadmins sometimes purge a number that is being used by loads
of people.) Also, if you need to provide a zip code, Beverly Hills 90210 works
just fine.

~~~
welder
> I predict that someday soon, supermarkets will sell my food purchase history
> to insurance companies, so when I buy loads of vegetables and such, I use my
> real number. When I buy wine & bacon -- you guessed it: 867-5309.

That won't help, your purchases can still be linked to yourself with your
credit card.

~~~
lucasverra
With Apple/Google Pay, isn't this information NOT shared with the merchant, but
only a transaction token?

~~~
jackhack
So they say. But the data lives somewhere, and when it has enough value it
will be a commodity.

------
toothbrush
Slightly unrelated, but I'm fishing for suggestions.

I have a beef with my local Australian bank, the ING (of Dutch fame). Their
login system consists of your "customer number" (printed on the back of your
debit card) and a 4 digit numeric PIN. Yes, 4 digits. In 2019. To add a payee
to your address book the only auth that happens is over SMS; to actually
transfer money out of the account you can select any existing address book
contact with no further verification.

I like their product offering (cheapest / best in class locally) but this is
such a worry to me. I've repeatedly talked to their customer support about
this issue (and their Twitter is full of complaints about this) but they keep
giving canned responses and redirecting to their "Online Security Guarantee"
[https://www.ing.com.au/security.html](https://www.ing.com.au/security.html).
Any ideas how to get through to someone who understands what's going on,
before I grudgingly take my business elsewhere?

~~~
handzbagz
This seems pretty common with a lot of banks. I've got accounts with several
high street UK banks and almost all of them have some kind of reliance on SMS,
maximum password requirements (like 10 letters with no symbols) or 'secret
words' where you have to pick a few choice letters from a word which is
presumably kept in plain text.

I can only assume they are relying more on legal recourse and insurance than
data security experts and I assume that if a hack did happen I would be
reimbursed but it's a bit of a worry.

~~~
amaccuish
With Barclays you can rely solely on the card reader and disable login using
"memorable data". Lots of other banks in the UK offer card readers (off the top
of my head, Barclays, Nationwide, Natwest).

------
kevin_b_er
This is why we should all be paranoid over things like the Mobile
Authentication Taskforce and "Project Verify" where the US cell carriers are
colluding to form a new authentication/identification to replace passwords
with single-factor phone identification. We know our cell accounts are utterly
and woefully insecure, but expect this push to come in the near future.

~~~
zkms
> we should all be paranoid over things like the Mobile Authentication
> Taskforce and "Project Verify" where the US cell carriers are colluding to
> form a new authentication/identification to replace passwords with single-
> factor phone identification.

There's lots of infosec paranoia that is ill-based in reality, but I've got to
concur here. It's gotten so easy and uncomplicated to social-engineer a
fraudulent port / SIM swap that there's an entire cottage industry of bored
teenagers that do exactly that, in part to commandeer Instagram accounts with
coveted usernames.

Basing authentication/identification on an industry that's simultaneously
pathologically incompetent (fraudulent ports/SIM-swaps) and also grossly evil
(selling real-time locations of all their subscribers without their consent to
a phantasmagorically layered and non-auditable set of resellers and
intermediaries) when it comes to security is pure folly.

------
xfitm3
While I agree SMS based MFA is less than ideal the real issue is telephony
security. Weak security allows ANI spoofing, message interception (as seen
here), IMSI catching, and who knows what else.

I stopped picking up calls from unknown numbers since it's practically all
spam. It'll probably never be secure but I can dream.

~~~
Scoundreller
That’s great and all, until you’re applying for jobs. Or in sales/support. Or
just new to an area. Or have a child at day-care.

When I’m on-call and they spoof a similar phone number (same area and exchange
code), I gotta answer it.

~~~
lsiebert
Per Quora, area code 308 probably has the smallest population of any area
code, so getting a phone number based there and screening for 308 numbers
would probably work well.

Honestly, if Google Voice had a captcha system I could implement for non-contact
numbers, that would be sweet.

~~~
TheAceOfHearts
This is actually a feature on the Pixel 2 and Pixel 3: Screen your calls
before answering them [0]. When you activate it on an incoming call it'll play
a message for the caller, show you a transcript of their response, and allow
you to respond with a few canned messages of your own. The best part is that
it works entirely offline [1], so it doesn't require sacrificing your privacy.
It's incredibly convenient.

For a while I'd been receiving a ton of spam calls. Eventually I caved and
enabled "Filter spam calls" on my Phone app. Suddenly, all the calls stopped.
I ultimately decided that this was a worthwhile privacy tradeoff for me,
especially since I rarely use my phone. I only use it to occasionally interact
with businesses, and as a way for close family to reach me at a moment's
notice in case of an emergency.

[0]
[https://support.google.com/phoneapp/answer/9118387](https://support.google.com/phoneapp/answer/9118387)

[1]
[https://support.google.com/phoneapp/answer/9094888](https://support.google.com/phoneapp/answer/9094888)

~~~
golem14
Isn’t this a standard Google Voice feature for the last 12 years or so?

~~~
bestnameever
I don't think Google Voice showed you a transcript in real time or allowed you
to interact with the caller.

~~~
golem14
No transcript, but they play back the caller's introduction to you before you
decide to accept or ditch the call. Again, for the last 12 years or so. That
was one of the reasons Google acquired Grand Central and launched Google
Voice.

~~~
bestnameever
Yeah, they had that, but this is different, more interactive and something you
can decide to use while your phone is ringing. Google Voice currently does not
have a call screening feature like the one on the Pixel.

~~~
golem14
Well, GV is interactive by some definition, but awkward. You need to listen to
the headset to hear the caller's introduction, then type 1 to accept the call
or hang up and send the caller to voicemail.

Real time transcription would be much nicer, very true. GV is apparently on a
lifeline while Google is trying to push Fi. Just like Duo and Hangouts.

------
excalibur
Motherboard/Vice is trying to load another article at the bottom of this one,
but the one it wants to pull up is apparently MIA, and causes the article I
actually WANT to read to cut to a 404 before I can reach the end. If you must
shove additional content down our throats, can you at least make it a bit more
failsafe? #notagoodlook

~~~
pwg
With NoScript ([https://noscript.net/](https://noscript.net/)) blocking their
JavaScript I get the whole article, no attempt to load any other article, and
no 404 anywhere on the page.

------
walrus01
SS7 is fundamentally broken and nobody is ever going to fix it. It's based on
telcos all trusting each other in the year 1985. The sheer mass of installed
equipment that nobody wants to spend hundreds of thousands of dollars to
upgrade means that implementing authentication and security on top of SS7 is
never going to happen. Any extensions on top of SS7 that implement something
resembling proper security will thoroughly break backwards compatibility with
all old PSTN equipment.

If you use SMS or anything phone network related for 2FA you're doing it
wrong.

My job title has "network engineer" in it. It's time to simply disregard the
existence of the PSTN and move on to modern communications methods. By modern,
I mean things that are based on packet-switched IP networks, with software
applications using battle tested public/private key crypto implemented at
layers 4-7 in the OSI model.

~~~
philprx
Crypto attempts have been made, but now we're starting to see both industry
associations (GSMA) and open source (P1 Security SigFW [1]) working on
filtering and encrypting SS7.

If placed in front of the legacy equipment, that could enable operators to
gradually move toward signed+encrypted signaling traffic.

Problem is that this industry can be slow to react and would probably need
government/regulatory pressure to move faster.

[1] [https://github.com/P1sec/SigFW/](https://github.com/P1sec/SigFW/)

~~~
spc476
I work at a company whose customer is the Phone Company. As I complained to my
manager, "We may have a two-week sprint, but the Phone Company has a two-year
sprint."

~~~
C1sc0cat
:-)

Well, back when I worked for BT they had quarterly sprints, but this was for
things like major changes to the entire system.

------
empath75
The entire security model of the PSTN is just broken. It's not just SS7, it's
stingrays, caller id, robocalls, porting numbers, etc, etc. It's time to
deprecate the entire system.

------
gruez
How are bad actors getting access to SS7? Is SS7 being transported over public
IP networks and subject to intercept? Are they bribing/hacking telecoms
themselves?

~~~
DanielDent
At one point, one of the attack vectors was said to be by spoofing or
otherwise manipulating traffic to/from a wireless femtocell. The same wireless
femtocells that many operators will gladly sell or give to you for free or
very little $.

I don't know how effectively that strategy still works today, but I think it
speaks to the significant degree to which the phone system is completely
insecure and untrustworthy by design.

------
dsfyu404ed
30 years ago only the big nations could do this. 15 years ago most nations could
do this. Today organized crime or well-funded companies can do this. 10 years
from now small-time criminals will be able to do this.

Technology trickles down really well.

This is just another instance.

~~~
gammateam
Small-time criminals have been doing this for years? I guess it's so lucrative
that they aren't considered small-time after executing it on a useful bank
account.

It's rampant on Instagram, which introduced non-SMS OTP just a few months ago
after everyone figured out their negligence was just to data mine phone
numbers.

------
joshe
Wow, I really thought we were still at the social engineering scale
(convincing the guy in the cell shop).

Does anyone know if Google Voice texts are also subject to this kind of
attack? In the sense that they have to honor SS7 rerouting commands or
anything like that.

~~~
techsupporter
Google Voice is, by and large, just* using Bandwidth.com's API to send and
receive SMS. The same attacks still work though it is marginally harder to
forcibly port or steal a number from a Google Voice account because Bandwidth
passes the port auth request onward to Google for approval.

Point being, Google Voice is not a telco on its own. They rent underlying
access, of sorts, and that access still relies on SS7.

* For suitably large values of "just."

~~~
rufugee
What about using a service like Twilio to receive texts?

~~~
rsync
This will not work. A Twilio number cannot receive messages from a short code.
Almost every single two-factor authentication code from a bank or other
institution comes from a short code. No number you receive or port into Twilio
is classified as a mobile number, so they cannot receive messages from short
codes.

I spoke to engineers from Twilio at the 2018 Signal conference and they
confirmed - there is no technical limitation, but they would have to do a lot
of work and deal with a lot of spam issues if they allowed their numbers to be
classified as "mobile" and able to receive SMS from shortcodes - and they are
declining to do that for now.

So whether you source a new number from Twilio or port in an existing mobile
number, once it hits Twilio it is no longer a mobile number. Yes, you can
receive SMS/MMS from "normal" numbers just fine.

------
welder
When [https://n26.com](https://n26.com) launches in the US they could prevent
this attack, unless they fool customer support somehow. In the EU they have
non-SMS based 2FA and optionally send a push notification for all
transactions.

Also, I'm looking for a bank that blocks all debits/transactions/transfers
unless pre-authorized via app. Anyone know if that exists?

------
sonnyvan
Yikes! Banks need to start supporting other 2FA methods such as TOTP or U2F

~~~
LinuxBender
Some do, but their backend systems are still vulnerable. Most folks here on HN
would not believe me if I said that many of the back-end systems do not use
encryption. There are still many automation jobs that use clear-text FTP on
the WAN and for some jobs, even across the internet.

~~~
walrus01
You think that's bad, huge banks are still doing this shit:

[https://www.reddit.com/r/canada/comments/978l87/bmo_web_bank...](https://www.reddit.com/r/canada/comments/978l87/bmo_web_banking_is_still_incredibly_insecure/)

[https://en.wikipedia.org/wiki/Bank_of_Montreal](https://en.wikipedia.org/wiki/Bank_of_Montreal)

Here's the password requirements for Coast Capital Savings:

[https://www.reddit.com/r/VictoriaBC/comments/92e7cf/coast_ca...](https://www.reddit.com/r/VictoriaBC/comments/92e7cf/coast_capital_passwords/)

[https://en.wikipedia.org/wiki/Coast_Capital_Savings](https://en.wikipedia.org/wiki/Coast_Capital_Savings)

------
theseatoms
Meanwhile, Twilio is raking it in on the back of this broken system.

~~~
rsync
Can you elaborate? How does Twilio benefit specifically from these
vulnerabilities in SS7?

------
philjohn
And this is just another reason why SMS based 2FA is fundamentally broken.

I bank with Barclays in the UK and they give each of their account holders a
PinSentry device. This is a physical device that you have to insert your card
into, and then enter your PIN code to unlock; you then use it to sign/verify
transactions that you are trying to make.

Don't have access to the PinSentry device? Guess who can't add a new transfer
recipient.

~~~
handzbagz
The chink in the chain for Barclays though is their mobile app on-boarding
that relies on bank account information and SMS authentication which turns
your phone into a PinSentry too.

Don't get me wrong, Barclays probably does it better than anyone else but I
was surprised when I set up a new phone recently.

~~~
philjohn
That's odd - when I installed the iOS app I either had to get a one-time-code
by using a Barclays ATM, or by identifying with my physical PinSentry device
...

------
foobiekr
Since it is tax time, when people normally discover their accounts have gotten
locked by people trying their account name and passwords from the endless
stream of credentials thefts, I would observe that there are several
brokerages which will issue a brand new password and read it to you over the
phone without a single challenge (even the useless public records questions)
if the ANI on the inbound call is correct.

------
manjana
People have lived happily alongside this vulnerability for decades. There's
also a pretty cool CLI application called SS7MAP for pentesting which is not
quite that old (a year perhaps); I haven't gotten around to trying it yet. I
had forgotten. Interesting stuff. And this is exactly why you often hear the
phrase "you shouldn't rely on 2 Factor Auth."

------
tonyquart
I've heard about such scams for years at sites like
[http://whycall.me](http://whycall.me) and other similar sites. People
should be aware of these kinds of scams by now. Keeping spreading the word and
informing our families about them is the key.

------
baybal2
A popular attack these days is usage of fake roaming requests. They require
nothing except knowledge of your IMEI, and IMEIs can be bought in bulk online
from Android app devs.

That's how British MPs were, allegedly, pwned en masse in 2016.

~~~
philprx
Are you sure you're not mixing up IMEI (identifiers of hardware handsets and
end devices, which can often be reflashed) with IMSI (identifiers on the SIM, and
therefore the number and subscription associated with the SIM (simplified
description))?

You don't need to "buy", but you need to FIND, the IMSI of the target you're
going to do fake roaming (fake Location Update) request on. This is most of
the time doable.

~~~
baybal2
I did, thanks for correcting me.

------
StreamBright
I am glad my bank does not use phone numbers for anything. 2FA works with a
special device that is not on GSM networks, for identification they use other
means (not including the phone number).

------
samstave
Off topic: how much defunct/dormant telco infra has been left lying around
which could be put to use? Are old copper lines between cities still there?
Old-mode fiber?

------
umanwizard
Other than hoarding gold (edit: or cryptos, or anything similar), what is the
best way to make sure my net worth doesn't just go to zero from one day to the
next?

~~~
solotronics
Cryptocurrencies. It's pub-priv key security for money.

Hardware wallets are really cool, e.g.:
[https://wiki.trezor.io/FAQ:Overview](https://wiki.trezor.io/FAQ:Overview)

~~~
sgarman
Seems like a heavily volatile way to store your "net worth."

~~~
gammateam
I guess it is ironic that stablecoins are probably the most secure way to
store your money.

Crypto security, usually legacy underpinnings, no volatility.

------
n2j3
text-version: [https://termbin.com/9w1q](https://termbin.com/9w1q)

------
purplezooey
I bet the 1A2 key system was harder to hack.

------
newnewpdro
Using SMS or smartphones in any capacity for 2FA is dumb.

