
Thieves drain 2FA-protected bank accounts by abusing SS7 routing protocol - Dowwie
https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/
======
kevin_b_er
SMS is not a secure 2nd factor. It is subject to not only technical attacks
such as the one in the article, but also a wide variety of social engineering
attacks. Getting cell phone reps to compromise a cell phone account is
apparently not hard, and has been used many times to take over online
accounts.

~~~
cbhl
SMS as a 2nd factor represents an engineering trade-off. Prior to its
introduction, the only people who had access to 2FA were people who got $60
tokens from RSA. It blocks against certain classes of attacks, but is
vulnerable to others (like malicious or insecure carriers).

Now, Apple users can use their fingerprint as a 2nd factor (e.g. for Apple
Pay), but fingerprints have the unfortunate property of not being rotatable if
compromised.

And there are FIDO U2F security keys, but you still need to issue $18-$50
tokens to each user, and you need host application support.

~~~
bostik
> _fingerprints have the unfortunate property of not being rotatable if
> compromised_

Coworker has a wonderful term for this. He calls fingertips "amputationware".
It really drives the point home.

But there is another very good reason to avoid fingerprint auth methods. The
scanners are by design doing some level of fuzzy matching, so if/when[0]
someone finds a way to generate an input that reproduces the signal pattern
from the reader well enough, it can be fooled. (Yep, done already.)

My personal take on fingerprint authentication is that they are not passwords.
They are usernames.

0: [http://engineering.nyu.edu/press-releases/2017/04/10/so-you-...](http://engineering.nyu.edu/press-releases/2017/04/10/so-you-think-you-can-secure-your-mobile-phone-fingerprint)

~~~
Eridrus
Fingerprints can certainly be "amputationware" if you refuse to give up your
passcode and your threat model has a credible threat of amputations.

For most people, having their unlocked phone snatched out of their hands on
the street[0] is a far more credible threat and somehow we don't have everyone
saying you shouldn't unlock your phone outside.

[0] [https://www.theverge.com/2016/12/2/13819288/uk-police-encryp...](https://www.theverge.com/2016/12/2/13819288/uk-police-encryption-mugging-seized-phone-scotland-yard)

------
Latty
Banks here in the UK use your chip & pin based card as a second factor (or
rather, as the two factors - the chip you have, the pin you know) - they give
you a little card reader that can use the card and pin to provide a 2FA token
for logging in or sign requests to send money.

It's a much better system. Of course, some banks don't use it to its full
potential - many use it only for signing money transfers, but it's still
pretty good. The readers are also cheap and standardised, so you can use any
one of them for any account, which is useful.

~~~
inyorgroove
I have always been curious, do those devices work on linux?

~~~
blibble
They don't attach to the PC at all; they are a simple standalone device you put
your card into.

they look like this:
[http://l7.alamy.com/zooms/04452dfd35964790b44ee6514745de5c/n...](http://l7.alamy.com/zooms/04452dfd35964790b44ee6514745de5c/nationwide-building-society-digital-banking-card-reader-with-visa-byep9y.jpg)

to transfer money you enter your PIN, then the target account number and
amount to transfer, and it gives you a code you type into the browser

------
danjoc
Last July, NIST called out SMS 2FA as insecure

[https://www.schneier.com/blog/archives/2016/08/nist_is_no_lo...](https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html)

Second comment: _SMS should have been removed long time ago considering the
SS7 problems. Better to use a secure token._

Is the bank taking responsibility and covering the loss for their customers?

~~~
runeks
> Is the bank taking responsibility and covering the loss for their customers?

I think they should be required to. Although, isn't it possible that the sum
of withdrawn amounts could be so large that the bank simply can't cover the
loss, thus making it insolvent?

~~~
jessaustin
Haha there should be a rule about double-checking transfers that could break
the bank.

------
ismail
The problem with SS7 is that trust is assumed. Mobile carriers that have
roaming agreements will have either a direct link or via a hub. So what
happened here was the network of the foreign roaming partner was used to
redirect the SMS traffic on the victims carriers. Would not be surprised if it
was an inside job.

With SS7 you can do fun things like query the last location update/logged-in
base station for a mobile phone; because of roaming, carrier X can query for
customers on carrier Y in another country. If you link up to one of the
roaming hubs you can pretty much get the location of anyone with a mobile
phone. Feature phones included.

~~~
lawl
@baybal2 you are shadowbanned. Only people with "showdead" on can see your
comments. You should probably make a new account.

~~~
baybal2
I am fully aware of that. My hope is to have HN people remove my ban.

------
kwhitefoot
The headline makes it sound as if abusing SS7 was all they needed to do but in
fact they had to have the other factor as well so it really is not quite as
scary as it at first appears. It also seems from the article that the thieves
were able to log in to the accounts with just a password and only needed the
SMS to sign transactions.

It's different here in Norway; the banks require two factor authentication to
log in as well as signing transactions.

I don't claim it's perfect but at least no one can log in unless they control
both factors.

~~~
runeks
> It also seems from the article that the thieves were able to log in to the
> accounts with just a password and only needed the SMS to sign transactions.

This "feature" was enabled by default for my Danish online bank as well. I've
since disabled it.

------
ryanmarsh
Phreaking, the cutting edge way to commit computer fraud in 2017.

Who would have guessed?

~~~
twothamendment
Now where did I put that whistle? I thought it was right next to my red box?

------
matt_wulfeck
I'm still a little irked that Google constantly reminds me to add a phone
number as a backup for my email account. I already have google push login,
OTP, as well as backup codes.

This proves that the phone can be more a liability in the face of much better
technology.

------
idlewords
Here's a guide for how to set up SMS-free two-factor authentication on your
Gmail account. It will cost you $18; if that's a hardship, contact me.

[https://techsolidarity.org/resources/security_key_gmail.htm](https://techsolidarity.org/resources/security_key_gmail.htm)

~~~
gruez
You dont even need to buy a $18 hardware token. You can use a software TOTP
token (ie. google authenticator)

~~~
cbhl
So long as you never switch or factory reset phones, because Google
Authenticator, by design, never reveals the private keys. (I've locked myself
out of accounts because I broke my phone and had to get a new one.)

Also, do you really trust your Android phone with your TOTP private key? How
do you know there isn't malware running on it as root?

~~~
otterley
Google Authenticator provides a list of backup codes that you can print and
put in your wallet, or store as a secure note (e.g. in 1Password):
[https://support.google.com/accounts/answer/1187538?hl=en](https://support.google.com/accounts/answer/1187538?hl=en)

~~~
ovao
Google provides backup codes, not Google Authenticator. Each service you add
to your Authenticator keychain will have its own backup codes, if any.

~~~
otterley
Yes, thanks for the clarification.

------
codewithcheese
Namecheap only supports SMS 2FA. They have been suggesting they will support
Authenticator for years now [https://blog.namecheap.com/two-factor-authentication/](https://blog.namecheap.com/two-factor-authentication/)

Pretty unacceptable considering how important domain control is.

~~~
joering2
+1. You find horror stories even on HN in the past how reckless Namecheap is.

I personally had my domains put on hold, frozen without traffic being routed to
my servers, when my ex-gf chatted with them, gave my username (no password) and
claimed it was her account because obviously she knew my full name and the
address where I live. While they didn't give her access to my account, they sure
froze my domain for about 5 days until everything got solved.

Not long after I moved to NameSilo.

~~~
Karunamon
Holy _crap_! I'll keep that in mind next time my registrations are up. This
combined with their unwillingness to make proper 2FA a priority (a tweet told
me they were 'setting up the infrastructure' 3 months ago) is a strong signal
to look elsewhere.

------
hinkley
Isn't this the old "SMS is not 2FA, stop calling it that" argument?

~~~
orclev
Yep. Everyone has been saying SMS is _not_ a secure channel for forever now,
and this is only one of _many_ possible attacks that can be used to trivially
bypass SMS based auth. It's sad but true that in general banks have some of
the weakest security on the internet, most online games do a better job
protecting user accounts from unauthorized access.

~~~
zxcvbn4038
The banks didn't get the memo from NIST and if anything they are getting worse
- they are actually ramping up their use of callback and SMS authentication.
Last month I had several apps force an SMS authentication because I hadn't
logged in since paying bills the prior month. One app disabled Touch ID and
forced an SMS auth before I could log in again. One bank locked me out of my
account entirely because you can't log in or contact customer service without
receiving an SMS code (no voice option), but their system refuses to send SMS
to my number.

It would be great if the banks supported TOTP and U2F keys (or if they managed
passwords correctly and didn't limit the length or force absurd character
recipes).

I once applied for a job at a top 3 bank's IT security area and on the way to
the interview room I noticed that every single desk had a well worn copy of
Computer Security For Dummies. I think that may be the root cause of all
banking security problems right there.

~~~
techsupporter
> One bank locked me out of my account entirely because you can't log in or
> contact customer service without receiving an SMS code (no voice option), but
> their system refuses to send SMS to my number.

I have this problem with one of my credit card issuers (not the two I
mentioned elsewhere in this thread) and they're going to lose me as a customer
as a result. I can't log into any online banking without receiving a phone
call or SMS and I'm prompted to enter a number at which I can receive such a
thing. The problem is, I am entering the number that I _know_ the bank has but
entering that number--or any other number I own--is met with "hmm, it doesn't
look like that number belongs to you." Of course it doesn't considering my
mobile phone service is paid for through my LLC and this is a personal credit
card account.

When I tried calling them, I'm told that, again, I need to verify myself with
an SMS and, no, the number I have used for a decade is not sufficient.

At least they've now returned to mailing me paper statements. Once I've
verified that my last automatic payment has moved away from them as of next
month, the card gets canceled. If I can't cancel by phone, I'll cancel by
mail. If I can't cancel by mail, I'll just leave it in a drawer and watch my
mail for any new statements until the card is canceled for inactivity.

------
zyx321
The Sueddeutsche article claims that German customers were affected too. Most
German banks I know of support TAN-generators[1] which are completely
unhackable by any known methods. Insert your card, scan the barcode on your
screen, confirm the target IBAN and amount, and you get a unique TAN that is
calculated from your transaction parameters.

[1] [https://www.amazon.de/ReinerSCT-Tanjack-chipTAN-SmartTAN-Tan...](https://www.amazon.de/ReinerSCT-Tanjack-chipTAN-SmartTAN-Tangenerator/dp/B00QUVVA3O)
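The UK card readers described further up the thread and the German chipTAN generators described in this comment share one property: the code is computed over the transaction parameters (destination account, amount, a counter), so a code captured by an attacker, or one generated for a transfer the customer confirmed on the reader, does not verify for a different destination or a replayed counter. The following added example (not from the article, the thread, or any bank's or reader vendor's implementation, and not the real EMV CAP or chipTAN algorithm) illustrates that principle with an HMAC-SHA256 over a constructed card secret; all names, the secret, the IBANs, and the 6-digit truncation are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed card secret for the example only; on a real reader the key
# never leaves the chip card, and the reader only relays challenge/response.
CARD_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef")


def transaction_code(secret: bytes, dest_iban: str, amount_cents: int,
                     counter: int, digits: int = 6) -> str:
    """Hypothetical transaction-bound code: HMAC over (destination, amount, counter),
    dynamically truncated the way RFC 4226 HOTP truncates its MAC."""
    msg = dest_iban.encode("ascii") + struct.pack(">QQ", amount_cents, counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bank_verify(secret: bytes, dest_iban: str, amount_cents: int,
                counter: int, submitted: str) -> bool:
    """Bank side: recompute the code from the transfer it is actually being asked
    to execute and compare in constant time."""
    expected = transaction_code(secret, dest_iban, amount_cents, counter)
    return hmac.compare_digest(expected, submitted)


def demo():
    """Returns (honest_ok, tampered_ok, replayed_ok) for three verification attempts."""
    dest = "GB00BANK00000000000001"   # constructed destination account
    code = transaction_code(CARD_SECRET, dest, 12_500, counter=7)

    # 1. The transfer the customer confirmed on the reader verifies.
    honest = bank_verify(CARD_SECRET, dest, 12_500, 7, code)

    # 2. Malware in the browser swaps the destination after the code was
    #    generated: the bank recomputes over the new destination and rejects it.
    tampered = bank_verify(CARD_SECRET, "GB00EVIL00000000000099", 12_500, 7, code)

    # 3. Reuse of an old code: the counter has advanced, so it no longer matches.
    replayed = bank_verify(CARD_SECRET, dest, 12_500, 8, code)
    return honest, tampered, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The defensive point is that the second factor signs *what* is being done, not just *who* is doing it; an SMS code, by contrast, is a bare one-time value that authorises whatever transfer the session currently holds, which is exactly what the SS7 redirection in the article exploits.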

~~~
closeparen
Yeah, here in the US you just tell the company billing you your account number
and hope they don't abuse or leak it.

------
mdekkers
My bank's 2FA literally comes on a piece of paper. A set of numbered codes,
and the banking app/site tells me which code to use for any given transfer.

~~~
distances
Yea, I have the same from two different banks. For me this seems to be the
obvious 2FA solution, but comments here are mostly about elaborate technical
approaches. Is there something I'm missing?

~~~
mdekkers
I was really surprised, and the first time I came across this. I gave it some
thought, and concluded I am more comfortable with this solution over anything
technical.

------
finnn
When I asked (via Twitter) if my credit union would provide a secure 2FA
option, they told me:

> We're always on the lookout of how we can keep our members' accounts secure.
> Right now, the Mobile Texts are FFIEC compliant.

~~~
blacksmith_tb
As long as that means your funds are insured and will be replaced after
they're stolen via SMS phreaking, I suppose that's not the worst answer they
could have given you. Though I wonder how long it would take to get the
replacement funds...

~~~
finnn
I wonder how you would prove that a given transaction was fraudulent, and
how much of a hassle that would be? And of course, that's assuming someone
notices the transaction. If it was small enough, it could probably go
unnoticed.

------
stcredzero
_In August, Lieu called on the FCC to fix the SS7 flaws that make such attacks
possible. It could take years to fully secure the system given the size of the
global network and the number of telecoms that use it._

One of the newly discovered great sins of the early 21st century, is to
disseminate insecure code. Before the public became widely aware of chemical
pollution, I'm sure many polluters thought themselves innocent and
environmentalists as pernicious busybodies.

------
cyberferret
Another feather in the cap for a dedicated 2FA solution such as Google
Authenticator etc. that doesn't use SMS?

Though having replaced two phones since using that solution - it can be a pain
to have to re-set it up with each provider every time. I can see that if
someone is prone to losing their phone, it will become a major issue.

I think the problem is that all the companies whom I use 2FA for have totally
different methodologies for re-setting it up on a new device. Whilst some have
an automated way of verifying my identity and resetting the new device almost
instantly, I have had a couple that needed talking to a human support rep
(inconvenient, but understandable) and one company that needed another
employee in the company to do a full 2FA verification themselves, and then
talk to a company support rep on my behalf to verify my request to reset my
2FA settings! (WTF).

Thus, each time I replace my phone, I find myself actually culling the number
of services where I use 2FA purely because it was too much of a pain to go
through the reset process, and it was actually easier to drop 2FA with them
altogether (or in one case actually drop the service altogether).

~~~
rbolkey
There are some more friendly options than Google Authenticator if it's a
hassle to keep setting up over and over.

I keep my 2FA in 1Password, and it works pretty well. I can access the codes
from the desktop app without getting out my phone, or from my phone or tablet
if I'm mobile.

The only scary issue is that all that information is encrypted in Dropbox. And
I use 2FA on Dropbox! Hello cyclic dependencies! As a result, Dropbox is the
only 2FA that I don't store in 1Password.

------
riobard
So SS7 is like BGP where you can just announce your number/IP block?

~~~
baybal2
You can announce "this IMEI roams through me" to the original carrier. Some
operators have some safeguards to prevent a locally active IMEI from being
roamed; sometimes it is possible to have traffic routed both ways if they don't.

------
DBNO
Edit: I had an idea for an improved sms 2fa, but comments gave persuasive
reasons why google authenticator was better. Thanks for the comments!

Idea basically is a 3FA system where bank sends you a one-time 6-digit number.
You then have to translate that number using a user-seeded cryptographic hash
function. This secret function is your third factor which translates the
received SMS code into the value you'll input at login.

Analysis: Security would increase; but ease-of-use would decrease, especially
in regards to how a user would reset their password if they lose both their
password and their program that calculates the cryptographic hash.

~~~
cwt137
2FA is already a hassle for users. Now you want to make them do math too? This
is not a solution. Just don't use SMS at all. Google Authenticator is a better
solution than yours.

~~~
DBNO
You make a good point about ease-of-use. I agree a phone app is much easier to
use with a smartphone. However, people with flip phones couldn't install such
an app. You might then argue the demographic with flip phones would either use
an RSA device or not have 2FA enabled at all - which seems like a valid point.

Security-wise, having a secret user math function seems more secure than the
Google app. I can give reasons why if needed.

------
partycoder
Phreaking in 2017, interesting. The golden age of phreaking ended with SS7.
SS5 was very insecure, people could just emit tones in certain frequencies and
pull off tricks like calling for free. Maybe this is the beginning of a new
era.

I think major websites should stop using SMS and ask for just an authenticator
app or secure keys. SMS should be regarded as a bad security practice.

------
pm90
This is really scary... can banks please start using something like Google
Authenticator? I was assuming that 2FA over SMS was the most secure thing
ever...apparently that's not the case.

~~~
imron
Nah, it's not the case [0] and hasn't really ever been. It's only now, due to
its ubiquity with banking and other high-value sites that the incentives are
there to abuse it.

As an aside, as someone who spends time between multiple different countries,
SMS 2fa is a real pain to deal with.

0: [https://www.wired.com/2016/06/hey-stop-using-texts-two-facto...](https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/)

------
jdmichal
This sounds a lot like attacks on the CAN buses within car systems. We can no
longer afford to have zero-authentication, zero-authorization networks
_anywhere_.

------
danellis
Where and how do these people get access to the PSTN?

~~~
abstractbeliefs
Well, the article explained that in this instance, it was via a foreign run
telco.

So, essentially, to get in you just need to find the weakest telco connected
to the main SS7 network and own them, and use their infra as a staging point.

------
Techbrunch
It would be nice to have a WhatsApp API that could be used for 2FA; banks
probably already have your number.

~~~
finnn
I would much prefer something with end to end crypto like Signal. Of course,
that creates problems with key rotation, but perhaps that could trigger
additional validation of some sort.

~~~
problems
There already exists a much better solution for 2FA - the OATH protocol's TOTP
and HOTP. It uses a local token to hash a counter or the current time with no
need for anyone else to have your current token or communicate it directly in
any means. These are already popularly implemented in Google Authenticator and
Authy.

------
EGreg
These days what is a good way to authenticate people AND prevent them from
making millions of accounts?

------
finnn
Is there a good technical explanation of how SS7 works, technical docs, etc?

~~~
a3n
The article links to the Wikipedia page, which is a good starting point.

> Signalling System No. 7 (SS7) is a set of telephony signaling protocols
> developed in 1975, which is used to set up and tear down most of the world's
> public switched telephone network (PSTN) telephone calls. It also performs
> number translation, local number portability, prepaid billing, Short Message
> Service (SMS), and other mass market services.

[https://en.wikipedia.org/wiki/Signalling_System_No._7](https://en.wikipedia.org/wiki/Signalling_System_No._7)

