
SMS Phishing and Cardless ATM = Profit - bostik
https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/
======
dddddaviddddd
Interesting how the MasterCard promotional picture suggests that TouchID on
iOS is required to withdraw cash when a weaker factor seems sufficient (an SMS
to a trusted number?). Removing/weakening 'something that you have' from ATM
authentication only makes remote attacks easier.

------
jonathanlydall
This reinforces my opinion that we're way overdue for teaching the general
public enough knowledge about safe computing to be able to spot and avoid
these and other kinds of fraud. It's a really important life skill that should
probably be addressed in school as it's easily costing the global economy
billions and billions.

When I was working Customer Service for Blizzard Europe, I anecdotally figure
that by around 2010, about half of CS cases were in regards to customers
having been victims of their account being compromised and cleaned out by gold
sellers.

In all cases it was the "fault" of the customer. While Blizzard did have a
credential DB compromise at some point (which they disclosed), the passwords
were hashed such that it was practically impossible that any passwords were
determined before they did a force password reset on the affected accounts.

Customer accounts were most commonly compromised due to one of the following
reasons: fell for phishing scams (probably most common); had credentials
shared with an unrelated but compromised web site; had some sort of credential
stealing trojan on their computer; shared credentials with a friend/relative
who fell for any of the earlier mentioned causes.

Back in 2010, Blizzard easily spent EUR 1M _monthly_ (in Europe alone) on
Customer Service and if half of that was dealing with compromised accounts
(for a non-financial institution), we can only imagine how much money gets
lost globally due to what is essentially a poor public education problem in
regards to safe computing.

Blizzard has offered 2FA since before 2010, but most people wouldn't consider
it unless they or someone they know had been compromised. It's pretty much the
same as people only seeing the value of using things like seat belts/car
seats/condoms after they personally witness an incident. I think the average
person has this attitude that bad things only happen to _other_ people, until
it happens to them personally.

There was also often enough this attitude of "I don't understand why they
decided to hack _me_" which also shows general misunderstanding of the very
non-personal nature of this "industry" in that bad actors are merely throwing
out the biggest nets they can, hoping to catch as much as possible. It's like
a fish naively wondering why a commercial fishing boat decided to catch them
in particular.

I acknowledge that saying this is the "fault" of the customer seems unfair,
but I left school close to 20 years ago and I have never fallen for a phishing
scam or managed to land up with malware on my computer. While the fault does
ultimately lie with the bad actors, the fact is that while material things
(such as money, or food) are important, there will always be bad actors. So as
a society we need to strive to keep their success rate as low as possible to
prevent their "industries" from flourishing at the expense of the rest of
society.

~~~
Fnoord
Blizzard's Battle.net is an interesting example [had to edit my post a few
times with additional thoughts]. They use 8 digits instead of 6, and they're
using an implementation by the company Vasco. Contrast that to Steam, which
uses only 5 characters, but these are letters instead.

If you enable 2FA on Battle.net you get a unique companion pet in WoW (usable
in a pokemon-esque metagame). Collectors are after these.

Blizzard also didn't do enough about gold _buyers_ until they added the WoW
token (legalised buying/selling gold with Blizzard as trusted third party) and
added a way to easily create gold (garrisons, crafting, both for the masses).

The issue with SMS is that it is very cheap to catch these, if you have
physical (vicinity) access. A Stingray device gets cheaper every year.

Once Blizzard invests more in mobile gaming (beyond Hearthstone, such as
Diablo Immortal) the 2FA and the game will be once again more often (but not
always) on the same device. FIDO2 using NFC/USB would solve the issue though.

> I have never fallen for a phishing scam or managed to land up with malware
> on my computer

How do you know this for sure?

~~~
jonathanlydall
> Blizzard's Battle.net is an interesting example [had to edit my post a few
> times with additional thoughts]. They use 8 digital characters instead of 6,
> and they're using an implementation by the company Vasco. Contrast that to
> Steam who only use 5 characters, but these being letters instead. If you
> enable 2FA on Battle.net you get a unique companion pet in WoW (usable in a
> pokemon-esque metagame). Collectors are after these.

I'm not exactly sure what point(s) you're trying to make here, I assume it's
about incentive to use authenticators and/or strength of the security they
provide.

In terms of incentive to use them, over time Blizzard found good ways to
incentivize, such as WoW pets and giving guild leaders the ability to limit
access to their bank to those members with authenticators. Since I
left, smartphones became more ubiquitous allowing more people to freely get a
"virtual" authenticator App and it also eventually offered a push and approve
method which improves convenience too. I don't know how much the latter helped
as it happened after I left, but the WoW pet and guild bank features did not
noticeably reduce the number of incidents because the gold sellers merely
stuck to accounts which weren't secured with an authenticator.

In regards to the strength of security offered by the authenticator, I feel
the only thing that matters is that the scheme isn't able to be worked around
by the gold sellers through some algorithmic weakness or leaked private key.
The codes are only valid for a couple of minutes at most, and a million
combinations to try is far more than needed if you restrict logon attempts per
account to no more than 1 per second. The other thing to keep in mind is that
they aren't protecting state or even corporate level assets, the gold sellers
were low income earners from overseas operating in a competitive market with
low profit margins.

Did you know Battle.net account passwords also aren't (or at least weren't)
case-sensitive? My feeling is that Blizzard weighed the value of the added
security vs the increased support incidents and opted to have to deal with
less support. Before anyone tries to claim it's a reckless cost saving
measure, consider that all account compromises by gold sellers happen through
phishing or malware, meaning that password complexity makes 0% difference.

> Blizzard also didn't do enough about gold buyers until they added the WoW
> token (legalised buying/selling gold with Blizzard as trusted third party)
> and added a way to easily create gold (garrisons, crafting, both for the
> masses).

Yes, providing a legitimate gold buying option was probably the right call,
especially as it helped a lot with EVE Online. It was probably done with great
trepidation though as Blizzard has always cared deeply about the gameplay
experience, and being able to buy gold for money had the potential to diminish
the gameplay experience for many players. I suspect the only reason they did
it is because the gameplay experience would be worse now if they didn't.

I don't think garrisons helped at all, because having more gold available
leads to higher inflation on the player driven auction house market which
leads to needing more gold to buy the same stuff. I had to save for a mount in
Vanilla WoW and that was hard, once daily quests arrived in the first
expansion though, making gold became easy enough. Gold is also a very minor
part of the game, all the significant progression is not helped by gold.
Buying gold and gathering bots were probably the two biggest contributors to
inflation on the auction house. Gathering bots would cause mats such as
leather, ore and herbs to be sold for far lower prices by botters than players
who invested real time into doing it themselves. And on the other side, gold
buyers would pay insane prices for items because they didn't appreciate the
time value of gold by legitimate players.

> The issue with SMS is that it is very cheap to catch these, if you have
> physical (vicinity) access. A Stingray device gets cheaper every year.

While I agree that SMS is not a good 2FA scheme and it really should go as
soon as possible, the truth of the matter here is that SMS vs secure mobile
application would not have made any difference for these cardless transactions
as the weakness was that the account holders fell for phishing scams. People
have more chance at this time of dying in a commercial plane crash than being
a victim of a non-law enforcement official using a stingray. If they become
more common, then banks should absolutely move to more secure communication
channels, such as encrypted channels on mobile apps, or otherwise accept they
will suffer lots of fraud costs.

> Once Blizzard invests more in mobile gaming (beyond Hearthstone, such as
> Diablo Immortal) the 2FA and the game will be once again more often (but not
> always) on the same device. FIDO2 using NFC/USB would solve the issue
> though.

A valid concern on platforms like Android, but it's not dependent on there
being games for the same platform, it's a general problem that malware is
increasing on mobile devices and could be used to steal private authenticator
keys on the same device. Interestingly, people who proclaim that Apple's
walled garden approach on iOS is an anti-feature, are failing to acknowledge
that for this kind of application, it's absolutely a great feature.

> > I have never fallen for a phishing scam or managed to land up with malware
> > on my computer
>
> How do you know this for sure?

Really? You may as well be asking a qualified doctor if they know for sure
that they don't have an STD.

In regards to phishing scams, I know for absolutely sure because I know how to
review TLS certificates and hostnames in URLs that I enter my credentials
into. Meaning the service itself would have had to suffer some sort of hijack
of their domain and cert for me to be handing them my credentials through a
web page. I am also cynical about giving information to, say, people who call
me, and I instead call them back using a number that I know to be theirs.

In regards to malware, I keep my software up to date, I don't engage in bad
practices like downloading and running random crap, I don't trust AV to be
adequate (another problem is that too many people think AV can protect them
against even the most reckless practices) and I am tech savvy enough to be
able to review suspicious processes on computers, of which I had seen plenty
back in the day when I was an IT techie. I suppose it's _possible_ that I have
a rootkit and not know about it, but it's about as likely as a virgin getting
an STD. About the only thing I need to realistically worry about is a trusted
publisher getting compromised and malware coming along with their download.

If in the future I find that I would likely be a worthwhile target of a spear
phishing or social engineering attack, then there are some more measures I
could apply, at the cost of convenience.
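
The two points raised above about authenticator codes (Fnoord's 8 digits vs 6, and jonathanlydall's argument that a few-minute validity window plus a per-account attempt limit makes even a million-code space more than enough) can be checked concretely. The block below is an added example for this thread; it is not Blizzard's, Vasco's or Steam's code. It implements RFC 4226 HOTP / RFC 6238 TOTP (the open standard; the assumption is that the Battle.net authenticator behaves like a standard time-based OTP), uses the RFC test secret "12345678901234567890" as a constructed seed, and pairs it with an assumed policy of one login attempt per account per second.

```python
import hmac
import hashlib
import struct
from collections import defaultdict, deque

# RFC 4226 / RFC 6238 test vector secret (ASCII). Constructed for the demo only;
# a real authenticator seed is random bytes, never a printable string.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                digits: int = 6, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side (clock drift).
    Every window is compared in constant time and none is skipped, so the
    comparison time does not depend on which window (if any) matched."""
    counter = unix_time // step
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


def guess_probability(digits: int, attempts_per_second: float,
                      accept_seconds: float, codes_accepted: int = 1) -> float:
    """Chance that an online guesser, held to `attempts_per_second` distinct
    guesses on one account, hits an accepted code before the acceptance window
    of `accept_seconds` closes. `codes_accepted` is how many codes are valid at
    once (2*skew+1 for verify_totp). Assumes guesses are uniformly distinct."""
    attempts = attempts_per_second * accept_seconds
    return min(1.0, attempts * codes_accepted / 10 ** digits)


class PerAccountRateLimiter:
    """Sliding-window limiter: at most `max_attempts` per `window_seconds`
    per account, tracked in memory (assumed policy, not Blizzard's)."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._log = defaultdict(deque)

    def allow(self, account: str, now: float) -> bool:
        q = self._log[account]
        while q and now - q[0] >= self.window:
            q.popleft()                      # forget attempts older than the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def guarded_login_attempt(limiter: PerAccountRateLimiter, account: str,
                          secret: bytes, candidate: str, now: int) -> str:
    """The server-side order matters: the attempt is counted before the code
    is checked, so a flood of wrong codes burns the budget, not the secret."""
    if not limiter.allow(account, now):
        return "rate_limited"
    return "ok" if verify_totp(secret, candidate, now) else "bad_code"


if __name__ == "__main__":
    # RFC 6238 vectors: T=59 -> 94287082 (8 digits), i.e. 287082 with 6.
    print(totp(TEST_SECRET, 59, digits=8), totp(TEST_SECRET, 59))
    for d in (6, 8):
        # 1 guess/s against a 90 s acceptance window (30 s step, skew 1)
        print(d, "digits, p(success per window) =",
              guess_probability(d, 1, 90, codes_accepted=3))
```

With one guess per second and the usual 90-second acceptance window, the per-window success chance is about 2.7e-4 for six digits and 2.7e-6 for eight; the limiter, not the code length, is what keeps the search cost above the value of a game account, which is the point made in the comment.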

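The "review the hostname before entering credentials" habit described above is worth spelling out, because the phishing URLs that catch people rely on the host not being where the eye expects it. The following is an added example, not part of the thread and not anything Blizzard ships; the trusted domain list is an assumption, and it checks only the host (certificate validation is left to the browser, which already refuses a certificate that does not match the host).

```python
from urllib.parse import urlsplit

# Assumption: the domains this user actually intends to hand credentials to.
TRUSTED_LOGIN_DOMAINS = ("battle.net", "blizzard.com")


def review_login_url(url: str, trusted=TRUSTED_LOGIN_DOMAINS) -> str:
    """Decide whether a login URL's host is one of the trusted domains (or a
    subdomain of one). Works on the parsed hostname so that userinfo, ports
    and paths cannot smuggle a trusted-looking string past the check.
    Returns 'ok: <host>' or 'reject: <reason>'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: not https"
    # "https://battle.net@evil.example/" puts the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        return "reject: userinfo before the host (decoy trick)"
    host = parts.hostname            # lowercased, port and userinfo removed
    if not host:
        return "reject: no host"
    host = host.rstrip(".")          # "battle.net." is the same zone
    # Cyrillic/Greek lookalikes of Latin letters render identically in many
    # fonts; treat any non-ASCII host as needing manual inspection.
    if not host.isascii():
        return "reject: non-ASCII host (possible homoglyph lookalike)"
    # Suffix match must include the dot: "battle.net.evil.example" is not a
    # subdomain of battle.net, and neither is "notbattle.net".
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "ok: " + host
    return "reject: untrusted host " + host


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate shape and the common decoys.
    for u in ("https://us.battle.net/login",
              "https://battle.net.evil.example/login",
              "https://battle.net@evil.example/login",
              "https://evil.example/battle.net/login",
              "http://battle.net/login",
              "https://b\u0430ttle.net/login"):   # Cyrillic 'а'
        print(f"{u:45} -> {review_login_url(u)}")
```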
------
newnewpdro
One day the public will better appreciate physical isolation of separate
concerns. Until then, expect more of this kind of thing with your single
devices used for everything.

------
saagarjha
Chase seems to be allowing "cardless" withdrawals through Apple Pay. Perhaps
MasterCard can do the same?

