Cellular networks are just not secure. GSM encryption to start with is very weak, and you don’t need to be a government player to exploit it. Forging origin phone numbers is also trivial. SMS 2FA is also vulnerable to social engineering type exploits (both with the user and with the phone company).
When you consider that there are some very wealthy individuals that would be registered with a GAR system, then the motivation for criminals becomes clear. Even if the probability of an attack is fairly low (after all, there are probably bigger targets out there) it’s no excuse to use a known weak form of 2FA when more secure types are available and cheaper (cheaper, as in free).
Out of interest, where is the insecurity of SMS? I don’t think there is any way to break that, short of having access to the GSM system, which is really doable only for a government (or major organised crime) player.
Well, it is doable for a telco also, e.g. abusing number portability. Which means that with social engineering, it is doable for small-scale petty fraudsters. An example: https://en.wikipedia.org/wiki/SIM_swap_scam
GSM encryption to start with is very weak, and you don’t need to be a government player to exploit it.
Yes, but for this kind of attack, you do need to be within radio range of the tower servicing the phone. Plus, you will probably not block reception by the legitimate phone, which means you’ll raise an alarm. That’s how I stopped an ongoing fraud, actually. I got a 2FA SMS and immediately contacted the supplier to raise an alarm and have things blocked, and access codes changed.
SMS 2FA is also vulnerable to social engineering type exploits
Precisely. Our messages crossed :)
Thanks, Lionel. Somebody tried this on me yesterday, apparently.
You would hope that the cellular provider would ask some personal info before accepting a phone as reported stolen, and then will send out the new SIM only to the address they have for you…
You would hope, but those hopes I’m afraid are high hopes. Telecom companies have been the worst (in fact, the famous hacker Kevin Mitnick did not use IT hacks – he used “wetware” hacks against phone company personnel for all the things he was prosecuted for). Have a read of “Other People’s Money: The Rise and Fall of Britain’s Boldest Credit Card Fraudster” – some of the things the credit card companies were doing for convenience were breathtakingly insecure (and the poor merchant always got the punishment for it, despite the name of the credit card matching the genuine photo id of the actual fraudster, so credit card companies and banks basically didn’t care as they didn’t pay the costs). Also read Richard Feynman’s “Surely you’re joking…” book for how he used social engineering to crack the safes full of top secret data for the Manhattan Project at Los Alamos.
I’ve been reading up on the above links.
It’s quite cunning.
But the overriding thing is what the above stackexchange link says:
since most SMS authentication implementations use the SMS authenticator as a second factor, I’d really be more concerned about how the first authentication factor was compromised. If not done via bare social engineering, it was probably through some browser or OS exploit which resulted in a keylogger on your system.
So stealing the text messages is not going to let somebody in unless he already has the primary login to your bank account.
It then goes on to make the obvious point:
most security is lost if you login and do business on the same phone that you used to receive the SMS. As a matter of fact, most German banks explicitly forbid the use of SMS authentication and online banking on a single phone – you’re supposed to use a computer (or different phone) for the actual banking, in case your phone is compromised.
yet this is exactly what you are vulnerable to if you do any supposedly secure transactions wholly on the one device which also receives the SMS. So using your PC along with the phone is a lot better.
If somebody has planted a keylogger on your PC then you are well buggered.
If not done via bare social engineering, it was probably through some browser or OS exploit which resulted in a keylogger on your system.
In a huge number of cases, password re-use. It’s extremely common to use an easily-discoverable string as a username for a site login (almost always an email address, which means just getting the username is enough to figure out precisely and without doubt who the account belongs to) and huge numbers of websites store passwords insecurely (e.g. in plaintext, or an unsalted MD5 hash which may as well be plaintext, it’s so easy to crack). It doesn’t take much searching to find one of these troves of username/password pairs stolen from various insecure websites – there is a file out there you can download that contains 1.4 billion username/password pairs harvested from insecure sites (it’s 41GB of data uncompressed, just usernames and passwords). Chances are, nearly everyone on EuroGA has a username/password pair in this file (and chances are you’ve already had the extortion attempt with the subject line containing a username you’ve used at some point and a password you’ve used, telling you they’ve been watching you watch porn and want you to send them $6k in bitcoins to keep quiet – using a username and password you’ve used somewhere in the subject line to convince you they really did hack you).
If you are still using the password you used on LinkedIn in 2016 anywhere else for instance, then your username and password are currently known to the bad guys.
People are lazy and will re-use passwords. I wouldn’t be surprised if 50% of everyone’s banking passwords are in that 41GB file, and if your banking username is your email address, you’ve probably already been defrauded (fortunately most banks don’t do that – in that case you’re merely one step away from being defrauded without 2FA).
This site – https://haveibeenpwned.com/ – will tell you if your email address has been involved in a data breach. If it has, and you’ve not changed your passwords recently, then change them pronto (and make sure you use a different password for each website – a password manager that generates long complex random passwords such as Keepass2 is recommended to keep track of them).
Much as I find PCI-DSS a bit of a pain in the arse at times, I’m grateful that it’s forced many of our customers and suppliers to take security more seriously and actually stop using long deprecated and insecure hash methods and cipher suites and painfully old and unsupported software (which often forced us to remain back level). Except for one customer, who will remain nameless, and should really know better (who we have to employ a painful workaround for since they are still using a version of ssh that has had a known security issue discovered over 10 years ago, and which was actually fixed in OpenSSH back in 2004!)
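Two of the claims in the post above lend themselves to a worked illustration: that an unsalted MD5 password store "may as well be plaintext", and that a breach-corpus lookup (of the kind haveibeenpwned.com offers) lets you check a credential without handing it over. The script below is an added example, not code from the poster or from any of the services named. The wordlist, the user table, the canned breach response and its counts are all constructed; the scrypt parameters are my choice; and the 5-character SHA-1 prefix/suffix split is the k-anonymity range protocol, with the network fetch stubbed out so it runs offline.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# --- Part 1: unsalted MD5 versus a salted, memory-hard KDF -----------------

# Constructed "leaked wordlist": in practice this is a multi-gigabyte dump.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2016!"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 as some sites still store it (the weak setting)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_lookup(words) -> Dict[str, str]:
    """Precompute hash -> password once; every unsalted store is then a dict lookup."""
    return {md5_hex(w): w for w in words}


def audit_unsalted_store(store: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, Optional[str]]:
    """For each user, the recovered password if its hash is in the lookup, else None."""
    return {user: lookup.get(digest) for user, digest in store.items()}


# Constructed user table using the weak scheme. alice and bob reuse a password,
# so their digests are identical: the store itself reveals the reuse.
USERS_UNSALTED = {
    "alice@example.com": md5_hex("Summer2016!"),
    "bob@example.com": md5_hex("Summer2016!"),
    "carol@example.com": md5_hex("correct horse battery staple"),
}

# scrypt parameters (my choice): 128 * n * r bytes of memory per hash, 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The hardened setting: random per-user salt plus a slow, memory-hard KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


# --- Part 2: checking a password against a breach corpus without sending it ----

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned for one prefix."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network call: a canned response for the prefix
# of SHA-1("password"). The counts and the second suffix are made up.
_CANNED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
}


def offline_range_fetch(prefix: str) -> str:
    """Swap in an HTTPS GET of /range/<prefix> against the real service."""
    return _CANNED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    lookup = build_md5_lookup(WORDLIST)
    print("unsalted store audit:", audit_unsalted_store(USERS_UNSALTED, lookup))
    salt, digest = hash_salted("Summer2016!")
    print("salted verify ok:", verify_salted("Summer2016!", salt, digest))
    print("'password' seen in corpus:", pwned_count("password", offline_range_fetch), "times")
```

The point of the first part is that the expensive step (hashing the wordlist) is done once and reused against every site that stores unsalted MD5, whereas a random per-user salt forces that work to be redone per user and scrypt makes each attempt slow. The second part shows why the range lookup is safe to run: only five hex characters leave the machine, which identifies a bucket of many candidate hashes, and the full digest is matched locally.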
If you are still using the password you used on LinkedIn in 2016
Not just LinkedIn but Yahoo and a load of other sites…
I knew that email was a fake because I always had a sticker over the webcam on my laptop.
This is pretty clever and very simple, and possibly scary.
This is why I don’t link my phone number to online services unless it’s impossible to avoid (and even then I try to use a different number, not the one I always have with me). Another potential phone-related trouble is having your phone stolen and used to recover your passwords.