Two factor authentication is only as good as the methods used to provide the credentials, and a breakdown in both factors caused losses to consumers banking in Europe. On May 3rd, a story broke that a group of unknown hackers successfully exploited long-standing vulnerabilities in cell phone networks to intercept one-time passwords sent via text message. Armed with the intercepted password and previously exploited user banking passwords, these criminals were quickly able to drain the victim’s accounts.
How did this happen?
The attackers already had the victim’s online banking user names, passwords, and cell phone numbers. Getting this information was relatively simple for the hackers: the criminals used malware in phishing emails, which even in 2017 is a very effective method of attack. This malware installed keyboard logging software, with victims unaware everything typed on an infected machine is sent back to the attacker.
However, in two factor authentication stealing user names and passwords is not enough. As the next step, these thieves set their sights on leveraging weakness in cell phone network signaling called SS7 (“Signaling System No. 7”). SS7 was developed in the 1970s and designed to allow different cell phone companies to communicate with each other. SS7 ensures any call can be successfully routed anywhere on earth from any cell phone.
Unfortunately, SS7 has several significant security vulnerabilities which can expose just about anything sent over public cell phone networks anywhere in the world. In 2016, researchers demonstrated how to intercept one-time passwords sent via SMS for WhatsApp, Facebook, and Telegram users. The criminals here moved beyond just demonstrating the vulnerability to creating real financial losses to consumers and financial institutions.
The attackers bought access to a fake carrier, set up redirects for the victim’s phone number using the weaknesses in SS7, and intercepted the one-time passwords. Already armed with the victim’s passwords from the phishing attack, the one-time password allowed them to log into the victim’s online banking accounts and send money out. While it’s not known exactly how the money was sent, P2P is a likely source given the speed with which monies can be transferred out of the financial institution.
So what does this mean? Is two factor dead?
Not at all. Two factor authentication raises the barrier of entry for criminals. Having two factor authentication can also help defend an institution against negligence. However, two factor authentication is not, and never was a perfect panacea fix for authentication worries. The SS7 attack shows that two factor is not impossible to breach, and may not even be a significant technical problem for a determined group.
Breaching two-factor isn’t new, and it’s not limited to just intercepting text messages. In 2011, RSA’s SecurID cryptographic tokens were breached and Lockheed Martin, Northrop Grumman, and L-3 were all targeted. Anything typed on a keyboard can be intercepted. And biometric readers like the ones on your phone have been breached, too.
Where do we go from here?
Two factor authentication still has value in making a breach more costly to the attacker. Many attackers are organized crime rings who have costs and employees that work normal business hours. Anything you can do to raise the costs of hacking reduces the likelihood that you will be targeted or the attack will be successful.
Some Thoughts and Next Steps:
- Two factor authentication has value in raising the cost to conduct a breach. But it never has, and never will, eliminate breaches.
- Realize controls can be breached through unrelated systems. This hack was successful not because of a problem with the bank offering or requiring it, but due to a vulnerability with the carrier of the one time password (the cell phone company).
- Doing business online is risky. Understand the ways money can be removed from accounts, add speed bumps (like 2 factor) along the way to slow down breaches, and work to actively monitor unusual or unexpected activity. Document these controls in your risk assessments.
- Be careful with biometrics. Biometric authentication has significant liability risks for the user – if their fingerprints are compromised they can’t get new ones.
- Be careful when making new connections between systems/software. Two previously secure systems can be made insecure by simply putting a communication bridge between them. Example: don’t connect systems like thermostats to your internal network.
- Anticipate the unexpected. Systems will be used in ways you never intended them to be used. Think like an attacker.
- Get good at breach management. Do you have a plan? Have you tested your plan? Do you know how to communicate with your team, your regulators, and the market when the breach happens?
Categorised in: News
This post was written by David Wordhouse