21

When I attempt to log in to my bank, an SMS code is sent to my phone. I then type this nine-character code into the bank's Web site, to login to my account.

Is this vulnerable to attack, without hacking the bank's software or server, or without access to my telephone/SMS communications?

How could it be exploited? So far, the only way I can imagine would be for someone to install an app on my phone which intercepts SMS traffic, and resends the code to an attacker. How could I prevent this from happening to me?

Forest Monsen
  • 70
  • 6
  • The [wikipedia article on TAN](http://en.wikipedia.org/wiki/Transaction_authentication_number) also contains a section about security of SMS confirmation codes (section "Mobile TAN"). – sleske May 29 '13 at 16:16
  • Yes they can 'cause of gsm. http://ftp.ccc.de/congress/2012/mp4-h264-HQ/29c3-5216-en-attacking_mobile_terminated_service_in_gsm_h264.mp4 Start at minute 30. – noob Jun 04 '13 at 19:33
  • Related: http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication?rq=1 –  Jun 18 '13 at 21:01
  • "the only way I can imagine would be for someone to install an app on my phone which intercepts SMS traffic" Doesn't that count as "access to [your] telephone/SMS communications"? – Ajedi32 Jul 29 '15 at 14:12

4 Answers4

23

You are right in that one of the ways an attacker could intercept the code is to hack your phone. An attacker could also:

  • Clone your phone's sim, and request a banking code to be sent to your phone's number. they could also possibly clone a non-sim phone as well
  • Steal your phone. Once they have your phone they could perform transactions
  • Perform a man in the middle attack when you use your banking site. This has been done already, an attacker uses malware installed on your computer (a man in the browser attack) to direct your banking traffic to a site set up to mimic your bank's page. Or an attacker may subvert a system to act as a proxy. Either way When you type in the code the attacker gets it, then uses the code to perform a transaction
  • Social engineer your bank to change your mobile phone details to a phone they control. If an attacker knows enough about you, and your bank's procedures aren't tight enough, then the attacker could call your bank pretending to be you and get them to change the mobile number

So what can you do?

  • Keep control of your mobile phone.
  • Make sure your computer is kept up to date with patches and anti-malware software
  • Do all your banking on a virtual machine, and never save its state. If your virtual machine gets hacked and you save the state then the malware will remain in the virtual machine, however if you never save its state the malware won't be able to remain on the virtual machine
  • Many banks use some sort of authentication code to verify the identity of people calling. Write these down but do not put them onto your computer or phone, that way there's still something an attacker does not know, even if they have full access to your computer and your online identity.

It's not all doom and gloom, most of the time banks can reverse transactions if caught quickly, if you suspect that a fraudulent transaction has taken place get onto your bank ASAP and get their investigators on it. How well this may go depends on what the local laws are and how good your bank is.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • just curious to know what do you mean by work off a copy of VM every time. – Ali Ahmad May 29 '13 at 09:48
  • When you create a VM for security purposes make a copy of it and use the copy. That way if you accidentally save its state you can make another copy from the master. I didn't mean make a fresh copy every time you bank. You're right, it was confusing, I'll edit. – GdD May 29 '13 at 09:54
  • Thanks for the info and ideas. It's definitely a good idea to use Virtual machine with some Debian or something just for accesing bank accounts ;). –  May 29 '13 at 10:03
  • 1
    Using a VM from an infected computer is not very secure is it? I guess having a clean base system that you don't use for anything (except updating) and then on top a different VM for every task you perform would be perfect (but cumbersome). – Omar Kohl May 29 '13 at 14:47
  • @OmarKohl, I'd say that's a given, it's still more secure than using the base machine for your transactions though. The point in using a VM would be to help keep your system from getting compromised in the first place. – GdD May 29 '13 at 15:33
  • Note that the man-in-the-middle attack is defeated by good systems: There the SMS will contain the confirmation code *and* the transaction details. If the MitM attack modifies the transaction behind the user's back, this will still show in the SMS. Of course, hijacking the phone or SIM card is still possible. – sleske May 29 '13 at 16:15
  • I understand that not all people use/like to use Linux, but another good alternative is live CD's/ live USB's. The con is that you need to restart your computer – py_script Jun 12 '13 at 19:34
  • I think the "man-in-the-middle" attack you mention is better described by the term "man-in-the-browser". There is also a nice article about it on wikipedia (don't know if this worth an edit) – buherator Jun 17 '13 at 12:19
  • Optionally encrypt your mobile phones – VarunAgw Jun 06 '16 at 19:06
  • Mobile phone encryption won't work in this case @VarunAgw, it only protects your phone if it is lost or stolen. Malware which successfully compromises a phone (or any other computer) will have access to the underlying data as the keys are held in memory. – GdD Jun 07 '16 at 07:54
  • @GdD Yes! I am referring about those cases only – VarunAgw Jun 07 '16 at 10:45
11

The whole idea about a second factor/step for authentication is to provide two independent layers of security. Vulnerabilities in one layer should not affect the security of the other.

Second factor authentication was designed and used properly in the past but lately it has been weakened by companies who care more about profit than security. SMS messages cannot recreate the security level of carefully designed RSA tokens and smart cards.

Attacks on SMS as second factor are no longer theoretical but multi-million dollar crimes. Compromising the phone is the most strait forward approach and was used at least in this 47 million dollar heist.

Cloning the SIM card can be much easier when social engineering enters the picture. Cloning is still hard and cannot scale like SMS interception can. And you don't need to build your own cracking system, you can buy it in big or small packs.

And just when you think the second factor is secure and you can rely on it, consider the man-in-the-browser type of attack.

An old method is called SIM card partitioning and is a side-channel attack method that pulls key data from SIM cards by monitoring side channels such as power consumption and electromagnetic emanations. The technique requires some physical proximity and can extract secret cryptographic keys in minutes. Previously an attacker would need access to a SIM card for at least eight hours to carry out a successful attack.

In the past, attackers used information from phone company insiders to clone SIMs and then commit banking fraud. Currently, there is a wave of SIM swap fraud in South Africa where attackers trick the phone company into giving them a new SIM card.

Protect against these by first educating yourself about threats and good security practices. A checklist of things to do can protect against common pitfalls, but having a security mindset will get you further.

Forest Monsen
  • 70
  • 6
Cristian Dobre
  • 9,797
  • 1
  • 30
  • 50
  • thanks, but what do you mean by cloning a SIM card? Could it be done without having the physical copy of my SIM card in the hacker hands? I guess not. Or am I wrong? –  May 29 '13 at 10:01
  • An old method is called SIM card partitioning and is a side-channel attack methodology that pulls key data from SIM cards by monitoring side channels such as power consumption and electromagnetic emanations. The technique can extract secret cryptographic keys in minutes. Previously an attacker would need access to a SIM card for at least eight hours to carry out a successful attack. http://www.cs.washington.edu/research/projects/poirot3/Oakland/sp/PAPERS/02_01_03.PDF – Cristian Dobre May 29 '13 at 13:22
  • Thanks, so he needs to physically examine the sim card? We are talking about crackers not some cia/nasa "ufo" experimental technologies. Basically I want to know if somebody can clone my sim card without actually having it in their hands, e.g. by downloading something from my phone via some malware or something like that. Or this way it cannot be done. –  May 29 '13 at 13:30
  • In the past, attackers used information from a phone company insider to clone SIMs and commit banking fraud. There is a very recent wave of SIM swap fraud in South Africa where attackers trick the phone company into giving them a new SIM card. – Cristian Dobre May 29 '13 at 15:23
  • Thanks, so downloading some info from my cell phone via a virus or some malware is not enough t oclone a SIM card? –  May 29 '13 at 15:57
  • I don't know of any attack like that but the malware in your phone doesn't need to clone the SIM, it has access to all of your data. – Cristian Dobre May 29 '13 at 16:09
  • Sim card copiers... who knew? https://www.google.com/search?q=sim+card+copier – AbsoluteƵERØ May 30 '13 at 08:56
  • @Derfder - It might be possible. So just don't download malware to your phone. – Ramhound May 30 '13 at 19:11
  • Frankly, you should be worried about man-in-the-browser attack far more than about someone cloning your SIM card: it's easier to perform and scales much better from the attacker's point of view. – Stephane Jun 18 '13 at 09:15
5

It's been done when using two factor entered into computers (and directly at ATMs; see link at very bottom for the ATM 2-factor SMS problems).

KrebsOnSecurity.com blog lists many banking eheists, including this one:

https://krebsonsecurity.com/category/smallbizvictims/page/4/

"The year before the cyber theft, Comerica had switched from using digital certificates to requiring commercial customers to enter a one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied. Within the span of a few hours, the attackers made 97 wire transfers from EMI’s account to bank accounts in China, Estonia, Finland, Russia and Scotland."

Krebs keeps up on this and has a special category for banking eheists:

https://krebsonsecurity.com/category/smallbizvictims/

Brutal!!

The most important points I've gleaned from his blog:

  • banks do NOT reimburse for cyber fraud against business accounts! (unlike consumer accounts).

  • two factor or any number of computer-only verification is risky if the accounting departments' PCs have been taken over by hackers. (One Krebs story described another eheist from a company that required an employee and manager to separately confirm in their browsers transfers over X; but the hackers had "owned" both PCs and stole both sets of credentials.)

  • Some "out of band" verification is best, e.g., a phone call to one or two employees/managers for transfers would have thwarted nearly all or all of the eheists Kreb's reported.

  • Windows PCs are a gargantuan risk for commercial online banking.

  • For commercial online banking on a Windows PC, temporarily boot from a free LiveCD Ubuntu Linus DVD, which loads Firefox and allows clean online banking because viruses can't write to the DVD and any viruses on the Windows PC will be dormant until the PC reboots into Windows.

(Several of my business clients boot from LiveCD on their Windows PCs when they need to use commercial online banking.)

For the full horror, read through a few years worth of Krebs small business banking heist stories. They sent shivers through my IT small business clients.

=========

Regarding thieves beating 2-factor at ATM machines, it's been done in Europe. Viruses infected PCs AND phones and victims suffered account withdrawals that the banks didn't believe were fraudulent until they mounted:

http://dkmatai.tumblr.com/post/37277877990/sophisticated-smartphone-hacking-36-million-euros

0

Well, one of the best real-world bank security incidents is Operation Emmental which is an excellent example of finding serious security holes in Banking 2FA systems.

The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users’ mobile devices via Short Message Service (SMS). Users are expected to enter a session token to activate banking sessions so they can authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure.

I would recommend reading the analysis of this cyberattack in this white paper. There are also many published analysis that explains the incident.

What I really like about the attack is how elegant and classy it was :)

Ubaidah
  • 1,054
  • 6
  • 11