Credit to Author: Marvin the Robot| Date: Fri, 01 Feb 2019 17:02:30 +0000
Two factor authentication (2FA) is a method widely used by the financial institutions worldwide to keep their customers’ money safe: you know, those short 4-6-digit codes you receive from your bank that you have to input to approve a transaction. Usually, banks send those one-time passwords in SMS text messages. Unfortunately, SMS is one of the weakest ways to implement 2FA, as text messages can be intercepted. And that is what has just happened in the UK.
How can the criminals get your text messages? Well, there are different ways, and one of the most extravagant is exploiting a security flaw in SS7, a protocol used by telecommunications companies to coordinate how they route texts and calls (you can read more about it in this post). SS7 network does not care who sent the request. So, if malefactors manage to access it, the network will follow their commands to route text messages or calls, as if those commands were legitimate.
The whole scheme looks as follows: the cyber criminals first obtain a target’s online banking username and password — possibly via phishing or keyloggers or Banking Trojans. Then, they log in to the online bank and request a money transfer. Nowadays, most banks would ask for additional confirmation of the transfer and send a code for verification to the account owner. If the bank does it in form of a text message, this is where malefactors exploit the SS7 vulnerability: they intercept the text and enter the code, as if they had your phone. Banks accept that transfer as totally legitimate, because the transaction had been authorized twice: once with your password, and then with the one-time code. So, the money goes to the criminals.
The UK’s Metro Bank has just confirmed to Motherboard that some of its customers had been impacted by this type of fraud. Back in 2017, Süddeutsche Zeitung reported that German banks had also faced the same problem.
But there is some good news too. As Metro Bank itself comments, an extremely small number of its clients had to deal with such an issue and “none have been left out of pocket as a result.”
The whole thing could’ve been avoided if the banks used some other form of 2FA that doesn’t rely on text messages (for example, an authenticator app or, say, a hardware-based authenticator such as Yubikey). Unfortunately, at the moment financial institutions (with rare exceptions) typically do not allow any other means of two-factor authentication other than SMSs. Let’s hope that in the nearest future more and more banks worldwide will be offering other choices to the clients in order to protect them better.
So, the takeaway from this story is the following:
- It’s good to use two-factor authentication wherever possible, but it’s even better to use secure versions of 2FA such as authenticator apps or Yubikeys. Try using these instead of SMS if such option is available.
- Use a reliable antivirus solution to keep Banking Trojans and keyloggers off your systems – so that they can’t steal your logins and passwords and situations like that won’t bother you too much.