All is relatively well here at Woesnotgone Meadow, where
everyone has above average bandwidth.
In the Meadow, our residents don’t have many banking needs.
We generally have the usual checking and deposit accounts, and mortgages. Occasionally,
especially in the winter, our residents may not desire to visit Margie’s window
at the bank. At this point, the residents may check their balances, or whether a
check has cleared, with an app on their smartphones, desktops, or laptops. When
our residents have checked their accounts, they have used the two-factor
authentication recommended by Margie. Generally, this has not been an issue.
Current events, however, have indicated there is an issue with this.
Banking is one of the industries where there should be an
extra layer or two of security, just to ensure, as much as possible, there are
no issues with the client's money being wired out to others by someone other
than the bank’s client. To better secure mobile banking transactions,
two-factor authentication (2FA) has been used, and accepted as an additional
layer of security, for years. Recent events and attacks have indicated there is
an unauthorized, malicious bypass for this cybersecurity feature due to flaws in
the SS7 protocol.
SS7 (Signaling System 7)
The SS7 protocol is used by telecom companies to coordinate
how they route texts and calls globally. Significant flaws in the SS7 protocol
have been known for years. The basic issue is the lack of authentication: the
protocol does not authenticate who sent a message. An attacker who gains access
to the network may reroute a text message or call.
This may be used not only to intercept SMS messages and 2FA codes; it also
allows unauthorized access to the user’s personal data. This has the potential
for rather unpleasant circumstances for the users. Although known for years,
this flaw/bug/feature is still viable. It is curious that this is still an
issue, given that the phone companies spend billions upgrading their networks.
Although this may initially have been a theoretical problem, the attack has
recently been verified many times.
There have been recent reports indicating that at least Metro Bank, a UK bank,
had been targeted by the attackers. The attackers have been using this SS7 flaw
to bypass 2FA in mobile applications. With the banking targets, the attacker
would first acquire the user’s username and password. This could be accomplished
through a simple phishing attack. When the user logs in, the bank may send a
verification code to the user. With the SS7 attack, the message would be
intercepted by the attackers. While this does appear to be a rather simple and
straightforward attack, it takes time to formulate and execute, and for the
user to accept the phishing hook. The attack, while complicated, is still
possible.
In the real world, actual SS7 attacks began to empty bank clients’ accounts in
2017, primarily in Germany. The technique has spread and was being used
throughout Europe. One bank confirming it was targeted and successfully
attacked was Metro Bank, the UK-based bank. The bank did note, however, that
only a small number of clients had been affected. This would be expected, as
the first step involves a successful phishing attack.
This attack, while not designed for attacking the masses, reminds us that even
with the most current technology in use, if a third party the business depends
on has a faulty protocol or methodology, there is a direct opportunity for
significant issues.
Thanks for visiting Woesnotgone Meadow, where the encryption
is strong, and the O/Ss are always using the latest version.