• Hackers Using Two-Factor Authentication to Hack Bank Accounts


    • This topic has 1 reply, 2 voices, and was last updated 8 years ago by anonymous.
    #112918

    Two-factor security is so broken, now hackers can drain bank accounts
    Criminals have exploited a known flaw in how calls and text messages travel around the world to redirect a two-factor code for a person’s bank account.

    By Zack Whittaker for Zero Day | May 4, 2017

     
    We’ve known for years that a key protocol that allows global cellular networks to communicate with each other had vulnerabilities — and nobody really took it that seriously.

    Hackers and politicians alike have been warning for years that these flaws in the calling and text message routing system, known as Signaling System 7 (SS7), can be used to intercept and redirect calls and text messages, allowing hackers to eavesdrop on almost any phone in the world.

    Now, financially driven hackers are using the weakness to intercept text messages that deliver two-factor codes to bank customers to break in and empty their bank accounts, according to a report in a German newspaper.

    It’s likely the first known account of the SS7 vulnerability being exploited in the wild by a malicious actor, rather than for demonstrative purposes.

    “Both the Federal Communications Commission and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number,” he added, before urging Congress to hold “immediate hearings” on the matter.

    Just last year, the National Institute of Standards and Technology (NIST) said that it would deprecate its advice — albeit, not entirely advise against — for text message-based authentication, because it wasn’t as secure as other forms of two-factor authentication — such as apps, like Google Authenticator and Authy, which use end-to-end encryption to send two-factor codes.

     
    Read the full article here

     
    Further articles on this issue:
    Hackers are stealing money from Bank accounts in Germany by exploiting flaws in #SS7 protocol
    On SecurityAffairs.co

    Is your money safe? Bank hack could affect MILLIONS of customers around the world by intercepting two-step login verification codes
    On DailyMail.co.uk

    Phone Hack Drains German Bank Accounts
    On PCMag.com

    • #113191

      Best to avoid online banking and shopping, esp for wealthy web-surfers.

      The above bank account drain/fraud from online banking may not be refundable. Bank deposit insurance mainly insures/covers against bankruptcy of banks. Such insurance won’t provide enough coverage when many banks go bankrupt during another Great Depression (= 1928).

      Even though credit card fraud from online shopping can be refunded, it is conditional on the victims reporting the fraud within a certain time period, and it is quite a hassle to get the refund and/or card replaced.
      … In comparison, debit card fraud from online shopping is mostly not refundable. So, better to use reloadable debit cards (= top up only US$100 most times) which are not linked to a bank account.

      There have been many fraud cases of online sellers disappearing after having accepted direct bank payments from online buyers, eg for high-demand iPhones, concert tickets, etc.
      … Overseas tourists are sometimes defrauded by small retailers/restaurants who swipe extra sales receipts with the victims’ credit cards for in-store purchases/meals. So, better to pay cash in foreign currencies at such foreign stores/shops.
