Criminals Are Still Exploiting SS7 Cellular Network Flaws

Discussion in '[H]ard|OCP Front Page News' started by AlphaAtlas, Feb 12, 2019.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,527
    Joined:
    Mar 3, 2018
    Back in 2017, we posted several articles on how SS7 cellular network vulnerabilities are being exploited around the world. Back then, they were using exploits to intercept 2 factor authentication requests and location data. Now, according to a recent Motherboard report, hackers are commonly using similar security holes to empty bank accounts. TechDirt notes that a U.S. Senator wrote to the FCC last year asking for them to do something about the issue, but they say not much has changed since then. Thanks to cageymaru for the tip.

    The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network - a government agency, a surveillance company, or a criminal - SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains. n the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code.
     
  2. toddw

    toddw [H]ard|Gawd

    Messages:
    1,378
    Joined:
    Sep 9, 2004
    Sorry, nothing can be done. Consumer protection = regulation and that's a bad word so just accept loss of life savings. Besides, if the common man doesn't fully understand intercept 2 factor SS7 then that's his fault, amirite?
     
    Snowdensjacket likes this.
  3. Snowdensjacket

    Snowdensjacket Limp Gawd

    Messages:
    304
    Joined:
    Apr 10, 2017
    No one's forcing him to use online banking after all
     
  4. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,260
    Joined:
    Mar 4, 2013
    From the bad guys point of view, the old football axiom of "Keep running the same play until they stop it." applies here.
     
    Nunu and D-Money like this.
  5. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000
    I've always hated two-factor authentication. Completely unnecessary if you use strong passwords, and because of this exploit, possibly ineffective as well...
     
    PaulP likes this.
  6. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000


    My understanding is that consumer accounts are protected by law. If you lose your life savings, the bank must reimburse it.

    Where the real problem arises is when you are dealing with business accounts. These have no such reimbursement protections. This can be catastrophic for small business owners.
     
  7. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,376
    Joined:
    Aug 2, 2004
    This exploit does make phone based two factor less secure, yes. However your paragraph long password is no more secure than password1 during the monthly security breaches that add 500 million username and password combos into the wild. With such things happening so regularly, I would rather trust potentially compromised two factor over a single password.
     
  8. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,117
    Joined:
    Nov 16, 2009
    What? no..... You put too much faith in the companies securely storing your 'strong' password. If they have a breach and don't salt/hash the password being stored, it doesn't matter how strong your password is.....

    This article isn't about 2FA being useless, it's about vulnerabilities in the cell network system, which makes using SMS for the 2FA useless. You should ALWAYS enable 2FA wherever possible, but it should be done using something like google auth that generates the codes. That combined with strong passwords that are unique for each account will make you more secure than most of the idiots on the web.
     
    Darunion and bagelnagel like this.
  9. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,992
    Joined:
    Nov 15, 2016

    well.. if someone is using the same username/password for everything.. well .. not much anyone can do then

    LOL
     
  10. [21CW]killerofall

    [21CW]killerofall Aliens...

    Messages:
    2,703
    Joined:
    Mar 16, 2006
    FDIC only covers deposit accounts up to $100k. Not saying that you couln't still sue to recover the rest.
     
  11. BSmith

    BSmith [H]ard|Gawd

    Messages:
    1,325
    Joined:
    Nov 9, 2017
    Bah. I finally wrote a program to generate passwords for me based on the URL, login, and the month. It will generate the same password for each site for that month. When the login fails,I know it is time to change the password. Every site has a different password.
     
  12. PaulP

    PaulP Gawd

    Messages:
    761
    Joined:
    Oct 31, 2016
    That's very clever.
     
  13. arnemetis

    arnemetis 2[H]4U

    Messages:
    2,376
    Joined:
    Aug 2, 2004
    Well yes, I realize I didn't word that correctly. Anyway the point I was making if you just used a password for your bank, and the bank is breached and your username and password is out there, that is all they need. Even with two factor via phone it's a little more work for the criminals who now have your login details. It's not much work for them to copy & paste a super complex password they got from a breach, even if it's only used on that one site. Should always use different passwords on various sites.
     
  14. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000
    If an attacker is inside their system, your account is already as good as compromised, whether they salt the passwords or not.

    If you are observing good password practice (unique strong password that is different for every site you use) there is no added exposure by them stealing your password.

    Here is a randomly generated password that looks like my typical passwords:

    n@T<NmvD!RB[Dz"cP-^;o!>:xHHx%Z2Ysqq'~dw77oqK:Nu_N$4i_Zm(K[Cm?}o>

    Sometimes they have fewer special characters or are shorter depending on the limits imposed by the system, but in general this is what we are looking at more or less, and the randomly generated password is unique for every site. An attacker can steal it all they want, but the only thing they are gaining access to is the site they already compromised anyway.

    I don't feel like two factor authentication is helping me at all. All it is doing is is inconveniencing me, and assuring that if anything happens to my phone, I can't access any of my accounts, which is a real pain in the ass.

    I call for the death of two factor authentication, and the enforcement of unique randomly generated passwords for every site.
     
  15. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000
    This assumes I use the same password on more than one site.

    Only an idiot would do that.
     
  16. DarkStar02

    DarkStar02 2[H]4U

    Messages:
    2,107
    Joined:
    Mar 1, 2006
    2factor auth saved my steam account recently. How the password got compromised I have no idea but 2factor saved me from losing my entire game library. If you dislike 2fa, just don't use it.
     
  17. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,117
    Joined:
    Nov 16, 2009

    A computer doesn't care about the 'complexity' of your password. It's all the same, and no more difficult to crack than a string of words of the same length with some added numbers/special characters, and is much easier for a human to type. Length should be the focus, not making some random string of characters that would be hell to type out in a field that doesn't allow pasting (Like switching users in an RDP session).....


    And that's incorrect about a hacker being in their system.... Most 'hacks' are just data breaches where they dump the DB. If the passwords are hashed/salted, even rainbow tables won't help as the salt should be unique for that system, and different for users. If it's not stored securely, 2FA will still prevent a malicious user from gaining access to your account, even if they get your credentials. You should have a password vault with all your passwords, and a second vault to store the 2FA recovery keys or 3d barcode for the event that you lose your phone. Yes it's added effort, but absolutely worth it for the additional protection it provides. Mainly because most companies focus very little on security until they are breached, then it's too late for the effected users.
     
  18. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000

    Dictionary attacks are a thing.
     
  19. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,117
    Joined:
    Nov 16, 2009
    Nope. With account lockout policies, you will never brute force a password with decent length.

    This password is much easier for a human to type, and would take exponentially longer to crack than your 'complex' non-human readable password. You'd die before even the fastest computers in the world could brute force it.
    Tonguecreature2maGentaimbibestandfar-flungcellar!
     
  20. MMitch

    MMitch Limp Gawd

    Messages:
    456
    Joined:
    Nov 29, 2016
    I hope you're joking ? How many times were online platform breached and we learned that they stored everything in plain text ? (I look at you PSN saying that my 25 characters long with special char and all was breached because of me... I had to resort to BBB to get this sorted)
    I also look at hotmail... 40 characters, never used account (keeping it active just in case). How I knew it was breached ? After a year of not using it, I received emails to my main account from it... yeah my fault here again.

    Anyway, 2FA if handled properly (I mean not by the same database and preferably not the same company) is better than no 2FA. The things that needs to get out is the stupid questions they put in place to recover accounts... Social engineering is way too easy in 2019.
    Also 2FA would be more practical if instead they sent you a question that once answered you get a pin to enter. This way you confirm you're you and if you first.
     
  21. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000

    My assumption would be that if an attacker is able to dump a database of passwords, salted or not, they already have pretty much full access to the system they have compromised, and as such it doesn't matter if they take your passwords or not. The only time this would then be a problem is if you use the same password in multiple places, which no one should be doing.
     
  22. MMitch

    MMitch Limp Gawd

    Messages:
    456
    Joined:
    Nov 29, 2016
    So you're saying it doesn't matter if they have access to all plain PW at that point (or hashed/salted) ? You assume everything else was compromised ? I don't care if they compromise PSN for example, I care if they compromise my account. If they want to delete everything or empty PSN bank account, feel free but I wish I wouldn't be caught in the process because they were careless.
    Anyway, having 2FA by a 3rd party would prevent them from even using those PW as they won't be able to login anyway. Edit: Unless like you said everything else was compromised.

    I still think 2FA is flawed by not confirming who you're first. A simple question you manually set would make wonders.

    Edit2: Sorry if I sounded agressive and all, I'm just pissed at company putting the blame on users for their mistake and you triggered me saying strong PW is all it needs. We all know it's a 2 way relationship, we use strong PW, they protect their system. Assuming they do is dumb as everybody on this forum knows how it goes in company, bottom line and shareholders are all that matters.
     
    Last edited: Feb 13, 2019
  23. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,052
    Joined:
    Oct 29, 2000
    I just find it frustrating to have to wait for a code that doesn't always arrive immediately, then having to transcribe it, all for what I perceive as at best a minimal improvement in security, if you don't reuse passwords, and keep them complex.

    Many of these 2FA systems have text messaging as their only option. Lets say my phone number changes. Or better yet, lets say I drop my phone in the toilet tomorrow.

    Great. Now I can't access anything.
     
  24. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,117
    Joined:
    Nov 16, 2009
    And that is a TERRIBLE assumption. In fact I can't think of any breaches in the past few years where this was true. Also, 2FA is usually a 3rd party service, so even if a hacker gains access to the DB, they will not be able to access or bypass the 2FA.

    If they offer SMS 2FA only, then yes, it helps a little but as this post shows there is a huge vulnerability that needs to be resolved. Although most people do not have the access required to exploit this vulnerability.
    2FA with a number generator like google auth works perfect, with no waiting to receive a code. And you should be securely storing the recovery keys in the event you 'drop your phone in the toilet'. You could also look into hardware devices like the YubiKey.
     
  25. MMitch

    MMitch Limp Gawd

    Messages:
    456
    Joined:
    Nov 29, 2016
    Yeah, I never had to wait more than 1minute at most and that was at work... with anything "fun" related, almost instantly.
    Also if you lose your phone you can probably get forwarding ? (I know they do call forwarding, maybe they also propose SMS forwarding)

    A perfect solution would be 2FA optional (given you accept a special TOS), multiple solutions (ie text message, phone call, email) and ideally a way to confirm it's you (like a question you need to answer before you get the pin.
    Again, the above is needed from my point of view because the server party isn't as secure as we would think. A strong PW doesn't mean quack if they broadcast it as their SSID lol
     
  26. likeman

    likeman Gawd

    Messages:
    585
    Joined:
    Aug 17, 2011
    Perfect option is to use an app for 2fa with 10 1 time use backup codes (it should never be tied to a sms, Google does. Have the option called hardened mode using u2f keys 2 of them one bt/nfc USB and other one at least usb for account recovery )

    Google and Ms trust sms or call (or another email account) as the only way to recover your account (does not always matter if they don't have the password if they can just reset it via sms)