May 19, 2017

Why two-factor authentication is not enough

News Security

The usual argument “do you really need an antivirus” quite often goes something like this:

— I don’t need antivirus! I have nothing to steal! Viruses? Ransomware? Go on and infect me! I’ll just reinstall the operating system, and I don’t have anything to lose — there is nothing valuable on my computer.

— But you have a bank account, right? You do online shopping, don’t you?

— Bah, the bank has two-factor authentication. That will protect me. Even if hackers stole my card number, they could not withdraw my money.

Well, turns out they can. First, not every online store uses 3D Secure protection, which means that not every transaction requires a confirmation SMS message with a code. Even the CVC code (three digits on the back of the card) is no guarantee against misuse — not all transactions require one.

Also, hackers can intercept the SMS messages banks send and use the verification codes to gain full access to an account. Recently, a substantial sum of money was stolen from unlucky consumers in Germany in exactly this manner. Let’s take a closer look at how it happened.

Why two-factor authentication via SMS is not enough

SS7: A hole in the phone

Intercepting SMS messages is possible because of vulnerabilities in a set of telephony signaling protocols referred to by a common name — SS7 (aka Signaling System 7, aka Common Channel Signaling System 7).

These signaling protocols are the backbone of the contemporary telephone communication system; they are designed to transmit all of the service information within a telephone network. They were developed as far back as the 1970s and implemented for the first time in the 80s, and since then they have become a worldwide standard.

Initially, SS7 protocols were designed for fixed phones. The idea was to physically separate voice and service signals by putting them on different channels, and it was done to harden protection against telephone intruders using special boxes to imitate the tone signals used at the time to transfer service information within telephone networks. (Yes, the same boxes Steve Jobs and Steve Wozniak were making back in the day — but that’s another story.)

The same set of protocols was implemented later, in mobile networks. In between, developers added a range of features. Among other things, SS7 is used to transfer SMS messages.

But information security was not a matter of concern fifty years ago — at least, not for civil technologies. Efficiency was what mattered, and that got us the efficient but insecure Signaling System 7.

The main weak point of this system (along with many other systems designed in those times) is that it is based on trust. It was assumed that only network operators would access it, and they were generally thought to be nice guys.

Ultimately, however, the system’s security level is defined by the least protected member. If any of its operators is hacked, then the whole system is compromised. The same is true if any network administrator working for any of those operators decides to exceed authority and to use SS7 for their own purposes.

SS7 access can allow someone to wiretap conversations, determine the location of the user, and intercept SMS messages, so it’s no surprise that both secret services of various countries and criminals are active users of unauthorized SS7 access.

How the attack actually happened

In the case of the recent attack in Germany, it went like this:

1. Users’ computers were infected by a banking Trojan. It’s very easy to be infected by a Trojan if you do not use a security solution, and they can work without any obvious signs, so users may not notice them at all.

Using the Trojan, hackers stole bank logins and passwords. (Of course, stealing those credentials is not enough in most cases — the confirmation code from the bank sent by SMS is also required.)

2. Apparently, the same Trojan was used to steal the users’ phone numbers. This data is usually requested when people make purchases online, and it’s not hard to steal. So, the crooks had both the credentials to access the users’ bank accounts and their mobile phone numbers.

3. The criminals used the stolen bank logins to initiate the money transfer to their own bank account. After that, having access to SS7 on behalf of some foreign carrier, they forwarded SMS messages sent to those phone numbers to their own phone and received the confirmation codes they needed to complete the logins and transfer money. The bank didn’t have a reason even to suspect possible abuse.

The German carrier whose subscribers were harmed by this case has confirmed the attack. The foreign carrier whose SS7 network access was used for the attack was blocked, and affected persons were notified. We do not know if they managed to get the money back.

Don’t you still need an antivirus?

Two-factor authentication is usually considered solid security — if no one but you has access to your mobile phone, then who else could read a message on it? Well, anyone who has access to the SS7 system and who is interested in using your SMS messages to get to your money.

What can you do to build proper two-factor authentication and protect against attacks similar to the one described in this post? Here are two tips.

  • Use a good security solution on every device. Unfortunately, banks may not use alternative kinds of two-factor authentication; some send confirmation only by SMS, and then your only hope is a strong security solution. In the case of the attack described in this post, a proper antivirus would not have allowed the banking Trojan to infect the computer in the first place, so the bank login would not have been stolen. At that point, access to your SMS would be beside the point.