Take the money and run
Two-factor authentication (2FA) is held up by the information security community as one of the most effective ways to mitigate credential stealing and avoid account compromise. What happens, though, when 2FA is undermined by malicious actors and used against consumers? The very protections lauded by security teams become a gateway to theft, creating a stir among security practitioners, and potentially causing consumers to question security’s authority on the matter.
The recent exploit of Signaling System No. 7 (SS7) that depleted the bank accounts of some German citizens is an example of what can go wrong if organizations are putting too much stock in “industry best practices” without considering the organization’s unique threat profile or environmental factors, in this case, like the rise in cyber attacks against financial institutions, and widespread utilization of online banking despite mobile phone vulnerabilities.
This here’s a story about Billy Joe and Bobbie Sue
Regarding the attack in question, the German newspaper Süddeutsche Zeitung reported last week that online banking customers had been targeted in a money-stealing scam. A known vulnerability in SS7—a set of protocols first developed in 1975 that allow phones to exchange information across platforms or geographies—facilitated the attack, but it wasn’t the SS7 vulnerability alone that created an opportunity for wrongdoing. The SS7 exploit is more interesting to the security community because it’s less prevalent, but the simple truth is that phishing was the first step in allowing the criminals to steal consumers’ account numbers, online banking credentials, mobile numbers, and associated data. Examples of phishing emails used in this attack have not yet circulated, but it’s likely that they were standard fare, run-of-the-mill, preying on people’s curiosity or falsely claiming that urgent action was necessary. Odds are, malware was missed by the banks’ security systems, resulting in harmful emails being delivered to people who didn’t stop to question the legitimacy of an unsolicited notice asking for the input of sensitive information.
That second factor, though, that was the banks’ precaution to stop illicit transfer of funds.
Attackers were one stop ahead of the banks, however; they used the flaw in SS7 to intercept authentication/security codes texted to consumers’ phones, used those codes along with other previously gathered information, and were able to re-route consumers’ money into their own accounts. Attackers are crafty, you say, and they will employ every covert tactic to enact harm, but here’s the problem: This was no zero day. The vulnerability in SS7 has been known for more than two years.
Two young lovers with nothin’ better to do
First discovered in 2014 by German security researchers, SS7’s exploitability has been debated among security circles and beyond. The subject made its way to the U.S. Congress shortly after its disclosure, at which point a senator from Oregon and a representative from California started pushing for reforms from telecom companies and asking the FCC to institute regulations requiring remediation. A group of representative from the telecom and banking industries should have met earlier this year in Berlin as well.
A fix for SS7 isn’t so easy, though. Rearchitecting the system would be tricky—and researchers don’t seem to agree on the best method anyhow. With this in mind, coupled with additional considerations for the potential of compromised mobile endpoints, the National Institute of Standards and Technology (NIST) issued a warning in July 2016 that “Verifiers [i.e., organizations communicating with their customers] SHOULD be aware of indicators such as device swap, SIM change, number porting, or other abnormal behaviorbeforeusing the PSTN to deliver an out-of-band authentication secret.” Further, NIST stated that “Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.” Memorized secret authenticators, lookup secrets, one-time passwords, and cryptographic software authenticators are among the solutions NIST suggests instead.
Here’s what happened when they decided to cut loose
While companies’ security teams are valiantly attempting to persuade customers to implement 2FA to protect accounts and identities, not all 2FA is created equal. Text-based 2FA might be the most convenient method for users, but it’s no panacea, even though it’s generally presented as the first mechanism for 2FA or account recovery. Jonathan Sander, CTO of STEALTHbits, says that given the known flaws with smartphone security, “organizations should consider other forms of 2-factor authentication outside of SMS—like a push notification or an app.” Even without the SS7 exploit, he warns, “If you are a high value target and someone puts effort into it, they can hijack your SMS messages. If they’re really good, you may not even know it.”
Additional factors of authentication should absolutely be part of organizations’ security toolbox, but now that we’ve seen the severity of this mobile exploit in the wild, security teams need to pivot away from text (even though it’s cheap and easy). Hardware tokens, apps, and biometrics are all viable solutions, though they will require some user awareness and training.
Further, as phishing was once again the initiation point for the attack, organizations need to tune firewalls and filtering to drive down the number of infected emails that reach employees in the first place. Inspect and analyze traffic in real-time, and log and monitor any potentially suspicious activity coming into and out of the network.