25 comments

[ 3.3 ms ] story [ 69.2 ms ] thread
Device ID > "although in some cases, the fraudsters gave the appearance they were customers who were accessing their accounts from new phones"

SMS > "... report doesn’t explain how the crooks managed to steal SMS messages and device IDs"

GPS > "spoofed GPS locations the device was known to use."

If you can gather all 3, is there any way to stop you? They probably have some hardcore malware (potentially using zero-day vulnerabilities). The only solution might be to ban certain phone models (usually the cheap ones...)

Issue their own hardware tokens to customers? A FIDO NFC key can be pretty cheap, though I guess the really low-end phones might not have NFC.
SMS is mostly popular today because it’s user friendly. I can’t imagine that most users would like carrying around separate hardware tokens.

I would imagine there’s some point at which there’s an equilibrium between fraud costs and customer acquisition/retention costs.

Mine lives on my keyring and is smaller than my house key or bike key, and I'd argue holding it against the back of my phone is actually more user friendly than typing in a number from a text message.
It's convenient if you have one. If you had one for each financial institution you deal with, it might be a different story.
It's a smaller inconvenience than one more key on my keyring, so a handful of them wouldn't be a big problem.
Yes, off-device 2FA like a yubikey or the stuff I described in another comment. Anything that involves using your bank card and a secret that only you know (like a PIN code), separate from your account details.
Aren't yubikey require NFC or USB OTG? My phone support neither. Is expensive phones the only solution? If so then my blacklist solution still stands.
There are dedicated hardware tokens that don't require any particular support on your phone, you copy the number just like if you were using an app to generate TOTP codes except it's on a little LCD screen instead.

https://www.cdw.com/product/RSA-SecurID-SID700-Enterprise-pl...

Phone apps have largely replaced them but for my bank I wouldn't mind having a separate device that's not internet connected.

But they cause other issues, like being one more little device to lose and not providing accessibility features like a phone app does (good luck if you're blind).

Yet another example of why SMS shouldn't be used for 2FA ever.

Besides the fact that Sim-swap attacks are still super common, if they've compromised the Android devices themselves (as is implied in the article) then they could grab the Device ID that way and potentially add some SMS-forwarding malware perhaps?

They probably run a mobile app ad network for a freemium game and know which phone numbers pay the most.

Would explain the preparedness for phone emulation and the thought of it too.

Same regarding GPS, this is really prevalent on darknet market tutorials and services, where you get the ID and credit card of someone (large markets for that called fullz) and then find a compromised windows computer near that residential/billing address (there are whole markets for that called rpc, sorted by bandwidth and location) and then run the credit card but from a computer near where the owner lives, to avoid being flagged.

What happened here seems to be a mixture of those concepts, to address bank accounts without getting flagged.

In the US at least, the bank is responsible for losses right? At what point do they begin to secure all this? I have a number of accounts and not one is true 2FA: only one is SMS, the rest are user/password only.
> At what point do they begin to secure all this?

When the cost of fraud handling exceeds that of redoing their security, I guess. It'd have to be a 10x or more factor though, because companies seem to be quite accepting of existing / recurring costs.

That said, my banks have had 2FA for a long time. The one started off 20 years ago with a device where you'd punch in the numbers on screen, it would give you some numbers back. The second version required you to insert your bank card, PIN, and the number on screen, while the website asked for your account number and card number. The third version that I'm using nowadays is pretty much the same, but instead of punching a code it has a camera that scans a color-QR code on screen.

The other bank used to send printed lists of one-time codes, where the website would say 'type the code at index xyz'. Later they went for SMS-based 2FA, I think they're still on that nowadays.

Both have mobile apps, and use PIN codes or Face ID for quick access. They know it's a higher risk than their 2FA solutions, so they limit the maximum amount that can be transferred (thus limiting their own damage). The limit has slowly increased over time as their security proved itself. In essence it's like an insurance policy, whose price changes depending on risks and track record.

>The other bank used to send printed lists of one-time codes, where the website would say 'type the code at index xyz'. Later they went for SMS-based 2FA, I think they're still on that nowadays.

One of the banks I use in India adds this grid to the back of your debit card. For higher value or non-usual transactions, they both ask for an SMS code and 3 values from the grid, in addition to the password to login to the netbanking site. The app allows you to get in with your fingerprint or a "quick access code", but these other factors kick for many transactions.

I would add that simply answering a ping on the account's SMS is emphatically NOT by itself 2FA.
Nobody cares. They just jack up the rates. Kindof like welfare for the crooks.
I’m guessing this is an Android only issue. A commenter on the Ars article said they didn’t see any device ids with iPhone sounding names.
(comment deleted)
My bank lets me do online banking with just my phone. How is this secure in view of this? I want proper 2FA!
If any device can be used for banking I don’t see why accessing the bank using the the same device that generates the second factor is a problem. You could just as well use a different device to access the bank.
The problem is that TOTP is so weak that it's almost not a second factor.

It's something the computer knows, so it's more like a non-human password than a "Something you have"

That said, most people probably don't even have TOTP, so these farms are probably not targeting them yet?

This is the folly of assuming a 1:1 binding between person and hardware. When I worked in fintech, I warned risk and our architects that you could not rely on any measuee that didn't take into account SIM swapping or strategic config cloning. No one listened. This despite tge fact that SIM swapping became a hot commodity for people when ID's started to be required for legal purchases from a vendor, and when device ids were getting integrated into fingerprinting.

If you start one to one-ing hardware, you track User-Agents. Not Users. These are not equivalent.

Because it’s multidimensional. Security is one aspect, but the firm exists to generate profit for the shareholders, so the management has to balance these priorities.

The problem is that SMS 2FA is more user friendly.

App based 2FA requires user to download Google Authenticator, copy the key there, copy the resulting number out. It’s a lot of friction. And on top of that users can lose the 2FA key.

SMS is less secure, cloneable, but it reduces friction, which in turn results in more revenue. And without revenue, there will be nothing at all, secure or not.

Either only few phones had SMS as MFA or SMS swapping wasn't used at all. The later is more logic:

- You have to have a physical/esim card which costs money to buy and is perfectly Geo-trackable.

- You can only SIM-swap by duping any given cellular operator in personal interaction with their Support. Article says US & Europe - different countries, different mobile operators. Each such call is recorded, costs air time money, again Geo locates the caller.

What is more probable - yet another stupid malware was installed on phones, which can easily read Device ID/SMS received. In such case, great that Trusteer busted this operation (I guess, no mentioning of LE involved), but nothing news-worthy in technological sense. So, it is still better to have SMS as MFA versus no MFA at all, and of course it is time to switch to Authenticaiton Apps for MFA/Hardware keys.

> Each such call is recorded, costs air time money, again Geo locates the caller.

Air time is practically free and untraceable. How do you think the ‘I’m Bob with Microsoft’ scam works?