Device ID
> "although in some cases, the fraudsters gave the appearance they were customers who were accessing their accounts from new phones"
SMS
> "... report doesn’t explain how the crooks managed to steal SMS messages and device IDs"
GPS
> "spoofed GPS locations the device was known to use."
If you can gather all 3, is there any way to stop you? They probably have some hardcore malware (potentially using zero-day vulnerabilities).
The only solution might be to ban certain phone models (usually the cheap ones...)
Mine lives on my keyring and is smaller than my house key or bike key, and I'd argue holding it against the back of my phone is actually more user friendly than typing in a number from a text message.
Yes, off-device 2FA like a yubikey or the stuff I described in another comment. Anything that involves using your bank card and a secret that only you know (like a PIN code), separate from your account details.
There are dedicated hardware tokens that don't require any particular support on your phone, you copy the number just like if you were using an app to generate TOTP codes except it's on a little LCD screen instead.
Phone apps have largely replaced them but for my bank I wouldn't mind having a separate device that's not internet connected.
But they cause other issues, like being one more little device to lose and not providing accessibility features like a phone app does (good luck if you're blind).
Yet another example of why SMS shouldn't be used for 2FA ever.
Besides the fact that Sim-swap attacks are still super common, if they've compromised the Android devices themselves (as is implied in the article) then they could grab the Device ID that way and potentially add some SMS-forwarding malware perhaps?
They probably run a mobile app ad network for a freemium game and know which phone numbers pay the most.
Would explain the preparedness for phone emulation and the thought of it too.
Same regarding GPS, this is really prevalent on darknet market tutorials and services, where you get the ID and credit card of someone (large markets for that called fullz) and then find a compromised windows computer near that residential/billing address (there are whole markets for that called rpc, sorted by bandwidth and location) and then run the credit card but from a computer near where the owner lives, to avoid being flagged.
What happened here seems to be a mixture of those concepts, to address bank accounts without getting flagged.
In the US at least, the bank is responsible for losses right? At what point do they begin to secure all this? I have a number of accounts and not one is true 2FA: only one is SMS, the rest are user/password only.
When the cost of fraud handling exceeds that of redoing their security, I guess. It'd have to be a 10x or more factor though, because companies seem to be quite accepting of existing / recurring costs.
That said, my banks have had 2FA for a long time. The one started off 20 years ago with a device where you'd punch in the numbers on screen, it would give you some numbers back. The second version required you to insert your bank card, PIN, and the number on screen, while the website asked for your account number and card number. The third version that I'm using nowadays is pretty much the same, but instead of punching a code it has a camera that scans a color-QR code on screen.
The other bank used to send printed lists of one-time codes, where the website would say 'type the code at index xyz'. Later they went for SMS-based 2FA, I think they're still on that nowadays.
Both have mobile apps, and use PIN codes or Face ID for quick access. They know it's a higher risk than their 2FA solutions, so they limit the maximum amount that can be transferred (thus limiting their own damage). The limit has slowly increased over time as their security proved itself. In essence it's like an insurance policy, whose price changes depending on risks and track record.
>The other bank used to send printed lists of one-time codes, where the website would say 'type the code at index xyz'. Later they went for SMS-based 2FA, I think they're still on that nowadays.
One of the banks I use in India adds this grid to the back of your debit card. For higher value or non-usual transactions, they both ask for an SMS code and 3 values from the grid, in addition to the password to login to the netbanking site. The app allows you to get in with your fingerprint or a "quick access code", but these other factors kick for many transactions.
If any device can be used for banking I don’t see why accessing the bank using the the same device that generates the second factor is a problem.
You could just as well use a different device to access the bank.
This is the folly of assuming a 1:1 binding between person and hardware. When I worked in fintech, I warned risk and our architects that you could not rely on any measuee that didn't take into account SIM swapping or strategic config cloning. No one listened. This despite tge fact that SIM swapping became a hot commodity for people when ID's started to be required for legal purchases from a vendor, and when device ids were getting integrated into fingerprinting.
If you start one to one-ing hardware, you track User-Agents. Not Users. These are not equivalent.
Because it’s multidimensional. Security is one aspect, but the firm exists to generate profit for the shareholders, so the management has to balance these priorities.
The problem is that SMS 2FA is more user friendly.
App based 2FA requires user to download Google Authenticator, copy the key there, copy the resulting number out. It’s a lot of friction. And on top of that users can lose the 2FA key.
SMS is less secure, cloneable, but it reduces friction, which in turn results in more revenue. And without revenue, there will be nothing at all, secure or not.
Either only few phones had SMS as MFA or SMS swapping wasn't used at all. The later is more logic:
- You have to have a physical/esim card which costs money to buy and is perfectly Geo-trackable.
- You can only SIM-swap by duping any given cellular operator in personal interaction with their Support. Article says US & Europe - different countries, different mobile operators. Each such call is recorded, costs air time money, again Geo locates the caller.
What is more probable - yet another stupid malware was installed on phones, which can easily read Device ID/SMS received. In such case, great that Trusteer busted this operation (I guess, no mentioning of LE involved), but nothing news-worthy in technological sense. So, it is still better to have SMS as MFA versus no MFA at all, and of course it is time to switch to Authenticaiton Apps for MFA/Hardware keys.
25 comments
[ 3.3 ms ] story [ 69.2 ms ] threadSMS > "... report doesn’t explain how the crooks managed to steal SMS messages and device IDs"
GPS > "spoofed GPS locations the device was known to use."
If you can gather all 3, is there any way to stop you? They probably have some hardcore malware (potentially using zero-day vulnerabilities). The only solution might be to ban certain phone models (usually the cheap ones...)
I would imagine there’s some point at which there’s an equilibrium between fraud costs and customer acquisition/retention costs.
https://www.cdw.com/product/RSA-SecurID-SID700-Enterprise-pl...
Phone apps have largely replaced them but for my bank I wouldn't mind having a separate device that's not internet connected.
But they cause other issues, like being one more little device to lose and not providing accessibility features like a phone app does (good luck if you're blind).
Besides the fact that Sim-swap attacks are still super common, if they've compromised the Android devices themselves (as is implied in the article) then they could grab the Device ID that way and potentially add some SMS-forwarding malware perhaps?
Would explain the preparedness for phone emulation and the thought of it too.
Same regarding GPS, this is really prevalent on darknet market tutorials and services, where you get the ID and credit card of someone (large markets for that called fullz) and then find a compromised windows computer near that residential/billing address (there are whole markets for that called rpc, sorted by bandwidth and location) and then run the credit card but from a computer near where the owner lives, to avoid being flagged.
What happened here seems to be a mixture of those concepts, to address bank accounts without getting flagged.
When the cost of fraud handling exceeds that of redoing their security, I guess. It'd have to be a 10x or more factor though, because companies seem to be quite accepting of existing / recurring costs.
That said, my banks have had 2FA for a long time. The one started off 20 years ago with a device where you'd punch in the numbers on screen, it would give you some numbers back. The second version required you to insert your bank card, PIN, and the number on screen, while the website asked for your account number and card number. The third version that I'm using nowadays is pretty much the same, but instead of punching a code it has a camera that scans a color-QR code on screen.
The other bank used to send printed lists of one-time codes, where the website would say 'type the code at index xyz'. Later they went for SMS-based 2FA, I think they're still on that nowadays.
Both have mobile apps, and use PIN codes or Face ID for quick access. They know it's a higher risk than their 2FA solutions, so they limit the maximum amount that can be transferred (thus limiting their own damage). The limit has slowly increased over time as their security proved itself. In essence it's like an insurance policy, whose price changes depending on risks and track record.
One of the banks I use in India adds this grid to the back of your debit card. For higher value or non-usual transactions, they both ask for an SMS code and 3 values from the grid, in addition to the password to login to the netbanking site. The app allows you to get in with your fingerprint or a "quick access code", but these other factors kick for many transactions.
It's something the computer knows, so it's more like a non-human password than a "Something you have"
That said, most people probably don't even have TOTP, so these farms are probably not targeting them yet?
If you start one to one-ing hardware, you track User-Agents. Not Users. These are not equivalent.
The problem is that SMS 2FA is more user friendly.
App based 2FA requires user to download Google Authenticator, copy the key there, copy the resulting number out. It’s a lot of friction. And on top of that users can lose the 2FA key.
SMS is less secure, cloneable, but it reduces friction, which in turn results in more revenue. And without revenue, there will be nothing at all, secure or not.
- You have to have a physical/esim card which costs money to buy and is perfectly Geo-trackable.
- You can only SIM-swap by duping any given cellular operator in personal interaction with their Support. Article says US & Europe - different countries, different mobile operators. Each such call is recorded, costs air time money, again Geo locates the caller.
What is more probable - yet another stupid malware was installed on phones, which can easily read Device ID/SMS received. In such case, great that Trusteer busted this operation (I guess, no mentioning of LE involved), but nothing news-worthy in technological sense. So, it is still better to have SMS as MFA versus no MFA at all, and of course it is time to switch to Authenticaiton Apps for MFA/Hardware keys.
Air time is practically free and untraceable. How do you think the ‘I’m Bob with Microsoft’ scam works?