Fraudsters Defeat Poor Risk Management - Not Two-Factor Authentication

Thursday, December 08, 2011

Nick Owen

SC Magazine's Australian edition recently published an article entitled "$45k stolen in phone porting scam".

This article was then rewritten on Help Net Security as "Fraudsters beat two-factor authentication, steal $45k".

The summation of the SC Magazine article:

Call your mobile phone provider on the phone numbers below and insist on additional security questions being added to your account before the number can be ported.

The last paragraph of the Help Net Security article, despite its inaccurate headline, gets closer to the true issue:

But, the bigger problem in all of this is the fact that Australian banks have been informed of the possibility of the "porting" option being misused to mount this kind of attack back in 2009, but a lot of them declined to implement a verification system that would make sure that the number to which they send the additional verification code has not been recently "ported".

The truth is that any use of SMS for authentication is a problem, and not just because of porting. The dangers of the SMS system should be well known by now:

Carriers have no incentive to secure their users' accounts. If they increase the difficulty of resetting a password or performing some change, users will start calling support. If you have 100,000,000 users and an extra 2% start calling, it adds up fast.

So SMS is really just an email sent to a phone over a provider that barely cares about security. 99% of SMS messages don't require security (and probably 99% of those don't even need to be sent, but that's another story), so don't expect the carriers to add any soon.

If some application warrants two-factor authentication, then it warrants even the most basic risk analysis. Would you start using an unencrypted VPN because it ran on a phone?

If a bank outsourced its VPN service, what types of audits would it do? What kinds of guarantees would it demand? Did the carriers agree to similar demands when financial institutions outsourced their authentication to them?
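The port-recency check the Help Net Security article says Australian banks declined to implement is the kind of basic risk analysis this post asks for. Here it is sketched as an added example (mine, not code from WiKID Systems or any bank): the carrier port-status lookup, the sample numbers, the dates and the 7-day quarantine window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for a carrier / aggregator port-status
# lookup (hypothetical; a real deployment would query a number-portability service).
PORT_EVENTS = {
    "+61400000001": datetime(2011, 12, 6, 10, 0, tzinfo=timezone.utc),  # ported 2 days ago
    "+61400000002": datetime(2009, 3, 1, 9, 30, tzinfo=timezone.utc),   # stable for years
    # "+61400000003" has no port event on record
}

NOW = datetime(2011, 12, 8, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def last_port_date(number):
    """Most recent port date for `number`, or None if it has never been ported."""
    return PORT_EVENTS.get(number)


def otp_channel_decision(number, now=NOW, quarantine_days=7, lookup=last_port_date):
    """Decide whether an SMS one-time code may be sent to `number`.

    Returns (allowed, reason). A number ported inside `quarantine_days` is
    refused the SMS channel so the transaction falls back to a stronger
    verification step instead of trusting a possibly hijacked number.
    """
    ported_at = lookup(number)
    if ported_at is None:
        return True, "no port on record"
    age = now - ported_at
    if age < timedelta(days=quarantine_days):
        return False, f"ported {age.days} day(s) ago; inside {quarantine_days}-day quarantine"
    return True, f"last port {age.days} days ago"


def deliver_otp(number, code, send_sms, step_up):
    """Route the code: SMS when the number passes the check, otherwise a
    step-up path (e.g. call-back on a previously registered channel).
    `send_sms` and `step_up` are caller-supplied hooks (assumed, not a real API).
    Returns the channel used so the decision can be audited."""
    allowed, reason = otp_channel_decision(number)
    if allowed:
        send_sms(number, code)
        return "sms"
    step_up(number, reason)
    return "step_up"
```

The quarantine refuses SMS to a freshly ported number even when the code itself is valid; the cost is a slower path for the few legitimate customers who just changed carriers, which is exactly the support-call trade-off the post describes.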

Cross-posted from Wikid Systems
