Password hashing best practice (TL;DR use bcrypt) has been a bit in the spotlight recently.

There has been a natural progression in the blogosphere as it tracks LinkedIn’s shame. Yes, you should use a password hash function with integrated salting, e.g. bcrypt or scrypt. Yes, it’s scary reading developers’ comments as they muddle through trying to invent their own solution in the comments on stories.

And that blogosphere progression has now reached 2-factor authentication. This just slipped in from an expert (who downplayed salt; yes, stretching is critical, but you would be crazy to stretch without salting too):

But the real answer is things like two-factor authentication with smart phones. Two factor authentication seems like the answer to me. I think ten years from now this is going to be a common approach. [Thomas H. Ptacek]

It’s a step in the right direction of course. But a chain is as weak as its weakest link, and phone companies are very weak links indeed:

Google sends me an SMS with a confirmation number when I log into Gmail. I like this feature. But it can be overcome by a determined attacker who social-engineers the phone company. Case in point: CloudFlare hacked by password reset on a Gmail account.

My own interest is piqued because I too know someone who knows first hand about the spoofability of phone numbers :(

Their computer had a banking trojan. The hacker logged into the bank website and transferred a large sum of money to the hacker’s own account. The bank rang my friend to confirm such a large transfer (as is their routine policy). And the hacker answered…

The hacker had phoned British Telecom and reported a fault on his [as in the victim’s] fixed phone line. The hacker asked BT to investigate and, in the meantime, redirect the victim’s phone to a pay-as-you-go mobile phone.

It was that simple.

The story gets all the more bizarre! I’ll try and write it like I’m short of breath:

Friend randomly logs into bank website and sees outstanding transfer and calls bank. Bank un-transfers money, relief all round. But bank then says “but we did transfer a large sum last week”…

Luckily the police do investigate (apparently they mostly decline to) because there is video footage of someone(?) withdrawing the money. The bank un-transfers the first amount.

Friend phones BT. BT have a phone recording of the transfer being requested, which is spooky to listen to. This is a common enough attack that BT have a system whereby you can put a password on your phone account so random people cannot redirect your phone…

Not long after, mother rings friend… and the call is answered by a strange person instead! The attacker had redirected the phone again.

BT apologise. The support line had asked for the password but validated it even though it was the wrong password. What password had the attacker given? BT had a recording again. Attacker gave the friend’s email password.

Friend has phone number of attacker. Friend phones attacker.

At first the attacker pretends it is a wrong number. Then says ‘yeah, something is wrong with the phones, I keep getting your calls; phone company fault or something, goodbye’. Then the attacker changes tack; they are from the bank’s fraud department and they are investigating some irregularities and if friend can only confirm their details… Crazy that all of that can happen in the same phone call and yet it all feels so believable.

Attacker finally says to friend “I know all your details, I know all about you; if you let me get away with a little bit of money, I will leave you alone.” And then a negotiation on how much is a little bit proceeds. Friend says “I’ll think about it” and hangs up.

I said it was bizarre.

The key thing? Phone company support staff have been successfully socially engineered since, like, forever, and for those preferring technical attacks, phones can be cloned too.

2-factor authentication with phones is only going to be a small speed bump against determined attackers.

ADDED now in the same vein:

So let’s iterate the ways the system failed:

his computer had a trojan

his cleaning of the trojan between the calls obviously didn’t work effectively

the bank was using password website login and phone-call confirmation

as the vast majority of people phoning to report a fault are legitimate, there is no default security on call forwarding

and BT doesn’t publicise the password protection it offers (to my knowledge)

and BT’s own staff failed to actually confirm call transfers in this particular instance

and the trojan failed in that it didn’t rewrite his bank view to hide its own transactions

and the attacker failed to just transfer amounts under the limit that requires phone confirmation

Have I missed any? Probably.

I told him to burn and build. I told him to use a Knoppix CD when using the computer for banking. I don’t think I was heeded.

Using bootable CDs for banking is a great idea. It’s impossible for read-only media to get infected with a trojan that will survive a reboot. I tried to get someone who has access to some shared accounts to use one, but sadly KHTML didn’t work with the banking website. Arrrgggh.

My banks all use secure fobs. To log in on-line, and to confirm transactions, they present you with a challenge; you enter the challenge into the fob and then type the code it displays.

The latest banking trojans are nasty pieces of work. They can piggy-back sessions where you are using a secure fob as two factor and add their own (hidden) transfers to your own. I’ve heard of trojans that are adapted to my banks and their non-English language; these trojans are moving down to target even regional banks now.

It annoys me that a trick is missed with the secure fob. Imagine that:

the challenge screen includes the amount you are authorising

and you type that amount into your secure fob along with the challenge code

It’d be impossible for a banking trojan to slip its own transfers in with a transaction I authorise. I, the human, will balk if the amount being authorised is too much.
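To make the proposal concrete, here is an added simulation (my own illustration, not code from any bank or fob vendor) of a challenge-response fob with and without the amount bound into the response. The HMAC construction, the 8-digit truncation and the shared secret are assumptions standing in for whatever a real fob does; the point is that a trojan which rewrites the submitted amount keeps a valid code in the first scheme and an invalid one in the second.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example: the secret shared between the bank and this customer's fob.
FOB_SECRET = b"constructed-fob-secret-not-a-real-key"


def fob_response(secret: bytes, challenge: str, amount: Optional[str] = None) -> str:
    """The code the fob displays. With amount=None this is today's scheme: the
    response covers only the bank's challenge. With an amount it is the proposed
    scheme: the customer types the amount into the fob as well, so the response
    is bound to that amount."""
    message = challenge if amount is None else f"{challenge}|{amount}"
    digest = hmac.new(secret, message.encode(), hashlib.sha256).digest()
    # Truncate to an 8-digit code, as a display-only fob would (constructed choice).
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_accepts(secret: bytes, challenge: str, amount_received: str,
                 code: str, bind_amount: bool) -> bool:
    """The bank recomputes the response over the amount it actually received."""
    expected = fob_response(secret, challenge, amount_received if bind_amount else None)
    return hmac.compare_digest(expected, code)


def trojan_piggyback(bind_amount: bool) -> bool:
    """Returns True if a browser trojan gets its own amount executed.
    The human intends to send 50.00; the trojan shows them 50.00 but rewrites
    the submitted form to 4999.00 and reuses the code the human typed in."""
    challenge = secrets.token_hex(4)            # fresh challenge from the bank
    human_amount, trojan_amount = "50.00", "4999.00"
    code = fob_response(FOB_SECRET, challenge, human_amount if bind_amount else None)
    return bank_accepts(FOB_SECRET, challenge, trojan_amount, code, bind_amount)


def honest_transfer(bind_amount: bool) -> bool:
    """Sanity check: an untampered transfer must still verify in both schemes."""
    challenge = secrets.token_hex(4)
    code = fob_response(FOB_SECRET, challenge, "50.00" if bind_amount else None)
    return bank_accepts(FOB_SECRET, challenge, "50.00", code, bind_amount)


if __name__ == "__main__":
    print("challenge only: trojan transfer executed =", trojan_piggyback(False))   # True
    print("challenge+amount: trojan transfer executed =", trojan_piggyback(True))  # False
```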

And I don’t think customers will think twice at being asked to enter the amount when they confirm transactions. In fact, I think it feels natural.

A comment said this well: “something I can access” (the secure fob, which can still be piggy-backed) is not as strong a factor as “something I know/am/have” (the sum of the transaction).
