[Informatics] Hooray for two-factor authentication! Oh no, sorry. That's been hacked too.
Mark
mark at vceit.com
Mon May 8 13:53:10 AEST 2017
https://www.wired.com/2017/05/security-news-week-hackers-beat-two-factor-authentication-rob-bank-accounts/

*Hackers Use SS7 Telephony Flaw to Defeat Two-Factor Authentication*

Security researchers have warned for years that a gaping security hole has
persisted at the heart of the global telephony system: Signaling System 7,
or SS7, is designed to connect phone calls between phone networks, but can
easily be hijacked by any carrier—or carrier impersonator—that decides to
maliciously reroute calls.

Now cybercriminals have finally cashed in on that long-lingering flaw. The
German phone company O2-Telefonica told the Suddeutsche Zeitung this week
that hackers had used an SS7 attack to steal the text messages sent to
banking customers as part of their two-factor authentication scheme.

After planting malware on the victims’ computers to steal their passwords,
the hackers also intercepted the one-time codes sent over SMS when the
hackers attempted to use those credentials, defeating that phone-based
protection measure.

The phone companies can’t say they weren’t warned: The technique was
presented in 2014 at the Chaos Communication Conference. Last year, hackers
demonstrated it again for 60 Minutes, using it to wiretap a Congressman on
camera.

And we at WIRED warned that the SS7 flaw is another reason you should stop
using text messages for authentication. That advice applies now more than
ever.
--
Mark Kelly
mark at vceit.com
http://vceit.com
Powered by *two-factor authentication.*