A wave of thefts from gym locker rooms reminds us that SMS-based two-factor authentication (2FA) is, shall we say, total garbage. A fraudster steals phones and debit/ATM cards, then uses them to rack up big bills in London.
The victims are all women, which makes the British police think that the thief is too. But how does it work? And how can you protect yourself?
Let’s uncover the fraud. In today’s SB Blogwatch, we’re pumped.
Your humble blogwatcher curated these blog bits for your entertainment. Not forgetting: Cat in mourning.
SMS 2FA: Go
Avast! What’s the craic? Shari Vahl reports, arrr—”How does a thief steal thousands from London gyms?”:
“Your phone settings”
The similarities in each of the cases seem striking – female victims who put their belongings in a locker at a popular chain of gyms, only to return to find their phones and cards had been taken. A number of high-value purchases were made, from the same stores. The thief also treated themselves to a fast food meal.
Phones, of course, can be made inaccessible through the use of passwords and face or fingerprint unlocking. …But the thief has a method that bypasses these basic security protocols. Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. As this is the first time this card will be used on the new device, a unique security password is required. This verification code is sent by the bank to the stolen phone. The code flashes on the locked screen.
The most important tip is to never leave your phone and card together, and certainly never keep your card in your phone case. …Other than that, the best way to stop … this particular method is to make sure they can’t read the verification code sent by the bank. This is done in your phone settings [so] messages will no longer flash when your phone is locked.
It looks like a bad dream. This is Lydia Chantler-Hicks—“Gym thief stealing thousands”:
The sophisticated scam saw women lose as much as [$14,000], with their bank accounts emptied of their savings while they exercised. … It is thought that the thief is probably a woman, because she can repeatedly access the women’s locker room without arousing suspicion.
A woman named Charlotte has recounted the “nightmare” experience which left her financially and mentally “broken”. … Someone broke into her locker and stole her backpack containing her phone, bank card and keys. The thief then reset her… online banking details and transferred thousands of her savings to her checking account, before embarking on a ‘whistle-stop’ shopping spree.
Charlotte who? Charlotte Morgan—@MorganBroadcast—is not satisfied with the reaction of her bank:
“blame the victim”
After a painful and frustrating week, I need to talk openly about something that happened to me (which could happen to you too). …And I’m not alone. At least two more [gym] members have also had their lockers broken into and their belongings stolen. We are all without phones, without money, without keys.
We are talking about seriously organized, sophisticated and calculated fraud at unprecedented scale and speed. Ignoring it and blaming the victim cannot be the answer. … It is up to the provider to prove that I was negligent or fraudulent, which it cannot. Simply saying that my PIN has been used does not mean that I authorized the purchase. [It] is lazy and beyond exasperating.
Verification code? That’s our old enemy, SMS 2FA. Nextgrid reminds us how simple it is:
SMS 2FA simply sends a time-limited secret via SMS and verifies that the user returns it to you.
What could possibly go wrong? Christine Dodrill, Cadey and Cendyne explain—”Two-factor authentication considered harmful”:
“It's 2022 and it's still a thing”
Don’t even get me started on how messed up things like SMS-based two-factor authentication are. They use OTP codes on the backend, but then send them over the one carrier channel most susceptible to phishing, so that an attacker can intercept these codes. It’s a mess.
We are in 2022 and it is still a thing. I think many users and developers are conditioned to think this is a safe implementation because everyone is still using OTP SMS.
A mess? slut puts it more strongly:
[It] is total garbage and should never be used in any application that requires real security. If a code is sent to you, it is broken.
The way 2FA should work is that only you have access to the code and a password. So for example with the Google Auth app, or with several other (less used) open source alternatives which do not require you to give them any information. … The fact that the victims’ banks apparently use SMS “authentication” is security theater, because it is in no way secure.
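To make the contrast Nextgrid and slut are drawing concrete, here is an added example (mine, not code from the original post or from any bank or app it mentions) that models both flows: an SMS-style one-time code, which the server mints, stores and then transmits to the handset, where anyone who can read the lock-screen preview holds the factor; and a TOTP (RFC 6238) code of the kind Google Authenticator produces, where the shared secret is enrolled once and both sides derive the code from secret plus time, so nothing secret travels over the carrier network. The user names, TTL, attempt limit and the `store` dictionary are assumptions standing in for a real session store.

```python
"""Added example: SMS-style OTP versus TOTP (RFC 6238). Constructed, not the page's code."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


# --- SMS-style OTP -----------------------------------------------------------
# The server generates a random code, keeps only its hash, and hands the code to
# an SMS gateway. The factor is "whoever can read the phone", not "whoever owns it".
@dataclass
class PendingCode:
    digest: bytes          # sha256 of the code; the plaintext is never stored
    expires_at: float      # absolute time (seconds) after which the code is dead
    attempts_left: int = 3 # brute-force guard on a 6-digit space


def sms_otp_issue(store: dict, user: str, now: float, ttl: int = 300, digits: int = 6) -> str:
    """Mint a time-limited code for `user`; the returned string is what would be texted."""
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    store[user] = PendingCode(hashlib.sha256(code.encode()).digest(), now + ttl)
    return code


def sms_otp_verify(store: dict, user: str, submitted: str, now: float) -> bool:
    """Single-use, expiring, attempt-limited check with a constant-time compare."""
    pending = store.get(user)
    if pending is None or now > pending.expires_at or pending.attempts_left <= 0:
        store.pop(user, None)
        return False
    pending.attempts_left -= 1
    ok = hmac.compare_digest(pending.digest, hashlib.sha256(submitted.encode()).digest())
    if ok:
        del store[user]  # a code that verified once must never verify again
    return ok


# --- TOTP (RFC 6238 on top of HOTP, RFC 4226) --------------------------------
# The secret is shared at enrolment (the QR code) and then stays on the device;
# the 6 digits shown are computed locally, so there is no SMS to intercept.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(now // step), digits)


def totp_verify(secret: bytes, submitted: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock skew."""
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the SHA-1 reference value is 94287082 -> "287082"
    print(totp(b"12345678901234567890", 59))
    sessions = {}
    texted = sms_otp_issue(sessions, "alice", now=1000.0)  # constructed user
    print(sms_otp_verify(sessions, "alice", texted, now=1010.0))
```

The point the code makes: in the SMS flow the server-side checks (expiry, single use, attempt limit, constant-time compare) are all sound, and the scheme still collapses the moment `texted` is visible on a locked screen, because the secret is delivered to the phone rather than derived on it. In the TOTP flow the only thing ever transmitted is the six-digit result, and the secret that produced it never left the enrolled device.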
But how does the fraud work? Surely you still need the card’s PIN? (Because it’s Chip and PIN in the UK.) jamescocker tried to reproduce the hack:
I was curious about that too, so I decided to…see what would be needed to get my card PIN, imagining that I just had my locked phone and wallet. … In short, [my bank’s app] requires:
• [Routing] Code & Account number (on physical card)
• Full name (on physical card)
• Date of birth (from the [driving license] in the wallet)
• 6-digit SMS code (iPhone default is “Show previews”)
• 4-digit code via phone call (no need to unlock the phone)
This allowed me to:
• Retrieve the online banking username
• Reset the online banking password
• Reset the online banking “memorable information”
[Now] I have full control, including viewing the card PIN.
But even if the OTP was not displayed, the thief could move your SIM card to another phone. u/ramakitty advises as follows:
That’s why it’s [also] important to set a SIM PIN code.
Meanwhile, fropenn suggests another layer of security:
If you turn off the iPhone, the password is required for all functions, including the camera or displaying texts on the lock screen. So just turn off your phone if you leave it anywhere.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites…so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.