This is more dangerous than it sounds. As the blog post points out you can only get account balance and last transactions. Here's what's really dangerous: the last transactions.
Say you have one more piece of information: account # and routing #. This can be obtained from any check the person has written. Now you can link their account to your account from your bank's website. Your bank will make some small deposits into their account that you will have to verify. Now you use the security hole discussed in this post and you can find out what the amount of those small deposits was. You have now successfully linked their account to your account and you can withdraw their entire account balance into your account from your bank's website.
Now go to your local bank branch and withdraw your entire account in cash and walk away. So yes, this security hole is bad.
It's how everything I've ever used for ACH transfers does account linking, from Paypal to other banks. They assume, and mostly rightfully so, that if you can view an account's recent transactions, you control the account.
Google also does this method of verification for their Adsense payments -- just type in the amount deposited and your account can now receive payments from Google.
I once had a check stolen. No money was taken, since the bank got suspicious and called me and I told them it's not authorized, so they did not pay anything. But I had to close that account and open a new one, because, having the check, the thief has the account # and routing # (the latter is public anyway), so he can initiate electronic transactions from my account without asking anybody. I myself did so on many billing sites - you just give them the account number and the payment is processed; my bank has no idea if I authorized it or not (in those cases I did, but the bank has no way to verify it).
Security of this system doesn't even deserve the name; the only resort is to catch it after the fact and rely on the bank rolling back the transaction.
...and then prepare for the FBI to show up at your door. You can't open a bank account without producing several pieces of ID bearing your current address. Not discounting the apparent stupidity of BofA relying on caller ID for authentication, but it's not quite that easy. Moving money from one account to another leaves a trail.
Current address can change. The only reason my bank knows my current address is because I've repeatedly informed them, and it took about half a year and some effort from my side to have them update all accounts and records with the correct address. So the FBI has a good chance of scaring some innocent men living in a rental apartment that was used by some bad guy two years ago. In one place I lived, I regularly got payment demands from various credit companies to the name of somebody that (I suspect) lived there 2 years ago at least (I knew who lived there before me, and that wasn't the bad credit person). So address doesn't give much.
The responsible thing to do in this situation is to keep escalating at the bank until somebody listens. "Bank of America supervisor" implies a manager at a call centre. A few more escalations and you reach some pretty senior people with actual authority to change things.
A zero-day involving actual dollars (BoA) is a lot different than a zero-day involving email addresses (AT&T, recently). If this exploit makes withdrawals possible, and it sounds like it does, then you're making it easy to seriously mess up someone's life before it's fixed.
This is basically a lookup which authenticates users based on caller ID (the password is the SSN). This is the same as when your carrier changed your voicemail password to be your phone number (and self-authenticate on inbound calls).
The problem everyone is looking at affects 100% of customers, but the bank (mistakenly) believes the barriers to entry are high.
The important takeaway is this: You cannot have a secure service that is authenticated with a phone number.
Phone numbers have been, and will continue to be, an invalid source of identity. In fact, considering a phone number as a signaling agent in a Web of Trust is a terrible decision to make. Time and again we hear of these exploits which wouldn't happen without terrible assumptions.
PSA: YOUR PHONE NUMBER IS SPOOFABLE; IT TAKES 10 SECONDS. DO NOT BUILD SYSTEMS THAT TRUST YOUR PHONE NUMBER AS IDENTITY.
I am no expert but I think the problem is assuming that the caller ID of the incoming call to the bank is authentic.
I'm curious if you could break a similar system that assumed that receipt of an outgoing call made to the customer's phone number was validation of identity.
Outbound call to a number is harder to break. One way is to port the number to another provider, illegally. If you have the person's information and bill, you probably have enough info to get the line transferred. And sometimes, providers will accidentally/idiotically allow a number to be ported even if the information isn't correct; there's plenty of room for mistakes.
Another attack is to target the way they place the outbound call. Suppose they place the outbound call with provider X. An attacker might sign up and start a port via provider X. If provider X has poor code, they might activate the number internally, and route all their customers' calls to your account, before they find out the port's been rejected. Or you might be able to compromise the provider another way - many providers and VoIP software systems are hilariously weak on security.
The first attack will work across the entire phone network; the second requires the authentication call to be made via an insecure provider.
Right but you're talking about owning the DID, which one may or may not need to do in order to compromise your connection. For example, if I pwn the Asterisk box your call routing runs through, I can mirror the audio or redirect the audio pretty trivially.
Going a step further, given how few people aren't buying through a reseller, it's possible to pwn an upstream provider and impact boxes through a man in the middle attack. Even over TDM you're not safe because of physical taps which are difficult to detect (albeit easier than IP).
No, phone numbers are not secure and should never be used as a form of authentication. You don't even need to port a number, you just need to be somewhere in the stream.
I think there's a significant scope difference in performing a MiTM attack (via hacking a provider or installing a tap) and forcing a port through.
After all, it's implicit in telephone banking when you authenticate via voice that you trust the connection. The argument you're making is that telephony is insecure, which is arguably true, but sorta irrelevant within the scope of telephone banking.
How is it irrelevant? Is it not the crux of the issue here?
Many upstream providers are just Asterisk boxes forwarding traffic. Those boxes can be overloaded with a malformed SIP header; hell, most application switches get wrecked by malformed headers.
What I'm trying to say is that money is one of those things where security is actually important. Trusting telephony, even as a signal and not source, is foolish. There are many better methods of deriving identity.
My point, and arguably the point of the article, is that telephony is insecure, and I think it's pretty far from irrelevant... Please correct me if I misunderstood, I'm not trying to offend I just don't understand.
Well, this depends on the delivery medium. If the outbound call is routed to a SIP URI instead of over TDM, you actually have no idea where that call's going.
A DID (direct inbound dial) is physically punched down into an exchange somewhere near the actual physical area (415 exchanges are physically punched down in or around San Francisco, for example). If calling a specific DID results in a forward to a carrier like, say, bandwidth.com, then the routing commands applied after that would not be traceable (or at least not easily).
In short, only if you know the method of delivery, and I'd argue that it's virtually impossible to know what kind of routing a number you're calling will trigger.
Does that help? Inbound caller ID is just Fubarr'd because you can fake it in two seconds.
>I'm curious if you could break a similar system that assumed that receipt of an outgoing call made to the customer's phone number was validation of identity.
That would certainly defeat the caller-ID spoofers. "Please hang up now. We will call you right back ...". Receiving a call from the bank's automated service out of the blue would also alert you to the fact that hackers are attempting entry via spoofing. Or are phone-phishing for whatever details the automated system requires in order to proceed.
Google now offers two-factor authentication for its accounts. You sign in with your username and password. Then Google texts a random code to your phone, which you enter into a third dialog. That way, the bad guys have to steal your phone in addition to your password.
> Then Google texts a random code to your phone, which you enter into a third dialog. That way, the bad guys have to steal your phone in addition to your password.
Nope, they just need access to your phone account at the carrier.
In the case of an AT&T business account, it's just your EIN from the IRS and the billing address of the company.
Then they just pop the "replacement" SIM from AT&T in their burner and receive the text message.
Sure, it's harder than just stealing a password. But don't think it requires stealing your phone. It's just one more account that needs hacking.
You'd need to get the encryption keys to burn that SIM if it should work. You can't extract those from most SIMs (then again, if you steal the original SIM, you don't need to clone it).
The other option is to hack the network node where it's stored, which should be a very different place than the main account data - it's normally a lot harder than stealing a phone.
You misunderstand me. I am talking about walking into an AT&T store and having them issue a "replacement" SIM for the account. No SIM hacking necessary.
It is fraud, however. But so is lying to a bank IVR.
Wouldn't it be fairly trivial to have an automated system to call the caller back (Verify that they aren't spoofing the caller ID)?
e.g.
1. Caller phones in
2. System looks at caller ID, and says "We will now call you right back to verify you are who you say you are"
3. Caller hangs up and has to wait for call.
Surely that system would need a much higher level of hacking to be able to intercept the call.
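The three-step callback scheme proposed in this comment, as an added Python model that is not code from the thread or from any bank: the presented caller ID only selects which number on file to dial back and nothing is disclosed on the inbound leg, numbers registered to more than one customer (an office trunk) are refused up front, and the one-time code spoken on the callback, which is my addition to the scheme, is what finally authenticates. The customer directory and phone numbers are constructed.

```python
"""Callback verification for an IVR: caller ID is a routing hint, not proof."""
import secrets
import time
from typing import Optional

# Constructed sample directory: phone number on file -> customer ids.
# A number registered to several customers is a shared trunk.
CUSTOMERS = {
    "+14155550101": ["cust-A"],
    "+14155550102": ["cust-B"],
    "+14155550199": ["cust-C", "cust-D"],  # office trunk shared by two customers
}

CODE_TTL_SECONDS = 120   # callback code is only valid briefly
MAX_ATTEMPTS = 3         # guesses allowed before the pending code is dropped


class CallbackVerifier:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # phone -> {"code", "customer", "expires", "attempts"}

    def inbound_call(self, caller_id: str) -> str:
        """Steps 1-2: read the (untrusted, spoofable) caller ID and answer.
        The ID selects whom to call back; nothing about the account is said."""
        owners = CUSTOMERS.get(caller_id)
        if not owners:
            return "unusable: number not on file, use another channel"
        if len(owners) > 1:
            return "unusable: shared trunk number, use another channel"
        self._pending[caller_id] = {
            "code": f"{secrets.randbelow(10**6):06d}",
            "customer": owners[0],
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return "hang up; we will call you back"

    def outbound_leg(self, phone: str) -> Optional[str]:
        """Step 3: the bank dials the number on file and speaks the code.
        Only a party who really receives calls at that number hears it;
        a caller who merely spoofed the ID on the inbound leg does not."""
        entry = self._pending.get(phone)
        return entry["code"] if entry else None

    def confirm(self, phone: str, entered_code: str) -> Optional[str]:
        """Return the authenticated customer id, or None on any failure.
        The code is single-use, time-limited and attempt-limited."""
        entry = self._pending.get(phone)
        if entry is None:
            return None
        entry["attempts"] += 1
        if self._now() > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]
            return None
        if not secrets.compare_digest(entry["code"], entered_code):
            return None
        del self._pending[phone]
        return entry["customer"]
```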
You could do that, but it would be a terrible idea and experience in practice.
1. Your system is unusable from anything that doesn't provide an accurate and usable caller ID number. Such as any office where outgoing calls route through a trunk number. Or many VoIP services.
2. You've quite possibly doubled your phone bill, or at least substantially increased it.
It's not always correct to throw as much security as possible at a system. Security always involves tradeoffs and sometimes it is correct to make them.
That's just not true. The inbound rate on Toll-free is almost always higher than outbound termination. Only in rare, high-volume circumstances is Toll-Free inbound cheaper than outbound.
Usability is a huge issue, but I think that it comes back to the bottom line cost figure. The usability is just one of those problems that no one wants to start to deal with because of the cost. If outbound was cheaper someone would've found a way to do it (IMHO).
You may want to re-read your comment. If Toll-free inbound is higher than outbound, then why wouldn't they do outbound more often? We're talking about (in many cases) businesses like banks which offer toll free numbers. So obviously cost is not the dominating factor here.
Some systems did implement outbound calling for increased security. I'm thinking dial-up (BBS/remote access) scenarios. Windows NT, for instance, allowed you to allow a user-defined or preset callback number. Although, for user-defined, it's more likely a cost issue than security.
How does this affect systems in Africa and Asia where mobile banking is widespread? Tons of money transfer is done by sending it via text messages. Any idea how they handle this? Is spoofing a text message totally different?
“Our objective is to balance customers' need for convenience and quick access to general information with industry best protection of their accounts,” wrote Betty Reiss at Bank of America. “In addition to at least two levels of authentication required to access very limited information over our automated system, we have additional security controls in place to detect potential abuse of our automated systems. We understand that there will always be individuals who are trying to beat the system, and we're constantly looking at measures to better protect and service our customers.”
Except some systems, such as PayPal, determine authorization to a bank account by making a couple of small transactions and requiring you to confirm the amount. So read-only access to statements does allow you to get more access to the account via other parties. (I found this out after someone I gave read-only access on my account started making withdrawals via PayPal.)
> "Bank of America supervisor" implies a manager at a call centre.
Hahahaha, yep. And that's as far as you'll get.
I've worked at a call center that serviced a lot of big companies. Rest assured you will never, ever speak to an actual manager at a call center (call center managers aren't trained to interact with customers, they mostly do scheduling and deal with attendance policy). You'll get a "Level 2 rep" who's just another rep who has some authority to grant exceptions to policy in certain cases.
Also, if you call the corporate HQ and demand to speak to the president of the company, they'll route your call right back to that level 2 rep in the call center. Most companies go out of their way to ensure that the leadership is protected from the inevitable lunatic customers.
I made it to level 5 once with my bank when a merchant was ripping me off. It was the kind of thing where they could only promise a callback within the week because the person was generally busy not answering customer calls and didn't have anything to do with the call centre. That guy fixed the problem when everyone under him said they couldn't.
If it wasn't a bank, I would say forget about this approach. But based on my own limited experience, I have this belief that retail banks are nowhere near as atrocious as PayPal or your typical telecom or insurance company.
Even if escalation through customer-facing channels didn't pan out, I guess I would like to see more than a public exposé on a blog and YouTube from someone who "is a long-time advocate of privacy and the conservation of the personal realm" and who previously was involved with Mt. Gox. There is no indication that they exhausted all possible avenues before going public with the information, and I'm quite sure there's more to do than simply give up once you reach level 2.
It seems like the author, thieves, and a fraction of a percent of BoA customers are the only ones who benefit from this. His actual core business at the moment is based on safeguarding people's privacy; this kind of thing only makes me want to run far far away.
> I made it to level 5 once with my bank when a merchant was ripping me off.
Eh, in all reality your 'level 5' is likely the other level 2 sitting next to the 'level 4' (who was also a level 2) you spoke to. I know this from experience, there's not a ton of professionalism when everyone is pulling down < $10 an hour. It might've been the one level 2 that knew more than the others. It's really level 2 reps all the way down.
No, it was a guy in a private office who was VP something or other for the west coast, but I had to escalate several times to reach him. Maybe I just have a good bank.
That's entirely possible, the call center where I worked was mostly tech companies (HP, Adobe, Autodesk, etc etc). I'm guessing if you were with a smaller bank you'd get less factory farm-type service.
I managed to hit my bank's internal security team this one time. Pretty cool to chat to them at the time although they mentioned as little as humanly possible about their policies for obvious reasons :)
My account basically got itself into an invalid state where I couldn't verify using my pin or log in online. Must have slipped through the cracks in business logic somewhere because I combined credit and debit onto a single card and created a 6 number PIN. Called customer service, got escalated to higher level, then a few hours later called by someone from the internal team.. which worried me slightly.. but was fine in the end.
You're confusing identities. We're talking about the responsibility of the person who is disclosing the vulnerability, not whether it's responsible for a person to have a BoA account.
Well, they used a proxy to log into their own account, so probably not. Had they tried to demonstrate this using someone else's SSN, then yup - lock 'em up!
If they stole data from 100K bank accounts using SSN generator and then sent those to the press - yes, probably. Since they instead accessed their own account to which they were authorized to connect anyway - no, not right.
From what I understand, knowing somebody's name, SSN, address and DOB would allow you to impersonate him/her at 90% of places. In 90% of the rest, they'd require some password, but if you sound convincing enough and desperate enough and claim you forgot the password, they'd give you some information they're not supposed to in exchange for the pieces from above. SSN especially is treated like it's super-secret even though practically everybody asks you for it - banks, employers, car dealers, credit cards, lenders, etc. Government loves to ask DOB for some reason like it's a big secret - even though looking for congrats on anybody's Facebook page allows you to know the DOB for like 90% of people.
In general, this whole system does not collapse only because the overwhelming majority of people are honest and don't even think about cheating it. Which I think is good, but still I am a bit scared when I think about how fragile it is.
> SSN especially is treated like it's super-secret even though practically everybody asks you for it - banks, employers, car dealers, credit cards, lenders, etc.
Ironically, the IRS doesn't. I know of someone who had to authenticate himself to the IRS (I think when getting a new social security card) and was prepared to give them his SSN, when the agent scolded him, 'Your SSN isn't a means of identification'.
If only they knew!
> Government loves to ask DOB for some reason like it's a big secret - even though looking for congrats on anybody's Facebook page allows you to know the DOB for like 90% of people.
DOB is public record (by one means or another) for almost any US resident.
I am both amused and annoyed at now having to enter my US postal ZIP code when using my credit card at some gas stations. If someone stole my wallet, they'd have that information already as it is on my driver's license.
It's not just BofA. I know of at least one other popular bank that uses the last four of one's SSN as the default password. They may also require a DOB, but that's simple enough.
First, it's not off CID, it's off ANI (ANI is what is passed to the remote endpoint when you call a toll free number). Not that you can't spoof ANI - but often it can be a little harder, as it's used in billing on the telco side.
Second, every bank does something like this, I can access my credit card by phone with just the last four digits of my account number, and by calling in from my phone. I can do the same thing with my BofA account number in lieu of my SSN.
Third, again, every bank is like this to some extent - every CC I have, if I call in from my number and key in the last four digits of my credit card, I can get info. I should also point out that knowing someone's telephone number, account number and/or CC number is a considerable amount of info to have.
Credit cards are a vastly different scenario than bank accounts. To a first approximation, unauthorized credit card access poses zero risk to the cardholder. Bank accounts are vastly different in that respect. Can you access your checking/savings account like this, not just your credit cards?
If this is a widespread vulnerability, why is it left open? Also, my bank wants a 13-digit access card number and a 4-digit PIN, which is secure enough for me.
This is the same sort of exploit used in the "Phone hacking" scandal that News of the World and other newspapers got in trouble for. Except in that case they were hacking voicemail boxes not bank accounts. This is pretty serious and not exactly a novel idea, very surprised that BoA hasn't encountered this problem yet.
So the worst case scenario that this maybe non-repeatable process might result in someone: 1) accessing more of your data and 2) maybe perform fraudulent transactions that will be detected and/or reported; investigated; and refunded. Uptown problems.