
I am assisting another Data Scientist with helping a bank detect and prevent fraud via data analysis and predictive modeling (Machine Learning). It's a challenge because the proportion of known fraudulent cases is small and some fraud goes undetected.

I need to combine my statistical modeling techniques with subject matter expertise (SME) in the domain of fraud / infosec. We had a number of "traditional" rules to serve as SME, such as checking IP addresses, comparing users' current browser data / fingerprint / canvas against the past and for internal consistency, etc. We can catch most fraud this way by requiring 2-Factor Authentication (2FA) whenever something looks suspicious.

However, one of our customers indicated that now fraudsters are able to "defeat 2FA by cloning SIM cards and other methods". This would be a huge complication but I've never heard of it before, at least not on any significant scale that wouldn't involve offline contact between the customer/victim and fraudster. So, my first question is:

  1. Is this true? Does this happen and if so, how is it being done? Any known mitigation strategies?

This is only a small and intermittent part of my job, so it's quite possible that my information is out of date and there are new techniques like this. This leads me to my second question:

  2. Are there other methods like this that I should be aware of, which would allow attackers to bypass 2FA?

We were aware that sometimes the identity thief will have enough personal information to call or login to the bank, pass verification, and update the phone / email contact info so they can later try to bypass 2FA when making a withdrawal. We have a strategy to combat this, but if there are other attack vectors please let me know.

  • It depends on the 2FA system. SMS is known to be insecure, TOTP is much more secure, but can be compromised. Physical 2FA keys offer the highest security and are most difficult to compromise. Commented Aug 10, 2022 at 16:47
  • @Theonewhotests Thanks, and yes I agree. Right now they utilize SMS as an option and I believe the other option via their app is essentially TOTP. I can change the technologies they use however. I just use the data to detect and prevent fraud. So I need to know if fraudsters are really cloning SIMs or otherwise intercepting the 2FA SMS codes or if that's just an exaggeration / rumor / etc. I believe they usually get data (CC numbers, names, addresses, etc) from leaked databases or from the Point of Sale. I don't see how they can intercept SMS based on just that?
    – Hack-R
    Commented Aug 10, 2022 at 19:26
  • SIM-swap attacks are common and they tend to target people with bitcoin accounts. krebsonsecurity.com/category/sim-swapping I think "SIM cloning" is a much smaller threat as someone needs physical access to the card to perform the attack. For either of these, 2FA for things like changing password or recovery make the problem worse. Use of a PIN or some similar code that is set up when the account is created helps, though many SIM-swap attackers seem to have that information as well. (Bad-actor provider employees sell those along with the account info.) Commented Aug 10, 2022 at 19:56

1 Answer


Yes, people can and do attack SMS-based 2FA with SIM swapping attacks. Essentially, the attacker convinces the phone provider to port the number from the legitimate owner to a SIM card that they are in possession of, meaning that the attacker can receive all calls and texts. This can happen through social engineering or bribery. (Consider the cost of bribing an employee for $500 if you can make off with $20,000.)

TOTP is more secure, but it is vulnerable to phishing (as is SMS 2FA). Essentially, the attacker creates a phishing site and prompts the user to log in with their username, password, and TOTP code, and then the attacker immediately uses that to log into the real site and perform malicious activities.

FIDO2 and WebAuthn security keys avoid this problem because they produce a digital signature which is bound to the domain of the website (as the browser sees it). As a consequence, on a phishing site, the domain will be different, and the signature will fail to validate if proxied to the real site. In addition to physical security keys such as YubiKeys, WebAuthn can also be handled with the user's unlock code on Android phones or Windows Hello, among other implementations.

Of course, many people don't have devices that can do WebAuthn, but if it's possible to implement, it's the gold standard for 2FA. TOTP is also a good option, since authentication apps like Google Authenticator or Authy are available and easy to use. (Please, for goodness' sake, do not use a proprietary TOTP app, just use the standard approach.) I personally use WebAuthn wherever possible and add TOTP as a backup in case I lose my YubiKey.

My recommendation in general is that if you're using 2FA to just always use 2FA and not just when something looks suspicious. SMS 2FA is insecure, but it's better than nothing and makes widespread attacks more difficult. Providing WebAuthn for those who have it (or, for that matter, standard TOTP) would in fact put your financial institution beyond literally every financial institution I've done business with in the U.S. or Canada. Forcing 2FA in all cases will dramatically raise the cost of attacking your institution, although it may lead to an increase in customer support problems. In conjunction with other measures to prevent phishing sites from being successful, you'll probably end up much less of a target.

  • Thank you (+1). I'm only focused on understanding the attack, not on alternative security measures (due to my job role). If there are any additional links you could provide to supplement the first paragraph that would be great; about the attack vector or references to this happening via bribery (I will also look, but thought I would ask for good measure). Very helpful.
    – Hack-R
    Commented Aug 10, 2022 at 22:37
  • I'll link you to the Wikipedia article on SIM swapping, which I think covers the situation well: en.wikipedia.org/wiki/SIM_swap_scam. Krebs on Security, as mentioned in the comments, is also a good source for these types of attacks. The Wikipedia article mentions statistics from the FBI, and if you're located elsewhere, I'm sure your national law enforcement agency has similar statistics.
    – bk2204
    Commented Aug 10, 2022 at 22:42
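The answer above makes two claims worth seeing in code: a TOTP code typed into a phishing page can simply be relayed to the real site, while a WebAuthn assertion cannot, because the origin the browser saw and the relying-party ID are both covered by the signature. The following is an added, constructed simulation (not code from the question, the answer, or any library) using only the Python standard library. The TOTP part is a straight RFC 6238 implementation. The WebAuthn part is a simplification: the authenticator's ECDSA signature is replaced by an HMAC over the same bytes a real authenticator signs (authenticatorData || SHA-256(clientDataJSON)), with a per-credential secret standing in for the key pair; the domains `bank.example` and `bank-login.example` are assumed names.

```python
"""Constructed example: TOTP relay succeeds, WebAuthn relay fails.

Simplification (assumption): the authenticator's asymmetric signature is modelled
as an HMAC over the same signed bytes, keyed with a per-credential secret that the
relying party learned at registration. Everything else mirrors the real protocol.
"""
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def bank_totp_login(server_secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(totp(server_secret, now), submitted)

def phish_relay_totp(victim_secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; attacker forwards it at once."""
    code_seen_by_attacker = totp(victim_secret, now)        # nothing binds it to a site
    return bank_totp_login(victim_secret, code_seen_by_attacker, now)

# ---------- WebAuthn-style assertion (assumed names) ----------
BANK_RP_ID = "bank.example"
BANK_ORIGIN = "https://bank.example"

def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]

def browser_get_assertion(origin: str, rp_id: str, challenge: str, cred_secret: bytes) -> dict:
    """What the browser + authenticator do for navigator.credentials.get()."""
    host = _host(origin)
    # Browser rule: rpId must be the page's host or a registrable suffix of it.
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, challenge: str, cred_secret: bytes,
              expected_origin: str = BANK_ORIGIN, rp_id: str = BANK_RP_ID) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:                  # origin is signed via its hash
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def phish_relay_webauthn(cred_secret: bytes, challenge: str,
                         phish_origin: str = "https://bank-login.example") -> dict:
    """Attacker proxies the bank's real challenge to a victim on the phishing page."""
    results = {}
    # 1. Phishing page asks for the bank's rpId: the browser refuses before any prompt.
    try:
        browser_get_assertion(phish_origin, BANK_RP_ID, challenge, cred_secret)
        results["ask_with_bank_rpid"] = "assertion_issued"
    except PermissionError:
        results["ask_with_bank_rpid"] = "browser_refused"
    # 2. Phishing page uses its own rpId. A real authenticator would hold no credential
    #    scoped to it; even if it did, the relayed assertion names the wrong origin/rpId.
    a = browser_get_assertion(phish_origin, _host(phish_origin), challenge, cred_secret)
    results["relay_own_rpid"] = rp_verify(a, challenge, cred_secret)
    # 3. Attacker rewrites origin and rpIdHash to the bank's: the signed bytes change.
    forged = dict(a)
    forged["clientDataJSON"] = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": BANK_ORIGIN},
        sort_keys=True).encode()
    forged["authenticatorData"] = hashlib.sha256(BANK_RP_ID.encode()).digest() + a["authenticatorData"][32:]
    results["forge_origin"] = rp_verify(forged, challenge, cred_secret)
    return results

if __name__ == "__main__":
    print("TOTP relay logs in:", phish_relay_totp(b"12345678901234567890", 1_660_000_000))
    print("WebAuthn relay:", phish_relay_webauthn(b"credential-secret", "c2VydmVyLWNoYWxsZW5nZQ"))
```

Running it shows the relayed TOTP code accepted, while every WebAuthn path fails: the browser refuses to invoke the bank's credential from the phishing origin, an assertion made for the phishing site's own rpId is rejected by the bank (origin and rpIdHash mismatch), and patching those fields after the fact invalidates the signature. The same structure applies to the SMS case in the first paragraph of the answer: an SMS code, like a TOTP code, carries nothing that ties it to the site the user is actually looking at.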
