A spate of thefts from gym lockers is reminding us that SMS-based two-factor authentication (2FA) is utter, utter garbage. A fraudster is stealing phones and debit cards from lockers in London, then using the pair to rack up big bills before the victim has even finished her workout.
The victims are all women, which makes British police think the thief is too. But how does it work? And how can you protect yourself?
Let’s unpick the fraud. In today’s SB Blogwatch, we get pumped.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Cat in mourning.
SMS 2FA: Go Away
Avast! What be the craic? Shari Vahl reports, arrr—“How is a thief taking thousands from London gym-goers?”:
“Your phone’s settings”
The similarities in each of the cases appear striking – female victims who have put their belongings in a locker in a popular chain of gyms, only to return and discover their phones and cards have been taken. A number of high-value purchases have been made, at the same shops. The thief also treats themselves to a fast-food meal.
Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. … But the thief has a method which circumnavigates those basic safety protocols. Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded. That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen.
The most important tip is to never leave your phone and card together, and certainly never keep your card in your phone case. … Other than that, the best way to stop … this particular method is to make sure they cannot read the verification code sent by the bank. This is done in your phone’s settings [so] messages will no longer flash up when your phone is locked.
Sounds like a bad dream. Here’s Lydia Chantler-Hicks—“Gym thief stealing thousands”:
The sophisticated scam has seen women lose as much as [$14,000] with their bank accounts drained of life savings while they exercise. … It is thought the thief is likely to be female, as they are able to repeatedly access women’s locker rooms without rousing suspicion.
One woman named Charlotte told of the “nightmare” experience that left her financially and mentally “broken.” … Someone broke into her locker and stole her rucksack, containing her phone, bank card and key. The thief then reset her … online banking details and transferred thousands from her life savings to her current account, before going on a “whistle-stop” shopping spree.
Charlotte who? Charlotte Morgan—@MorganBroadcast—isn’t happy with her bank’s reaction:
“Blaming the victim”
After a distressing and frustrating week, I need to talk openly about something that happened to me (which could happen to you, too). … And I’m not alone. At least two other [gym] members have also had their lockers broken into and belongings stolen. We are all without phones, money, keys.
We’re talking seriously organized, sophisticated and calculated fraud on a scale and speed like never before. Ignoring it by blaming the victim cannot be the answer. … It’s up to the provider to prove I’ve been negligent or fraudulent, which they can’t. Simply saying my PIN was used does not mean I authorized the purchase. [It] is lazy and beyond infuriating.
Verification code? They’re talking about our old enemy SMS 2FA. Nextgrid reminds us how simplistic this is:
SMS 2FA is just sending a time-limited secret by SMS and checking that the user gives it back to you.
What could possibly go wrong? Christine Dodrill, Cadey and Cendyne explain—“Two-factor auth considered harmful”:
“It’s 2022 and this is still a thing”
Don’t even get me started on how messed up things like SMS based two factor authentication are. They use OTP codes on the backend for them, but then send them over the one carrier channel that is the most likely to have support be phished in order to have an attacker intercept those codes. It’s a mess.
It’s 2022 and this is still a thing. I think many users and developers are conditioned to think this is a safe implementation because everyone is still doing SMS OTPs.
A mess? splutty puts it more strongly:
[It] is utter garbage, and should not ever be used in any application that requires actual security. If a code is sent to you, it’s broken.
The way 2FA should work is that you are the only one with access to the code, and a password. So for example with the Google Auth app, or with several other (less used) open source alternatives that do not require you to give them any information. … The fact that apparently the banks of the victims use SMS based ‘authentication’ is security theater, because it’s not in any way, shape or form secure.
But how does the fraud work? Surely you still need the card’s PIN? (UK cards are chip and PIN, after all.) jamescocker tried to reproduce the hack:
I was curious about this too, so decided to … see what would be required to get hold of my card’s PIN, imagining I just had my locked phone and wallet. … In a nutshell, [my bank’s app] asked for:
• [Routing] Code & Account No. (on physical card)
• Full name (on physical card)
• Date of Birth (on [license] in wallet)
• 6 digit code via SMS (iPhone default is to “Show Previews”)
• 4 digit code via phone call (no need to unlock phone)
This allowed me to:
• Retrieve the online banking username
• Reset the online banking password
• Reset the online banking “memorable information”
[Now] I … have full control including displaying the card’s PIN.
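To make the failure concrete, here is an added example (my own code, not from the BBC, jamescocker, or any bank) that models the step both quotes describe: the bank issues a time-limited one-off code and checks that the user hands it back, and whether a thief holding the locked phone can read that code depends only on the lock-screen preview setting. For contrast it also implements RFC 6238 TOTP, the mechanism splutty is pointing at with the Google Authenticator app, where the secret stays on the device and nothing is sent over a channel the thief can see. The `StolenPhone` and `SmsOtpService` classes, the `victim` user name and the message wording are constructed stand-ins, not any real bank’s API.

```python
"""SMS OTP vs. TOTP, modelled end to end (added example, constructed objects)."""
import hashlib
import hmac
import secrets
import struct
import time


class StolenPhone:
    """A locked handset in the thief's hand.  With lock-screen previews on,
    the text of a new SMS is readable without the passcode; with them off,
    only a generic notification shows."""

    def __init__(self, show_previews=True):
        self.show_previews = show_previews
        self.inbox = []

    def receive_sms(self, text):
        self.inbox.append(text)

    def lock_screen(self):
        """What the thief sees without unlocking the phone."""
        if self.show_previews:
            return list(self.inbox)
        return ["New message"] * len(self.inbox)


class SmsOtpService:
    """Bank side of SMS 2FA, exactly as Nextgrid describes it: a random
    6-digit code, a short lifetime, single use, delivered to the phone."""

    TTL = 300  # seconds the code stays valid (assumed value)

    def __init__(self, phone, now=time.time):
        self.phone = phone
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # user -> (code, expiry)

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, self.now() + self.TTL)
        self.phone.receive_sms(f"Your one-time passcode is {code}")
        return code               # returned only so a test can see it

    def verify(self, user, code):
        entry = self.pending.pop(user, None)   # pop => single use
        if entry is None:
            return False
        expected, expiry = entry
        return self.now() <= expiry and hmac.compare_digest(expected, code)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1.  The shared secret lives on the device
    and the code is computed locally; nothing is transmitted to the phone."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10**digits:0{digits}d}"


def extract_code(lock_screen_lines):
    """The thief's only skill: spot a 6-digit number in the preview text."""
    for line in lock_screen_lines:
        for token in line.split():
            if token.isdigit() and len(token) == 6:
                return token
    return None


def thief_enrols_new_device(show_previews: bool) -> bool:
    """Register the stolen card on the thief's own device.  The bank sends the
    one-off code to the victim's (locked) phone; success depends on whether
    the code is readable from the lock screen."""
    phone = StolenPhone(show_previews)
    bank = SmsOtpService(phone)
    bank.issue("victim")
    code = extract_code(phone.lock_screen())
    return code is not None and bank.verify("victim", code)
```

`thief_enrols_new_device(True)` succeeds every time, which is the gym-locker fraud in miniature; with previews off it fails, which is the BBC’s settings advice. The `totp` function can be checked against the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `287082`), and note that the same stolen phone still holds the TOTP secret behind the passcode, so TOTP removes the lock-screen leak but not the case for a SIM PIN and a locked handset.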
But even if the OTP wasn’t displayed, the thief could move your SIM to another phone. u/ramakitty advises thuswise:
This is why it’s [also] important to have a SIM PIN set.
Meanwhile, fropenn suggests another security layer:
If you turn the iPhone off, the passcode is required for any function—including the camera or showing texts on the lock screen. So just turn your phone off if you are leaving it anywhere.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.