Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'

A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication. Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning …

Silver badge

why would anyone link their bank accnt to paypal

Unless it is a throw away account that only has funds for a limited time.

I don't use PayPal often, but when I do I only use protected credit cards, issued in my case by Bank of America ShopSafe. The credit line is set to the purchase price in PayPal. I make the purchase and the virtual card is useless after that.

As for SMS and two-factor: it's still better than single factor. None of my bank accounts with major banks have two-factor as far as I know, though each account has a unique username, a unique password, and a unique email address hosted on my personal server (which does NOT correspond to any user accounts on my server; I have a general login account with access to my dozens of email inboxes and 150 or so email addresses spread over multiple domains).

4
14
Silver badge

Re: why would anyone link their bank accnt to paypal

I agree 100%. Originally it was horror stories about PayPal reversing charges on the say-so of someone else that made me resolve to never link it to a bank account; this is merely another reason. I have linked it to a credit card, so if a fraudulent charge is ever made, I can go to my credit card company and have it reversed, instead of being at the mercy of PayPal.

If you have a lot of money coming in to Paypal you may have reason to link it to a bank account, but IMHO it should be a bank account you open specifically for that purpose, and have some sort of automated 'sweep' function set up to leave as little money in it as possible to minimize potential losses. Linking to your own main/only bank account is criminally stupid, and you deserve what you get if you do that.

4
5
Anonymous Coward

Re: why would anyone link their bank accnt to paypal

Credit cards? Ah yes, I've heard of them. People use them to get massively into debt with really high interest rates right?

I don't like borrowing money, I'll stick to debit thanks.

5
15
Silver badge

Re: why would anyone link their bank accnt to paypal

"I don't like borrowing money, I'll stick to debit thanks."

Or you could just set up a direct debit to pay the whole bill every month, and enjoy the better protections provided through credit card use without ever going into debt. As is so often the case, just because some people misuse a thing does not mean such misuse is required for all users. It makes no more sense than complaining that some people are bad at painting so you'll stick to having bare plaster for your walls.

As for the article itself, pretty much a big "eh". Yes, social engineering remains by far the biggest threat when it comes to fraud. Humans are always the weakest link when it comes to security; as long as there is someone, somewhere, with the ability to screw around with your account details, this kind of fraud is always going to be possible. And since changing account details is something that often needs to be done legitimately, that's never going to change.

19
2

Re: why would anyone link their bank accnt to paypal

Typical AC comment, blame 'the system' for lack of control.

As has been pointed out, using a CC has many benefits to the user. I have a low-limit card for all online purchases (yes, I even keep rejecting their limit increases), my logic being that if it got hacked it'd a) not be my money anyway and b) the amount they could obtain would be limited to a few hundred quid.

I can happily argue with a CC company or PayPal until the cows come home, my current account is totally unaffected; mortgage, gas, mobile etc all get paid. Try that when your debit card is trashed and your account is plundered. Yes you may get a refund eventually but trying to cover bills or plead with service providers isn't my idea of fun.

8
1

Re: why would anyone link their bank accnt to paypal

"Credit cards? Ah yes, I've heard of them. People use them to get massively into debt with really high interest rates right?"

I happen to have 6 CC's. Not a single dime in debt. You should hear more broadly.

11
2
Silver badge

Re: why would anyone link their bank accnt to paypal

Credit cards? Ah yes, I've heard of them. People use them to get massively into debt with really high interest rates right?

And people also use them correctly (as in: pay them off in full every month. Which, BTW, credit card companies *hate*).

7
1

Re: why would anyone link their bank accnt to paypal

Why would credit card companies hate being paid off in full each month?

They get their funds from the credit card transaction fees the merchant pays for the privilege of being able to take credit card payments, and they do so whilst accepting the minimum of risk of default from the card holder.

Yes, they can make money from your interest payments on any ongoing debt each month, but the risk of default is higher on credit cards than other unsecured debt, hence the higher interest rates. And in the UK the credit card company also has to accept the shop's liability on certain purchases, so they get the risks from both ends. Surely anything that reduces that risk (like prompt payments from the card holder) would be a positive thing.

1
0
Silver badge

Re: why would anyone link their bank accnt to paypal

Yeah, I doubt credit card companies care if you pay in full every month or not. They make money either way, and if you don't carry a balance they won't make interest charges but they also don't have to worry about selling the account into collections for pennies on the dollar if the person can't pay, disappears, dies etc.

1
0

Re: why would anyone link their bank accnt to paypal

This sounds suspiciously like what happened to me about four weeks ago.

My first indication that something strange was going on was a text from T-Mobile on Saturday stating that I was a valued customer and to rest assured that my changes would be handled quickly. Well, since I was at a BBQ and hadn't made any changes, I was suspicious, and called them. T-Mobile said that there were no changes and the text had been sent in error. Fast forward to Monday....

My cell phone had no service and was in "searching" mode. So I opened up my web mail and reached out to T-Mobile. They proceeded to tell me how that was normal when I requested that my cell number be transferred to another phone on another carrier. Thus the battle began with them. At the time I thought it was just a phone-related issue. Then the notification e-mails began coming in....

I started getting user account modification e-mail notifications from my bank, where the modification texts were being sent to my cell phone, which had been hijacked already. So I hung up with T-Mobile and immediately called my bank, while getting into my account. While sitting on hold with the fraud department of the bank, waiting to speak to someone, these clowns added themselves as an auto-pay recipient to my account and tried to send themselves two $1,000 transactions and one $2,000 debit. By the time the account was closed down and a fraud alert put on it, the two $1,000 transactions were killed by the bank (only because they take 24 hours to process), but the $2,000 debit had gone through (which I am presuming he had done using the banking app, as he had added his phone to it). It took them ten business days to get me my $2,000 back on a temporary basis. The phone they used was a pre-paid "burn" phone.

I was lucky. Because I had notifications set up, and because this guy missed it, I was able to catch it super early.

1
0
(Written by Reg staff) Silver badge

Re: fbt3

Wow - how did they manage to transfer your T-Mobile number? (I'm assuming it's T-Mobile USA, right?)

C.

0
0

Re: fbt3

Yeah. It was T-Mobile.

They purchased a pre-paid Verizon phone. According to Verizon, they don't do any real checks when you buy a pre-paid phone because you're not technically getting an "account". So once they bought that phone they somehow convinced Verizon to trigger an inter-carrier transfer. From what I was told by T-Mobile, there's no real verification done for inter-carrier transfers because they assume the requesting company has done their due diligence checks.

With that being said, I am getting this info from phone lackeys, so I don't know what the real process is.

I did verify with Verizon that they didn't have my SSN in their system anywhere, but I still can't guarantee that it wasn't a full identity theft. I treated it like it was and reached out to all of the credit agencies, the local police, the FTC, etc. and got everyone involved in it.

0
0
(Written by Reg staff) Silver badge

Re: fbt3

Wow, that's crazy. Thanks for letting us know.

C.

0
0
Anonymous Coward

Re: why would anyone link their bank accnt to paypal

I've been close to having the same thing happen to my AT&T account, I think. We (several family members on the same account) received notice that our passcode had changed. Followed up and AT&T indicated that "someone logged on and changed the passcode". They couldn't tell us who changed it, or where they were from (or even confirm if it's from their app or from the website). Did the change password thing and reset the passcode. A few days later the same deal happened. AT&T was helpful in that they locked the account down completely for us. We left it that way for the rest of the billing cycle, then reset the password in the store. Now we have "enhanced" security, and need password + passcode for any changes.

The unsettling part is not knowing the source. Rogue app on the landfill android tablet they sold (sorry: "gave for free") to my wife? Malware on the home PC? Some brute force attack from a bot farm overseas? Some 400# guy on his bed in his mom's basement? Hard to believe they don't have sufficient logging to track things down.

Was wondering what the end game was. This makes more sense.

Made sure my Paypal account isn't linked to my bank account... Keeping one extra eye on all financial stuff for the time being.

1
0
Anonymous Coward

Re: why would anyone link their bank accnt to paypal

I work for a Private Label Credit Card company that also does some Co-Brand stuff (your Visas and Mastercards) and we don't hate it. It's less whining out of you over late fees and finance charges, which don't make us that much money in reality. We make a little less money off of having people clear balances on the monthly, but we're making plenty by lending to you in the first place.

1
0
Anonymous Coward

Re: why would anyone link their bank accnt to paypal

"I have linked it to a credit card, so if a fraudulent charge is ever made, I can go to my credit card company and have it reversed"

Are you sure about that? Have you tried it? You have explicitly authorised PayPal to take money from that account so, as far as the bank is concerned, their transaction with PayPal is authorised. Whether the original PayPal transaction with the external party is legitimate has nothing to do with the bank as they aren't a party to that transaction and they would be well within their rights not to get involved or issue a refund.

0
0
Silver badge

Any other luddites about?

I guess I'm safe then... I only use my phone to make... <gasp> phone calls. No purchases, money transactions, etc. are done on it. I guess I'm a luddite at heart.

14
6
Silver badge

Re: Any other luddites about?

Yep, another here. Considering all the data slurping that is also going on, best to leave the phone for phone calls and carry cash.

4
5
Silver badge

Re: Any other luddites about?

The other problem is, using a token app is fine, as long as you are not accessing / cannot access any services using those tokens on the smartphone... Otherwise it is just 1.5 factor.

My bank uses a token generator, where I have to enter the receiving account number and the amount into the generator, plug my chip-card into the device, and it creates a unique code for that transaction. This should also stop MitM attacks, because I enter and confirm the recipient and the amount; if the MitM uses a different account or amount, the transaction code won't match and the transaction will be rejected.

A bit of hassle, but worth it.

4
1

Re: Any other luddites about?

You might only use your phone for calls, but the person who calls up and pretends to be you can then use it to order phone upgrades and tablets on your phone account (as I discovered to my cost).

Fortunately it looks like AT&T are slightly more on-the-ball than EE, because the latter don't seem to have any security precautions at all - they let the hacker repeatedly access my account and order stuff (10 times in a month) despite not knowing any security details except my name and address.

1
0
Silver badge

Re: Any other luddites about?

My bank uses a token generator, where I have to enter the receiving account number and the amount into the generator, plug my chip-card into the device and it creates a unique code for that transaction.

Likewise. Except, for me, it's not a bank, it's a building society. And bonus points for the fact that the device itself isn't unique (my wife has one too - and we can use each other's device) but the number generated is.

2
0

Re: Any other luddites about?

What you use your phone for is irrelevant.

As long as your service providers allow the use of a phone number to secure your account, you're vulnerable - even if you don't even have a phone.

What's a self-professed luddite doing on a tech website anyway?

1
0

Re: Any other luddites about?

I use my phone for a lot of data consumption...

Because of this, to be on the safe side, I don't use my phone for actual financial transactions, like Amazon ordering, banking apps, etc.

0
0
Silver badge

Bah!

Dimwit shaming the "tech" who "broke protocol"?

Of course we all know that while we think of the call center people as working in an office of many, in actual fact they are working from home over a network connection. This week's customer account service technician is last week's full-time facebooker.

1
17
Silver badge

Re: Bah!

ATT does not use work at home call center.

5
0
Silver badge

Re: Bah!

Well, it is called two factor for a reason.

How did the miscreant know the SECOND factor?

If he can explain that, then he should blame AT&T for all it's worth. If his authentication was JUST an SMS code, that's still SINGLE factor, not two factor.

4
6

Re: Bah!

They didn't know the second factor, as per the article:

"This allowed the attacker to go to PayPal and use the service's two-factor authentication (which sends a one-time code via SMS) to reset the password on his account and take control of that"

4
0
Silver badge

Re: ATT does not use work at home call center.

Assuming you are right (a big assumption, but I am implying AT&T obfuscation rather than kain preacher misdirection) then the "breach of protocol" is even more bewildering and should result in an immediate firing and outing on the intranet as a warning to others - just like they do in my own enterprise. Shouldn't be necessary, but sadly is. Dimwits infest the world.

0
0
Silver badge

Re: ATT does not use work at home call center.

How is what I said misdirection? I've worked at an AT&T call center. I can tell you what he did is a fireable offence.

2
0
Anonymous Coward

Re: ATT does not use work at home call center.

Yep, sure is. I was at Rio Rancho and they'll terminate you an hour later for that kind of crap, if not sue you or have you arrested like those idiots who unlocked those hundreds of thousands of phones in Bothell in 2015.

1
0
Anonymous Coward

We need to collectively stop calling SMS/phone verification 2FA

2FA should be for actual authentication. Time- or token-based systems do that. Verifying an email/phone/SMS line without authentication does not provide the same level of security. It should be used as the last-resort option for customers without access to a smartphone/computer. It is especially galling as time-based 2FA is easy and free, and does not require the user to have an active network connection, so it can be confirmed over the phone/face to face.

They could easily use it as an alternative to ATM/Point of Sale PIN codes as well, with only back-end changes on the banks' servers, which would really inconvenience ATM skimmers as well.

The problem is the people running those systems are barbarians, and maliciously savage ones to boot. Squatting over musty heaps of old FORTRAN and COBOL punchcards, waving incantations over Visual Basic powered Excel spreadsheets. They invoke the names of Old Gods, and pray for the return of the AS/400 mainframe to the cave of the great wind god HAY-LON.

They even managed in successive firmware updates to screw up Apple Pay. It asks for your PIN code now. The whole point of Apple Pay was it never needed your PIN code. Why are they even asking for it? To make A.P. as inconvenient as their highest profit/fee service is my guess. Possibly charging a phantom merchant fee and skimming the profit? Where is that PIN even GOING?

The majority of these people will only change when it's mandated by an exterior force like the PCI standards body, and then only grudgingly and late...

13
0
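The time-based codes this post argues for, and the chip-card reader described earlier in the "luddites" thread that binds the recipient and amount into the code, share one HMAC core. The following is an added example, not code from the thread or from any bank or vendor: it implements HOTP/TOTP per RFC 4226/6238 (checked against the RFCs' published test vectors) and a constructed "sign-what-you-see" transaction code, then shows that a payee swapped in transit fails verification. The secret values, the `account|amount|nonce` challenge format and the `bank_verifies` routine are assumptions for illustration.

```python
"""
Added example (not from the Register thread or any poster): the kinds of
"second factor" argued about above, built from the same HMAC core.

  - HOTP/TOTP (RFC 4226 / RFC 6238): the challenge is a counter or the clock,
    so the code works offline and is not obtainable by porting a phone number.
  - Transaction-bound codes, as described for the chip-card reader: the
    challenge is (destination account, amount), so a man-in-the-middle that
    edits the payee ends up with a code that no longer verifies.
  - SMS OTP holds no secret on the user's side at all; whoever controls the
    phone number holds the factor, which is exactly the failure in the article.
"""
import hashlib
import hmac
import struct
import time


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits at an offset chosen by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = unix_time // step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step=30, digits=6, window=1) -> bool:
    """Server-side check; accepts neighbouring time steps to tolerate clock drift."""
    now = time.time() if at is None else at
    for k in range(-window, window + 1):
        expected = totp(secret, now + k * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def transaction_code(secret: bytes, dest_account: str, amount_cents: int, nonce: int, digits=8) -> str:
    """Sign-what-you-see: the code commits to payee and amount.
    The 'account|amount|nonce' challenge layout is constructed for this example, not any bank's."""
    challenge = f"{dest_account}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verifies(secret: bytes, dest_account: str, amount_cents: int, nonce: int, code: str) -> bool:
    """The bank recomputes the code over the payee/amount it is about to execute."""
    expected = transaction_code(secret, dest_account, amount_cents, nonce)
    return hmac.compare_digest(expected, code)


def mitm_demo():
    """Customer signs a payment to ACCT-LEGIT; a MitM rewrites the payee to ACCT-EVIL.
    Returns (honest_accepted, tampered_accepted)."""
    card_secret = b"card-secret-constructed-example"  # constructed, lives in the chip card
    nonce = 4711  # constructed; a real reader uses a per-transaction challenge/counter
    code = transaction_code(card_secret, "ACCT-LEGIT", 12500, nonce)
    honest = bank_verifies(card_secret, "ACCT-LEGIT", 12500, nonce, code)
    tampered = bank_verifies(card_secret, "ACCT-EVIL", 12500, nonce, code)
    return honest, tampered


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # shared test secret from RFC 4226 / RFC 6238
    print("HOTP counter 0:", hotp(rfc_secret, 0))               # 755224
    print("TOTP at T=59 :", totp(rfc_secret, 59, digits=8))     # 94287082
    print("MitM payee swap (honest, tampered):", mitm_demo())   # (True, False)
```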
Silver badge

Re: We need to collectively stop calling SMS/phone verification 2FA

Almost everyone takes this shortcut because it is easy - everyone has a phone and text messages are free for almost everyone these days. Personally I'd rather run a standard RSA app on my phone after having them provide me a seed, but what would really happen is that everyone would want their own damn app which is no kind of solution.

However, a separate device is MUCH worse - then everyone will want their own separate device - the result would be that I simply wouldn't use 2FA unless forced because no way I'm carrying around a Paypal 2FA device, another for my bank, yet another for my retirement account, etc. etc. etc.

The company I'm consulting for has smartcards that can be used with employer issued PCs that have a smartcard reader, or with a standalone PIN reader for those like me without employer issued PCs. They use these for remote access and access to most resources in their intranet.

Last year they enabled SMS as an alternative to the smartcard, so now I use that, so when I got notification my smartcard certificate was going to expire I didn't even bother to renew it. I suppose it is less secure given that SMS is not secure and someone might be able to "brute force" AT&T and find a stupid rep who will transfer my phone number. But using my phone to login is a lot more convenient than using a PIN pad and smartcard that adds to the crap I have to carry around, so as long as they choose to allow it, I'll choose to use it. If there was a way I could use the RSA app on my phone, I'd switch to that from SMS.

2
1
Silver badge

Re: We need to collectively stop calling SMS/phone verification 2FA

If everyone supported FIDO U2F, you would only need to carry one very small key. Google, Facebook, Dropbox, GitHub (to name just a few) do support it. Sadly PayPal cannot be bothered.

0
0
Silver badge

Re: We need to collectively stop calling SMS/phone verification 2FA

I don't want to carry even one thing around. I want a single app, or I'm going to continue using SMS for 2FA because that's the only other alternative that doesn't make me carry shit around with me. It is 2017, there's no reason I should have to carry a physical object around with me for this purpose when I carry the equivalent of 1990's fastest supercomputer in my pocket!

0
0
Silver badge

Re: We need to collectively stop calling SMS/phone verification 2FA

A FIDO U2F key is smaller than most door keys and can be conveniently attached to them. You probably carry your home keys with you?

I do understand your objection to carrying extra things with you though, but similarly some object to having such a crucial application installed in a not-so-secure environment which is a phone.

0
0

No 2 factor authentication method will overcome social engineering. There will ALWAYS be a way to admin override the settings and reset them. You know this, you live it every day resetting user passwords.

5
1
Silver badge

And these always have to deal with human fallibility. What happens the day you leave the fob at home on a crucial day when you're hours away? Or what about the RSA attack, which was apparently after secrets behind 2FA tokens so as to crack them?

0
3
Silver badge

There will ALWAYS be a way to admin override the settings and reset them.

Suppose I use Authy or similar to generate TOTP codes and my phone is lost, stolen, or broken. I'm well and truly screwed. (Yes, I know about backup codes, but storing them securely so that they can be accessed from anywhere in an emergency without the 2FA device is problematic.)

So here's the conundrum of 2FA as it exists now:

* If there is no way to reclaim accounts without the 2nd factor, you're in a world of hurt if you lose access to the device.

* BUT -- if there is a way to talk customer service into doing a password reset, then it's not really 2FA because you don't need the 2nd factor to get control of the account. So what's the point?

It's fashionable to say that people should use 2FA for everything now. But doing so is not without risks, and those risks are rarely mentioned... until a story like this comes along and reminds us that the weakest link is always the wetware.

4
1
Silver badge

If you can reset the account with only access to the phone it is single factor, not two.

1
0
Silver badge

"If there is no way to reclaim accounts without the 2nd factor, you're in a world of hurt if you lose access to the device."

I see this, but one solution would be a third factor, a letter sent to your home address. It'll take a while, but that one is even harder to deal with. Anyone who is up for stealing your phone, e-mail and intercepting your post, well, not every crime can be stopped.

2
0
Silver badge

The software could not let the call centre drone get to do things if the customer doesn't get the password right.

If the customer's forgotten the password it could go on to other security questions, again not letting the drone go on to later screens unless the customer gets most or all of them right.

And it should certainly not allow repeated spamming of the call centre.

If there is some doubt about the customer then the drone should be able to play back previous calls to the call centre to compare voices, check if the caller is calling from their own home or mobile, and so on.

There are certainly ways to tighten up things.

5
0
Silver badge

Back in the day I went with a mate to his dad's business for the day as one of those bring-your-kids-to-work-day jollies. They were a delivery firm and had been the target of an attack where someone had tried to change the delivery address of a regular order (of electronics, if my memory serves me). The lady who ran the dispatch office had a novel solution to this problem and had her own version of two-factor authentication. When you called there was, amongst other things, a codeword you had to use to change an address; if they didn't supply that or got it wrong, then nothing changed. She also had in the same book a series of letters next to the client. She'd got everyone listed with letters like SNB, FA, RA, DV (those are the ones I remember) which also related to the client. So if you called up as a customer, even if you gave the correct code word, if you didn't sound like your acronym(s) - Snobby (SNB), have a Foreign (FA) or Regional (RA) accent, or a Deep Voice (DV) - then she'd be very wary.

2
0
Silver badge

But now you're on the sliding scale. Make things TOO tight and you end up with complaints from people who can't get their business done because they've LOST their second factors and can't get a new one issued. Too tight or too loose, you end up losing business, and there's always the risk the medium is not happy but UNhappy: loose enough that accounts STILL get stolen, yet tight enough that people STILL complain too much about losing access.

0
1
Silver badge

"She'd got everyone listed with letters like SNB, FA, RA, DV (those are the ones I remember) which also related to the client. So if you called up as a customer and even if you gave the correct code word if you didn't sound like your acronym(s) Snobby (SNB), have a Foreign (FA) or Regional (RA) accent or Deep Voice (DV) then she'd be very wary."

How did the secretary handle things, though, when the voice change was for a legitimate reason (usual person was on vacation, for example)? False negative?

0
1
Silver badge

No idea as I was only there for a day but it struck me as a good idea at the time. You would at least know that you weren't speaking to the regular person and then make further checks as to the veracity of the caller. Just seemed a better plan than accepting blindly the new address the person on the other end of the phone line was giving you. Could result in an expensive mistake otherwise.

1
0
Bronze badge

The software could not let the call centre drone get to do things if the customer doesn't get the password right.

If the customer's forgotten the password it could go on to other security questions, again not letting the drone go on to later screens unless the customer gets most or all of them right.

That is always the process, but the issue is the operator. They are the ones who say, no you haven't got it right, but they also have to say, yes they did get it right.

In this case, one operator eventually said, yes they did get it right, when they didn't. You can't stop that. Do you really think every 'drone' really cares that much about their job? Of course not, they do what they can for an easy life, and some people are easily persuaded...

0
0
Silver badge

"PayPal is terrible"

Yes, the problem is definitely PayPal.

5
2
Silver badge

Re: "PayPal is terrible"

No, the problem was the dimwit AT&T "technician", and a lack of AT&T gumption when it comes to how to react to individuals' repeated call-bombing the help and support center sans proper credentials.

The PayPal part is the one where the attempt to make them act like a real bank hits their terms and conditions. I've only anecdotal evidence to offer, but there seems to be no dearth of people who are less than impressed by the problem mitigation offered by PayPal. The victim (who is of course being blamed in these comments - big surprise) is expressing a lack of sanguinity vis-a-vis a speedy and angst-free resolution of the breach caused by a dimwit working for AT&T.

1
1
Anonymous Coward

Simply don't

leave money in a paypal account.

As much as PayPal like to bleat about how safe they are, they are not governed in the same way as banks are.

They are free to do WTF they like with your money.

Any seller on eBay who now insists on PayPal only doesn't get my trade; when I sell on eBay I make a very clear point that I DON'T accept PayPal.

You leave money in the hands of PayPal and it's a lottery if you ever see that money without jumping through numerous hoops.

3
3

Re: Simply don't

eBay requires paypal as a payment option.

0
1


Biting the hand that feeds IT © 1998–2018