Lei Feng network (search "Lei Feng network" public concern) : SMS verification code defect is a very long long chain, this article is only carrying Xiaomi SMS verification code event for preliminary analysis, not for the Xiaomi family, precisely In this case, it is unfair for the muzzle to be just for millet. The author shotgun, vice president of Venusen, and invited columnist of Lei Feng.com, hope this article will give you a preliminary understanding of the millet incident and protect your information security.
Before the incident occurred, the suspected attacker stole the bank's verification message through the Xiaomi SMS Cloud Sync feature, and thus stole 100,000 yuan in cash. I would like to analyze it carefully on the responsibility behind the issue.
| "Two-factor authentication"We know that there is a principle in the field of information security that “do not put eggs in a basketâ€, so in general, operations like high-security requirements such as online banking transfers should implement two-factor authentication.
Two-factor authentication: In the early days of user authentication, only accounts and passwords were used. The default account password was the user. If the user's account password was lost, the entire account would lose control.
With the increasing popularity of informatization, various attack methods have emerged for account passwords, including Trojan horse backdoors, network tapping, brute force cracking, and drag-and-drop library crashes . The method of authenticating the user's identity through the account password alone cannot protect the security of the user account.
Therefore, most important systems have introduced two-factor authentication, which means that in addition to account passwords, it is necessary to verify user identities again through other authentication methods, so as to ensure that even if the user's password is lost, it will not suffer huge losses .
There are many ways for two-factor authentication, from early dynamic tokens, U-keys, to the most popular mobile verification codes today, which are two-factor authentication. Two-factor authentication greatly improves the user's account security, making it more difficult to steal user accounts than originally.
Everyone will find it very strange that since online banking has adopted two-factor authentication, then theft of bank cards should rarely occur. Why did you hear a lot of cases of mobile banking being stolen recently?
| Defective SMS verificationThat's because using mobile SMS verification codes to perform two-factor authentication for mobile banking is extremely incompetent.
Let's take a look at the payment process of mobile banking:
Users - Mobile banking applications - wifi - Carrier networks - Bank servers - SMS verification codes - User mobile phones
Bank card password + SMS verification code
We know that two-factor authentication can greatly improve the security of the premise that two different authentication methods are difficult to be solved at the same time.
For example, if a computer version of online banking is used for SMS verification, then an attacker needs to take down both the victim’s computer and the mobile phone to succeed. This is more than twice as hard as just taking down the computer or simply taking the mobile phone (because the computer is confirmed The relevance of mobile phones is also a very large amount of work).
However, as shown in the above figure, for mobile banking, the situation is completely different. The SMS verification code is shared with the mobile banking on the terminal and the communication link. The mobile banking uses the mobile phone as the payment terminal and the short message also uses the mobile phone as the receiving terminal. The mobile phone bank uses the operator's link as the data channel, and the short message also uses the operator's link as the data channel. This leads to the fact that both the mobile terminal and the operator channel are compromised and the two-factor authentication will fail at the same time . At this time, the two-factor verification is completely inconsistent with the principle that “eggs should not be placed in a basketâ€.
In the past, there have been many incidents of stealing bank deposits by using phone Trojans, pseudo base stations, fishing Wi-Fi, operator SMS hosting services, and SIM card replacement cards to steal user SMS verification codes . The incident was suspected to be via the cloud backup service of mobile phones to obtain bank verification SMS. Although the means are different, the idea of ​​committing the crime is similar.
So why did the bank choose SMS as the main method of two-factor authentication?
On the one hand, it is because of cost, and on the other hand, it is because of ease of use.
Although we say that there are many ways of two-factor authentication, from dynamic tokens (small boxes that randomly generate 6-digit passwords) to U-Keys (small boxes that can be inserted on a computer/mobile phone to verify user identities) are all different at different banks. The scope of application, but because both the dynamic token and the U-Key have a certain cost (a few blocks to a dozen or so blocks), it is difficult for the bank to promote it on a large scale. And after all, a little more box, it is not convenient to carry. The mobile phone message can be said to be a cheap and most convenient means. It does not require additional acquisition costs and no additional equipment, and is therefore favored by users and banks.
| Operators, mobile phone manufacturers, banks, who is responsible?Then the security problem of the SMS verification code is frequent, and who is the responsibility of the bank, operator, mobile phone manufacturer, and user? My opinion is that everyone has the responsibility. The bank has the most responsibility .
1. Why is the bank's responsibility the greatest?
Because of the promotion of mobile banking and the use of SMS verification codes for secondary verification, the most important beneficiary is the bank .
Mobile banking can greatly reduce the operating costs of banks. The cost of e-banking is almost negligible compared to the traditional opening of business outlets. Compared with the universal use of dynamic tokens or U-Key before online banking, the cost of mobile banking is also Greatly reduced.
Banks must vigorously carry out innovations, reduce costs, and improve the ease of use of users. This is ridiculous. However, when some banks chose mobile phone text messages as a two-factor authentication method, they neglected to analyze and control the information security risks that existed in them. Mobile banking adopts SMS verification codes to significantly reduce the intensity of two-factor authentication. What has the bank adopted? Measures? Is there any obligation to inform and disclose risks when encouraging users to open mobile banking? Has the bank actively invested resources to control the corresponding risks in technology? Are there any timely compensation for users who are stolen because of reduced security?
2. Operator: There is no adequate preparation for the security risks of SMS verification
On the other hand, although mobile operators have launched SMS-based password authentication services (including but not limited to banks, mailboxes, stored-value cards, etc.), there is no information on SMS and technical processes. Security requirements have been raised to corresponding heights . For example, security incidents such as copy cards, camouflage identity cards, pseudo base stations, counterfeit text messages, and SMS gateways have emerged in an endless stream. Some operators also provide SMS hosting services to support remote real-time viewing of text messages on the Internet. This shows that mobile operators do not systematically plan the information security of SMS authentication services and do not fully understand and prepare for the risks they may pose.
3. At the same time, some mobile phone manufacturers have not fully realized the sensitivity of mobile phone text messages.
Some mobile phones support applications to directly read the content of SMS. Some mobile phones back up SMS on the cloud server by default. Some mobile phones fail to repair security vulnerabilities in time, and there are various flaws in security protection.
A considerable degree of users lack security awareness. They did not read the user agreement carefully when opening mobile banking, and multiple systems (such as mobile banking, email, and cloud services) use the same password.
The vigorous promotion of one party, the ignorance of users, and the negligence of the three parties eventually led to the emergence of multiple incidents. Ultimately, ordinary users lacking safety awareness and skills are exposed to the eyes of the black industrial chain.
In terms of consequences, the occurrence of such incidents is not only a disaster for ordinary users, but also a disaster for the entire industry. Imagine if the security of mobile payment/financial security cannot be guaranteed, and who would dare to continue using it? ? Everyone should work together to improve the level of mobile financial security so as to ensure the healthy development of the industry.
| Some SuggestionsFrom the perspective of banks, it is necessary to balance business development, ease of use, and risk, and take certain risk control measures.
In advance, users of mobile banking are prompted to provide risk warnings, strengthen information security awareness education for users, and improve the safety of mobile banking applications through application detection and reinforcement.
In the event, the upper limit of transfer of SMS verification is controlled, and additional risk control is imposed on large-scale transfer of mobile banking.
Afterwards, it actively pursued and cracked down on illegal and criminal acts against electronic banking, and provided timely compensation to the victimized users.
From the operator's point of view, it is necessary to fully realize that SMS is no longer just a chat tool but is often applied to the occasion of identity authentication. Therefore, it is necessary to comprehensively manage user accounts, SIM card management, communication links, and related value-added services. Improve the security of SMS verification code.
From the perspective of mobile phone manufacturers , we should fully respect the privacy and security of users. We must not store user privacy or even sensitive data in the cloud in order to develop cloud services. The default configuration should not store sensitive information in the cloud, but also strengthen user account management and High-risk operation secondary verification.
For the average user, to increase safety awareness -
Don't just download untrusted apps on your phone;
Do not use insecure Wi-Fi;
Do not use the same password with a simple password or multiple accounts;
If possible, mobile banking and SMS verification use two different mobile phones;
Don't store too much cash in the bank card that has opened a mobile payment transfer.
Lei Feng Net Note: Reproduced please contact the authorization, and retain the source and the author, not to delete the content.