On August 14, Shenzhen Longgang Police announced that it would destroy a new criminal gang of bank card stealing, arrest 10 suspects, confiscated 6 sets of fake base stations and other electronic equipment, and solved more than 50 similar cases, involving more than one million yuan. . According to expert analysis, the suspect intercepted the victim's SMS verification code through the "GSM hijacking + SMS sniffing" technology, thereby completing operations such as stealing and swiping. So far, this is the largest number of people involved and the largest amount of money in this type of case in the country.
"The security risks of implementing identity verification based on SMS verification codes have increased significantly." The National Information Security Standardization Technical Committee pointed out in the "Network Security Practice Guidelines-Technical Guidelines for the Implementation of Network Identity Counterfeiting Attacks on Intercepted SMS Verification Codes."
Netizens meet strange things
Dream of receiving SMS online banking was stolen and brushedAt 5 a.m. on July 30, the netizen who woke up from his dream "fishing in the snow on the cold river alone" discovered a strange thing: "The phone has been shaking. I saw it and received more than 100 verification codes. Alipay, JD.com, and bank. It has everything. I was so scared that I went to look at Alipay. Yu'ebao, balance and money from the associated bank card were all transferred. Jingdong opened the gold bar and white bar functions and borrowed more than 10,000 yuan."
The person is sleeping, and the cell phone is by his side. Who remotely took a peek at the SMS verification code, and also used the SMS verification code to complete operations such as transfer, shopping, and lending? It is understood that this is the use of "GSM hijacking + SMS sniffing" technology by criminals to obtain the content of users' mobile phone text messages in real time, steal user information, and steal user accounts.
"The criminals first use the pseudo base station to obtain the user's mobile phone number, and then use the database leaked online to check the user's name, ID number, bank account number and other information based on the mobile phone number. Then initiate registration or transactions on certain websites, and use and The feature of similar user location steals the user's SMS verification code." said Chen Jiang, an associate professor at the School of Information Science and Technology of Peking University.
According to industry insiders, the sniffing hardware is "as small as a mobile phone and as big as a suitcase, and the lowest cost is only for a meal of Pizza Hut." According to Zhou Zheng, a security expert of Tencent's Guardian Program, most mobile Internet services currently use identification strategies based on mobile phone number and SMS verification, but the authentication and encryption of domestic GSM voice and SMS services are weak. Criminals use a customized, low-cost, easy-to-port sniffing system to obtain the victim's mobile phone number and SMS verification code, and then commit the crime.
There have been many cases of "GSM hijacking + SMS sniffing" stealing brushes. From the end of 2017 to August 2018, the security team of the Tencent Guardian Program assisted the police in Beijing, Fujian, Guangdong and other places in combating 5 such criminal gangs and arrested 25 criminal suspects.
Many SMS vulnerabilities
Identity can be disguised and easily leakedTo register a new account, you need a SMS verification code; if you forget your password and want to log in to the website, you need a SMS verification code; when transferring funds online, you need a SMS verification code... Currently, the technology of using SMS verification codes to verify user identity is widely used in various types Mobile applications and website services.
Chen Jiang said: "Although the SMS verification code is convenient and efficient, and easy to popularize, there are loopholes such as'whether the user uses his own mobile phone to complete the verification operation', which provides an opportunity for criminals to pretend to be victims."
"SMS verification code is the core of account security. It undertakes the task of real-name authentication. It is a key to ensure the security of funds, but the current level of attention is not high." said Zhu Wei, deputy director of the Communication Law Research Center of China University of Political Science and Law.
After logging in to the account through the SMS verification code, the criminals can obtain the user’s private information such as the courier address, consumption records, and address book, and can also “collect†the user’s name, ID card, etc. through methods such as “crashing the database†and “social workâ€. Bank card number, the implementation of funds stealing, telecom fraud, extortion and other activities.
In addition to being "peeped", there are many ways to leak the SMS verification code. Some users clicked on illegal links and their phones were installed with monitoring Trojans; some criminals pretended to be bank customer service and directly asked for the content of the verification code; there were also ghosts in the operator who voluntarily leaked, colluding inside and outside. In addition, functions such as SMS cloud synchronization and automatic verification code filling are intended to be convenient for users, but they may also be used by criminals.
Safe to be upgraded
Change the sending method and add biometrics"Change SMS settings, use VoLTE technology (4G-based voice transmission technology), and use 4G network to transmit text messages." "Turn off the cellular function of the mobile phone and use the wireless network instead" "Turn off the mobile phone at night or adjust to flight mode"... In order to prevent SMS verification codes from being "peeped", many media and enthusiastic users have provided solutions.
However, these programs cannot be done once and for all. For example, even if 4G is used to transmit text messages, criminals may "monitor" in areas where 4G networks are weak, or use special means to "force" text messages on unsecure 2G channels.
The National Information Security Standardization Technical Committee recommends that the network platform may require users to actively send text messages to verify their identity, use voice calls to transmit verification codes, bind users’ common devices and accounts, and use fingerprint recognition, face recognition and other biometric recognition technologies. At the same time, a variety of methods are randomly selected for verification.
"When users transmit sensitive and private information, they should choose relatively high-security communication software, and they should promptly change the network environment when they find abnormal mobile phone signal patterns. The network platform should add a multi-dimensional dynamic verification mechanism, and perform strong verification of abnormal account behaviors. Biometric recognition technology. Operators should improve 4G network coverage and stability, and promote the popularization of high-definition data transmission methods such as VoLTE." Zhou Zheng suggested.
"Third-party payment institutions must pay attention to the safety of funds, stop the service in time when they find abnormalities, and avoid user losses. At the same time, third-party payment must cooperate with banks to form a three-dimensional risk control system.
Nanning Goodman Technology Co.,Ltd , https://www.goodmentech.com