Something you should be aware of...

[Tronhard]

While this may not be seen as strictly a photography issue, it's worth being aware of...

http://www.nzherald.co.nz/business/n...ectid=11851025

for the technically inclined here is an article from the IEEE:

https://securityintelligence.com/ss7...gned-that-way/

In short relying on two-step authentication using your cell phone to send you a text code is not as secure as most would like to think.

[george013]

While this may not be seen as strictly a photography issue, it's worth being aware of...

http://www.nzherald.co.nz/business/n...ectid=11851025

for the technically inclined here is an article from the IEEE:

https://securityintelligence.com/ss7...gned-that-way/

In short relying on two-step authentication using your cell phone to send you a text code is not as secure as most would like to think.

I never have understood and probably never will how we accept the use of a cell phone for more and more private issues. The cell phone is the last tool I'll use for that.

George

[Tronhard]

The problem is that most of us want convenience, and when that, along with the addictive nature of these devices to connect to the world are combined we have a generation who are tied to their cell phones. Having worked in IT security for some years I was aware of the dangers of the architectures that are associated with cell devices - created at a time when no-one really envisaged the development of smart phones apps. I never use the cell for anything except the odd call or text, or to find out where something is. But so many people use them for everything, and seek out free Wi-Fi sites to do it on. When I was teaching classes at NZ's largest Telco, I ran a poll to see how many employees had security software on their phones, and was appalled to discover that VERY few did, yet they were doing all sorts of things, including banking on their phones. I showed them a graph plotting the movement of malware attacks from conventional computers to smartphones going up exponentially as hackers exploited both the vulnerabilities of the devices and the ignorance of their users. I have three security packages on mine.

[DanK]

I have three security packages on mine.

I'm curious: which? I'd be interested in installing one or more, I think.

[Tronhard]

Essentially phones are computers, so you need reliable internet security packages to avoid the same malware risks as their bigger cousins. There are some good free packages out there, but they tend to have their strengths and weaknesses: hence multiple apps. Also it depends what operating system you use, so I suggest you do a Google search for best (pay- or free-ware) phone security packages for your configuration. I have installed on my laptop a full copy of Norton Internet Security, and I got a full package for free to put on my phone. I also have Norton's excellent (free) Identity Safe (ID vault) software, plus Avast free and Malware Plus.

What a lot of people don't do is read the fine print in the agreement for their internet banking software. I know that my bank has a clause that stipulates that ANY device used to access their bank via the web must have an approved internet security package, up-to-date. Failure to do so could mean the bank would not cover losses due to a malware attack. Frankly, as I have said I personally would NEVER use a phone to do banking.

[lunaticitizen]

You must be a really high-value target since the attackers have to go through the effort of infecting your PC with a malware, deciphering the login information for your online banking account, identifying your phone number, and finally re-routing messages to the attackers' phone. Well, if the bank account contains lots of zeros in it I guess it would be worth it..

Some better options to protect yourself would be using a dedicated security token, or even using a novel technology for authentication. The level of inconvenience might be acceptable for security-conscious users, although it also depends on your bank to provide them to you.

[JBW]

Personally I chucked my cell phone. Perhaps something to remember. During WW2 both Germany and Japan believed their electronic security and all around top secret encoding was 100% reliable. It wasn't. Either is anything you can put into your cell phone or computer.

[Tronhard]

Not at all... what you describe is only one, and not very efficient type of intrusion. The money is in the gathering of information and attacking on a grand scale and it's all automated. Some malware is used to automatically hoover data en masse which is then on-sold to criminals who will use it for their own purposes, including using your credentials to infect other, perhaps more lucrative targets. Recent scams have included a malware attack on over 2,000,000 phones that withdrew the paltry sum of $65.49 from the each of the owners' accounts. Many people either did not notice or never bothered to follow up the small deduction, but the hackers took $130M on that one attack. So individually not high value targets but together a nice income.

The point of the article I posted was that many institutions use two-step authentication to enhance their security, however this is based on a set of protocols that are themselves flawed and vulnerable to attack. This cannot be resolved alone by users, it must be dealt with at a corporate and governmental level, and likely involve some work in tightening up security through the IEEE. However many users are their own worst enemies by not protecting their devices and by using unsecured networks to do things like banking.

You must be a really high-value target since the attackers have to go through the effort of infecting your PC with a malware, deciphering the login information for your online banking account, identifying your phone number, and finally re-routing messages to the attackers' phone. Well, if the bank account contains lots of zeros in it I guess it would be worth it..

Some better options to protect yourself would be using a dedicated security token, or even using a novel technology for authentication. The level of inconvenience might be acceptable for security-conscious users, although it also depends on your bank to provide them to you.

[lunaticitizen]

Not at all... what you describe is only one, and not very efficient type of intrusion. The money is in the gathering of information and attacking on a grand scale and it's all automated. Some malware is used to automatically hoover data en masse which is then on-sold to criminals who will use it for their own purposes, including using your credentials to infect other, perhaps more lucrative targets. Recent scams have included a malware attack on over 2,000,000 phones that withdrew the paltry sum of $65.49 from the each of the owners' accounts. Many people either did not notice or never bothered to follow up the small deduction, but the hackers took $130M on that one attack. So individually not high value targets but together a nice income.

I'm not sure I'm following you. Is the incident you cited above related to the vulnerability of two-factor authentication? I don't understand how a malware can identify login information for your online banking account. The login information isn't supposed to be saved to smartphones. You are supposed to input the information manually every time you access the account.

The point of the article I posted was that many institutions use two-step authentication to enhance their security, however this is based on a set of protocols that are themselves flawed and vulnerable to attack. This cannot be resolved alone by users, it must be dealt with at a corporate and governmental level, and likely involve some work in tightening up security through the IEEE. However many users are their own worst enemies by not protecting their devices and by using unsecured networks to do things like banking.

Yes, according to the article you cited SS7 is vulnerable to attacks. Why don't we just stop using SMS as the second factor of two-factor authentication? It's faster than trying to fix something that wasn't designed to be secure. There are methods better than using SMS, such as using an authenticator application. Google has an app for that.

[Tronhard]

Hi Leo:

My first comment is a response to my understanding of your somewhat smart comment: "You must be a really high-value target since the attackers have to go through the effort of infecting your PC with a malware, deciphering the login information for your online banking account, identifying your phone number, and finally re-routing messages to the attackers' phone" . Well, since you brought the subject up, at one time I might have been a high-value target, but not for my bank account, as I worked in Military Intel, which is one reason I am not on social media and I don't do more than the most basic things on my smartphone. My point was that many malware attacks are carried out en masse and not one at a time as you seemed to suggest, and users are particularly vulnerable when users connect with unsecured Wi-Fi.

As regards your comment: "Why don't we just stop using SMS as the second factor of two-factor authentication?" Since the vulnerability has been known for some years I completely concur! Ironically this at a time when several major service providers are moving TO two-factor authentication!

[lunaticitizen]

Hi Leo:

My first comment is a response to my understanding of your somewhat smart comment: "You must be a really high-value target since the attackers have to go through the effort of infecting your PC with a malware, deciphering the login information for your online banking account, identifying your phone number, and finally re-routing messages to the attackers' phone" . Well, since you brought the subject up, at one time I might have been a high-value target, but not for my bank account, as I worked in Military Intel, which is one reason I am not on social media and I don't do more than the most basic things on my smartphone. My point was that many malware attacks are carried out en masse and not one at a time as you seemed to suggest, and users are particularly vulnerable when users connect with unsecured Wi-Fi.

As regards your comment: "Why don't we just stop using SMS as the second factor of two-factor authentication?" Since the vulnerability has been known for some years I completely concur! Ironically this at a time when several major service providers are moving TO two-factor authentication!

Trev,

I meant "you" here as a substitute word for "people" or "victims", not you personally. I should've been more precise with a language that isn't my mother tongue.

My understanding as a layman is that you can't automate this particular attack by using a malware, because it can't possibly gain the information that isn't supposed to exist (such as the login information of online banking account). If it can't be automated, then purposely targeting "high-value" people must be the only reason why hackers are using this kind of attack. The ROI of attacking "low-value" targets is surely bad! Obviously I was wrong about the automation, according to the incident you cited.

[Tronhard]

Hi Leo:

Thank you for your explanation, and no harm done. Hacking into devices has become a lot more sophisticated than it used to be. At one time your comment would have been spot on, however, led by major crime rings, terrorists and various countries militaries, there have been major advances in mass intrusions. Absolutely, you will still get individual emails from people who have "come into fortunes they need you to move" for a small fee, and the inevitable dreary queue of messages telling me some account or other has been locked and would I please click on "this link". They are still an issue, but the real damage is done from places like the North Korea, China, Russia and the middle east (although not necessarily directly) using highly sophisticates system disseminated via the dark web. In the case of terrorists they are harvesting funds for their activities, criminals are just that, and government-sponsored intrusions may not be after money itself, but tracking it and people.

Cyber warfare is going on constantly and on an ever-increasing scale. As recent events in the UK, USA and France have shown massive attacks have taken information and released it, along with carefully crafted mis-information via social media.

[proseak]

"..it can't possibly gain the information that isn't supposed to exist (such as the login information of online banking account)"

Keyloggers are used for just that purpose.

I concur with the OP about much of this - while I have a cell, it's a Dumbphone, and carries little sensitive info. When I suggest installing a security app, only one person has said "Yes, I'll do that now"; the others have said they might do it next week, or just not bother. Many people seem to think that because their phones are in their pocket, they are secure.

I wonder how long before the billion phone botnet is upon us?