Can you or someone else explain/link to me the basics of why SMS-based 2FA is so terrible? I've never really heard the sentiment before, but it appears to be common knowledge.
Because the telephone companies are terrible about security and often highly disorganized internally. They are beyond stupidly susceptible to Social Engineering and any "passcodes" against giving away access do not stand in the face of stupid customers and the need for customer service to satisfy them.
Your number can easily be stolen or redirected to get and sometimes send SMS from/to your number. Your cell phone account is the linchpin for a very extensive identity theft attack.
In their defense, being able to successfully identify that a customer is who they say they are is a difficult problem that is only compounded when you might only speak to a customer as infrequently as every few years. 2F devices and codes can be lost. Passwords and PINs can be forgotten. Answers to security questions can change. Have you ever tried to access your own account with a company like this without this data? There are few things more frustrating than being locked out of your account because you can't recall what you said your favorite movie was in 2012. Throw in the low odds of actually being targeted in a social engineering attack, and companies optimize for customer satisfaction and convenience over security.
Blaming companies for responding to those incentives isn't going to accomplish anything. The way to fix things is to change the incentives, by either increasing the punishment for falling for social engineering or creating a system that makes it easier to remotely identify people.
In May 2017, O2 Telefónica, a German mobile service provider, confirmed that cybercriminals had exploited SS7 vulnerabilities to bypass two-factor authentication (2FA) to make unauthorized withdrawals from users' bank accounts. The criminals first installed malware on people's computers, allowing them to steal online banking users' account credentials and phone numbers. Then the attackers purchased access to a fake telecom provider and set up redirects from the victims' phone numbers to lines controlled by them.
Telephone companies are insecure and susceptible to social engineering, and their backup authentication schemes often rely on publicly accessible information. This enables attackers to hijack the account and reassign the phone number to a device they control.
This seems to indicate a level of sophistication beyond traditional hacking skills. How did they get the phone number to know which carrier to contact to socially engineer?
Also, I am not sure I understand:
> we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident
It seems that obtaining employee login credentials was the root cause, and bypassing 2FA was the second hurdle but not the root cause.
You don't need to know the carrier, just the number. Talk to a carrier in the country and ask to port "your" number to a new plan. Most salespeople would have no problem ignoring security for a sale.
It's too easy to hijack someone's phone number by socially engineering a phone company (ignoring routing/signaling vulnerabilities). A quick search brought up this article:
Your number can easily be stolen or redirected to get and sometimes send SMS from/to your number. Your cell phone account is the linchpin for a very extensive identity theft attack.