A netizen recently posted that when he woke up in the morning, he found that his mobile phone had received more than 100 verification codes, and that the balances of his Alipay account, Yu'ebao and the linked bank cards had all been transferred away. On his JD.COM account, Gold Bar and Baitiao (white bar) loan products had been opened, and more than 10,000 yuan had been borrowed and transferred out. The news caused great concern.
According to an investigation by Zi Niu News (Yangzi Evening News) reporters, quite a few people have been hit by this kind of SMS verification code attack recently. Previous reports have not fully explained the attack methods, and preventive suggestions such as "turning off your phone while sleeping" are not necessarily useful. Experts point out that the continuing wave of SMS verification code attacks is a sign that the attack tools have become industrialized. Using SMS to verify identity can no longer guarantee security, so it needs to be improved as soon as possible and a more secure method chosen. Zi Niu News reporter Song Shifeng
SMS verification code attacks occurred one after another, mostly in Longgang, Shenzhen
On August 1st, a netizen in Longgang District, Shenzhen, using the handle "an old man fishing in the cold river-snow", posted: "I woke up at 5 am on July 30th needing to go to the bathroom, and found that my mobile phone had been buzzing. At first glance I saw I had received more than 100 verification codes, from Alipay, JD.COM, the bank, everything. I was so scared I was suddenly wide awake and went to check Alipay. The Yu'ebao balance, the account balance and the money in the linked bank card had all been transferred away. On my JD.COM account, Gold Bar and Baitiao (white bar) loans had been opened and more than 10,000 yuan borrowed."
Another victim lives near the central city area of Longgang, Shenzhen. He told the Zi Niu News reporter that while he was sleeping at 6 o'clock on the morning of July 24, he suddenly heard his mobile phone ringing non-stop. He picked it up and found that he had received more than 100 SMS verification codes. "Alipay, JD.COM, banks, house purchase, everything. Suddenly I saw a charge of 2,999 yuan, and I was instantly wide awake." He immediately called China Construction Bank to report the card lost and froze his JD.COM account, then reported the case to the police station. While filing the report, he found that 466.12 yuan had been fraudulently charged through Alipay, 5,000 yuan through his Construction Bank card, and 19,000 yuan had been borrowed through JD.COM IOUs (Baitiao).
There was an earlier victim in Longgang District, Shenzhen. He told the Zi Niu News reporter that he was attacked via SMS verification codes on the night of May 27th. Criminals broke into his China Merchants Bank online banking client this way, raised his credit card limit from 30,000 yuan to 40,000 yuan, and then drained it all. Because his Agricultural Bank card was also linked to his China Merchants Bank online banking, the balance of that card was swiped away as well. The next morning he turned on his mobile phone, only to find more than 70 SMS verification codes and debit notifications. On the night of July 5, his wife was attacked in the same way.
Although Longgang District in Shenzhen may be a hotspot, such attacks are not limited to there. Qian Qian (pseudonym), a victim in Wuhan, told the Zi Niu News reporter that she was attacked in the early hours of July 18th: her CCB online banking was compromised and her JD.COM account was broken into. However, because her bank card balance was only a little over 300 yuan, the actual loss was not large.
Claims for compensation frequently meet with buck-passing; victims' experiences "could fill a book"
After an attack, the victims' experience of seeking redress was quite difficult. They have to go to the police station to report the case and give a statement, go to the bank to print transaction records and query the account anomalies, contact Alipay customer service, JD.COM customer service and the customer service of various banks, and wait for the various case officers to reply.
Mr. Tang's loss occurred mainly on the JD.COM platform. He believed that JD.COM's checks on the authenticity of user accounts were seriously deficient, and that the Gold Bar loan review process was useless. He said that he communicated with JD.COM staff many times at first, but every time they shirked responsibility. Other victims often run into similar situations when negotiating with institutions such as Alipay.
Some victims had no choice but to go public online, and after the experience of the netizen "an old man fishing in the cold river-snow" was reported by the media, the attitude of third-party payment platforms such as JD.COM and Alipay began to become more positive.
JD.COM said on the 4th that it could waive the 11,000 yuan Gold Bar loan taken out in the name of "an old man fishing in the cold river-snow". Alipay staff told him on the 5th that they would reimburse the 932.31 yuan Q-coin recharge order charged through Alipay and exercise the right of subrogation. Mr. Tang received a phone call from JD.COM on the 6th expressing willingness to cover his loss, though he still needs to submit some information. Ms. Wu Fang of the JD Finance marketing department told the reporter that JD Finance paid close attention to the matter and had set up a dedicated channel for handling fraudulent charge cases.
In contrast, victims generally find it harder to negotiate with banks. Qianqian first approached the bank and met with buck-passing. She went to the police station to make a statement, but the amount was too small to open a case; the police asked her to complain about the bank to the CBRC. After she complained, the bank called back to say that the case had been sent back to the bank and that someone would contact her to collect information and start the claims process. However, whether compensation is paid after the information is provided depends on a review by the provincial branch, and at most 70% of the fraudulently charged amount is paid. The victim whose wife had also been attacked told the reporter, "From May to August, you could write a book about the experience of trying to get compensation after bank cards were fraudulently charged."
Attack equipment for one or two hundred yuan: the security of mobile phone text messages is worrying
After this SMS verification code attack was exposed, some people called it a "GSM hijacking + SMS sniffing" attack: criminals set up a pseudo base station to collect the mobile phone numbers around it, then use SMS sniffing equipment to read the text messages. However, a veteran of the information security field said that the specific attack type cannot be determined, and that there are many ways to obtain an SMS verification code.
Seeker (Zou Xiaodong), the founder and CEO of China Haitian Group Co., Ltd., enjoys a high reputation in the network security field and is known as the "hacker alchemist"; in 2016 he exposed the vulnerability of using pseudo base stations to attack SMS verification codes. Zou Xiaodong told the Zi Niu News reporter that there are four ways to attack SMS verification codes, two of which do not need a pseudo base station. More frightening still, three of the four methods can intercept the text message so that the victim's phone never receives it. Without the inexplicable verification codes and consumption notices showing up on the phone, the victim may not even know the account has been attacked.
Zou Xiaodong said that these victims appear to have encountered the most low-end of these attack methods; all the equipment needed can be obtained for as little as 100 to 200 yuan. Because it is relatively low-level and not difficult, it is easily mastered by the black industry and has a large social impact.
As early as 2011, the GSM mobile network was cracked. GSM carries not only calls but also text messages. Although mobile communication has generally been upgraded to the more secure 4G network, the GSM network is still in service.
Criminals use jammers and similar devices to force nearby mobile phones down onto the GSM network, after which they can eavesdrop on the victim's SMS verification codes. In addition, leakage of personal information is now very serious: a user's mobile phone number, ID number, bank card number, home and work address and the like can almost all be bought at very low prices. Once an attacker holds the user's phone number and SMS verification codes, such a user is essentially transparent to the attacker.
When banks and third-party payment platforms verify user identity using SMS alone, there is no security against such attackers. Some people suggest that users turn off their phones at night to prevent SMS verification code attacks. On this, Zou Xiaodong said, "Turning the phone off or using airplane mode helps, but don't forget that it can still be attacked once it is turned on again, and there are many ways to make the victim's phone not receive or not display the text message."
Experts say: businesses with loopholes that do not fix them in time should bear the main responsibility
Zou Xiaodong said: "From a hacker's point of view, no one's system is 100% secure, and it is impossible for every service to pursue 100% security in its design. They all make some compromises for ease of use. Users and businesses have enjoyed the benefits of ease of use in the past, and as long as the security risk is kept within a certain range, it is not serious. When the threat from the black industry increases, businesses should respond in time and add security measures. At the same time, ease of use has brought more benefit to businesses than to individual users, so morally, businesses should bear most of the losses in the Shenzhen cases."
Logics, a well-known legal blogger, told the Zi Niu News reporter: "At present, judicial thinking in bank card theft cases in China is fairly clear, namely to protect the interests of depositors and strictly require banks to fulfil their security obligations."
He said that a case in Shanghai was selected by the Supreme People's Court as a model case for protecting people's livelihoods, and the judge reasoned as follows: banks are better placed to prevent criminals from using banks to commit crimes, so banks should formulate sound business rules and abide by them strictly, avoid risks as far as possible and ensure the safety of depositors' deposits.
Logics believes that the court may find that the mobile online banking service provided by the bank failed to withstand similar technical means, a "security obligation" not expressly stipulated by law, and require the bank to bear liability for compensation.
Attack tools may be industrialized
It's time to say goodbye to the SMS verification code
Zou Xiaodong told the Zi Niu News reporter that the SMS verification code really is fragile; the loopholes have always existed, and solutions exist. It has been kept on as an identity authentication method only because it is convenient. Zou Xiaodong believes that a secure system should adopt at least "two-factor authentication", that is, authenticating users by combining two conditions, a password and a physical object; only when both pass is identity authentication considered successful.
In fact, the central bank has long demanded "two-factor authentication". On June 13th, 2016, the People's Bank of China issued the Notice on Further Strengthening the Risk Management of Bank Cards, requiring all commercial banks, payment institutions and card clearing institutions to strengthen internal control management and the security protection of sensitive payment information.
The notice explicitly requires strengthening identity authentication when opening business. From November 1, 2016, when establishing bank-card-based business relationships with payment institutions and commercial institutions, commercial banks must strictly apply multi-factor identity authentication to identify the customer directly and obtain the customer's authorization. Identity authentication should combine at least two of the following: digital certificate, transaction password and dynamic token device.
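The "dynamic token device" the notice lists is the factor that an SMS sniffer never sees, because the code is computed on the device from a shared secret and the time rather than delivered over the air. The following is an added example written for this article, not code from any bank, from the People's Bank of China or from the experts quoted: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) dynamic-token algorithms and combines the token check with a password check so that both factors must pass. The secret, counters and timestamps used are the published RFC test values; a real token would be provisioned with a random per-device secret.

```python
"""Dynamic-token second factor: RFC 4226 HOTP and RFC 6238 TOTP plus a password check.

Added illustration of the "dynamic token" factor named in the central bank notice;
not code from the article, from any bank or from the People's Bank of China.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real token
# would be provisioned with a random per-device secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value over an 8-byte big-endian counter (RFC 4226, HMAC-SHA1)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP value: HOTP over the number of 30-second steps elapsed (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step or +/- `skew` steps (clock drift)."""
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def two_factor_login(password_ok: bool, secret: bytes, submitted_code: str,
                     unix_time: int) -> bool:
    """Both factors must pass: something the user knows and the token they hold."""
    # Evaluate the token regardless of the password result so that response
    # timing does not reveal which factor failed.
    token_ok = verify_totp(secret, submitted_code, unix_time)
    return password_ok and token_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "accepted:",
          two_factor_login(True, RFC_TEST_SECRET, code, now))
```

A code is only ever valid for its 30-second step (plus the small drift allowance), and nothing about it is transmitted to the phone, so a downgraded GSM connection yields the attacker nothing. A transaction password alone is still one factor; it is the combination with the token that satisfies the "at least two kinds" requirement.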
The notice also requires all commercial banks and payment institutions to use big data analysis, user behaviour modelling and other means to establish transaction risk monitoring models and systems, to warn promptly of abnormal transactions, and to take measures such as investigation and verification, risk warnings and delayed settlement. For abnormal behaviour such as batch or high-frequency logins, the IP address, terminal device identification information and browser cache information should be used for comprehensive identification, and additional verification or rejection of the request applied in time.
Many victims received hundreds of verification and transaction messages in a short period, and it is doubtful whether the banks and payment institutions concerned fulfilled the monitoring obligations that the central bank requires.
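The pattern every victim above describes, dozens of codes from several services within minutes before dawn, is exactly the "high-frequency" anomaly the notice asks institutions to catch. The following added example, written for this article and not taken from any bank, payment platform or the central bank, shows the simplest form of such a check: a per-phone sliding window over a verification-code send log that escalates to additional verification or rejects the request. The log format, the sample lines and the thresholds are all assumptions constructed for the example.

```python
"""Burst detector for SMS verification-code sends.

Added example (not code from the article, the central bank or any bank or payment
platform): a per-phone sliding-window check that flags many codes from several
services inside minutes and returns the kind of decision the notice calls for
(additional verification or rejecting the request). Log format and thresholds
are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an SMS gateway log (not real data). One send per line:
# ISO timestamp, requesting service, destination phone number.
SAMPLE_LOG = """\
2018-07-30T04:55:10 bankA 13800000002
2018-07-30T05:01:02 alipay 13800000001
2018-07-30T05:01:09 alipay 13800000001
2018-07-30T05:01:31 jd 13800000001
2018-07-30T05:02:05 jd 13800000001
2018-07-30T05:02:40 bankA 13800000001
2018-07-30T05:03:12 bankA 13800000001
2018-07-30T05:03:50 bankB 13800000001
2018-07-30T05:20:00 jd 13800000002
2018-07-30T05:30:00 alipay 13800000004
2018-07-30T05:31:00 jd 13800000004
2018-07-30T05:32:00 bankA 13800000004
2018-07-30T06:10:00 bankA 13800000003
2018-07-30T06:12:00 bankA 13800000003
"""

WINDOW = timedelta(minutes=10)  # assumed sliding window length
CODE_LIMIT = 5                  # assumed: codes per phone per window before rejecting
SERVICE_LIMIT = 3               # assumed: distinct services per window before step-up


def parse_log(text: str):
    """Parse log lines into (timestamp, service, phone) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, phone = line.split()
        events.append((datetime.fromisoformat(ts), service, phone))
    events.sort(key=lambda e: e[0])
    return events


def assess(events, window=WINDOW, code_limit=CODE_LIMIT, service_limit=SERVICE_LIMIT):
    """Return {phone: (peak_codes, peak_services, verdict)}.

    verdict is 'allow', 'step_up' (demand a factor that does not travel by SMS,
    such as a dynamic token, before honouring the request) or 'reject' (refuse
    further codes and hold any settlement for manual review).
    """
    recent = defaultdict(deque)        # phone -> (ts, service) pairs inside the window
    peak_codes = defaultdict(int)
    peak_services = defaultdict(int)
    for ts, service, phone in events:
        q = recent[phone]
        q.append((ts, service))
        while ts - q[0][0] > window:   # drop sends older than the window
            q.popleft()
        peak_codes[phone] = max(peak_codes[phone], len(q))
        peak_services[phone] = max(peak_services[phone], len({s for _, s in q}))
    verdicts = {}
    for phone in peak_codes:
        if peak_codes[phone] >= code_limit:
            verdict = "reject"
        elif peak_services[phone] >= service_limit:
            verdict = "step_up"
        else:
            verdict = "allow"
        verdicts[phone] = (peak_codes[phone], peak_services[phone], verdict)
    return verdicts


if __name__ == "__main__":
    for phone, (codes, services, verdict) in sorted(assess(parse_log(SAMPLE_LOG)).items()):
        print(f"{phone}: {codes} codes from {services} services within {WINDOW} -> {verdict}")
```

A single institution only sees its own sends, which is why the cross-service count matters most where a gateway or carrier aggregates traffic; an individual bank would pair the per-phone count with the IP address and device identification the notice mentions. Delayed settlement for flagged accounts is what turns a detection into a recoverable loss rather than a transferred one.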
Zou Xiaodong pointed out: "If there are many SMS verification code attacks in quick succession, it is a sign that the attack tools may have been industrialized. In that case, it is even less viable to rely solely on the SMS verification code." SMS had its glory days: in 2012, the number of text messages sent nationwide reached an astonishing 897.31 billion. With changes in how people communicate, SMS has declined rapidly in recent years, and receiving verification codes has almost become its main function. But in the face of attacks from the black industry, it may be time to say goodbye to the mobile phone verification code.