
Nothing left after a night's sleep: how did the phone verification code leak out?

via: 博客园     time: 2018/8/5 19:02:12     read: 356


Huxiu note: Seemingly tight security measures always have vulnerabilities of one kind or another, and the mobile phone verification code, the most frequently used of them, may be among them. What is the reason behind this? Guokr invited TK, a network security expert, to give a detailed analysis.

On Douban, a post about the theft of many accounts has been popular recently.


The victim's cell phone received more than 100 verification codes in the middle of the night, and the victim woke up to find that his Alipay and other accounts had been stolen, with heavy losses.

What happened? These descriptions alone are not enough to work out which method the attacker used. Some people speculate that the text messages carrying the verification codes were intercepted over the air, and others say that switching off the phone before bedtime can prevent wireless interception.

Unfortunately, security has always been more complicated than that. Stealing text messages does not necessarily require wireless monitoring, and even if the attack does use wireless monitoring, switching off the phone before going to bed does not necessarily prevent it.

But we can still discuss why institutions such as banks and Alipay chose the SMS verification mechanism, why the mechanism is not secure enough, and what ordinary users can do.

What is the SMS verification code for?

Generally speaking, information systems are not reliable. A few years ago, when the network security environment was bad, most computers were infected with at least one piece of malware. The situation is better now: malware infections are much rarer than in the past, but there are still many leaks on the server side. In addition, bad guys have stolen all kinds of data over the past decade, so when we think about security we can only assume that everyone's basic information (name, address, ID card number, commonly used passwords and so on) is already in the bad guys' hands.


For example, suppose you use online banking on a computer to make a transfer. The people who design online banking security systems assume that your account password will be stolen by bad guys sooner or later. Under such circumstances, how can you prevent bad guys from using your account password to log on to your online banking system?


Two-factor verification is actually very old, much older than computer technology. Some bank vaults have doors that must be opened with two separate keys, which is a form of two-factor verification. If the US military is to launch a Minuteman nuclear missile, not only must two operators open a lock with a confirmation key to verify that the launch code is correct; two people must also insert two launch keys into two keyholes, and the two keyholes are designed so that one person cannot turn both keys at the same time. This is the advanced version.


The U shield scheme is inexpensive and its security is good, but it is not convenient enough: if you want to be able to use Internet banking at any time, you need to carry the U shield with you at all times.

Therefore, in situations where the security requirements are not so high, people widely use another verification factor: the SMS verification code. A mobile phone is always carried around anyway, so this method is much more convenient than using a U shield.

A mobile phone is a device independent of the computer, and the SMS verification code is independent of the user's password. If we assume that an attacker who has invaded the user's computer, and who holds a lot of the user's personal data, still has no access to the phone's text messages, then SMS is a reliable independent verification factor.

However, as the network environment has changed, SMS verification now faces problems.

Vulnerability of SMS authentication

In addition, for business accessed from a computer, the SMS verification code is a relatively independent factor. But for business accessed on the phone itself, the SMS verification code is not so independent. After the computer is compromised, SMS may still be safe. But after the mobile phone is compromised, the text messages are likely to be taken by the attacker as well.


Operators no longer keep SMS messages on their websites, but some phones have a function that automatically backs up SMS to the cloud. If this function is enabled, the attacker can read the SMS messages as long as he controls your cloud account. At that point, SMS is no longer an independent and trustworthy factor.

So if the phone has no function enabled that saves text messages to the cloud, and the phone itself has not been intruded, can the messages no longer be stolen? Even if you are still using a black-and-white-screen Nokia today, SMS may still be stolen, because the wireless channel used by SMS is not that reliable. Although 3G/4G is now widespread in China, in most areas only Internet data goes over 3G/4G; SMS is still sent over the insecure GSM network, and GSM is very easy to monitor.


More than ten years ago, the equipment needed to steal SMS messages by monitoring wireless signals was worth at least several hundred thousand yuan. But today, thousands of dollars can buy the same function. If your requirements are not high and you are willing to build it yourself, barely usable equipment costs less than one hundred yuan to make. In 2013, I gave a lecture on related topics, which talked about the threat posed by the falling cost of such equipment. Here is a picture of a data traffic reminder message that was obtained by monitoring wireless signals.


Text messages obtained by the author by listening to wireless signals

Some people say that turning off the cell phone before going to bed at night can prevent messages from being stolen through wireless monitoring. That is only half right. Think about it: when you send a text message to someone whose cell phone is off, can the message still be sent? So turning off the phone before going to bed may prevent an attacker near you from stealing your text messages, but it cannot prevent an attacker near the message sender from stealing them. For example, if an attacker wants to steal the verification codes sent by Company A, he only needs to listen to the wireless signal near the device Company A uses to send short messages. For attackers, monitoring near Company A's device is obviously the more cost-effective approach: from that one place, he can steal all the verification codes that Company A sends.

Is there a way to guard against the weaknesses of SMS verification codes?

Two-factor verification by SMS is still better than no second factor at all. But because of these problems, although the SMS verification code can still serve as a verification factor today, companies need to lower the trust they place in it when designing a business security system. At the very least, they need to combine geographical location information, device information, user characteristics and so on to reach an overall judgment, instead of determining the user's identity from a single SMS verification code as they did many years ago.
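As an added illustration (not part of the original article), the following sketch shows a login decision in which a correct SMS code is necessary but not sufficient, and device, location and code-request volume are weighed alongside it. All names, thresholds and sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Profile:                     # what the service already knows about the user
    known_devices: set
    last_lat: float
    last_lon: float

@dataclass
class Attempt:
    sms_code_ok: bool              # the SMS code matched
    device_id: str
    lat: float
    lon: float
    hours_since_last_login: float
    codes_sent_last_hour: int      # verification SMS recently sent to this number

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def decide(a: Attempt, p: Profile) -> str:
    """Return 'allow', 'step_up' or 'deny'. All thresholds are assumed values."""
    if not a.sms_code_ok:
        return "deny"
    risk = 0
    if a.device_id not in p.known_devices:            # device information
        risk += 2
    speed = km_between(p.last_lat, p.last_lon, a.lat, a.lon) / max(a.hours_since_last_login, 0.1)
    if speed > 900:                                   # location: faster than an airliner
        risk += 2
    if a.codes_sent_last_hour > 10:                   # burst of codes to one number
        risk += 2
    if risk == 0:
        return "allow"
    return "step_up" if risk == 2 else "deny"         # one odd signal: ask for more proof

# Constructed sample data (not from the article).
USER = Profile({"phone-A"}, 39.90, 116.40)
USUAL = Attempt(True, "phone-A", 39.90, 116.40, 20.0, 1)
NEW_DEVICE = Attempt(True, "laptop-X", 39.90, 116.40, 20.0, 1)
NIGHT_BURST = Attempt(True, "unknown-Z", 23.13, 113.26, 1.0, 100)

if __name__ == "__main__":
    for name, att in [("usual", USUAL), ("new device", NEW_DEVICE), ("night burst", NIGHT_BURST)]:
        print(name, "->", decide(att, USER))
```

The third sample mirrors the incident described at the top of the article: the code itself is correct, yet the unknown device, the implausible location jump and the flood of code requests together lead to a refusal.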

Users are not without options either: they can try enabling the VoLTE function so that messages are sent over the 3G/4G network, which makes it harder to intercept them through wireless monitoring. The specific methods are:

