WingNews logo WingNews
top | item 28719193

(no title)

flixic | 4 years ago

Banking systems in Baltic countries use a unified 2FA system called SmartID[0]. When authenticating to bank via phone, they ask for two things: your user ID (which is not secret), and to authenticate using Smart ID, which means entering a PIN on your phone.

However, each PIN entry is accompanied by "code check": bank's support person says their 4 digit code, and you can verify that it matches on request for PIN screen. This neatly prevents someone pretending to be a bank during a call, because each PIN request uses a different "code check".

[0]: https://www.smart-id.com

discuss

order

btown|4 years ago

Is it still vulnerable to a MITM attack though, e.g. https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-lo... ?

Attacker wants Victim's code. Attacker calls the Bank impersonating Victim, and also calls Victim impersonating the Bank. Bank tells Attacker the code check, Attacker tells Victim the code check, Victim sees the match and enters their PIN into the Smart-ID app, and Attacker's phone session with Bank is now fully authenticated and has no more need for Victim.

flixic|4 years ago

I never thought about this, but yes, I think it can be MITM'ed exactly as you described. Same attack can probably be performed on the web, where Smart ID is also a sign in method.

im3w1l|4 years ago

I like how the ones in my country work, when you want to send money you have to sign the transfer with the 2fa app, and the 2fa app itself will display how much money you are transferring, preventing an mitm from displaying one amount but actually sending another. However the recipient is not displayed. So a mitm could modify a legitimate transfer to have another recipient, stealing the $100 destined for your utility bill. But at least that is not a catastrophic loss.

londons_explore|4 years ago

It can still be man-in-the-middle'd. Theres no way to know the attacker isn't calling you on one line while calling your bank on the other. As soon as you've authenticated, they'll continue talking to your bank, and fob you off with some excuse like "oh, the system is down, can you call back tomorrow".