Event Review - What went wrong?
On the evening of August 21, an article titled “Xiaomi SMS Synchronization Flaw Causes Parents' Bank Card to Be Fraudulently Charged 100,000 Yuan” drew wide attention. In brief, the incident is as follows:
The victim's parents' SPD Bank card was used to steal 100,000 yuan (including a loan of 40,000 yuan), and it turned out that their Xiaomi Cloud account password had been compromised. The parents had previously enabled Xiaomi Cloud's “SMS synchronization” service, so the bank's verification SMS messages were intercepted.
“My mother's phone is a Xiaomi 5. In the morning the phone received a notification from Xiaomi about a new cloud synchronization device. Twenty minutes later, it received several bank SMS verification codes, multiple transfer-success notices, and a loan-success notice; the time interval was very short.” This is the victim's account in the original post.
Screenshot of Xiaomi's “new cloud synchronization device” notification:
(from the victim's original post; the text has since been temporarily cleared)
Points of doubt:
1. How the bank card number and password were leaked is unclear.
2. Why did the bank grant a loan?
3. Whether the phone was infected with a Trojan is unknown.
In addition, the victim wrote in the original post: “When the criminals logged in to the Xiaomi Cloud service from a browser and enabled the SMS synchronization permission, a verification code was sent to the mobile phone,” but the victim never received it. “The Xiaomi 5 also shows no trace of this verification SMS, and the SIM card was operating normally during this period.” Xiaomi's position is that the device that received this verification code was a Xiaomi 3, so a cloned SIM card is presumably involved. But if the SIM had been cloned, the bank's verification SMS could have been received directly, and there would have been no need to go through Xiaomi Cloud SMS synchronization at all.
(Screenshot from the victim's latest update)
Regarding this statement, Lei Feng Net also consulted senior security personnel, who said that the logic on both sides does not fully hold up.
“First of all, it is true that if the SIM card had already been cloned, there would be no need to obtain the bank's SMS verification code through Xiaomi Cloud. However, what the victim said about cloning causing the original card to fail is wrong. Replacing the card causes the original card to fail; if a card is successfully cloned, both cards can be used at the same time.” That is, a successfully cloned card works alongside the original.
2. SMS verification defects
This is not the first time Xiaomi has been involved in a fraud incident caused by SMS verification flaws.
Last month, Mr. Wang of Shanxi Province had his Xiaomi account stolen; the criminals used the Xiaomi Cloud SMS synchronization service to obtain his SMS verification codes, the messages were deleted from the victim's own phone, and his bank deposits were stolen.
Similarly, operators' SMS hosting services have also been criticized: lawbreakers obtain customers' related information and passwords by illegal means, then use that information to open an “SMS safe deposit box” service for the customers' phone numbers, thereby receiving transaction verification SMS messages and stealing money.
On the one hand, operators launched the SMS verification code service without upgrading SMS security, including the SMS hosting services. On the other hand, other departments regard SMS as a plain communication service, and this cognitive bias leads to a gap between the usage scenario and the design scenario. The bank's view is that since the operator launched the SMS verification code service, the operator must protect the security of the user's text messages.
Beyond the methods above, mobile Trojans, fake base stations and phishing Wi-Fi can all be used to obtain SMS verification codes and, in turn, steal bank deposits.
So why don't banks use hardware tokens? Besides cost, it is the market's pursuit of convenience.
“Why do banks push mobile banking? Because of cost, and because of innovative business and value-added services. Why did Xiaomi want to do cloud services? To increase user stickiness and provide long-tail value-added services, and perhaps also to mine message content for user habits. Where is security in this? Security is neglected under the pressure of business promotion and cost. Users are naked in the dark forest,” the senior security personnel told Lei Feng Net.
3. Not only Xiaomi's responsibility
From the theft of the victim's account, through the cloud service synchronizing the text messages, to the final fraudulent charges on the bank card, this process involved the phone manufacturer, the operator and the bank.
Objectively speaking, it is unreasonable to blame Xiaomi alone in this matter.
First of all, Xiaomi's cloud SMS synchronization is not enabled by default, and the average user keeps the default settings. If you change the default settings, you do so at your own risk.
Pictured:
Secondly, the principle of direct consequences in law is a principle of limited liability: Xiaomi provides cloud services and is responsible only for the cloud service; the bank provides financial services and is responsible for the financial service. A simple example: if a trade secret you sent by SMS is leaked, the operator only bears responsibility for the breach of privacy, not for the contract you lost or the other consequences of the leak.
This statement is too cold for most users. Xiaomi certainly bears some responsibility in this matter. For example, cloud service providers should let users choose which data is stored in the cloud, and sensitive data such as photos, personal privacy and bank information should prompt the user, not be synchronized by default, and require secondary verification.
From the user's point of view, how did the bank card number and password leak? There are too many possibilities:
Is there a problem with the home network?
Have you ever used online banking in an unsafe place?
Did the Xiaomi Cloud SMS backup leak the bank card number and password? (Some people keep their bank card password and similar information in text messages.)
......
One of the suspicious points of this incident is the loan. If the loan was really granted, either the bank's rules have loopholes or bank insiders were involved, because an online loan of this kind should not be possible even at Shanghai Pudong Development Bank.
After the investigation, the core issue of the entire incident is still the bank's risk management. After all, the bank is the ultimate beneficiary of SMS verification.
The bank should segment the scenarios and then apply risk controls: for example, mobile phone payments limited to under 20,000 yuan, or a telephone check on suspicious payment behavior.
This morning, Xiaomi has actively contacted the victim. The victim has also temporarily cleared the post's contents, and the suspicious points remain to be resolved. As of Lei Feng Net's press time, the victim's post read as follows:
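As an added illustration of the kind of scenario-based risk control described above, the following Python snippet is not code from the article or from any of the companies it mentions. It models three bank-side rules against a constructed sequence of account events shaped like the case in the article: a single mobile payment at or above 20,000 yuan, a burst of transfers within a 20-minute window, or a loan application arriving right after such a burst each trigger a step-up (for example a telephone check) instead of relying on the SMS code alone. The 20,000 yuan limit is the figure from the article; the window length, the transfer count and the event format are assumptions.

```python
"""Scenario-based risk control for mobile banking events (added example).

Rules (assumptions, modelled on the article's suggestions):
  - a single mobile transfer >= MOBILE_PAYMENT_LIMIT yuan requires step-up
  - MAX_TRANSFERS_IN_WINDOW or more transfers inside WINDOW require step-up
  - a loan application while transfers are still inside WINDOW requires step-up
Step-up means an out-of-band check (phone call, branch visit), not another SMS.
"""
from datetime import datetime, timedelta

MOBILE_PAYMENT_LIMIT = 20_000          # yuan; threshold stated in the article
WINDOW = timedelta(minutes=20)         # assumption: velocity window
MAX_TRANSFERS_IN_WINDOW = 3            # assumption: transfers allowed per window

# Constructed sample events (not real data). Amounts in yuan.
SAMPLE_EVENTS = [
    {"ts": datetime(2016, 8, 20, 18, 5), "type": "transfer", "amount": 500},
    {"ts": datetime(2016, 8, 21, 9, 30), "type": "transfer", "amount": 5_000},
    {"ts": datetime(2016, 8, 21, 9, 33), "type": "transfer", "amount": 18_000},
    {"ts": datetime(2016, 8, 21, 9, 35), "type": "transfer", "amount": 25_000},
    {"ts": datetime(2016, 8, 21, 9, 40), "type": "loan_application", "amount": 40_000},
    {"ts": datetime(2016, 8, 21, 9, 42), "type": "transfer", "amount": 12_000},
]


def assess(events):
    """Evaluate events in time order.

    Returns a list of (event, decision, reasons) where decision is
    "allow" or "step_up" and reasons lists the rules that fired.
    """
    recent = []     # transfers still inside the sliding window
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        # Expire transfers that have fallen out of the window.
        recent = [r for r in recent if ev["ts"] - r["ts"] <= WINDOW]

        if ev["type"] == "transfer":
            if ev["amount"] >= MOBILE_PAYMENT_LIMIT:
                reasons.append("amount at or above mobile payment limit")
            # Count this transfer together with the earlier ones in the window.
            if len(recent) + 1 >= MAX_TRANSFERS_IN_WINDOW:
                reasons.append("transfer velocity")
            recent.append(ev)
        elif ev["type"] == "loan_application":
            if recent:
                reasons.append("loan request immediately after transfers")

        decision = "step_up" if reasons else "allow"
        results.append((ev, decision, reasons))
    return results


def decisions(events):
    """Convenience view: just the allow/step_up decision per event."""
    return [decision for _, decision, _ in assess(events)]


if __name__ == "__main__":
    for ev, decision, reasons in assess(SAMPLE_EVENTS):
        print(f"{ev['ts']:%m-%d %H:%M} {ev['type']:<17} {ev['amount']:>7} "
              f"{decision:<8} {'; '.join(reasons)}")
```

Run against the constructed sequence, the first three transfers pass, the 25,000 yuan transfer at 09:35 is stopped on both the amount and velocity rules, the loan request at 09:40 is stopped because transfers are still inside the window, and the 09:42 transfer is stopped on velocity. The point of the design is that an attacker who controls the SMS channel can pass every OTP challenge, so the controls that matter are the ones the SMS channel cannot satisfy: amount ceilings and out-of-band confirmation once behaviour deviates from the account's normal pattern.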
With regard to the question of responsibility behind this incident, Lei Feng Net has invited the vice president of Gundam Starshot to provide an in-depth analysis; follow Lei Feng Net for the follow-up.
Lei Feng Net note: For reprinting, please contact us for authorization and retain the source and author; do not delete any of the content.