
After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

O2 confirms online thefts using stolen 2FA SMS codes


Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people's calls and text messages to miscreants' devices. Now we've seen the first case of crooks exploiting the design flaws to line their pockets with victims' cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

In 2014, researchers demonstrated that SS7, which was created in the 1980s by telcos to allow cellular and some landline networks to interconnect and exchange data, is fundamentally flawed. Someone with internal access to a telco – such as a hacker or a corrupt employee – can get access to any other carrier's backend in the world, via SS7, to track a phone's location, read or redirect messages, and even listen to calls.

In this case, the attackers exploited a two-factor authentication system of transaction authentication numbers used by German banks. Online banking customers need to get a code sent to their phone before funds are transferred between accounts.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.

While security experts have been warning about just this kind of attack – and politicians have increasingly been making noise about it – the telcos have been glacial at getting to grips with the problem. The prevailing view has been that you'd need a telco to pull off an assault, and what kind of dastardly firm would let itself be used in that way?

That may have worked in the 1980s, but these days almost anyone can set themselves up as a telco, or buy access to the backend of one. To make matters worse the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol, also has security holes, according to the Communications Security, Reliability and Interoperability Council at America's comms watchdog, the FCC.

This first publicly confirmed attack will hopefully ginger up efforts to fix issues with SS7, at least in Europe, where Germany has a leadership position. As for the US, it might take a series of SS7 assaults before the telcos get their backsides into gear. ®

PS: A US Department of Homeland Security report this month admitted SS7 "can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations" to hijack messages and calls.

Basically, it's time to stop using SMS for two-factor authentication for sensitive stuff.
