After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

O2 confirms online thefts using stolen 2FA SMS codes

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people's calls and text messages to miscreants' devices. Now we've seen the first case of crooks exploiting the design flaws to line their pockets with victims' cash.

O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.

In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

In 2014, researchers demonstrated that SS7, which was created in the 1980s by telcos to allow cellular and some landline networks to interconnect and exchange data, is fundamentally flawed. Someone with internal access to a telco – such as a hacker or a corrupt employee – can get access to any other carrier's backend in the world, via SS7, to track a phone's location, read or redirect messages, and even listen to calls.

In this case, the attackers exploited a two-factor authentication system of transaction authentication numbers used by German banks. Online banking customers need to get a code sent to their phone before funds are transferred between accounts.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.

While security experts have been warning about just this kind of attack – and politicians have increasingly been making noise about it – the telcos have been glacial at getting to grips with the problem. The prevailing view has been that you'd need a telco to pull off an assault, and what kind of dastardly firm would let itself be used in that way.

That may have worked in the 1980s, but these days almost anyone can set themselves up as a telco, or buy access to the backend of one. To make matters worse the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol, also has security holes, according to the Communications Security, Reliability and Interoperability Council at America's comms watchdog, the FCC.

This first publicly confirmed attack will hopefully ginger up efforts to fix issues with SS7, at least in Europe, where Germany has a leadership position. As for the US, it might take a series of SS7 assaults before the telcos get their backsides into gear. ®

PS: A US Department of Homeland Security report this month admitted SS7 "can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations" to hijack messages and calls.

Basically, it's time to stop using SMS for two-factor authentication for sensitive stuff.

Send us news

Fukushima studies show wildlife is doing nicely without humans, thank you very much

Biodiversity increasing, endangered species gradually returning despite radioactive terror pig presence

Studies of biodiversity around the former Fukushima nuclear power plant in Japan have shown that a decade after the nuclear incident there in March 2011, the local wildlife, at least, is mostly thriving.

The incident at the Fukushima Daiichi site – in which three of the site's six reactors suffered meltdowns due to damage from an earthquake-induced tsunami – was one of only two events in history to be rated at level 7 on the International Nuclear and Radiological Event Scale (the other being Chernobyl).

This scale is not related to the quantity of radioactive material released (although that was considerable), but by the number of people affected by the event. Following the incident, 154,000 people were evacuated from the area surrounding the plant due to the risk of radioactive contamination, a number second only to the 335,000 evacuated from the environs of the Chernobyl plant in 1986.

Continue reading

HPE campaigns against 'cloud first' push in UK public sector

Because HPE does not do public cloud? No, no, it is 'for the good'

Comment Hewlett Packard Enterprise has posted a "UK Public Sector Manifesto" with nine themes, alongside a campaign hyping the value of hybrid cloud.

The bugbear for HPE is that UK government introduced a "cloud first" policy in 2013.

The current version was revised in 2017 but it mandates that central government, when buying new IT services, must consider a cloud solution – and specifically a public cloud, rather than "a community, hybrid or private deployment model" – before any other option.

Continue reading

Tech contractors fume over payday outage at Giant Pay after it sniffs 'suspicious activity'

Technical difficulties, please stand by

Giant Pay – an umbrella company used by contractors across the UK – has confirmed "suspicious activity" on its platform is behind a days-long ongoing outage that has left folk fretting about whether they'll get paid this month.

In an update on its website today, the firm said: "Upon detection of suspicious activity on our network on 22nd September 2021, we immediately assembled a response team including IT data experts and specialist lawyers, and we are currently working with the highest priority to resolve this issue.

"As part of the investigation and as a measure of caution, we have proactively taken our systems offline and suspended all services temporarily." It also confirmed it had contacted regulatory authorities and assured contractors they would get paid.

Continue reading

Parking is expensive. It can cost an arm, a leg, and a Windows licence

Activate Windows and put up a parking lot

Bork!Bork!Bork! Sometimes only the freshest of borks will do, and sometimes the best laid plans of administrators can go awry.

Continue reading

'Nobody in their right mind would build a naval base here today': Navigating in and out of Devonport

Twisting and turning like a twisty-turny thing

Boatnotes II As HMS Severn continues hosting the Royal Navy's Fleet Navigating Officer's course, The Register has taken a closer look at the precision demanded of naval officers conning their ships in and out of one of the most cramped ports where the Navy routinely operates.

Entering and leaving Plymouth, home to Devonport naval base, is a tricky operation under naval rules as we observed.

Continue reading

CutefishOS: Unix-y development model? Check. macOS aesthetic? Check (if you like that sort of thing)

Also a range of homegrown apps. Still in beta, so plenty of rough edges, though

Review One of the reasons Linux has never caught on as a desktop operating system, as Linux fans know, is that Linux isn't a desktop operating system, it's a kernel. And assembling it into a coherent package users can install is the job of a distribution.

This is a very different distribution model than the one Apple or Microsoft uses, and it confuses newcomers. Windows and macOS are easier to understand, they are single things made by single companies. Canonical and Red Hat notwithstanding, Linux is not packaged and presented this way at all. I've long believed that this difference is one of the key stumbling blocks to wider Linux adoption.

Apple has macOS, Microsoft has Windows, Linux has... hundreds of awkward, confusingly named options.

Continue reading

Nothing works any more. Who decided that redundant systems should become redundant?

It'll all come out in the wash

Something for the Weekend, Sir? Something is out of place; it does not quite fit. I reach down and give it a gentle tug. Ah, that's better.

If you are expecting a harmless reveal of a desperately contrived euphemism, as per usual, you are going to be disappointed. This time I really am talking about my underwear. I am experiencing a clothing comfort conflict below the waist. To misparaphrase an ailing Oscar Wilde, either these new chuddies or my nuts will have to go.

It is my fault, of course, for having purchased the wrong size or whatever. Am I wearing them back to front? It's a bit difficult to tell as I removed the labels. When I say "labels", I am referring to the three-dozen nylon razor blades that were sewn into the hem, each adorned with iconographic instructions helpfully reminding you not to clean the item with a circular saw, industrial sander or quarry explosives.

Continue reading

BOFH: You'll find there's a company asset tag right here, underneath the monstrously heavy arcade machine

Flame purifies all

Episode 17 It's barely 9am in the morning and we're all standing outside while the fire brigade inspects the premises for the source of the fire.

A fire that in all likelihood never happened.

"What was it?" the Boss asks, no doubt fearing a discovery of the charred remains of a Beancounter in a closet somewhere on the third or fourth floor.

Continue reading

UK Ministry of Defence tries again to procure £1.7bn tri-service recruitment system

New guys can't do a worse job than Capita, right? Right?

The UK Armed Forces are looking to restart a £1.7bn procurement for recruitment and onboarding of personnel to cover extensive IT investments as well as process outsourcing.

The move follows in the footsteps of an earlier Army deal which saw Capita under-perform on a £1.3bn recruiting project.

Under a 10-year contract, the UK services are looking for a single, common, tri-service recruiting process under the banner of the Armed Forces Recruiting Programme.

Continue reading

Stop worrying that crims could break the 'net, say cyber-diplomats – only nations have tried

Global Commission on the Stability of Cyberspace is a bit miffed its 'Don't attack the internet core' norm is misunderstood

The Global Commission on the Stability of Cyberspace (GCSC) is worried its guidance on preventing the internet and all it connects becoming a casualty of war is being misinterpreted.

The GCSC works to create global behavioural norms that hopefully find their way into the diplomatic documents that govern nation-states' behaviour. The organisation does so because conventions governing kinetic warfare prohibit attacks on hospitals or schools, but many nations are yet to formalise recognition that information warfare could easily disrupt hospitals. The GCSC therefore wants nations to recognise that information warfare needs rules that match the intent of those governing kinetic conflict.

The Commission has had considerable success in those efforts, having defined eight norms. The first, the Norm on non-interference with the public core of the Internet, seeks to forbid attacks on the Domain Name System, DNSSEC, WHOIS information services, systems operated by the Internet Assigned Numbers Authority and of Regional Internet Registries.

Continue reading

Check your bits: What to do when Unix decides to make a hash of your bill printouts

Symbol shenanigans turned out to be the least of the government's problems

On Call Fire up the Cossie*! We're going back to the '80s with an On Call tale that combines the drama of a fast Ford motor with the eldritch horror of Unix serial port settings.

"Neil," today's Regomised reader, ran a consultancy specialising in Uniplex, an office automation suite compromising the usual suspects: word processing, spreadsheets, email, database and so on. It predated Microsoft's efforts in the integration arena by a good few years.

"It supported printers from the FX-80 upwards," Neil explained, "but by far the most popular was the HP LaserJet series with its 8-bit ECMA-94 charset."

Continue reading