Known SS7 network flaw used to drain customer bank accounts

The vulnerability allowed hackers to bypass two-factor authentication

Despite years of warnings that the SS7 networking protocol contained significant vulnerabilities, it now appears to have been exploited by hackers to drain customer bank accounts, according to reports.

Signaling System No.7 (SS7), as the protocol is known, is used by more than 800 telecommunications companies around the world, allowing customers in one country to send text messages to users in different countries. The protocol also helps with interoperability between networks, and allows phone calls to go uninterrupted while in low signal areas.

However, it has been discovered that the same protocol, which was created in the 1970s, can be used to track users and eavesdrop on their conversations. These vulnerabilities were publicised as early as 2008, and most recently, in 2016, security researchers were able to demonstrate the ease with which they could track the movements of US Representative Ted Lieu using his phone number and the SS7 network.

It has now emerged that unidentified hackers used the same vulnerabilities in the SS7 protocol to bypass two-factor authentication services of banks in Germany, according to the Süddeutsche Zeitung newspaper. This same protocol is used in the UK, although it is known instead as Common Channel Interoffice Signaling 7 (CCIS7).

The hackers were able to use SS7 to divert the text messages that the banks send to customers as one-time password checks, sending them instead to phones controlled by the attackers. The codes were then used to authorise the transfer of funds out of customer accounts, according to the report.

To locate the targets, the hackers used a malware campaign to identify bank account numbers, login details, passwords and balance amounts. They were then able to purchase access to an as yet unidentified foreign telecommunications provider to gain backdoor access to the customers' phones.

Speaking to the Süddeutsche Zeitung, Germany's O2 Telefonica said: "Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January. The attack redirected incoming SMS messages for selected German customers to the attackers."

This news shouldn't come as a surprise to those advocating against the use of the SS7 protocol. In August last year, Representative Lieu asked the FCC to investigate the reported vulnerabilities of SS7 and to impose changes to prevent these kinds of attacks. However, this could take years to address given the protocol's reach and the number of companies using it.

Immediately following the news of the hack, Lieu issued a statement which read: "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number."

The silver lining is that since this is the first reported public attack using the SS7 protocol, it may spur other regulators to help fix the vulnerabilities.
