Known SS7 network flaw used to drain customer bank accounts

The vulnerability allowed hackers to bypass two-factor authentication

Despite years of warnings that the SS7 networking protocol contained significant vulnerabilities, it now appears to have been exploited by hackers to drain customer bank accounts, according to reports.

Signaling System No. 7 (SS7), as the protocol is known, is used by more than 800 telecommunications companies around the world, allowing customers in one country to send text messages to users in different countries. The protocol also helps with interoperability between networks and allows phone calls to continue uninterrupted in low-signal areas.

However, it has been discovered that the same protocol, which was created in the 1970s, can be used to track users and eavesdrop on their conversations. These vulnerabilities have been publicised since as early as 2008, and most recently, in 2016, security researchers demonstrated the ease with which they could track the movements of US Representative Ted Lieu using his phone number and the SS7 network.

It has now emerged that unidentified hackers used the same vulnerabilities in the SS7 protocol to bypass two-factor authentication services of banks in Germany, according to the Süddeutsche Zeitung newspaper. This same protocol is used in the UK, although it is known instead as Common Channel Interoffice Signaling 7 (CCIS7).


The hackers were able to use SS7 to divert the text messages that the banks send to customers as one-time password checks, sending them instead to phones controlled by the attackers. The codes were then used to authorise the transfer of funds out of customer accounts, according to the report.

To locate the targets, the hackers used a malware campaign to identify bank account numbers, login details, passwords and balance amounts. They were then able to purchase access to an as-yet-unidentified foreign telecommunications provider to gain backdoor access to the customers' phones.

Speaking to the Süddeutsche Zeitung, Germany's O2 Telefonica said: "Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January. The attack redirected incoming SMS messages for selected German customers to the attackers."

This news shouldn't come as a surprise to those advocating against the use of the SS7 protocol. In August last year, Representative Lieu asked the FCC to investigate the reported vulnerabilities of SS7 and impose changes to prevent these kinds of attacks. However, this could take years to address given the protocol's reach and the number of companies using it.

Immediately following the news of the hack, Lieu issued a statement which read: "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number."

The silver lining is that since this is the first reported public attack using the SS7 protocol, it may spur other regulators to help fix the vulnerabilities.
