Known SS7 network flaw used to drain customer bank accounts

The vulnerability allowed hackers to bypass two-factor authentication

Despite years of warnings that the SS7 networking protocol contained significant vulnerabilities, it now appears to have been exploited by hackers to drain customer bank accounts, according to reports.

Signaling System No.7 (SS7), as the protocol is known, is used by more than 800 telecommunications companies around the world, allowing customers in one country to send text messages to users in different countries. The protocol also helps with interoperability between networks, and also allows for phone calls to go uninterrupted while in low signal areas.

However, it has been discovered that the same protocol, which was created in the 1970s, can be used to track users and eavesdrop on their conversations. These vulnerabilities have been publicised as early as 2008, yet most recently, security researchers in 2016 were able to demonstrate the ease at which they could track the movements of US Representative Ted Lieu using his phone number and the SS7 network.

It has now emerged that unidentified hackers used the same vulnerabilities in the SS7 protocol to bypass two-factor authentication services of banks in Germany, according to the Sddeutsche Zeitung newspaper. This same protocol is used in the UK, although it is known instead as Common Channel Interoffice Signaling 7 (CCIS7).

Advertisement
Advertisement - Article continues below

The hackers were able to use SS7 to divert the text messages that the banks send to customers as one-time password checks, sending them instead to phones controlled by the attackers. The codes were then used to authorise the transfer of funds out of customer accounts, according to the report.

To locate the targets, the hackers used a malware campaign to identify bank account numbers, login details, passwords and balance amounts. They were then able to purchase access to as yet unidentified foreign telecommunications provider to gain backdoor access to the customers' phones.

Speaking to the Sddeutsche Zeitung, Germany's O2 Telefonica said: "Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January. The attack redirected incoming SMS messages for selected German customers to the attackers."

This news shouldn't come as a surprise to those advocating against the use of the SS7 protocol. In August last year, Representative Lieu requested the FCC to investigate the reported vulnerabilities of SS7, and impose changes to prevent these kinds of attacks. However, this could take years to address given the size of its reach and the number of companies using it.

Immediately following the news of the hack, Lieu issued a statement which read: "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number."

The silver lining is that since this is the first reported public attack using the SS7 protocol, it may spur other regulators to help fix the vulnerabilities.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019