Despite security experts warnings for years about security flaws around the SS7 (Signalling System 7), a protocol used by mobile networks to communicate with each other- hackers have finally accessed a back door and stolen money from German bank accounts.
O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.
The shortcomings of SS7 can be abused to, for example, redirect people’s calls and text messages to miscreants’ devices. Now the first case of crooks exploiting the design flaws to line their pockets with victims’ cash is real.
Thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.
In 2014, researchers demonstrated that SS7, which was created in the 1980s by telcos to allow cellular and some landline networks to interconnect and exchange data, is fundamentally flawed. Someone with internal access to a telco – such as a hacker or a corrupt employee – can get access to any other carrier’s backend in the world, via SS7, to track a phone’s location, read or redirect messages, and even listen to calls.
In this case, the attackers exploited a two-factor authentication system of transaction authentication numbers used by German banks. Online banking customers need to get a code sent to their phone before funds are transferred between accounts.
The hackers first spammed out malware to victims’ computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim’s mobile phone number to a handset controlled by the attackers.
Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.
While security experts have been warning about just this kind of attack – and politicians have increasingly been making noise about it – the telcos have been glacial at getting to grips with the problem. The prevailing view has been that you’d need a telco to pull off an assault, and what kind of dastardly firm would let itself be used in that way.
That may have worked in the 1980s, but these days almost anyone can set themselves up as a telco, or buy access to the backend of one. To make matters worse the proposed replacement for SS7 on 5G networks, dubbed the Diameter protocol, also has security holes, according to the Communications Security, Reliability and Interoperability Council at America’s comms watchdog, the FCC.