When you’re as ginormous a target as the global telecommunications industry, and you’re sitting on a flaw as big as the one affecting its SS7 protocol, best not rely on “security through obscurity”. You and your customers could get badly bitten – and so they have.
The Signalling System No. 7 (SS7) telephony signaling protocol used to establish interoperability across some 800+ service providers worldwide, is deeply vulnerable to interception by hackers, criminals, and corrupt insiders. We’ve known this for years. Now, in Germany, someone’s used that vulnerability to raid consumers’ online bank accounts.
SS7 was designed back in the 1970s, when access to phone networks was viewed as rare and controllable: back then, for example, AT&T still had an essentially complete monopoly over all US phone service. But now, a world of internet, VoIP, and wireless providers can link into SS7 to do all manner of fascinating things, and mess-with-SS7 skills and tools aren’t nearly so scarce. The telecom industry, however, has been appallingly slow to react. Maybe they will now.
As first reported by the German daily newspaper Süddeutsche Zeitung, this two-part attack zeroed in on SS7 call-forwarding features that allow networks to validate your SIM card when you travel internationally.
First, according to Bank Info Security, hackers sent conventional fake phishing emails to victims, suckering them into visiting fake bank websites, where they were told to enter account numbers, passwords and the mobile phone numbers they had previously given their banks.
Meanwhile, per The Register, the attackers “purchased access to a rogue telecommunications provider and set up a redirect for the victim’s mobile phone number to a handset controlled by the attackers”. Now, they could wait until late at night, log into the victims’ online accounts, and start money transfers. As part of their SMS-based two-factor authentication (2FA) systems, the banks would dutifully send one-time mobile transaction authentication number (mTAN) numbers to their customers. These would be hijacked by the criminals, who now had the second authentication factor they needed to complete the thefts.
Ars Technica reports that “the interception of the mTANs came only after attackers had compromised bank accounts using traditional bank-fraud trojans. These trojans infect account holders’ computers and steal [bank account] passwords… From there, attackers could view available balances, but they were prevented from making transfers without the one-time password the bank sent as a text message. In the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity of phone numbers.”
What’s disheartening about these attacks is how long service providers have known that SS7 was becoming vulnerable. Bank Info Security summarized the history this week:
- Tobias Engel’s 2008 Chaos Communication Congress presentation showed how unauthorized SS7 users could track a phone’s location.
- Ed Snowden’s 2013 document dump revealed that the NSA was using SS7 to spy on individuals.
- Karsten Nohl’s 2014 Chaos Communication Congress presentation showed how SS7 could be hacked, enabling hackers to listen to calls, read short messages, and intercept Internet traffic. (He even demonstrated the technique by hacking a US Congressman’s messages on America’s #1 news documentary program, 60 Minutes.)
- The same year, Positive Technologies demonstrated even more powerful SS7 message interception and redirection hacks using standard Linux PCs and freely accessible software tools, reporting that “the world’s 10 largest mobile telephony providers were vulnerable… and that blocking related exploits was difficult, because attacks could be crafted using legitimate SS7 messages, meaning it was almost impossible to filter them out.”
- Also in 2014, Ukraine’s telecommunications regulator reported evidence of “in the wild” SS7 attacks apparently coming from Russia.
The short-term solution is for telecommunications service providers to turn off SS7’s call forwarding features except for trusted providers. O2-Telefonica told Süddeutsche Zeitung that it blocked the specific foreign carriers who were the source of these attacks in January – but that doesn’t prevent similar attacks arising from other sources against other carriers.
The long-term solution is to fix SS7. According to the UK’s National Security Cyber Centre, such work is under way there – and will hopefully, once proven, be propagated more widely. In the meantime, as Naked Security and the US National Institute of Standards and Technology told you recently, 2FA via SMS text message is now deeply vulnerable. It’s time to stop relying on it for any significant transactions.
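The short-term mitigation above (allow only trusted partners to touch roaming and forwarding, and watch for a redirect followed by a one-time code delivery) can be expressed as a simple signaling-policy check. This is an added example, not code from the article or from any operator's SS7 firewall: the event format, the Global Title prefixes and the sample log lines are all constructed, and the MAP operation names are used in a simplified form.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified signaling events (not real SS7 traces):
# timestamp, MAP operation, originating Global Title, subscriber MSISDN.
# UpdateLocation = roaming registration, RegisterSS = set up forwarding,
# MT-ForwardSM = SMS delivery (e.g. a bank's mTAN).
SAMPLE_EVENTS = """\
2017-01-13T02:11:04 UpdateLocation gt=4917700001 msisdn=491701234567
2017-01-13T02:11:05 RegisterSS gt=4917700001 msisdn=491701234567
2017-01-13T02:14:40 UpdateLocation gt=9981100042 msisdn=491709876543
2017-01-13T02:14:41 RegisterSS gt=9981100042 msisdn=491709876543
2017-01-13T02:18:09 MT-ForwardSM gt=4917700001 msisdn=491709876543
"""

# Assumption: the operator's list of trusted roaming partners, by GT prefix.
TRUSTED_GT_PREFIXES = ("49177", "4417")


@dataclass
class Event:
    ts: datetime
    op: str
    gt: str
    msisdn: str


def parse(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        ts, op, gt, msisdn = line.split()
        events.append(Event(datetime.fromisoformat(ts), op,
                            gt.split("=")[1], msisdn.split("=")[1]))
    return events


def trusted(gt):
    return gt.startswith(TRUSTED_GT_PREFIXES)


def evaluate(events, window=timedelta(minutes=10)):
    """Alert on location/forwarding operations from untrusted origins, and on
    an SMS delivered shortly after an untrusted redirect for the same subscriber."""
    alerts = []
    redirected = {}  # msisdn -> time of the untrusted RegisterSS
    for e in events:
        if e.op in ("UpdateLocation", "RegisterSS") and not trusted(e.gt):
            alerts.append(("untrusted-origin", e.op, e.gt, e.msisdn))
            if e.op == "RegisterSS":
                redirected[e.msisdn] = e.ts
        if (e.op == "MT-ForwardSM" and e.msisdn in redirected
                and e.ts - redirected[e.msisdn] <= window):
            alerts.append(("sms-after-redirect", e.op, e.gt, e.msisdn))
    return alerts
```

Running `evaluate(parse(SAMPLE_EVENTS))` flags the two messages from the unknown Global Title and the SMS that followed the redirect, while the trusted partner's identical operations pass.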
7 comments on “Bank accounts raided after crooks exploit huge flaw in mobile networks”
Hopefully Sophos will be turning off 2FA for sections of the partner portal?
If 2FA via SMS text message is deeply vulnerable, what is the alternative solution while we wait for improvements in SS7?
U2F (universal 2 factor)
Use Authenticator Apps
Backdoors included – presumably?
“2FA via SMS text message is now deeply vulnerable. It’s time to stop relying on it for any significant transactions.”
Does the size (“significant transactions”) matter at all as long as the crooks can log in and empty the account? If the transaction was just one cent, the same thing could happen as I see it.
Can users avoid the SS7 vulnerability by requesting a code via voice call (instead of SMS message) when logging in (if the web site allows it)?
Likewise, can users avoid the SS7 vulnerability by using a landline instead of a cell phone? Granted, you need to be sitting by the landline phone when logging in!