Cyber criminals have started exploiting long-known security vulnerabilities in the SS7 protocols to bypass German banks’ two-factor authentication and drain their customers’ bank accounts.
What is SS7 and what do these vulnerabilities allow?
SS7 (Signaling System #7) is a set of telephony signaling protocols that are used by over 800 telecoms around the world. It allows their customers to seamlessly connect to different telecom networks when travelling, and use their mobile phone in much the same way they would at home.
The exploited vulnerabilities were first publicly reported by German researchers Tobias Engel and Karsten Nohl in 2014. They were apparently exploited for years before that by various intelligence services to track targets’ location.
In 2016, Nohl demonstrated how the vulnerabilities could be easily exploited by well-resourced attackers to eavesdrop on phone calls and track the current geographic position of any one user. He tested the attack on US congressman Ted Lieu, who willingly participated in the experiment.
At the time, Lookout founder John Hering said that the average person does not have to worry about most of these attacks, but things have now obviously changed.
According to a report by Süddeutsche Zeitung, criminals have managed to re-route SMS messages with mTANs (one-time confirmation numbers) intended for legitimate bank customers to their phones. They used those mTANs to confirm and execute fraudulent withdrawals of funds from targets’ bank accounts.
In order to pull off this trick, the attackers have to know the target’s phone number, and have access to SS7. According to Germany’s O2 Telefonica, the latter was achieved by getting access to the network of a foreign mobile network operator in January 2017.
The attackers have likely purchased access to the foreign telecommunications provider – this can apparently be done nowadays for less than 1,000 euros – and have set up call and SMS forwarding.
Another prerequisite for successful pilfering is knowing the target’s online banking credentials, and they got those either by stealing them from the targets’ computers with the help of banking Trojans, or through phishing.
The final attacks were performed during the night, to minimize the possibility of the victims noticing that something was amiss and blocking the fraudulent transactions.
SS7 vulnerabilities exploited: What now?
It’s on the telecom industry to make the change from the vulnerable SS7 systems to more secure ones. Many have already started the switch to the Diameter protocol, but the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) has recently revealed that this protocol also has security issues that leave it vulnerable to attacks.
In the meantime, banks and other organizations that use SMS to deliver the second authentication factor should switch to using alternative authenticators such as (hardware) security tokens or mobile apps like Google Authenticator.
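Why an app-generated code is not exposed to the SMS re-routing described above, shown as an added example that is not part of the original article: the code is computed on the device from a secret shared at enrolment, so nothing travels over the signaling network. The sketch assumes TOTP as specified in RFC 6238 (HMAC-SHA1, 6 digits, 30-second step), the scheme Google Authenticator uses; the `TotpVerifier` class is hypothetical and the key is the RFC's published test key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check for one account (hypothetical class, for illustration)."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window        # tolerated clock drift, in time steps
        self.last_counter = -1      # highest time step already accepted

    def verify(self, code, now=None):
        current = int((time.time() if now is None else now) // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue            # codes are single-use: refuse replays
            expected = hotp(self.secret, counter)
            # Constant-time comparison on bytes, safe for any submitted string.
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_counter = counter
                return True
        return False


# Constructed sample: the RFC 6238 SHA-1 test key, not a real account secret.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    print("code at t=59:    ", hotp(SAMPLE_SECRET, 59 // 30))
    print("first submission:", verifier.verify("287082", now=59))
    print("replayed code:   ", verifier.verify("287082", now=59))
    print("stale code:      ", verifier.verify("287082", now=150))
```

The replay check matters for the attack chain in this article: a code captured by a banking Trojan or phishing page cannot be reused once the server has accepted it, and it expires after the drift window.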
“SS7 exploits just reached a new level. News of the first real bank hack executed using SS7 loopholes will serve as a real warning to the mobile community. Operators are already collaborating to better understand the ways in which vulnerabilities can be exploited, and mitigate them. This latest assault will not be easily ignored and now, more than ever, providers will be looking to vendor solutions to protect customers, their networks and vulnerable areas,” Mark Windle, Strategy and Marketing Director, Security at Mavenir, commented on the news.
“Legacy SS7 technology may eventually be replaced by Diameter or SIP, but SS7 will be around for at least the next 10 years, and simply closing a protocol isn’t the solution. As long as there is national and international interconnect access, the window will still be there. In the meantime, by continuing to address security flaws in signaling protocols by using an optimal, multi-layer solution, operators can increase subscriber trust levels, decrease churn rates and, most importantly, protect mobile devices.”
The National Institute of Standards and Technology (NIST) advised last year that SMS-based two-factor authentication should be on its way out.