Attackers exploited SS7 flaws to empty Germans’ bank accounts

Cyber criminals have started exploiting long-known security vulnerabilities in the SS7 protocols to bypass German banks’ two-factor authentication and drain their customers’ bank accounts.

SS7 vulnerabilities exploited

What is SS7 and what do these vulnerabilities allow?

SS7 (Signaling System #7) is a set of telephony signaling protocols used by over 800 telecoms around the world. It allows their customers to seamlessly connect to different telecom networks when travelling, and use their mobile phone in much the same way they would at home.

The exploited vulnerabilities were first publicly reported by German researchers Tobias Engel and Karsten Nohl in 2014. They were apparently exploited for years before that by various intelligence services to track targets’ location.

In 2016, Nohl demonstrated how the vulnerabilities could be easily exploited by well-resourced attackers to eavesdrop on phone calls and track the current geographic position of any user. He tested the attack on US congressman Ted Lieu, who willingly participated in the experiment.

At the time, Lookout founder John Hering said that the average person does not have to worry about most of these attacks, but things have now obviously changed.

What happened?

According to a report by Süddeutsche Zeitung, criminals have managed to re-route SMS messages with mTANs (one-time confirmation numbers) intended for legitimate bank customers to their own phones. They used those mTANs to confirm and execute fraudulent withdrawals of funds from the targets’ bank accounts.

In order to pull off this trick, the attackers have to know the target’s phone number, and have access to SS7. According to Germany’s O2 Telefonica, the latter was achieved by getting access to the network of a foreign mobile network operator in January 2017.

Another prerequisite for a successful pilfering is knowing the target’s online banking credentials, which the attackers obtained either by stealing them from the targets’ computers with the help of banking Trojans, or through phishing.

The final attacks were performed during the night, to minimize the chance of the victims noticing that something was amiss and blocking the fraudulent transactions.

The attackers have likely purchased access to the foreign telecommunications provider – this can apparently be done nowadays for less than 1,000 euros – and have set up call and SMS forwarding.

SS7 vulnerabilities exploited: What now?

It’s on the telecom industry to make the change from the vulnerable SS7 systems to more secure ones. Many have already started the switch to the Diameter protocol, but the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) has recently revealed that this protocol also has security issues, leaving it vulnerable to similar attacks.

In the meantime, banks and other organizations that use SMS to deliver the second authentication factor should switch to using alternative authenticators such as (hardware) security tokens or mobile apps like Google Authenticator.

The National Institute of Standards and Technology (NIST) advised last year that SMS-based two-factor authentication should be on its way out.

Source: Help Net Security – News @ May 4, 2017 at 05:08AM