Hackers drain German bank accounts using SS7 flaw to cheat SMS 2FA

Hackers have drained victims’ accounts secured with two-factor authentication by exploiting a flaw in the SS7 protocol that allowed them to receive the confirmation messages. The German operator O2 was attacked.

Signaling System 7 (SS7) is the set of protocols that interconnects most of the world’s telephone and cellular networks. The protocols were defined in the 1980s and have since been shown to be insecure; in 2014 German researchers demonstrated that the system could be exploited.

The weakness lets anyone with access to a telecommunications carrier’s network potentially reroute calls and text messages to another number. Security researchers have long pointed this out. Carriers were reluctant to act, assuming no telco would do such a thing; in recent years, however, it has become far easier to become a telephone company.

Online banks require a confirmation code to complete an outbound transfer. By rerouting the text messages, the hackers obtained those codes. They had first used spam and phishing campaigns to harvest the victims’ passwords and phone numbers; with the login details in hand, they struck in the middle of the night when the victims were likely asleep.

To make matters worse, the proposed replacement in 5G networks is also vulnerable. The simplest fix in the meantime is to stop using SMS for 2FA altogether and use cryptographically generated codes or keys as the second factor instead. With luck, this attack will push operators to fix the protocol.

Source: Süddeutsche Zeitung.
