There’s a major vulnerability in the way phone networks talk to each other — and hackers have used it to drain victims’ bank accounts.
What’s more: the issue has been known for years and highlighted by public demonstrations, but nothing had been done about it.
A number of German customers of telecom network O2-Telefonica had money stolen from their bank accounts by attackers exploiting the “SS7” vulnerability, according to a report from the German-language newspaper Süddeutsche Zeitung. (We first heard about it via The Register.)
So what’s the issue, and how does it work?
Signaling System No. 7, or SS7, is the protocol phone networks use to talk to each other, ensuring customers don’t lose service as they move between networks, and it is used all over the world. But it can also be used to spy on people — reading their messages, tracking where they go, and redirecting their calls. So if an attacker gets access to the SS7 network, they can do real damage.
That’s exactly what happened in Germany. It’s not clear who the attackers were, or how they obtained their access (though SZ said it could be had for “just under €1,000”), but the report does detail how they hit their targets.
First, the victims were targeted with phishing emails that tricked them into giving up the logins and passwords for their online banking accounts. But this wasn’t enough to steal money from their accounts, because the victims had a form of two-factor authentication activated. This meant the bank texted them a code before each money transfer to seek approval — theoretically preventing hackers from stealing cash even if a victim’s login details are compromised.
Now this is where the SS7 attack comes in. Over the “past months,” the attackers reportedly logged into the victims’ accounts, tried to transfer funds, then redirected the two-factor text messages to themselves. They confirmed the transfers, drained the accounts, and the victims couldn’t do anything about it.
Issues with SS7 have been known for years. In 2014, researchers demonstrated how it can be used to track people and intercept their communications. And in 2016, US congressman Ted Lieu was (with his consent) hacked as part of a demonstration of SS7’s flaws for CBS.
But the issue continues today, and can theoretically be used to eavesdrop on calls, track people via their phones, and intercept text messages.
And criminals are awake to the possibilities — as the German incident starkly illustrates.
Ted Lieu has put out a sharply worded statement about the news, warning: “Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC [Federal Communications Commission, a US government agency] and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”