A major vulnerability in the mobile network O2-Telefonica resulted in hackers using a two-step attack to redirect money from customers’ bank accounts to their own accounts. The mobile carrier O2-Telefonica acknowledged the massive theft of data from German customers.
Design flaws in SS7 (Signaling System No. 7), a set of telephony signaling protocols developed in 1975, were exploited to mount an attack on bank accounts.
SS7 is used by AT&T, Verizon and more than 80 telecom providers across the world. The protocol lets banks exchange information and data with each other on a roaming basis.
The hackers tricked the two-factor authentication system by exploiting the design flaws in SS7. Banks use two-factor authentication as a means of securing bank accounts: a customer is allowed to make a transaction only after verifying a code sent to their mobile number.
Hackers penetrated the system to route this text message to their own numbers and were thus able to withdraw funds from customers’ bank accounts.
How Does It Work?
First, the hackers send a phishing email to customers to glean information such as the account number, the associated password, and the mobile number. With this information in hand, the hackers move to the next step, which is obtaining the mTAN (mobile transaction number) that banks usually forward to a customer’s mobile number before the transaction is authenticated.
Step two is what you may call a “SIM-swap” attack.
Hackers try to intercept the text messages and calls of a bank customer. They use the customer’s confidential information, such as mobile number, location and other details, gathered through their usual hacking techniques.
Once they obtain this information, they initiate the transaction and route the two-step verification message to mobile numbers in their own custody. Access to one mobile carrier’s data gives hackers access to a lot of data points about customers, such as relayed metadata, calls, billing information, text messages, and subscriber data. This is used to mount an attack and withdraw funds from accounts.
When Was The Design Flaw Detected?
It was detected two years ago, when a German researcher demonstrated that the SS7 design flaw can be used to redirect messages, calls, and location data to a device of choice.
The vulnerability in the SS7 design was detected back in 2014. Previously, Congressman Ted Lieu’s iPhone was hacked by Karsten Nohl of German Security Research Labs. The Congressman’s calls, location, and further details were obtained by the researcher exploiting the SS7 vulnerability. Ted Lieu was shocked to see his identity being revealed.
It’s not that the vulnerability was unknown to these banks. A special publication by the National Institute of Standards and Technology (NIST) in 2016 stated that:
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators”.
It essentially means that NIST had already deprecated the use of SMS-based out-of-band authentication (SMS 2FA is an out-of-band verifier as per the NIST publication).
The Way Forward
Until now, users and banks have considered SMS 2FA (SMS-based two-factor authentication) as the Holy Grail of bank account security.
The recent incidents of account hacking show that temporary codes delivered through mobile networks are not a security blanket. Essentially, the very method (an SMS containing a short code) that users and companies treat as a security measure becomes the weakest link.
Once a hacker has the short code, there’s nothing to stop him from carrying out his plans. Jonathan Zdziarski, a security researcher, states that “SMS is just not the best way to do this”.
Since mobile phones can be socially engineered out of a user’s control, it’s best to switch to a better system, such as a physical token that generates one-time codes, a smartphone authenticator app, or cryptographically based security keys, to secure online transactions.
There’s an alternative perspective as well. Tech giants such as IBM argue that the “SS7 vulnerability isn’t a flaw, it was designed that way”. The best that IBM is able to come up with is that “telephone networks were not designed to be secure. Understanding that and adjusting habits may help when security is needed”. However, the admission and advice don’t leave consumers any less vulnerable.
— IBM Security (@IBMSecurity) May 17, 2016
Tools To Use
Tools such as Google Authenticator or an RSA token can be used instead of traditional SMS-based authentication.
Google Authenticator is a software-based authentication token developed by Google. It helps because the Google Authenticator app generates a six-digit code that changes every 30 seconds.
Apart from NIST’s recommendation to abandon SMS 2FA, security researchers from the industry have advised authenticating a user’s mobile phone using a more rigorous method. Here’s a blog post that compares the popular 2FA tools; choose the one that suits your needs.