May 18, 2017
Two weeks ago O2 Telefonica in Germany confirmed that some of its customers have had their bank accounts emptied in a two-stage attack that exploits SS7 protocol. Unknown attackers exploited weaknesses in SS7 protocol and redirected text messages to numbers controlled by them. Those messages included one-time passcodes sent by the bank to their customer.
SS7 is today used by more than 800 telecom companies around the world. SS7 (Signalling System No. 7) enables the sending of text messages to someone in another country, as well as making phone calls when the caller is traveling, for instance, on a train. The same functionality makes it possible to intercept text messages, track geographic whereabouts or even listen to phone conversations.
“It’s like you secure the front door of the house, but the back door is wide open.” – Tobias Engel
The weaknesses of the protocol began to appear already in 2008, when German researcher Tobias Engel demonstrated how SS7 could be used to determine a phone’s location. Later, in 2014, inexpensive call-interception attacks were first demonstrated by researchers. We also wrote about the dangers of SMS authentication over two years ago, and updated the news a month ago after Instagram pushed out their SMS based two-factor authentication.
The problem with SS7 is that it is only as secure as its least secure member. If any one of the 800 telecom companies is hacked, a lot of information is open for hackers to intercept.
”It’s just not suited to the modern world but it’s still there and as is so many things. The legacy that lives on and comes back to haunt us.” – Alan Woodward
SS7 was created in the 1980s to allow cellular and landline networks to interconnect and exchange data. In fact, the flaws discovered by the German researchers are functions built into SS7 for other purposes (like keeping calls connected when driving). Hackers are just repurposing these functions for their own attacks because of the vulnerable security on the network.
A good thing is that these attacks can be blocked if mobile operators disallow call forwarding or restrict that functionality to only trusted providers. Nevertheless, using SMS authentication gives a signal to hackers that the company is not taking user security seriously. Therefore taking a closer look at the company might be worthwhile. Below are the main reasons for why you and your company should find modern alternatives to SMS authentication.