Hackers Leverage Flaws in SS7 to Drain Victims’ Bank Accounts

Earlier this year, hackers exploited vulnerabilities in the Signaling System No. 7 (SS7) protocols to sidestep two-factor authentication and steal funds from German victims’ bank accounts, according to Germany’s Süddeutsche Zeitung.

The hackers stole bank login credentials via phishing emails that appeared to come from the victims’ banks, then leveraged flaws in SS7 to redirect the SMS messages required to confirm funds transfers.

“Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January,” a representative of Germany’s O2 Telefonica said, according to Ars Technica. “The attack redirected incoming SMS messages for selected German customers to the attackers.”

Ars Technica notes that security researcher Karsten Nohl demonstrated the potential impact of the flaws in SS7 last year by recording calls and tracking the location of U.S. Rep. Ted Lieu.

Earlier this week, Lieu tweeted, “I’ve been screaming for FCC & telecom industry to fix #SS7 security flaw. Perhaps bank losses will get them to act.”

“EVERYONE’S BANK ACCOUNT IS AT RISK until FCC and telecom industry fix the devastating #SS7 flaw,” he added.

A Warning to Mobile Operators

Mark Windle, strategy and marketing director for security at Mavenir, told eSecurity Planet by email that the news should serve as a warning to the mobile community. “Operators are already collaborating to better understand the ways in which vulnerabilities can be exploited, and mitigate them,” he said.

“Legacy SS7 technology may eventually be replaced by Diameter or SIP, but SS7 will be around for at least the next 10 years, and simply closing a protocol isn’t the solution,” Windle added. “As long as there is national and international interconnect access, the window will still be there.”

“In the meantime, by continuing to address security flaws in signaling protocols by using an optimal, multi-layer solution, operators can increase subscriber trust levels, decrease churn rates and, most importantly, protect mobile devices,” he said.

Balancing Security and Convenience

A recent survey of more than 800 representatives from financial institutions worldwide found that 24 percent of banks struggle with the identification of their customers when delivering digital and online banking services.

The survey, sponsored by Kaspersky Lab and conducted by B2B International, also found that 30 percent of banks have had security incidents affecting banking services delivered via the Internet, and 59 percent anticipate an increase in financial losses due to fraud in the next three years.

Thirty-eight percent of respondents said balancing prevention techniques with customer convenience is one of their specific concerns.

“While thinking of different approaches to secure digital and mobile channels, banks naturally avoid putting too much pressure on customers,” Kaspersky Lab head of fraud prevention Alexander Ermakovich said in a statement.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
