Known SS7 network flaw used to drain customer bank accounts

Despite years of warnings that the SS7 networking protocol contained significant vulnerabilities, it now appears to have been exploited by hackers to drain customer bank accounts, according to reports.

Signaling System No.7 (SS7), as the protocol is known, is used by more than 800 telecommunications companies around the world, allowing customers in one country to send text messages to users in different countries. The protocol also helps with interoperability between networks, and also allows for phone calls to go uninterrupted while in low signal areas.

However, it has been discovered that the same protocol, which was created in the 1970s, can be used to track users and eavesdrop on their conversations. These vulnerabilities have been publicised as early as 2008, yet most recently, security researchers in 2016 were able to demonstrate the ease at which they could track the movements of US Representative Ted Lieu using his phone number and the SS7 network.

It has now emerged that unidentified hackers used the same vulnerabilities in the SS7 protocol to bypass two-factor authentication services of banks in Germany, according to the Sddeutsche Zeitung newspaper. This same protocol is used in the UK, although it is known instead as Common Channel Interoffice Signaling 7 (CCIS7).

The hackers were able to use SS7 to divert the text messages that the banks send to customers as one-time password checks, sending them instead to phones controlled by the attackers. The codes were then used to authorise the transfer of funds out of customer accounts, according to the report.

To locate the targets, the hackers used a malware campaign to identify bank account numbers, login details, passwords and balance amounts. They were then able to purchase access to as yet unidentified foreign telecommunications provider to gain backdoor access to the customers' phones.

Speaking to the Sddeutsche Zeitung, Germany's O2 Telefonica said: "Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January. The attack redirected incoming SMS messages for selected German customers to the attackers."

This news shouldn't come as a surprise to those advocating against the use of the SS7 protocol. In August last year, Representative Lieu requested the FCC to investigate the reported vulnerabilities of SS7, and impose changes to prevent these kinds of attacks. However, this could take years to address given the size of its reach and the number of companies using it.

Immediately following the news of the hack, Lieu issued a statement which read: "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number."

The silver lining is that since this is the first reported public attack using the SS7 protocol, it may spur other regulators to help fix the vulnerabilities.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.