The security hole has been known by telcos for years. Hackers used SS7 to redirect text messages banks used to send one-time passwords to customers. Instead of the text being delivered to the bank account holder's phone, they were diverted to phone numbers under the control of hackers. These hackers then used mTANs—short for "mobile transaction authentication numbers" to take money out of victims' accounts.
The interception of mTANs only came following hackers compromising bank accounts using Trojans to steal passwords from an account holder's computer. While with the Trojans hackers could view balances, they could not transfer money without having the one-time password as well (which is sent as a text message). Previously, hackers have had to use duplicate SIM cards to take control of victim's phone numbers to obtain mTANs.
Hackers then bought access to a rogue telco and set up a redirect for the victim's phone to a device controlled by the hackers. Hackers then accessed accounts to transfer money.
O2 confirmed to the newspaper that such an incident took place in mid-January.
"A criminal attack from the network of a foreign provider was carried out in mid-January”, a spokesperson told the publication. The spokesperson added that the provider was blocked and customers informed.
The flaws have led calls in the US to have SS7 patched up. According to reports from SC Media US, Congressman Ted Lieu has called on the FCC and the telecom industry to take action.
Michael Downs, director of Telecoms Security, EMEA of Positive Technologies told SC Media UK that the incident is a “sharp wake-up call”.
“It is a sign that it's getting easier for attackers, motivated by greed and nefarious intent, to access once closed parts of the global mobile infrastructure to not only steal money, but also track location, eavesdrop on private communications and even take down entire areas,” he said.
“While no-one denied vulnerabilities existed, the sector believed the risk was minimal. However, as this incident shows, they clearly open mobile users up to the same kind of mass cyber-crime problem that Internet users have suffered from for years.”
Bill Welch, senior product manager, Signalling Solutions at Sonus, told SC Media UK that while logic may suggest that a step towards preventing these attacks would lie in defining modifications to the SS7 protocol, this is not a practical option.
“Even if standardisation bodies develop new specifications for call setup, completion, and roaming, network equipment vendors would have to implement the new standards and network operators would have to upgrade all of their switches to use the new versions of software,” he said.
Amichai Shulman, CTO and co-founder at Imperva, told SC Media UK that the existence of an unsecure telco network in some countries was enough for bypassing this specific type of 2FA.
“Hence account takeover protection must always be a combination of attempting to prevent it and at the same time attempting to detect it (which I think happened in this case). The same applies for any data protection domain whether of internal or external nature.”