{"id":84446,"date":"2017-06-15T20:22:58","date_gmt":"2017-06-16T00:22:58","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2022-08-11T17:09:41","modified_gmt":"2022-08-11T21:09:41","slug":"scary-ss7-flaw-strikes-banks","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/scary-ss7-flaw-strikes-banks\/","title":{"rendered":"Scary SS7 Flaw Strikes Banks"},"content":{"rendered":"

\"Scary<\/a>Lost in last month\u2019s hubbub over WannaCry<\/a> ransomware<\/a> was the revelation that hackers had successfully exploited<\/strong> the SS7 \u201cflaw\u201d in January 2017. In May reports surfaced that hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in Signaling System 7<\/strong><\/a> (SS7). SS7 is a standard that defines how the public phone system talks to itself to complete a phone call.<\/p>\n

\"Signaling<\/a>The high-tech heist<\/strong> was initially reported by the German newspaper S\u00fcddeutsche Zeitung<\/a> (auf Deutsch). The attack was a sophisticated operation that combined targeted phishing emails<\/strong> and SS7 exploits<\/strong> to bypass two-factor authentication<\/strong> (2FA) protection. This is the first publicly known exploit of SS7 to intercept two-factor authentication codes sent by a bank to confirm actions taken by online banking customers.<\/p>\n

How hackers get in<\/h3>\n

According<\/a> to ars Technica<\/em><\/a>, the attack began with traditional bank-fraud trojans<\/strong>. These trojans infect account holders’ computers and steal the passwords used to log in to bank accounts. From there, attackers could view account balances, but were prevented from making transfers without the one-time password the bank sent as a text message. After stealing<\/strong> the necessary login details via phishing emails<\/strong>, the perpetrators leveraged the SS7 flaw to intercept<\/strong> the associated mTAN (mobile transaction authentication numbers<\/a>) authentication codes<\/strong> sent to the victims \u2014 messages notifying them of account activity \u2014 to validate the transactions and remain hidden, investigators say.<\/p>\n

\"Central<\/a>German Telecommunications giant O2-Telefonica<\/a> confirmed details of the SS7-based cyberattacks to the newspaper. Ars<\/em> says, in the past, attackers have obtained mTANs by obtaining a duplicate SIM card that allows them to take control of the bank customer’s phone number. SS7-facilitated compromises, by contrast, can be done remotely on a much larger quantity<\/strong> of phone numbers.<\/p>\n

O2 Telefonica confirmed<\/a> to Help Net Security<\/em><\/a> that the attackers were able to gain access to the network of a foreign mobile network operator in January 2017. The attackers likely purchased access to the foreign telecommunications provider<\/strong> \u2013 this can apparently be done for less than 1,000 euros \u2013 and have set up a call and SMS forwarding.<\/p>\n

Two-factor authentication<\/h3>\n

\"Ford<\/a>Two-factor authentication<\/a> (2FA) is a security process in which the user provides two authentication factors to verify they are who they say they are<\/strong>.\u00a0 2FA provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices and online accounts because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users’ data from being accessed by hackers who have stolen a password database or used phishing campaigns to get users’ passwords.<\/p>\n

News of the incident prompted widespread concern online. Security advocates railed against the popular and continuous use of text messages to authenticate account information<\/strong> while growing evidence suggests that SS7 is an unsafe channel to deliver such data. Security experts told ars<\/em> that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.<\/p>\n

The end of 2FA?<\/h3>\n

Cris Thomas, a strategist at Tenable Network Security<\/a> warns in the article:<\/p>\n

While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems \u2026 Vulnerabilities in SS7 and other cellular protocols aren\u2019t new. They have been presented at security conferences for years \u2026 there are other more secure protocols available now that systems can switch to…<\/em><\/p>\n

Cybersecurity researchers began issuing warnings about this flaw in late 2014<\/strong> about dangerous flaws in SS7. I wrote about the SS7 flaw in September of 2016<\/a>\u00a0 and in March 2107<\/a>. Maybe this will be the wake-up call<\/strong> for the carriers. One industry insider quipped<\/a>:<\/p>\n

This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren\u2019t closed \u2026 The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security.<\/em><\/p>\n

SS7 allows voice networks to interoperate<\/h3>\n

\"a<\/a>In 2014 security researchers first demonstrated<\/a> that SS7 could be exploited to track and eavesdrop on cell phones. This new attack is essentially a man-in-the-middle attack<\/strong> on cell phone communications. It exploits the lack of authentication in the communication protocols that run on top of SS7.<\/p>\n

Developed in 1975, today, over 800 telecommunications companies around the world, including\u00a0AT&T<\/a> (T<\/a>) and\u00a0Verizon<\/a> (VZ<\/a>), use \u00a0This technology has not kept up with modern times.\u00a0 In May 2017, Wired<\/em><\/a> published an article<\/a> that explains some of the ways to secure SS7. Overcoming SS7 insecurity<\/strong> requires implementing a series of firewalls<\/strong> and filters that can stop the attacks. Researchers Wired<\/em> spoke to suggest that adding encryption<\/strong> to SS7 would shield network traffic from prying eyes and bolster authentication. Both of these changes are unpopular with the carriers<\/strong>\u00a0because they cost money and can impact the network core, so don\u2019t expect any network changes to address the SS7 flaw anytime soon.<\/p>\n

\"Carriers<\/a>The Register<\/em><\/a> reports<\/a> that the FCC\u2019s<\/a> Communications Security, Reliability and Interoperability Council<\/a> found<\/a> that the proposed replacement<\/strong> for SS7 on 5G networks, dubbed the Diameter protocol<\/strong> has security holes<\/strong> too.<\/p>\n

In March 2017, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security’s<\/a><\/strong> John Kelly requesting that DHS investigate and provide information about the impact of SS7 vulnerabilities to U.S. companies and governmental agencies. Kelly has not responded<\/strong> to the letter, according to the Wired<\/em> article.<\/p>\n

Of course, the TLA’s would never use this \u201cflaw\u201d in SS7 to spy on us.<\/p>\n

What can you do?<\/h3>\n

The Guardian<\/em><\/a> says<\/a> that given that the SS7 vulnerabilities reside on systems outside of your control, there is very little you can do to protect yourself<\/strong> beyond not using the services.<\/p>\n

\"Politican\"They recommend for text messages, avoiding SMS<\/strong>\u00a0instead of using encrypted messaging services<\/strong> such as Apple’s<\/a> (AAPL<\/a>) iMessage<\/a>, Facebook<\/a>‘s (FB<\/a>) WhatsApp<\/a> or the many others available will allow you to send and receive instant messages without having to go through the SMS network to protect your messages from surveillance.<\/p>\n

For calls<\/strong>, the Guardian<\/em> recommends using a service that carries voice over data<\/strong> and not through the voice network. This will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle\u2019s <\/a>end-to-end encrypted Phone service or the open-source Signal app<\/strong><\/a> also allows secure voice communications.<\/p>\n

Your location<\/strong> could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi<\/strong> instead.<\/p>\n

Related articles<\/strong><\/p>\n