Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts

Security researchers have been warning for years about critical security holes in the Signaling System 7 (SS7) that could allow hackers to listen in on private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.

Cellular networks, on the other hand, have consistently been ignoring this serious issue, saying that it is a very low risk for most people, as the exploitation of the SS7 flaws requires significant technical and financial investment.

But some unknown hackers have just proved them wrong by recently exploiting the design flaws in the SS7 to drain victims' bank accounts, according to a report published Wednesday by German-based newspaper Süddeutsche Zeitung.

SS7 is a telephony signaling protocol created in the 1980s by telcos and used by more than 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming, and other services.

Real-World SS7 Attack Scenarios


The global telecom network SS7 is vulnerable to several design flaws that could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.

The design flaws in SS7 have been in circulation since 2014, when a team of researchers at German Security Research Labs alerted the world to them.

So, the privacy concerns regarding the SS7 protocol are not new.


Last year, Karsten Nohl of German Security Research Labs demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission) on the TV program 60 Minutes and successfully intercepted his iPhone, recorded a call, and tracked his precise location in real time just by using his cellphone number and access to an SS7 network.

In a separate demonstration, the researchers from Positive Technologies last year also demonstrated WhatsApp, Telegram, and Facebook hacks using the same design flaws in SS7 to bypass two-factor authentication used by the services.

Thieves Using SS7 Flaw to Steal Money From Bank Accounts


Now, Germany's O2 Telefonica has confirmed that the same SS7 weaknesses have recently been exploited by cybercriminals to bypass the two-factor authentication (2FA) banks used to prevent unauthorized withdrawals from users' bank accounts.

"Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January," an O2 Telefonica representative told Süddeutsche Zeitung. "The attack redirected incoming SMS messages for selected German customers to the attackers."

In short, cyber criminals exploited SS7 flaws to intercept two-factor authentication codes (one-time passcodes, or OTPs) sent to online banking customers and drained their bank accounts.

Here's How:


The attackers first spammed out traditional bank-fraud trojans to infect account holders' computers and steal the passwords used to log into bank accounts and view account balances, along with their mobile numbers.

But what prevented the attackers from making money transfers is the one-time password the bank sent via a text message to its online banking customers in order to authorize the transfer of funds between accounts.

To overcome this issue, the cyber crooks then purchased access to a fake telecom provider and set up a redirect for the victim's phone number to a handset controlled by them. Specifically, they used SS7 to redirect the SMSes containing OTPs sent by the bank.

Next, the attackers logged into victims' online bank accounts and transferred money out, because as soon as the authorization codes were sent by the bank, instead of reaching the designated account holders, they were routed to numbers controlled by the attackers, who finalized the transaction.

Can You Avoid this Hack?


This latest SS7 attack once again sheds light on the insecurity by design and lack of privacy in the global telephone network protocol, making it clear that real-world SS7 attacks are possible. And since the SS7 network is used worldwide, the issue puts billions of users in danger.

The incident also underscores the risks of relying on SMS-based two-factor authentication.

Although the network operators are unable to patch the hole anytime soon, there is little the smartphone users can do. Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.
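The difference between the two kinds of second factor, as an added sketch that is not part of the original article: an SMS code is a bearer secret that works for whoever receives the message, while a key-based factor answers a challenge with a secret that never leaves the customer's device and is bound to one transfer. HMAC stands in here for the public-key signature a real security key produces; the class names, the account name and the transfer string are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def sign(key, nonce, transfer):
    # Assumption: HMAC-SHA256 as a stand-in for a security key's signature.
    return hmac.new(key, nonce + transfer.encode(), hashlib.sha256).digest()

class SmsOtpBank:
    """SMS flow: the code travels over the phone network as a bearer secret."""
    def __init__(self):
        self.pending = {}
    def send_otp(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = code
        return code  # the SMS body: valid for whoever ends up receiving it
    def authorize(self, account, code):
        expected = self.pending.pop(account, None)
        return expected is not None and hmac.compare_digest(expected, code)

class KeyBank:
    """Challenge-response flow: only the enrolled device can answer."""
    def __init__(self):
        self.device_keys, self.pending = {}, {}
    def enroll(self, account):
        self.device_keys[account] = secrets.token_bytes(32)
        return self.device_keys[account]  # kept on the customer's device
    def challenge(self, account, transfer):
        nonce = secrets.token_bytes(16)
        self.pending[account] = (nonce, transfer)  # bound to this transfer
        return nonce
    def authorize(self, account, response, transfer):
        nonce, bound = self.pending.pop(account, (None, None))  # single use
        if nonce is None or bound != transfer:
            return False
        expected = sign(self.device_keys[account], nonce, transfer)
        return hmac.compare_digest(expected, response)

def demo():
    transfer = "EUR 900 to CONSTRUCTED-IBAN"  # constructed sample value
    sms = SmsOtpBank()
    redirected = sms.send_otp("alice")  # message delivered to another handset
    sms_ok = sms.authorize("alice", redirected)
    bank = KeyBank()
    device_key = bank.enroll("alice")
    nonce = bank.challenge("alice", transfer)
    # A party that sees the challenge but does not hold the device key:
    no_key = bank.authorize("alice", sign(secrets.token_bytes(32), nonce, transfer), transfer)
    nonce = bank.challenge("alice", transfer)
    genuine = bank.authorize("alice", sign(device_key, nonce, transfer), transfer)
    return sms_ok, no_key, genuine

if __name__ == "__main__":
    print(demo())
```

The redirected SMS code authorizes the transfer because nothing ties it to the account holder's device; the challenge-response flow rejects any answer computed without the enrolled key, for a different transfer, or for an already used challenge.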