HACKERS HAVE EXPLOITED a flaw in Signalling System No. 7 (SS7), a telephony signalling language, to drain customers' bank accounts.
The SS7 protocol is used by more than 800 telecoms companies globally and it enables data communications between different telco networks. It is the protocol used to ensure text messages can be sent to people in another country; and that phone calls are uninterrupted when travelling on an over ground train. It can even be used to eavesdrop on calls and track users' locations.
The weakness within the protocol has been known about since 2014, and in January, criminals exploited it to bypass the two-factor authentication method that banks use to protect unauthorised withdrawals from online accounts, German newspaper Suddeutsche Zeitung has reported.
Specifically, telecoms company O2 in Germany confirmed that some of its customers had their accounts drained by hackers in a two stage process. The first stage involved bank-fraud trojans that enabled the attackers to harvest user names, passwords, phone numbers and bank account details by infecting account holders' computers.
Attackers then used SS7 to intercept and redirect text messages used by the banks to send 'one off' passwords to their own numbers, and then used mobile transaction authentication numbers (mTANs) to transfer money out of a targeted account.
"Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January," a representative with Germany's O2 Telefonica told Süddeutsche Zeitung.
"The attack redirected incoming SMS messages for selected German customers to the attackers."
The foreign operator has since been blocked, and any customers that were affected were informed of the breach. The SS7 flaw is yet to be fixed meaning that there are likely to be other types of attacks on the horizon for telecoms operators. µ
Check Point warns that 'the next cyber hurricane is about to come'
He who controls the Animoji, rules the Animoji
Ha ha ha, hee hee hee, Will Cooke from Ubuntu had a chat with we
POKE no more. Oh wait, that was 30 years ago