ITEM: Cyber criminals are reportedly exploiting long-existing security flaws in the SS7 signaling network to hack SMS-based two-factor authentication for banking services and successfully steal money from their customers.
That’s according to Motherboard, citing a report in a German newspaper:
In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is especially used for data-roaming: when a phone user goes outside their own provider’s coverage, messages still need to get routed to them. But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from.
That allows the attacker to direct a target’s text messages to another device, and, in the case of the bank accounts, steal any codes needed to login or greenlight money transfers (after the hackers obtained victim passwords).
As Motherboard points out, the flaws in SS7 that were exploited to pull this off are not new. Security experts have warned for years that SS7 has serious security problems, from giving third parties the ability to track individuals to intercepting SMSs used for two-factor authentication (2FA). That’s why the US National Institute of Standards and Technology (NIST) said in 2016 it would no longer recommend SMS-based 2FA codes for services connected to government IT systems, and recommended other 2FA code-generating tools like Google Authenticator or special USB dongles. The Süddeutsche Zeitung report shows exactly why SMS-based 2FA is risky.
There are a couple of obvious caveats here. First, as the Süddeutsche Zeitung article notes, criminals need more than just the SMSs to drain bank accounts – they also need the corresponding bank account details and passwords. Also, the hackers have to actually gain access to the SS7 network first, which is not easy – if you go to the trouble of hacking your way in.
On the other hand, why bother hacking through SS7’s security defenses when you can just buy access? The report claims that anyone can buy access to an SS7 network for 1,000 euros, raising an issue that’s been floating around for at least a few years: telcos allowing third parties like VoIP providers, smaller phone companies, third-party SMS messaging services and even law enforcement agencies to access their SS7 networks – and sometimes those third parties allegedly sublease that access to other companies for a fee (1,000 euros, say).
In other words, SS7 has security problems on multiple levels, has had them for a very long time, and it’s unclear when (if ever) telcos are going to address this to the extent that it’s reasonably safe to rely on SMS as a 2FA tool. Even an exchange fire can potentially send such SMSs to the wrong people (apparently). Frankly the easiest solution would be for banks to stop using SMS as security tokens altogether.