Mobile Hackers Intercept Bank 2FA to Drain Accounts

A known flaw in the messaging system that underpins global mobile phone networks has been hacked by cyber-criminals to intercept two-factor banking passcodes.

O2-Telefonica told the German Süddeutsche Zeitung newspaper that some of its customers had been affected by the attacks, leaving their bank accounts short of funds.

Its statement read:

"A criminal attack was carried out from the network of a foreign provider in mid-January. It redirected incoming SMS messages for certain numbers in Germany to the attackers.”

The issue apparently lies with the Signalling System No. 7 (SS7) protocol, developed in the 1970s, which allows networks around the world to interoperate.

It allows attackers with access to a network operator’s systems – either via hacking or paying a corrupt insider – to effectively access the back-end systems of any other operator around the world.

This appears to be what happened in the O2 Telefonica case, although it’s unclear which foreign operator the hackers targeted first. The hackers are said to have already gained access to the victims’ bank accounts by phishing their log-ins or launching banking malware, and transferred funds out once they intercepted and entered the required one-time passcode.

The same SS7 flaw could also be used to listen in on conversations or even pinpoint a user’s geographic location, it’s claimed.

The issue was made public at the end of 2014, when researchers demonstrated it at the Chaos Communication Congress in Hamburg.

It was put in the media spotlight again last year after a 60 Minutes broadcast in which white hats demonstrated how US Representative Ted Lieu’s phone messages and conversations could be intercepted.

It’s possible that the telcos have delayed taking any action on this because they believe the global community of operators would never let a hacker access back-end systems. However, an expert told Süddeutsche Zeitung that access could be bought for as little as €1000.

Lieu has repeated calls he made last August for the FCC to get the problem fixed:

“Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”

Michael Downs, Positive Technologies EMEA director of telecoms security, argued the news will be a wake-up call for the industry.

“While no-one denied vulnerabilities existed, the sector believed the risk was minimal. However, as this incident shows, they clearly open mobile users up to the same kind of mass cybercrime problem that internet users have suffered from for years,” he added.

“Of equal concern is that Diameter, the new protocol for 4G and 5G networks, is similarly vulnerable despite being designed as a platform for thousands of emerging IoT applications – from cars to connected cities. Networks must accept the threat, educate themselves about the attack vectors being used and move to monitor and neutralize the problem. If they don’t, the brave new future where everything is connected, will suffer.”

What’s Hot on Infosecurity Magazine?