Anti-Phishing, DMARC , Fraud Management & Cybercrime , Multi-factor & Risk-based Authentication

Bank Account Hackers Used SS7 to Intercept Security Codes

Well-Known Signaling System 7 Protocol Flaws Exploited in Germany

Hackers drained online bank accounts used by some O2-Telefonica users in Germany. (Photo: Mariano Mantel, Flickr/CC)

Hackers have exploited the Signaling System #7 international telecommunications signaling protocol as part of a two-stage attack designed to drain money from online bank accounts.

See Also: Move Beyond Passwords

The attacks successfully targeted online bank account holders in Germany by using call-forwarding features built into the SS7 protocol, German daily newspaper Süddeutsche Zeitung reports.

When mobile phone users travel abroad, the SS7 administrative data network allows local phone networks to verify that the user's SIM card is valid, via what's called the Home Location Register. But that SS7 functionality can also be abused. In the case of the German online bank attacks, which banks began seeing in January, Süddeutsche Zeitung reports that hackers employed a two-stage assault:

Phishing attack: Fake emails tricked victims into visiting lookalike bank websites, where they were directed to enter all login and related information required to initiate a money transfer, including their account number, account password and the mobile phone number they registered with the bank to receive a one-time mobile transaction authentication number (mTAN), which must be entered into the bank's website to approve money transfers. Call forwarding: Using a mobile telephony network located abroad, attackers instruct it - via SS7 - to forward all calls and SMS messages sent to a victim's mobile phone number to an attacker-controlled number. Fraudsters can then log into a victim's account, initiate a money transfer and then receive the mTAN required to approve the transfer.

The attacks demonstrate well-known weaknesses pertaining to sending one-time security tokens via SMS messages, because such messages can be intercepted - not just via SS7 exploits, but also potentially from malware installed on a mobile device. That's why many security experts and financial services regulators - including the German Federal Office for Information Security, known as the BSI - recommend that banks never use mTANs or other two-step verification schemes. Instead, they recommend using two-factor authentication and generating a transaction authentication number, or TAN, via a hardware-based or software-based dongle.

Fraudsters Moved Fast

Security experts say it's no surprise hackers have exploited SS7 features to steal money, especially because related, inexpensive call-interception attacks were first demonstrated by researchers in 2014. But Alan Woodward, a computer science professor at the University of Surrey who last year detailed on a BBC television program how SS7 flaws could be exploited, says he's surprised by how quickly fraudsters have moved.

"Don't get me wrong, this is not a simple hack, this is not trivial," Woodward tells Information Security Media Group. "I'll hold up my hand, I thought it was going to take people a lot longer to do this than it did."

For German bank customers, at least, the news is not bleak. After attacks were spotted in mid-January, O2-Telefonica tells Süddeutsche Zeitung that it blocked the foreign telephony provider attackers used and that German customers are now no longer at risk from these types of attacks.

O2-Telefonica didn't immediately respond to a request for comment about how it is now blocking these types of attacks. But Hendrik Schmidt from IT security firm ERNW tells Süddeutsche Zeitung that the attacks can be blocked if mobile operators disallow call forwarding or else restrict that functionality to only trusted providers.

In other words, it appears that the telcos are "effectively modifying how SS7 works," says Woodward, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol. "That's good. We can only hope that other telcos follow suit."

Unfortunately, telcos have had ample time and warning to address these flaws, but so far most apparently have done little.

Mounting Security Concerns

The SS7 protocol dates from the 1970s, and its authors assumed that only a closed group - comprising large telecommunications firms - would be able to provide telephony services, Woodward says. Then the internet and voice over IP communications came along, creating all sorts of inexpensive ways in which mobile telephony networks could be accessed and legitimate features potentially used for unintended purposes.

Professor Alan Woodward of the University of Surrey discusses the SS7 legacy.

Ways in which SS7 could be exploited began coming to light in 2008, when German researcher Tobias Engel demonstrated at the annual Chaos Communication Congress how SS7 could be used to determine a phone's location.

Related research appears to have surged after 2013, when former National Security Agency contractor Edward Snowden leaked information showing that the intelligence agency was using SS7 to help spy on targets.

At the 2014 Chaos Communication Congress meeting, German security scientist Karsten Nohl demonstrated how SS7 could be hacked. He also showed the television program 60 Minutes how, with only knowledge of a target's mobile phone number, he could spy on a user and demonstrated that by eavesdropping on U.S. congressman Ted Lieu's mobile phone calls - with his permission.

Slide from Karsten Nohl's 2014 Chaos Communication Congress 31C3 presentation.

The same year, researchers at Positive Technologies reported that they'd been able to develop low-cost SS7 attacks. Once they had access to SS7 via a mobile provider, the researchers were able to track a phone's location, block calls and intercept incoming and outgoing calls, as well as SMS messages.

Furthermore, such attacks were possible using unsophisticated equipment, the researchers warned, saying they'd used a Linux-based computer and publicly available software development kit. The researchers also reported that the world's 10 largest mobile telephony providers were vulnerable to the proof-of-concept attacks they had developed, and that blocking related exploits was difficult, because attacks could be crafted using legitimate SS7 messages, meaning it was almost impossible to filter them out.

That same year, evidence of in-the-wild attacks also began to surface. In late 2014, researchers at mobile network security firm AdaptiveMobile highlighted a little-seen report issued by Ukraine's telecommunications regulator in May 2014, detailing apparent SS7 attacks launched against Ukrainians, apparently via Russian mobile operators. During the attacks, when someone attempted to telephone a targeted mobile phone user, the call was instead "forwarded to a physical land line number in St. Petersburg, Russia," the researchers said.

Seeking Revised BGP, SS7 Implementations

Given the rising security concerns, numerous experts have been calling on telcos to strengthen SS7, as well as another core infrastructure protocol called Border Gateway Protocol, which controls how internet traffic gets routed.

To date, however, telcos apparently have yet to put in place full-fledged fixes. "If you think about it from a telco's perspective, it would cost them quite a lot of money to put this right," Woodward says.

Unfortunately, few businesses pursue security hygiene for security hygiene's sake, he notes. "It's fixing a security problem that's not very sexy and which doesn't bring them new customers."

Thankfully, government-led efforts to design and test revised BGP and SS7 implementations are already underway in some countries, including Britain.

If these efforts are successful, domestic internet traffic could not be easily rerouted - as is currently possible via BGP hijacking; SS7 call-interception exploits could be blocked; and it should be possible to prevent malware-infected U.K.-based endpoints from being pressed into service as part of large-scale distributed denial-of-service attacks, Ian Levy, technical director of the U.K.'s National Cyber Security Center - part of intelligence agency GCHQ - said in a November 2016 blog post.

"Once we have proved this works, we intend to work with the international ISP and IX [internet exchange] community to have similar protections built in other major exchanges - in order to make DDoS and prefix hijacks globally much harder prospects," Levy wrote. "The SS7 hardening work should allow us to make traffic rerouting harder but also to make smishing (that's phishing over text message if you've not heard of it) harder in the U.K. for certain SMS TPOAs - Transmission Path Originating Address (think 'from address'). That'll all be through working with the relevant companies to get the implementation standards written and implemented."