Last May, groups of cyber criminals pulled off a series of highly successful bank fraud attacks across Germany in which they transferred funds from private accounts by impersonating the account owners, according to German media.
The accounts in question were all protected by two-step authentication in the form of one-time passwords delivered by SMS.
How did hackers overcome this extra layer of security?
By exploiting basic flaws in the most prevalent cellular signaling system in the world today, known as Signaling System 7 (SS7).
So what is SS7?
SS7 is an internationally used protocol suite that most telecommunications operators rely on to exchange signaling with one another. This signaling sets up and routes calls, text messages and internet data. It also allows cell phone carriers to collect location information from cell towers and share that data with other nodes on the network.
SS7 was introduced decades ago, in the 1970s, when only a handful of companies provided data services. Today thousands of companies use SS7, and every one of them may gain access to the network. This enormously widened the exposure, and is ultimately what provided the criminals with the missing piece they needed to overcome two-factor authentication in the German hack.
How it Went Down
Through their investigations, cyber researchers were able to retrace the steps taken by the hackers in the May attacks. The attackers first spammed out traditional bank-fraud emails impersonating bank officials and requesting identification details. With this information, the hackers gained basic access to the victims' accounts, where they could view balances and other personal details, most importantly the victims' mobile phone numbers.
Although the criminals already had access to the victims' accounts, the two-factor authentication requirement prevented them from ordering transfers. To overcome this problem, the cyber crooks obtained SS7 access through a fake telecom provider and set up a redirect for each victim's phone number to a handset they controlled, thereby intercepting the SMS messages containing the one-time passwords sent by the banks.
The Fatal Flaw
The flaws in SS7 first came to wide public attention during a presentation by a German white-hat hacker at the 2008 Chaos Computer Club conference in Berlin. The hacker demonstrated how a cell phone could be tracked to any location in the world by gleaning data from SS7. The SS7 weaknesses lie primarily in the fact that thousands of companies and organizations have access to the network.
While major carriers such as AT&T or Verizon may be able to ensure their access points are secure, smaller companies around the world may not be so competent. This means that any random provider in the Congo could be hacked and provide access to the global system.
Additionally, a hacker ready to invest a bit of cash in his operation could purchase access to SS7 from the myriad "grey suppliers" that have popped up in recent years, as was the case in the May attacks in Germany. All the hacker needs then is the mobile phone number of the victim being targeted.
Since the 2008 Berlin conference, research into the vulnerabilities of SS7 has continued. In December 2014, Sternraute, another German cyber security firm, presented its findings at a Hamburg conference, revealing that it was possible to actually listen in to calls and reroute SMS delivery by exploiting SS7.
These findings were later sensationalized in April 2016 when a CBS journalist from 60 Minutes had a computer engineer from the Berlin-based Security Research Labs listen in to the cell conversations of California congressman Ted Lieu using the same SS7 exploitation method.
Lieu, who holds a degree in computer science from Stanford University and is a member of the House committee that oversees information technology, is now a major advocate for reforms in cellular data security standards.
It’s Vulnerable. Period.
The recent attacks underscore the fundamental flaws inherent in the SS7 system and, by extension, the insecurity of SMS as a second factor.
While SMS may be part of a two-step authentication protocol for a user, for a committed hacker it is not "two-step" at all. A simple data breach, whether through accidental information exposure or, as in the German hacks, through successful phishing, can expose the personal information necessary to circumvent SMS authentication, and for that matter any other device-based method.