A known security flaw in the Signaling System 7 (SS7) protocol, which controls the way mobiles exchange calls and text messages across the globe, has been used by cyber criminals to crack into the European bank accounts.
According to German newspaper Süddeutsche Zeitung the vulnerability was exploited in January and used to bypass the two-factor authentication European banks were using to secure access to customer accounts.
The attackers were able to use SS7 to redirect text messages used by the banks to send one-time-use passwords to their own numbers then use ‘mobile transaction authentication numbers (mTANs) to transfer money out of a targeted account.
“Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January,” a representative with Germany’s O2 Telefonica told Süddeutsche Zeitung . “The attack redirected incoming SMS messages for selected German customers to the attackers.”
The unidentified network has since been blocked, and affected people have been warned of their bank account breach.
However, the SS7 security hole remains and has been in place since it first came to light in 2008. Awareness of the hole in a protocol that allows mobiles to functions with each other across the world, has been low and the risk of the SS7 vulnerability was deemed to be low.
With such bank accounts hack attacks, the flaw in SS7 has been dragged back out into the limelight and highlights that even small security holes can be exploited by savvy cyber criminals to great effects if left as they are.
The bank accounts attacks should act as a means to motivate telecoms companies to address it, though given the global reach of the protocol, that is not likely to be an easy task. So we will have to wait to see if the attacks will spur major providers to work on shutting out the vulnerability.
Such ‘baked in’ flaws in telecoms protocols should serve as a lesson to companies working on Internet of Things (IoT) devices and systems, which lack security standardisation to prevent them from being riddled with security holes ripe for exploitation in the near future.
Are you a security pro? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…