Signaling System No. 7 known as SS7 has been exploited by hackers in attacks designed to steal money from victims’ online bank accounts. SS7 is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down most of the world’s public switched telephone network telephone calls. It also performs number translation, local number portability, prepaid billing, SMS, and other mass market services.
Hackers Exploit SS7 in Attacks on German Banks
Apparently, hackers have exploited the SS7 system in attacks in Germany by using call-forwarding features built into this protocol, as reported by German newspaper Süddeutsche Zeitung.
How did the attacks exactly happen? When users travel abroad, the SS7 administrative data network allows local phone networks to verify that the user’s SIM card is valid using the Home Location Register. However, SS7 can be used as well. The attacks on German banks basically happened in two stages: phishing and call forwarding.
As with every phishing attack, hackers used fake emails to lure victims into visiting banks using the domain lookalike technique. Victims were then told to enter their login credentials and other details needed for a money transfer. Account numbers, account passwords, mobile phone numbers and mTAN (Mobile Transaction Authentication Number) have been compromised. mTANs are used to approve money transfers.
The second stage, the call forwarding, involved using a mobile telephony network located abroad which was instructed by the attackers to forward calls and SMS messages sent to the targeted device to the attackers’ number. This was done via SS7. The attackers were then able to log into the victim’s account, initiate a money transfer and receive the mTAN needed for the transfer to be approved.
These attacks are smartly crafted and illustrate weaknesses in sending one-time security tokens via SMS. Needless to say, this communication is easily intercepted via SS7 exploits and other means, including malware already installed on users’ devices.
The employment of mTANs is often criticized by security experts and financial services regulators. For example, the German Federal Office for Information Security suggests that banks shouldn’t use mTANs or other two-step verification schemes. Instead, they say, banks should use two-factor authentication and should generate a TAN using a hardware- or software-based method.