Signaling System No. 7, known as SS7, has been exploited by hackers in attacks designed to steal money from victims’ online bank accounts. SS7 is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down most of the world’s public switched telephone network calls. It also performs number translation, local number portability, prepaid billing, SMS, and other mass-market services.
Hackers Exploit SS7 in Attacks on German Banks
Apparently, hackers have exploited the SS7 system in attacks in Germany by using call-forwarding features built into this protocol, as reported by German newspaper Süddeutsche Zeitung.
How exactly did the attacks happen? When users travel abroad, the SS7 administrative data network allows local phone networks to verify that the user’s SIM card is valid using the Home Location Register. However, SS7 can be used as well. The attacks on German banks basically happened in two stages: phishing and call forwarding.
As with every phishing attack, hackers used fake emails to lure victims into visiting bank sites on lookalike domains. Victims were then told to enter their login credentials and other details needed for a money transfer. Account numbers, account passwords, mobile phone numbers and mTANs (Mobile Transaction Authentication Numbers) were compromised. mTANs are used to approve money transfers.
The second stage, the call forwarding, involved using a mobile telephony network located abroad which was instructed by the attackers to forward calls and SMS messages sent to the targeted device to the attackers’ number. This was done via SS7. The attackers were then able to log into the victim’s account, initiate a money transfer and receive the mTAN needed for the transfer to be approved.
These attacks are smartly crafted and illustrate weaknesses in sending one-time security tokens via SMS. Needless to say, this communication is easily intercepted via SS7 exploits and other means, including malware already installed on users’ devices.
The use of mTANs is often criticized by security experts and financial services regulators. For example, the German Federal Office for Information Security suggests that banks shouldn’t use mTANs or other two-step verification schemes. Instead, they say, banks should use two-factor authentication and should generate a TAN using a hardware- or software-based method.
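
A software-generated TAN of the kind recommended above, as an added example that is not part of the original article and not any bank's or regulator's actual scheme: the TAN is computed on the customer's device from a shared key and the transfer details, so nothing travels over SMS and a TAN approved for one transfer does not validate another. The key, IBANs, function names and the HOTP-style truncation (RFC 4226) over HMAC-SHA256 are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct


def generate_tan(device_key: bytes, counter: int, iban: str,
                 amount_cents: int, digits: int = 6) -> str:
    """Derive a TAN on the device from a shared key and the transfer details."""
    # Length-prefix every field so two different transfers can never
    # serialize to the same byte string.
    msg = struct.pack(">Q", counter)
    for field in (iban.replace(" ", "").upper().encode(),
                  str(amount_cents).encode()):
        msg += struct.pack(">H", len(field)) + field
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    # RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the MAC.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TanVerifier:
    """Bank-side check: recompute the TAN for the transfer actually requested."""

    def __init__(self, device_key: bytes, window: int = 2):
        self.key = device_key
        self.counter = 0        # next unused counter value
        self.window = window    # tolerated look-ahead if the device ran ahead

    def verify(self, tan: str, iban: str, amount_cents: int) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            expected = generate_tan(self.key, c, iban, amount_cents)
            if hmac.compare_digest(expected, tan):
                self.counter = c + 1   # burn the counter: a TAN is single-use
                return True
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-0123456789ab"     # constructed sample key
    victim_iban = "DE00 0000 0000 0000 0000 00"    # constructed sample IBANs
    other_iban = "DE00 1111 1111 1111 1111 11"
    bank = TanVerifier(key)
    tan = generate_tan(key, 0, victim_iban, 12500)
    print("altered payee accepted:", bank.verify(tan, other_iban, 12500))
    print("intended transfer accepted:", bank.verify(tan, victim_iban, 12500))
    print("replay accepted:", bank.verify(tan, victim_iban, 12500))
```

Because the payee and amount are inputs to the MAC, phished login credentials alone do not yield a usable TAN, and redirecting the victim's SMS traffic gains nothing since no code is ever sent to the phone number.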