Cybersecurity researchers warned us that this would happen, eventually.
Earlier this year, hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities evident in an important yet outdated communications protocol known as Signaling System 7, or SS7, which enables global cellular networks to communicate with one another.
The high-tech robbery, initially reported last week by German newspaper Süddeutsche Zeitung, represents the first known, real-world case of thieves exploiting SS7 to intercept confirmation codes that are typically sent by banks to validate actions taken by online banking customers. Recently disclosed intrusions showcase a unique and sophisticated hacking operation that leveraged a combination of both targeted phishing emails and SS7 exploits to essentially bypass two-factor authentication, or 2FA, protection.
Two-factor authentication over text messages is dying. https://t.co/ax5nRFcXGq
— Mikko Hypponen (@mikko) May 4, 2017
Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyberattacks to Süddeutsche Zeitung.
The multi-stage cybercrime campaign required that the hackers steal user credentials to access individual bank accounts in order to transfer money into dummy funds. After stealing the necessary login details via phishing emails, the perpetrators intercepted the associated authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.
— Ted Lieu (@tedlieu) May 3, 2017
News of the incident prompted widespread concern online, as security advocates railed against the popular and continuous use of text messages to authenticate account information while a mountain of growing evidence now exists proving SS7 is unsafe to deliver such data.
— Alan Woodward (@ProfWoodward) May 4, 2017
Security experts say that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.
“While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems,” said Cris Thomas, a strategist at Tenable Network Security. “Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to as attacks on SS7 become increasingly common.”
Cybersecurity researchers first began warning the public and private sector in late 2014 about dangerous flaws in SS7 that allow hackers to, among other things, track a phone’s GPS location, listen to calls and read or redirect SMS messages.
“This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed, and provides a rallying-cry to mobile carriers to act fast and work with vendors to protect their customers and their networks,” said Mark Windle, director of Mavenir, a Texas-based network partner for major telecommunications service providers.
“The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security,” Windle added.
While the Washington Post and Forbes magazine previously reported that intelligent agencies and defense contractors are known to boast related capabilities, the widespread adoption of SS7 exploitation by the cybercriminal underground remains to be seen.
“We have known about this issue for sometime but despite warnings, institutions have adopted text messages for 2FA because its cheap. Its another chapter in the same saga when there is a choice of free/cheap and spending a little more and protecting users, free/cheap wins all the time,” said John Bambenek, a threat intelligence manager at Fidelis Cybersecurity. “The reality is that its 2017, we are even more dependent on our technology, mobiles devices, and tablets and we simply have not taken the time to figure out and implement a way to have effective authentication online.”
In March, just two months ago, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security Secretary John Kelly requesting that DHS investigate and provide information regarding the impact of SS7 vulnerabilities to U.S. companies and governmental agencies.
Kelly has not responded to the letter from the two Democrats, a spokesperson for Wyden told CyberScoop.