Cybersecurity researchers warned us that this would happen, eventually. Earlier this year, hackers were able to remotely pilfer German bank accounts by taking advantage of vulnerabilities in an important yet outdated communications protocol known as Signaling System 7, or SS7, which enables global cellular networks to communicate with one another.
The high-tech robbery, initially reported last week by German newspaper Süddeutsche Zeitung, represents the first known, real-world case of thieves exploiting SS7 to intercept confirmation codes that are typically sent by banks to validate actions taken by online banking customers. The recently disclosed intrusions showcase a unique and sophisticated hacking operation that combined targeted phishing emails with SS7 exploits to bypass two-factor authentication, or 2FA, protection.
Telecommunications giant O2-Telefonica confirmed details of the SS7-based cyberattacks to Süddeutsche Zeitung.
The multi-stage cybercrime campaign required that the hackers steal user credentials to access individual bank accounts in order to transfer money into dummy funds. After stealing the necessary login details via phishing emails, the perpetrators intercepted the associated authentication codes sent to the victims — messages notifying them of account activity — to validate the transactions and remain hidden, investigators say.
News of the incident prompted widespread concern online, as security advocates railed against the popular and continued use of text messages to authenticate account activity despite a growing body of evidence that SS7 is unsafe for delivering such data.
Security experts say that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.
“While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems,” said Cris Thomas, a strategist at Tenable Network Security. “Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to as attacks on SS7 become increasingly common.”
Cybersecurity researchers first began warning the public and private sector in late 2014 about dangerous flaws in SS7 that allow hackers to, among other things, track a phone’s GPS location, listen to calls and read or redirect SMS messages.
“This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed, and provides a rallying-cry to mobile carriers to act fast and work with vendors to protect their customers and their networks,” said Mark Windle, director of Mavenir, a Texas-based network partner for major telecommunications service providers.
“The industry at large needs to go beyond simple measures such as two-factor authentication, to protect mobile users and their data, and invest in more sophisticated mobile security,” Windle added.
While the Washington Post and Forbes magazine previously reported that intelligence agencies and defense contractors are known to boast related capabilities, the widespread adoption of SS7 exploitation by the cybercriminal underground remains to be seen.
“We have known about this issue for some time but despite warnings, institutions have adopted text messages for 2FA because it’s cheap. It’s another chapter in the same saga: when there is a choice of free/cheap and spending a little more and protecting users, free/cheap wins all the time,” said John Bambenek, a threat intelligence manager at Fidelis Cybersecurity. “The reality is that it’s 2017, we are even more dependent on our technology, mobile devices, and tablets and we simply have not taken the time to figure out and implement a way to have effective authentication online.”
In March, just two months ago, Oregon Sen. Ron Wyden and California Rep. Ted Lieu sent a letter to Homeland Security Secretary John Kelly requesting that DHS investigate and provide information regarding the impact of SS7 vulnerabilities on U.S. companies and governmental agencies.
Kelly has not responded to the letter from the two Democrats, a spokesperson for Wyden told CyberScoop.
cyberscoop.com 8 May 2017