Long-known but relatively obscure vulnerabilities in global mobile telecommunications systems are reaching a wider audience, including cybercriminals, who are always looking for new ways to intercept sensitive data and co-opt user authentication sessions intended to protect digital banking and payments.
A recent attack on customers of O2-Telefonica in Germany saw many of their bank accounts emptied of funds. The thieves exploited weaknesses in the SS7 signalling protocol over several months to redirect and intercept the SMS two-factor authentication codes that banks send to online banking customers to confirm transfers, thereby gaining access to their accounts and draining them.
Signaling System 7 (SS7) is the international set of signalling protocols that telephone networks, fixed and mobile, use to set up calls, route text messages and exchange subscriber information with one another. It is what allows a cellphone user from South Africa, for example, to roam on a network anywhere else in the world and still make and receive calls and text messages. It is the backbone of worldwide mobile communication, relied on by billions of people.
Once they have gained access to the SS7 network, intruders can falsely register a subscriber's phone as roaming on equipment they control, which spoofs the phone's location; the home network then routes that subscriber's text messages to the intruder, and calls can be redirected or listened to in the same way. This poses significant risks for any institution that uses the mobile network to transmit authentication information such as SMS one-time passwords (OTPs).
There has been a high level of complacency around the risks of SS7, despite repeated warnings from security researchers in recent years. That’s because no large-scale fraud attack has ever been reported – until now. (It is extremely likely, of course, that spy agencies and law enforcement have used SS7 for years to gather data on so-called persons of interest.)
The attack on German customers, which became public in May, showed clearly that SS7 weaknesses can be weaponised against SMS OTP. It was a two-stage attack. First, the criminals infected victims' computers with spammed malware and harvested their online banking login details, passwords, account balances and mobile numbers. Then, using SS7 access, they redirected the OTPs that the banks sent to the victims' phones to themselves, and with both the credentials and the codes they could log in and authorise transfers. As in most attacks that hijack a victim's mobile number (SIM swaps included), the fraudsters made the transfers late at night, when victims were least likely to notice and raise the alarm.
Financial institutions, social media sites and other organisations that are reliant on mobile authentication protocols cannot control the technology on which global telecommunications systems rest, but they can institute measures that will mitigate much of the risk to their customers.
The first and most obvious way to avoid this kind of attack is to move away from SMS OTPs altogether. This form of authentication is, in any case, being phased out by financial institutions globally, and NIST's Digital Identity Guidelines (SP 800-63B) now classify OTPs delivered over the public telephone network as a restricted authenticator.
Network-initiated unstructured supplementary service data (NI-USSD, also known as push USSD) is often put forward as a safer way to authenticate transactions than SMS. SMS is a store-and-forward technology: the message waits in the network until it can be delivered and then sits in the phone's inbox. Push USSD is instead a live, two-way session that the network opens to the handset in real time; the user responds within the session, and nothing of use to a fraudster is stored on the device afterwards.
Push USSD sessions can, however, still be redirected in the same way that calls and text messages can, because USSD is carried over the same SS7 signalling and is delivered to wherever the network currently believes the subscriber's SIM is registered. An attacker who has used SS7 to register the victim's number on their own equipment receives the entire USSD session, and the victim never knows. If a network operator is exposed to SS7 attack, USSD is therefore technically no safer than SMS. Operators can gain some resistance by deploying SS7 firewalls that drop signalling messages with no legitimate use across the interconnect and sanity-check the rest, but a firewall reduces the risk rather than removing it.
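The kind of screening an SS7 firewall does, as an added illustration written for this page (not code from the article's author, any operator or any firewall vendor): incoming MAP messages are classified by operation, by whether the sender is a known roaming partner, and by whether a claimed change of location is physically plausible. The record format, the home and partner network names, the list of operations treated as internal-only, the 60-minute travel threshold and the sample log are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One MAP signalling message as seen at the interconnect (constructed format)."""
    ts: datetime
    origin_cc: str    # country of the sending global title
    origin_net: str   # sending network, as resolved from the global title
    imsi: str         # subscriber the message concerns
    op: str           # MAP operation name


HOME_NET = "home-op"                       # assumed: the protected operator's own network
ROAMING_PARTNERS = {"uk-op", "de-op"}      # assumed: networks allowed to register our subscribers
# Assumed policy: location-query operations with no legitimate use across the interconnect
INTERNAL_ONLY = {"AnyTimeInterrogation", "SendIMSI", "ProvideSubscriberInfo"}
MIN_TRAVEL = timedelta(minutes=60)         # assumed: no genuine change of country faster than this


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated records: timestamp country network imsi operation."""
    events = []
    for line in text.strip().splitlines():
        ts, cc, net, imsi, op = line.split()
        events.append(Event(datetime.fromisoformat(ts), cc, net, imsi, op))
    return events


def screen(events: List[Event]) -> List[Tuple[Event, str, str]]:
    """Return (event, verdict, reason) for each message; verdict is accept, alert or block."""
    last_seen: Dict[str, Tuple[str, datetime]] = {}   # imsi -> (country, time of last accepted registration)
    results = []
    for ev in events:
        verdict, reason = "accept", "policy-allowed"
        if ev.origin_net == HOME_NET:
            pass  # own-network signalling is not screened, only used to track where the subscriber is
        elif ev.op in INTERNAL_ONLY:
            verdict, reason = "block", f"{ev.op} has no legitimate use from outside the network"
        elif ev.op == "UpdateLocation":
            if ev.origin_net not in ROAMING_PARTNERS:
                verdict, reason = "block", f"registration attempt from non-partner {ev.origin_net}"
            else:
                prev = last_seen.get(ev.imsi)
                if prev and prev[0] != ev.origin_cc and ev.ts - prev[1] < MIN_TRAVEL:
                    verdict, reason = "block", f"implausible move {prev[0]}->{ev.origin_cc} in {ev.ts - prev[1]}"
        elif ev.op == "SendRoutingInfoForSM" and ev.origin_net not in ROAMING_PARTNERS:
            # Legitimate SMS interconnects also send this, so it is flagged rather than blocked here
            verdict, reason = "alert", f"SMS routing query for subscriber from unknown origin {ev.origin_net}"
        if verdict == "accept" and ev.op == "UpdateLocation":
            last_seen[ev.imsi] = (ev.origin_cc, ev.ts)
        results.append((ev, verdict, reason))
    return results


# Constructed sample: one subscriber, a home registration, then a burst from an unknown
# signalling source trying to learn where the phone is and re-register it, then real roaming.
SAMPLE_LOG = """
2017-05-03T01:12:00 ZA home-op  655010123456789 UpdateLocation
2017-05-03T01:20:00 XX fake-hub 655010123456789 SendRoutingInfoForSM
2017-05-03T01:21:00 XX fake-hub 655010123456789 UpdateLocation
2017-05-03T01:22:00 XX fake-hub 655010123456789 AnyTimeInterrogation
2017-05-03T09:00:00 GB uk-op    655010123456789 UpdateLocation
2017-05-03T09:10:00 DE de-op    655010123456789 UpdateLocation
"""


def verdicts_for(text: str) -> List[str]:
    return [verdict for _, verdict, _ in screen(parse_log(text))]


if __name__ == "__main__":
    for ev, verdict, reason in screen(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts:%H:%M} {ev.op:<22} {ev.origin_net:<9} {verdict:<6} {reason}")
```

The point of the plausibility rule is the last record: the sender is a legitimate partner and the operation is perfectly normal, so only the history of where the subscriber was ten minutes earlier gives the game away. That is also why such screening is a detection scheme rather than a guarantee: it depends on having the right state and the right thresholds, and an attacker who registers the phone from a plausible place at a plausible time passes.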
To take the eavesdropping that SS7 makes possible out of the picture entirely, the authentication channel must not depend on the mobile network at all. That means opening an isolated, end-to-end encrypted channel between an app on the phone and the servers that process payments or hold sensitive data, and properly authenticating the users of that channel.
With a self-contained cryptographic infrastructure deployed to the phone, keys are generated or provisioned on the device and never travel over the mobile network, so the scheme no longer depends on the security of the telecommunications protocols or of the mobile network operators. An SS7 intruder who redirects the subscriber's traffic sees only ciphertext, and nothing that could be replayed against another transaction, which defeats the OTP-interception stage of the attack seen in Germany. Two caveats remain: the channel is only as trustworthy as its enrolment, that is, how the keys first get onto the right customer's device, and it does not protect a device that has itself been compromised, which was the other half of the German attack (there, the victims' computers).
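What "nothing that could be replayed against another transaction" means in practice, as an added example written for this page rather than code from the article's author or any bank: the device holds a key from enrolment, the server issues a single-use challenge bound to the exact transaction, and the app returns a tag over the transaction and the challenge. An interceptor who captures the tag, as they captured the SMS codes in Germany, cannot apply it to a different transfer, reuse it, or use it after it expires. The class and function names, the shared-HMAC construction (a real deployment would use a per-device public-key signature held in the phone's hardware keystore), the 120-second lifetime and the sample transactions are assumptions; the `sms_otp_check` function is included only to show the contrast with a bearer code.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def canonical(tx: dict) -> bytes:
    """Deterministic encoding of the transaction being approved, so that the tag
    covers exactly the amount, beneficiary and account the user was shown."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def app_approve(device_key: bytes, tx: dict, nonce: str) -> str:
    """Computed by the phone app after displaying the transaction to the user.
    The key stays on the device; only this tag travels over the network."""
    return hmac.new(device_key, canonical(tx) + nonce.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed policy)

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}                              # device_id -> enrolled key
        self.challenges: Dict[str, Tuple[str, bytes, float]] = {}    # nonce -> (device_id, tx, expiry)

    def enrol(self, device_id: str) -> bytes:
        """One-time enrolment. Getting this key onto the right customer's device
        over an authenticated channel is the critical step and is out of scope here."""
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key

    def issue_challenge(self, device_id: str, tx: dict, now: Optional[float] = None) -> str:
        """Bind a fresh single-use nonce to this device and this exact transaction."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (device_id, canonical(tx), now + self.CHALLENGE_TTL)
        return nonce

    def verify(self, device_id: str, tx: dict, nonce: str, tag: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.challenges.get(nonce)
        key = self.keys.get(device_id)
        if entry is None or key is None:
            return False
        chal_device, chal_tx, expiry = entry
        if chal_device != device_id or now > expiry:
            return False
        if chal_tx != canonical(tx):            # a captured tag cannot be moved to another transfer
            return False
        expected = hmac.new(key, chal_tx + nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                        # a real deployment also rate-limits attempts
        del self.challenges[nonce]              # single use: the same tag cannot be replayed
        return True


def sms_otp_check(sent_code: str, submitted_code: str) -> bool:
    """The SMS OTP model for contrast: whoever holds the six digits is authorised,
    for whatever transaction they choose. Reading the text message is enough."""
    return hmac.compare_digest(sent_code, submitted_code)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: a genuine approval, then what an interceptor
    who captured the tag in transit can and cannot do with it."""
    server = AuthServer()
    key = server.enrol("phone-A")
    tx = {"from": "ZA00 1234", "to": "ZA00 9876", "amount": "150.00", "ccy": "ZAR"}
    nonce = server.issue_challenge("phone-A", tx)
    tag = app_approve(key, tx, nonce)           # observable by an SS7 intruder, like an SMS would be
    evil_tx = dict(tx, to="ZA00 6666", amount="9000.00")
    hijacked = server.verify("phone-A", evil_tx, nonce, tag)   # tag applied to attacker's transfer
    legit = server.verify("phone-A", tx, nonce, tag)           # the customer's own approval
    replayed = server.verify("phone-A", tx, nonce, tag)        # exact captured message sent again
    nonce2 = server.issue_challenge("phone-A", tx, now=1000.0)
    expired = server.verify("phone-A", tx, nonce2, app_approve(key, tx, nonce2),
                            now=1000.0 + AuthServer.CHALLENGE_TTL + 1)
    return {"legit": legit, "hijacked": hijacked, "replayed": replayed,
            "expired": expired, "sms_otp_intercepted": sms_otp_check("482913", "482913")}


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole argument of this section: with an SMS OTP the secret is the thing in transit, so intercepting it is the attack; with a device-held key the thing in transit is useless without the key, the challenge and the matching transaction. The two caveats from the text show up in the code as well: `enrol` is where the key must reach the right device, and a phone running malware could compute `app_approve` over a transaction the user never saw.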
As yet, no SS7 attacks have been reported in South Africa, and network operators indicate that they remain vigilant, but their defences are detection schemes at the signalling layer rather than an encrypted channel that would make interception of the authentication traffic worthless.