SS7 breaches used to steal money from bank accounts


Security researchers have been warning for years about critical security holes in Signaling System 7 (SS7) that could allow hackers to intercept SMS codes. The attacks, first reported in Germany, mark the first time that criminals have been able to exploit the SS7 flaws to intercept two-factor authentication codes (one-time passcodes, or OTPs) sent to online banking customers and drain their bank accounts.

This is how they did it

The attackers first spammed out traditional bank-fraud trojans to infect account holders’ computers and steal the passwords used to log into bank accounts and view account balances, along with the victims’ mobile numbers. What still prevented the attackers from making money transfers was the one-time password that the bank sends via text message to its online banking customers to authorise the transfer of funds between accounts.

To overcome this issue, the cyber crooks then purchased access to a fake telecom provider and set up a redirect for the victim’s phone number to a handset controlled by them. Specifically, they used SS7 to redirect the SMS messages containing OTPs sent by the bank. Next, the attackers logged into victims’ online bank accounts and transferred money out: as soon as the bank sent the authorization codes, they were routed to numbers controlled by the attackers instead of to the designated account holders, and the attackers finalised the transaction.

What does SS7 normally do?

SS7 is a set of protocols allowing phone networks to exchange the information needed for passing calls and text messages between each other and to ensure correct billing. It also allows users on one network to roam on another, such as when travelling in a foreign country.

Fixing the problem

But the security of SS7 is only as good as its weakest link. Unfortunately, there’s nothing that the average person can do to patch this security flaw, or even to ensure that their bank is not affected. Due to the nature of the SS7 system, the issue will need to be fixed by the FCC and the telecommunications industry.

What’s even more alarming is that these two parties don’t seem to be all that concerned about your security. If it had only been a few weeks or months since the issue had been brought to their attention, that would be one thing. But researchers discovered and reported the SS7 flaw back in December 2014!

Change passwords of bank accounts

Right now, it’s a good idea to change the password for your bank account, and for any other account where you use two-factor authentication, as hackers would need those passwords to access the account before carrying out the SS7 attack.

Sources: Komando, The Hacker News, The Guardian