A security vulnerability which exists in cellular networks allows cyber criminals to intercept SMSs and clean out a victim’s bank account through Internet banking fraud.
The security vulnerability in Signaling System 7 (SS7) makes it possible for a hacker to intercept your phone calls, read your text messages, and determine your movements.
SS7 is an international telecommunications standard developed to handle call set-up, management, and tear-down.
A weakness in SS7 means that a cybercriminal can intercept and read your SMS messages. All they need to do this is your mobile number.
The SS7 vulnerability is not new. SR Labs warned of it in 2008, but it was not until 2014 – when the vulnerability was demonstrated at a conference – that people started to take notice.
In 2014, researchers warned that vulnerabilities in the protocol threatened users’ privacy and could lead to user tracking, fraud, denial of service, and call interception.
The security vulnerability made headlines again after criminals exploited it to commit Internet banking fraud.
Criminals successfully attacked German banking customers who used SMS as a two-factor authentication method.
The criminals first launched phishing attacks to steal account login details and mobile numbers from clients, and then used the SS7 vulnerability to intercept SMSs to add beneficiaries and transfer funds.
The attack was similar to Internet banking fraud cases in South Africa, where criminals use phishing attacks and SIM-swap fraud to illegally move money.
SMS no longer safe
This is the latest example of why SMS is no longer considered to be a safe two-factor authentication method for banking.
In 2016, the US National Institute of Standards and Technology (NIST) said SMS notifications are not recommended for two-factor authentication because of weaknesses in the system.
Kaspersky Lab also warned that criminals use banking Trojans to bypass two-factor SMS authentication and access banking accounts.
“Two-factor authentication cannot protect you from banking Trojans. It failed to do that for many years and now the situation is not going to turn for the better,” said Kaspersky Lab.
MTN, Telkom – No comment
Many South Africans have lost money through Internet banking fraud, which raises the question as to whether local networks are vulnerable to SS7 attacks.
The security flaw may have played a role in the recent spate of Internet banking fraud cases in the country, according to industry commentators.
MyBroadband asked the four mobile operators whether their networks contain the SS7 security flaw – Vodacom and Cell C responded.
- MTN – No comment
- Telkom – No comment
Vodacom said its security methods are constantly improving to ensure its customers are protected against fraud.
“In terms of the SS7 matter, an industry-wide issue affecting all mobile operators, Vodacom assures a secure mobile network through the implementation of Strong Security Baseline (SSB) controls – of which IP and SS7 security controls form an integral part,” said Vodacom.
“These controls… help protect Vodacom customers against vulnerabilities seen in SS7 signalling networks.”
“Vodacom has implemented these measures to improve the resilience of its network against these threats/attacks that seek to exploit SS7 vulnerabilities.”
Vodacom said it works closely with the GSMA and security experts to increase security around SS7 networks.
Cell C stated that SS7 is an international telecom standard prescribed by the GSMA, meaning “all telecommunication providers are required to use it”.
However, there have been no reports of subscribers on the Cell C network being impacted.
“The more security measures that are in place, the better. SMS can be one of them, but should not be the sole measure,” said Cell C.
“The banks have chosen SMS as a means of authentication and we work closely with the banks to ensure that any vulnerabilities are addressed.”
Security vulnerability in Signaling System 7 explained
The video below from CBS explains the SS7 vulnerability.