Stealing money from bank accounts by intercepting codes in SMS

Cybercriminals have cracked the SS7 protocol to steal SMS with banking confirmation codes.

Most banks use two-factor authentication to protect their clients' money - these are the same 4-6-digit codes that are needed to confirm transactions or enter the Internet bank. Banks usually send these one-time codes in SMS messages. Alas, SMS is far from the best option, since text messages can be intercepted. Actually, this is exactly what happened in the UK recently.

Hacking the SS7 protocol and intercepting messages
How do attackers intercept text messages? There are several ways; the most extravagant of them exploits the imperfection of the SS7 protocol (which in Russian is called OKS-7). It is used by telecom operators around the world for routing calls and, at the same time, for sending SMS.
You can read more about the protocol in this article, but the main idea is that the SS7 protocol does not provide for checking who is sending commands. And if cybercriminals manage to penetrate the cellular network, then they are able to redirect messages and calls without the knowledge of the subscriber to whom they are addressed.

How the SMS interception scheme works
The scheme works like this: first, cybercriminals find out the victim's login and password for online banking - for example, using phishing, keyloggers, or banking Trojans. Once logged into an online bank, they submit a money transfer request. Most modern banks require additional confirmation for the transfer and send a code to make sure that the transaction is performed by the account owner.
If the bank sends the code via SMS, the attackers, using the SS7 vulnerability, intercept the message and enter the code as if they received it on the victim's phone. The bank transfers money, considering the operation to be absolutely legitimate, because it is authorized twice: first with a password, and then with a one-time code. As a result, satisfied cyber fraudsters can easily receive other people's money.

Stealing money using SMS hacking: from theory to practice
Information security experts have long warned of the theoretical possibility of such a hack. And a couple of years ago this happened in practice: in Germany, a massive attack on bank customers was recorded under this scenario. More recently, it happened again, this time in the UK: according to Motherboard, some Metro Bank clients were targeted.
But there is good news as well. As representatives of Metro Bank commented, very few clients faced such a situation and “no one lost their money as a result of the attack”.

How to protect your bank account
All of this could have been avoided were it not for the banks' commitment to two-factor authentication based on text messages instead of, for example, special applications or even hardware authenticators like YubiKey.
Unfortunately, with a few exceptions, financial institutions generally don't offer any form of two-factor authentication other than SMS. Hopefully, the situation will change in the future and the number of banks around the world that provide customers with a wider range of reliable protection options will grow.

The following conclusions can be drawn from this story:
  • While it is highly desirable to use two-factor authentication everywhere, it is better to use more secure options instead of SMS, such as authenticator apps or YubiKey.
  • Protect your devices from banking Trojans and keyloggers with a reliable antivirus solution - this way you prevent them from finding out your logins and passwords and protect yourself from the situations described in this article.
 