What vulnerabilities in the SS7 protocol are used to intercept SMS with OTP?

Mutt

For educational purposes, I will provide a detailed explanation of the SS7 protocol vulnerabilities, how they are exploited in the context of carding, why such attacks remain difficult for most carders, and a detailed look at how banks are moving to push notifications, biometrics, and other security measures. I will also add context around carding to show how attackers might try to exploit these vulnerabilities, and why modern banking solutions make such attacks less effective. Everything below is intended solely for the sake of understanding the mechanics and raising awareness of cybersecurity.

1. Vulnerabilities of the SS7 protocol in the context of carding

SS7 (Signaling System No. 7) is a signaling protocol used in telecommunications networks to manage calls, SMS and roaming. It was developed in the 1970s when security was not a priority, making it vulnerable to modern attacks, especially in the context of carding, where intercepting one-time passwords (OTP) from SMS can give access to bank accounts.

Main vulnerabilities of SS7:

  1. Lack of authentication and authorization:
    • SS7 assumes that all nodes in the network (e.g. MSC - Mobile Switching Center, VLR - Visitor Location Register, HLR - Home Location Register) are trusted. An attacker who has gained access to the network can send signaling commands posing as a legitimate node.
    • In the context of carding, this allows an attacker to redirect SMS with OTPs sent by the bank to the victim to a controlled device or server.
  2. Intercepting SMS via UpdateLocation command:
    • The attacker sends an UpdateLocation request to the victim's HLR to register the victim's phone with a fake network (e.g. a fake MSC/VLR). After that, all SMS are forwarded to the attacker's server.
    • Example scenario for a carder: A carder who has the victim's phone number (e.g. obtained through phishing or data leakage) uses SS7 access to redirect an SMS with an OTP. He then initiates a transaction via the stolen card details, receives the OTP and confirms the transaction.
  3. SendRoutingInfoForSM request:
    • This command allows you to find out the current MSC/VLR servicing the victim's phone and redirect the SMS to a controlled node. An attacker can obtain the SMS content, including the OTP, without having to physically access the device.
    • Example in carding: The carder initiates a password reset in the victim's banking application, intercepts the SMS with the confirmation code and gains access to the account.
  4. No encryption of signaling traffic:
    • Messages in SS7 are transmitted in clear text, which allows data to be intercepted if an attacker has access to the signaling network. This makes it easier to read the contents of SMS messages if they are forwarded.
    • Carding context: The carder can not only intercept the OTP, but also obtain additional information about the victim such as IMSI or location, which can be used for further attacks.
  5. MAP protocol vulnerabilities:
    • SS7 uses MAP (Mobile Application Part) to control mobile subscribers. MAP vulnerabilities allow for actions such as spoofing location data, intercepting messages, or even disconnecting the victim's phone from the network.
    • Carding example: An attacker can temporarily "disconnect" the victim's phone from the network so that the victim does not receive notification of the transaction while the attacker uses the intercepted OTP.
  6. IMSI and phone number:
    • To perform an attack via SS7, the attacker needs the victim's IMSI or phone number. The IMSI can be obtained through data leaks, phishing, social engineering, or using an IMSI-catcher (a device that imitates a base station).
    • Carding context: Carders often purchase databases of phone numbers and IMSIs on the black market to target victims.

How it works in practice:

  • The carder obtains the victim's phone number (e.g. through phishing or data leakage).
  • Using access to SS7 (via the black market or a compromised operator), the carder sends an UpdateLocation request to redirect the victim's SMS.
  • The carder initiates a transaction or password reset in the banking app, receives the OTP via forwarded SMS and completes the transaction.
  • The victim may not notice the attack because the SMS is not delivered to their device and the phone continues to operate on the network.

2. Why SS7 attacks are difficult for most carders

Despite the well-known nature of SS7 vulnerabilities, their exploitation requires significant resources, making such attacks inaccessible to most carders. Here are the key reasons:
  1. Limited access to SS7 network:
    • Access to SS7 is only possible through telecommunications companies, signaling service providers, or compromised nodes. On the black market, access to SS7 can cost between $10,000 and $100,000, depending on the region and operator.
    • Carding context: Most carders work with small budgets and prefer cheap methods such as phishing or purchasing stolen card data, which costs $10-50 per entry.
  2. Technical complexity:
    • To work with SS7, one needs to understand telecommunications protocols such as MAP and CAMEL, and also to be able to send signaling messages through specialized software (for example, Osmocom or Yate).
    • The attacker needs to know the victim's IMSI, which requires additional effort (e.g. using an IMSI-catcher or purchasing the data).
    • Carding context: Carders without technical knowledge prefer simple attacks such as mass phishing or using Trojans to steal data.
  3. Risks and scalability:
    • Attacks over SS7 are difficult to automate and scale. Each attack requires individual configuration for a specific number, making them labor-intensive.
    • Carding context: Carders focused on mass carding (e.g. via botnets or phishing campaigns) avoid SS7 due to its low ROI compared to costs.
  4. Monitoring and protection of operators:
    • Telecom operators are implementing signaling traffic monitoring systems, such as SS7 firewalls, that identify suspicious requests (for example, multiple UpdateLocation from different networks).
    • GSMA (Global Mobile Association) has developed recommendations for securing SS7, including traffic filtering and blocking unauthorized requests.
    • Carding context: Increased security by operators forces carders to look for easier targets, such as poorly protected sites or vulnerable users.
  5. Legal risks:
    • Access to SS7 often requires interaction with rogue ISPs or insiders in telecom companies, which increases the risk of exposure.
    • Carding context: Carders working alone or in small groups avoid such risks, preferring anonymous methods such as using VPNs or proxies for phishing.

3. How banks protect themselves: Push notifications, biometrics and other methods

Banks are aware of the SS7-related vulnerabilities of SMS OTP and are actively switching to more secure two-factor authentication (2FA) methods. Here is a detailed analysis of how it works and why it makes life difficult for carders:

Push notifications

  • Mechanism:
    • Instead of SMS, banks send notifications via their mobile apps (for example, the banking apps Revolut, Monzo, or Sberbank Online). Push notifications are tied to a specific device and use secure communication channels (for example, HTTPS with TLS).
    • The user receives a notification asking them to confirm the transaction (e.g. "Confirm $100 transfer?"), which requires them to click the Yes/No button in the app.
  • Why it is safer:
    • Push notifications do not go through SS7, making them immune to attacks on the signaling network.
    • Notifications are encrypted and tied to the device via unique identifiers (e.g. FCM/APNs tokens), making them difficult to intercept.
    • Banks can integrate additional checks such as geolocation or behavioral analysis (for example, checking that the device is in a familiar region).
  • Carding context:
    • To intercept push notifications, a carder needs to compromise the victim's device (for example, by installing malware) or gain access to an account in a banking application, which is much more difficult than intercepting SMS.
    • Even if a carder gains access to the device, banks often require additional authentication (such as a PIN or biometrics) to confirm the transaction.

Biometrics

  • Mechanism:
    • Banks are implementing biometric authentication, such as fingerprint scanning, facial recognition (Face ID) or voice recognition. This data is stored locally on the device in a secure enclave (for example, the Secure Enclave on the iPhone) and is not transmitted over the network.
    • The user confirms the transaction by placing a finger on the scanner or using the camera for facial recognition.
  • Why it is safer:
    • Biometric data is virtually impossible to counterfeit without physical access to the device.
    • They do not depend on external communication channels such as SMS or SS7, which eliminates the possibility of interception.
    • Even if the device is stolen, banks often require an additional PIN or password to access the app.
  • Carding context:
    • It is nearly impossible for carders to bypass biometrics without physical access to the victim's device or sophisticated attacks such as creating fake fingerprints (which is an extremely rare scenario).
    • Biometrics reduce the reliance on OTP, making attacks on SS7 irrelevant.

Additional protective measures

  1. Tokenization:
    • Banks use tokens (such as those based on the EMV standard) to generate one-time codes within the app. These tokens are tied to a specific transaction and device, making them useless if intercepted.
    • Carding context: Even if a carder intercepts the token, he will not be able to use it without access to the device and account.
  2. Contextual authentication:
    • Banks analyze the context of the transaction: geolocation, time, device type, user behavior history. If the transaction looks suspicious (for example, it is made from another country), it is blocked or requires additional confirmation.
    • Carding context: This makes attacks more difficult, as the carder needs to not only intercept the OTP, but also fake geolocation or other parameters.
  3. Hardware tokens:
    • Some banks (e.g. in Europe) use physical devices such as YubiKey or bank tokens to generate OTP. These devices do not rely on SS7 or mobile apps.
    • Carding context: The carder needs physical access to the device, which is almost impossible in most cases.
  4. Abandoning SMS OTP:
    • Many banks (e.g. JPMorgan Chase, ING) are completely abandoning SMS in favor of push notifications, biometrics or tokens. This directly eliminates the threat of attacks via SS7.
    • Carding context: Carders lose the ability to use SS7 to intercept codes, forcing them to look for alternative methods such as phishing or malware.
  5. Multi-Factor Authentication (MFA):
    • Banks combine several factors (for example, biometrics + PIN + geolocation), which significantly increases the complexity of the attack.
    • Carding context: Even if a carder gets around one factor (e.g. intercepting an SMS), he still needs to compromise others, which requires a lot more resources.

4. Practical examples and trends in banking protection

  • Revolut: Uses push notifications and biometrics to confirm transactions. SMS OTP is used only as a last resort (e.g. for older devices). The app analyzes user behavior and blocks transactions if there is suspicious activity.
  • Monzo: Ditched SMS OTP entirely in favour of push notifications and biometrics. The app requires Face ID or a fingerprint to sign in and approve large transactions.
  • Sberbank (Russia): Is switching to push notifications via the Sberbank Online app and is actively implementing biometrics (face and voice recognition). SMS OTP is used as a backup option.
  • HSBC: Is introducing biometric authentication and tokenization via its mobile app. Large transactions require additional confirmation via a physical token.

Trends:

  • Universal adoption of biometrics: Banks are increasingly using biometrics integrated with platforms such as Apple Pay or Google Pay to simplify authentication.
  • FIDO2 and WebAuthn: Passwordless authentication standards that use cryptographic keys stored on the device are starting to be adopted by banking apps.
  • AI and behavioral analysis: Banks use machine learning to analyze user behavior (e.g., usual login locations, typical transaction amounts), which allows blocking suspicious transactions even without user intervention.

5. Why SS7 remains a problem but is losing relevance for carders

Despite the vulnerabilities of SS7, its use in carding is becoming less relevant for several reasons:
  • Reducing reliance on SMS: Banks are switching to push notifications and biometrics, making SMS interception useless.
  • Strengthening operator protection: Telecom companies are implementing SS7 firewalls and monitoring, which reduces the likelihood of successful attacks.
  • Rise of Alternative Methods: Carders are turning to easier and cheaper methods such as phishing, malware (such as banking trojans), or purchasing stolen data on the dark web.

However, SS7 remains a threat in regions where banks continue to rely on SMS OTP and telecom operators have not implemented sufficient security. This is especially true in developing countries where the telecommunications infrastructure is outdated.

6. Recommendations for protection against attacks via SS7 (for users and banks)

For users:

  • Use banking apps: Install the official bank app and enable push notifications instead of SMS.
  • Enable biometrics: Use your fingerprint or Face ID to sign in to apps and confirm transactions.
  • Avoid Phishing: Don't provide phone numbers or personal information on suspicious sites.
  • Monitor transactions: Check your account statements regularly and turn on notifications for any transactions.

For banks:

  • Move away from SMS OTP: Switch entirely to push notifications, biometrics or tokens.
  • Implement MFA: Combine multiple authentication factors to improve security.
  • Collaboration with operators: Work with telecom companies to implement SS7 firewalls and monitor suspicious traffic.
  • Customer Education: Educate users about the risks of SMS OTP and the benefits of modern authentication methods.

Conclusion

SS7 vulnerabilities such as lack of authentication, encryption, and MAP protocol vulnerabilities allow carders to intercept SMS with OTP using commands such as UpdateLocation or SendRoutingInfoForSM. However, such attacks require significant resources, including access to the SS7 network, technical knowledge, and high financial costs, making them unaffordable for most carders. Banks are actively moving to push notifications, biometrics, tokenization, and contextual authentication, which eliminate the dependence on the vulnerable SS7 protocol and significantly complicate attacks. These measures, combined with increased security by telecom operators, make OTP interception via SS7 less relevant, forcing carders to look for other, simpler attack methods, such as phishing or malware. It is important for users and banks to continue to implement modern authentication technologies and raise awareness of cyber threats.
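Added example, not part of Mutt's post and not any operator's product: a small Python screen over MAP signaling records that applies the two checks the post attributes to SS7 firewalls, namely dropping UpdateLocation and SendRoutingInfoForSM requests from networks the home operator has no agreement with, and blocking an UpdateLocation from a foreign network that arrives minutes after the subscriber was registered at home (the pattern behind the SMS redirection described in section 1). The home network, the partner lists, the 30-minute threshold and the six records are assumptions constructed for the demo.

```python
"""Toy SS7 signaling screen (added example, constructed data and policy).

It looks only at what an HLR-side filter sees per request: the MAP operation,
the originating network resolved from the calling-party global title, the IMSI
and a timestamp. Real SS7 firewalls also validate the SCCP/MTP layers, keep
per-global-title allow lists and consult the HLR's own subscriber state."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_NETWORK = "262-01"                           # assumed home operator (MCC-MNC)
ROAMING_PARTNERS = {"234-15", "310-260"}          # assumed networks with a roaming agreement
SMS_PARTNERS = {"234-15"}                         # assumed networks whose SMSCs may locate our subscribers
MIN_GAP_BETWEEN_NETWORKS = timedelta(minutes=30)  # assumed: a foreign registration sooner than this is implausible


@dataclass(frozen=True)
class MapRecord:
    ts: datetime
    opcode: str       # MAP operation as received by the HLR, e.g. "updateLocation"
    origin_net: str   # MCC-MNC derived from the calling-party global title
    imsi: str


def screen(records):
    """Return one (time, opcode, origin, verdict, reason) tuple per record, in time order."""
    last_ul = {}      # imsi -> (timestamp, network) of the last accepted UpdateLocation
    decisions = []
    for r in sorted(records, key=lambda x: x.ts):
        verdict, reason = "ALLOW", "ok"
        if r.opcode == "updateLocation":
            if r.origin_net != HOME_NETWORK and r.origin_net not in ROAMING_PARTNERS:
                verdict, reason = "BLOCK", "UpdateLocation from a network with no roaming agreement"
            else:
                prev = last_ul.get(r.imsi)
                # velocity check: a different network claiming the subscriber too soon
                if prev is not None and prev[1] != r.origin_net and r.ts - prev[0] < MIN_GAP_BETWEEN_NETWORKS:
                    minutes = int((r.ts - prev[0]).total_seconds() // 60)
                    verdict, reason = "BLOCK", f"subscriber was registered in {prev[1]} only {minutes} min ago"
            if verdict == "ALLOW":
                last_ul[r.imsi] = (r.ts, r.origin_net)
        elif r.opcode == "sendRoutingInfoForSM":
            # SRI-SM reveals the IMSI and serving MSC; only SMS interworking partners need it
            if r.origin_net != HOME_NETWORK and r.origin_net not in SMS_PARTNERS:
                verdict, reason = "BLOCK", "SRI-SM from a network that is not an SMS interworking partner"
        decisions.append((r.ts.strftime("%H:%M"), r.opcode, r.origin_net, verdict, reason))
    return decisions


def _t(hour, minute):
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample: a home registration, then a probe-and-redirect attempt
# from a test-range network, a too-fast "roaming" registration, and genuine traffic.
SAMPLE = [
    MapRecord(_t(9, 0), "updateLocation", "262-01", "262011234567890"),
    MapRecord(_t(9, 5), "sendRoutingInfoForSM", "999-99", "262011234567890"),
    MapRecord(_t(9, 7), "updateLocation", "999-99", "262011234567890"),
    MapRecord(_t(9, 12), "updateLocation", "310-260", "262011234567890"),
    MapRecord(_t(14, 0), "updateLocation", "310-260", "262011234567890"),
    MapRecord(_t(14, 3), "sendRoutingInfoForSM", "234-15", "262011234567890"),
]


def run_sample():
    return screen(SAMPLE)


if __name__ == "__main__":
    for d in run_sample():
        print(*d)
```

The third and fourth records are the interesting ones: the request from the unknown network is dropped outright, and the registration from a legitimate roaming partner is still blocked because the subscriber was on the home network twelve minutes earlier, which is what "multiple UpdateLocation from different networks" in the post boils down to in practice. The 14:00 registration from the same partner is accepted because five hours is a plausible travel time.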
 
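Added example, not from the post: a minimal Python model of the app-based transaction approval the post contrasts with SMS OTP (sections 3 and 4). A device-bound HMAC over the transaction details stands in for the real push + biometrics flow; actual deployments use asymmetric keys held in the phone's secure hardware (FIDO2/WebAuthn style) rather than a shared secret. The Bank class, device_approve, the amounts and payee strings are constructed for the demo.

```python
"""Why a device-bound, transaction-bound approval survives the interception
that breaks SMS OTP (added example; simplified, constructed data)."""
import hashlib
import hmac
import json
import secrets


def enroll_device() -> bytes:
    """Enrollment: a 256-bit key created on the phone and registered once with
    the bank. Assumption for the demo: in practice it would never leave the
    device's keystore, and the bank would hold only a public key."""
    return secrets.token_bytes(32)


def canonical(tx: dict, nonce: str) -> bytes:
    """Fixed-order encoding so phone and bank authenticate exactly the same bytes."""
    body = {"amount": tx["amount"], "currency": tx["currency"],
            "payee": tx["payee"], "nonce": nonce}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def device_approve(device_key: bytes, tx: dict, nonce: str) -> str:
    """Runs on the phone after the user taps Yes (and passes biometrics/PIN)."""
    return hmac.new(device_key, canonical(tx, nonce), hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.device_keys = {}   # user -> enrolled device key
        self.pending = {}       # nonce -> (user, tx) awaiting approval
        self.used = set()       # consumed nonces, for replay protection

    def enroll(self, user: str, device_key: bytes) -> None:
        self.device_keys[user] = device_key

    def request_approval(self, user: str, tx: dict) -> str:
        """Create the challenge that goes out in the push payload with the tx details."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, dict(tx))
        return nonce

    def verify(self, nonce: str, approval: str) -> bool:
        """Recompute the approval over the bank's own copy of the pending transaction."""
        if nonce in self.used or nonce not in self.pending:
            return False
        user, tx = self.pending[nonce]
        expected = device_approve(self.device_keys[user], tx, nonce)
        if not hmac.compare_digest(expected, approval):
            return False
        self.used.add(nonce)
        del self.pending[nonce]
        return True


def sms_otp_verify(sent_code: str, submitted_code: str) -> bool:
    """The check SS7 interception defeats: the code is bound to neither a
    device nor a transaction, so whoever reads the SMS can submit it."""
    return hmac.compare_digest(sent_code, submitted_code)


def demo() -> dict:
    bank = Bank()
    victim_key = enroll_device()
    bank.enroll("victim", victim_key)

    # 1. SMS OTP: the carder starts a transfer, intercepts the SMS, submits the code.
    sms_code = f"{secrets.randbelow(10**6):06d}"
    intercepted_code = sms_code
    sms_fraud_accepted = sms_otp_verify(sms_code, intercepted_code)

    # 2. Device-bound approval for the same fraudulent transfer (constructed payee).
    fraud_tx = {"amount": "950.00", "currency": "EUR", "payee": "acct-carder-mule"}
    n1 = bank.request_approval("victim", fraud_tx)
    # The carder may even see the push payload (nonce + tx) but has no device key.
    forged = device_approve(secrets.token_bytes(32), fraud_tx, n1)
    forgery_accepted = bank.verify(n1, forged)

    # 3. The victim later approves a genuine transfer on their own phone.
    real_tx = {"amount": "25.00", "currency": "EUR", "payee": "acct-landlord"}
    n2 = bank.request_approval("victim", real_tx)
    real_approval = device_approve(victim_key, real_tx, n2)
    genuine_accepted = bank.verify(n2, real_approval)

    # 4. The carder captured that approval and replays it against the pending fraud tx,
    # 5. and against the transaction it was actually issued for.
    replay_on_other_tx = bank.verify(n1, real_approval)
    replay_same_tx = bank.verify(n2, real_approval)

    return {"sms_fraud_accepted": sms_fraud_accepted,
            "forgery_accepted": forgery_accepted,
            "genuine_accepted": genuine_accepted,
            "replay_on_other_tx": replay_on_other_tx,
            "replay_same_tx": replay_same_tx}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the post makes in words shows up directly in the results: the intercepted SMS code is accepted for the carder's transfer, while the device-bound approval cannot be forged without the enrolled key, cannot be moved to a different amount or payee, and cannot be replayed once its nonce is consumed. What the carder is left with is exactly what the post says: compromise the device itself.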