Why two-factor authentication isn't enough

Teacher
How the SMS confirmation codes of online banking customers were intercepted, and how to protect yourself from this.

The traditional debate "do I need an antivirus" quite often looks like this:
- No, I don't need your antivirus, I have nothing to steal! Suppose they infect me, suppose they encrypt the computer: I'll reinstall the system from scratch, get rid of all the viruses, and there was nothing of value on my computer anyway.
- But do you have a bank card? Do you buy things in online stores?
- Ha, the bank has two-factor authentication, it will protect me. Even if my card number is stolen, they won't be able to take the money.
As practice shows, they can. Firstly, not all online stores use 3D Secure protection, that is, not every transaction requires confirmation with a code from an SMS. So someone can buy something with your card without you knowing until you look at the purchase history. In fact, even the CVC code (the three digits on the back of the card) isn't required everywhere: some merchants let you pay without it.
Secondly, scammers have learned to intercept the SMS messages with security codes that banks send and to withdraw all the money from the card. Not long ago, cybercriminals in Germany carried out a major operation to steal funds from the credit cards of unlucky users in exactly this way. Let's take a closer look at how it happened.

OKS-7: the hole in the phone
SMS can be intercepted because of a vulnerability in the set of telephone signaling protocols known collectively as OKS-7 (the Russian designation for SS7, Signaling System 7, also called Common Channel Signaling System 7).
These signaling protocols are the foundation of the entire modern telephone system: they carry all the service information in telephone networks. They were developed back in the 1970s, first deployed in the 1980s, and have since become the universally accepted standard.
Initially, the OKS-7 protocols were designed for fixed-line networks. The idea was to physically separate voice and signaling traffic by putting them on separate channels. This was done to fight phone phreakers, who used special boxes to imitate the tones in which service information was then transmitted over telephone networks. Steve Jobs and Steve Wozniak got their start with exactly these boxes, but that is a completely different story.
Later, the same set of protocols was adopted for mobile networks. Along the way, telecom engineers bolted a bunch of functions onto it; in particular, SMS is actually carried over OKS-7.
The problem is that half a century ago little thought was given to information security (at least in civilian systems), and the main focus was on efficiency, so Signaling System No. 7 turned out to be convenient but full of holes.
The main flaw of the system, like many other systems designed in those days, is that it is built on trust. It was assumed that only telecom operators, who are considered good guys by default, would have access to it.
As a result, the security of the system as a whole is determined by the weakest security among its participants. That is, if one of the operators in it has been hacked, the entire system can be considered compromised. The same goes if a network administrator at some operator decides to slightly exceed his authority and use SS7 for his own purposes: the result is the same.
And since anyone with access can eavesdrop on conversations, determine a subscriber's location and intercept text messages, unauthorized access to SS7 is actively used both by the intelligence services of various countries and by criminals.

The actual attack
In the case of the recent attack in Germany, the sequence of the attackers' actions looked like this:
1. The victim's computer was infected with a banking Trojan. Trojans are quite easy to pick up if you have no security solution, and many of them behave in such a way that they cannot be detected without an antivirus, so the users did not notice anything.
With the help of this Trojan, the cybercriminals stole the victims' logins and passwords for online banking. But stolen login details are in most cases not enough: you also need the transaction confirmation code that the bank sends to the phone as an SMS.
2. Apparently, the same banking Trojan was also used to steal phone numbers: online stores often ask for one just before the card number is entered. At this point the scammers had access to the online bank, where they could see how much money the victim had in the accounts, and the victim's mobile phone number. All that remained was to withdraw the money.
3. Next, using the stolen online banking username and password, the attackers initiated a transfer of money from the card to their own account. Then, having gained access to SS7 on behalf of a certain telecom operator in another country, they redirected the SMS messages sent to the German operator's subscriber number to their own number. In this way they received the transaction confirmation codes, entered them in the online bank and successfully transferred all the money to their account, so the bank never suspected that the operation might be illegitimate.
The attack was also confirmed by the German operator whose subscribers were the victims in this story. The foreign mobile operator whose access to the system was used for the attack was blocked, and the victims were notified of the attack. However, we do not know whether this helped them get their money back.

Still don't need an antivirus?
Two-factor authentication seems like solid security: if only you have access to the phone, who else can read the text message that arrives on it?
As you can see, anyone with access to the OKS-7 system and an interest in your text messages and the money on your bank card can read it.
How do you set up two-factor authentication properly, and how do you protect against attacks like the one discussed in this post? We have some tips.
  • SMS isn't the only thing that can be used for two-factor authentication. If possible, use other options, for example the Google Authenticator app or cryptographic USB keys. Unfortunately, banks do not accept alternative types of two-factor authentication and send confirmations only by SMS. So, in the event of an unauthorized attempt to access your online banking, only the second tip can save you.
  • Use a reliable security solution on every device. In the case of the attack described in this post, a good antivirus would have stopped the banking Trojan from infecting the computer and stealing the online banking username and password. Then it would not matter much whether the attackers could get at your SMS or not; things would simply never have got that far.