Hackers have taken advantage of a known security vulnerability in mobile networks that allowed them to intercept two-factor authentication messages to hijack user login information and drain bank accounts.
The attack, first reported by German newspaper Süddeutsche Zeitung, is the first known instance of a criminal exploit to the phone network routing system known as Signaling System 7 (SS7), and presents new challenges for smartphone users and mobile carriers.
To break into a victim’s account, the attackers first acquire the username and password — possibly gathered from previous data breaches that revealed millions of account credentials. Because people often recycle passwords or use variations on the same password, prior leaks can put seemingly unrelated accounts at jeopardy.
Once the attackers entered the username and password, they would have to gain access to a two-factor authentication code — a secondary protection that sends a temporary login code to a device associated with a user. It often comes in the form of a text message sent to the user’s primary phone number.
This type of protection typically ensures a login attempt is from the purported user, as it requires physical access to the device itself to receive the code. However, using an exploit in SS7, the attackers were able to intercept that message containing the two-factor login code before it arrived on the user’s device.
With access to that code, the attackers could then enter the victim’s bank account and drain it of money by transferring the funds to another account.
The attack has wide-ranging repercussions since it exposes a vulnerability in a system designed to make user accounts more secure. Everything from bank accounts to social network sites like Facebook and Twitter and email accounts like Gmail support and promote two-factor authentication as a valuable security protocol.
What makes the attack all the more frustrating for victims and prospective future victims of similar attacks is the exploit in SS7 has been known for years.
A flaw in the protocol was first discovered in 2014 when German security researcher Karsten Nohl discovered a hole in the system that, if exploited, would allow an attacker to record phone calls, intercept texts, place and forward calls to other devices, and track the location of an individual device.
A number of lawmakers have pushed for investigation of the flaw and have attempted to push telecommunications companies to take action to fix the issue.
Rep. Ted Lieu, D-Calif., and Sen. Ron Wyden, D-Ore., sent a joint letter to Federal Communications Commission Chairman Ajit Pai earlier this year to encourage the agency to take action to address the issue. “It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” the legislators wrote.
A statement issued by Lieu Wednesday responded to the attack.
“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw,” he said.
“Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”