Slashdot Mirror

← Back to Stories (view on slashdot.org)

Criminals Are Tapping Into the Phone Network Backbone to Empty Bank Accounts (vice.com)

Posted by msmash on from the security-woes dept.

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself. From a report: This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank -- the UK's Metro Bank -- that fell victim to such an attack. The news highlights the gaping holes in the world's telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK's signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.

"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," The NCSC told Motherboard in a statement. "Some of our clients in the banking industry or other financial services; they see more and more SS7- based [requests],â Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. "All of a sudden you have someone's text messages."

5 of 52 comments (clear)

  1. Why would telcos care? by Stormy+Dragon · · Score: 4, Interesting

    They're not personally being held responsible for the losses and they're not going to lose business to the other phone company for providing crappy service.

  2. Another backdoor accessible only to the good guys? by Anonymous Coward · · Score: 5, Insightful

    So, was this supposed to be a backdoor accessible only to "the good guys"? And now the bad guys are using it?

    I'm shocked! Shocked, I tell you!

  3. This is the problem: by QuietLagoon · · Score: 4, Informative
    ... intercepting SMS text messages used as 2-Factor Authentication (2FA), ...

    .

    SMS should not be used for 2FA. Full stop.

    1. Re:This is the problem: by lgw · · Score: 4, Informative

      No. It's so weak that it doesn't count as 1 factor. This has been true for years. The first exploits in the wild of MitB + SMS hack happened years ago. Any organized crime group that can hack your browser can be assumed to also be hacking SMS.

      Plenty of other 2FA approaches actually work. Especially those that (gasp!) don't use a phone (a mobile sack of vulnerabilities).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:This is the problem: by Anonymous Coward · · Score: 5, Insightful

      It's so weak that it doesn't count as 1 factor.

      The reason it doesn't count as a factor is not because it is weak.
      In multi-factor authentication acceptable factors are:
      * something you have
      * something you are
      * something you know

      Text messaging is neither of those. It's just a different authentication channel.