SS7 Fraud Proves Disastrous for Banks
May 09, 2017
Signaling System 7 (SS7) has been used for quite some time to allow mobile networks to communicate back and forth. Though it's a valuable system, it is not without flaws. These flaws have had a long-recognized potential for fraud, and new reports suggest that the potential has become reality, as bank accounts have been attacked and drained using the vulnerabilities in SS7.
SS7's origins go back to the 1980s, when telecom firms were putting the system to work as a means to connect cellular networks, as well as some landline networks. The system still works to this day, reports note, but further word suggested that this same system, which served as the interconnection backbone of a variety of transmission types, could readily be broken into and misused.
Demonstrations in 2014, meanwhile, illustrated just how such a thing could take place, as insiders—from hackers to disgruntled employees—could get access to any carrier's backend operations using SS7. With backend access, tracking locations, reading messages, and even listening in on calls are all on the table.
Something similar seems to have been done recently, as SS7 fraud was part of a move to access the two-factor authentication system used in German banking systems. Since the system sends a second code to a device before allowing a user access, the SS7 backend access allowed the hackers in question to gain access not only to the username / password combination, but also to the message sent to serve as the second part of the two-factor authentication system.
A disaster to say the least, this move has pretty much destroyed the concept of two-factor authentication, at least for mobile devices. That's bad news, even as more mobile security moves to biometrics over two-factor authentication thanks to a growing number of fingerprint scanners on phones. With SS7 providing backdoor access, though, even that may not be enough to protect users from fraud. Biometrics have great potential as a security measure, but if criminals are able to get access to those scans, this powerful security system could be used against the user.
Shoring up SS7 will serve a great purpose. There's word that the Diameter protocol, which will be used with 5G, also has some security flaws. The more we can do to prevent fraud, the better off we all are. The move to biometric security over two-factor authentication may be a help, but only in one direction. It's certainly not much help for those who have had bank accounts emptied by SS7 fraud.
Edited by Alicia Young