Is This the Start - or the Beginning of the End?

Posted May 2017

News broke publicly last week of a successful SS7 attack on O2’s customers in Germany. The attack abused the SS7 network to hijack the text-based two-factor authentication system used by banks to authorise funds transfers.

According to confirmed reports, the fraudsters first used banking-fraud malware and spyware to infect account holders’ computers and steal account details, passwords and other personal information. Once they had access to the customer accounts, they could view and target available balances.

The fraud then involved diverting text messages sent to the account holder’s mobile to the fraudster’s own handset, so that the fraudsters received the bank’s text message with the mobile Transaction Authentication Number (mTAN). Armed with that, the criminals could authorise transfers to their own accounts.

O2 in Germany confirmed that the attack had taken place and told the newspaper Süddeutsche Zeitung: “Criminals carried out an attack from a network of a foreign mobile network operator. The attack redirected incoming SMS messages for selected German customers to the attackers.”

After the news broke in Germany, rival operator Deutsche Telekom was quick to reassure its customers that such an attack could not happen on its network. A statement on the DT website said that it had become one of the first telecommunications providers worldwide to implement an SS7 firewall that would have blocked and prevented the O2 attack.

The successful attack also caught the attention of Congressman Ted Lieu in the US, who has been pressuring US regulators to act on the SS7 weakness. “Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw,” said Lieu.

He added that he felt it was unacceptable that the FCC and telecoms industry had not acted sooner to protect subscriber privacy and financial security, and urged the US Congress to hold immediate hearings on the issue.

The signalling firewalls we are providing to operators would have caught and blocked the O2 attack by spotting the fake location updates – indeed one of our firewalls did stop such an attack about the same time as the O2 incident. But, as Deutsche Telekom has pointed out, measures taken by individual operators represent a limited solution. It will take concerted action by the whole industry to properly protect against fraudsters looking to exploit SS7 signalling weaknesses.

This first confirmation of the type of fraud attack the industry was fearing might be the catalyst that accelerates the roll-out of protection. Rather than the start of something bad, let’s hope it signals the beginning of the end.