The loophole hackers can use to get around South African banks’ SMS verification

11 Aug 2017

Long-known but relatively obscure vulnerabilities in global mobile telecommunications systems are reaching a wider audience, including cyber criminals, according to Neil Bester, senior vice president at fintech company Entersekt.

Bester was citing a recent malicious attack on customers of O2-Telefonica in Germany which saw many bank accounts emptied of funds.

In the attack, the thieves exploited flaws in the mobile SS7 protocol over several months to intercept two-factor authentication codes sent to online banking customers, thereby gaining access to their accounts and draining them of funds.

Signaling System 7 (SS7) is an international telecommunications standard that defines how cellphone networks connect with each other.

It allows cellphone users in South Africa, for example, to roam on networks anywhere else in the world.

SS7 is what lets them make and receive calls, as well as text messages, across networks.

“It’s the backbone of worldwide mobile communication used by billions of people,” said Bester.

He noted that once they have gained access to the SS7 network, intruders can impersonate a phone’s location, read or redirect messages, and even listen to calls.

This poses significant risks for any institution that uses mobile networks to transmit authentication information such as SMS one-time passwords (OTPs).

“There has been a high level of complacency around the risks of SS7, despite repeated warnings from security researchers in recent years,” he said.

“That’s because no large-scale fraud attack has ever been reported – until now.”

South Africa

According to Bester, while no SS7 attacks have yet been reported in South Africa, network operators have had to remain vigilant.

This is because they rely on detection schemes rather than an encrypted channel that would render any SS7 attack approach ineffective, he said.

“Network-initiated unstructured supplementary service data (NI-USSD, also known as push USSD) is a safer option for authenticating transactions than is SMS.”

“Unlike SMS, which is a store-and-forward technology, push USSD allows a two-way exchange of data in real time, and no data useful to fraudsters is stored on the device.”

“Push USSD sessions can, however, still be illegally redirected in the same way that calls can because the process depends on the handset’s SIM card,” he said. “An attacker could redirect an entire USSD session to their own phone and the victim would never know.”

If a network operator is vulnerable to SS7 attack, then USSD is technically no safer than SMS, he added.

However, by deploying adequate SS7 firewalls, mobile operators can at least provide some resistance to attacks.

According to Bester, the only way to completely avoid the kind of eavesdropping SS7 makes possible is to open a completely isolated, end-to-end encrypted communications channel between the mobile phone and the servers that process payments or store sensitive data, and to properly authenticate the users of this channel.

“Using a self-contained cryptographic infrastructure deployed to the phone, you avoid having to rely on the security provided by telecommunications protocols, mobile network operators or the device’s operating system,” he said.

“No third party can access or modify data travelling over this protected channel, making it impervious to the kind of attacks seen in Germany.”
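As an added illustration (not code from the article or from Entersekt), the Python sketch below shows the principle behind the approach Bester describes: a secret provisioned to the phone once, out of band, never crosses the mobile network, and what does cross it is a single-use proof bound to the exact transaction, so a copy of the message is of no use to whoever reads it. The class and function names, the use of HMAC-SHA256 with a shared per-device key, and the sample transaction text are assumptions for this example; a real deployment would also encrypt the channel and use hardware-backed keys.

```python
import hmac
import hashlib
import secrets


def compute_response(key: bytes, nonce: str, transaction: str) -> str:
    """What the banking app on the phone computes (constructed example).

    The proof covers both the server's challenge and the transaction text the
    user saw, so it cannot be reused for another challenge or another payment.
    """
    msg = f"{nonce}|{transaction}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TransactionAuthServer:
    """Bank-side verifier (constructed example).

    Unlike an SMS OTP, where the code itself is the credential, the per-device
    key is delivered once during enrolment and never travels over SMS or USSD.
    """

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}        # device_id -> key
        self.pending: dict[str, tuple[str, str]] = {}  # nonce -> (device, tx)

    def enrol_device(self, device_id: str) -> bytes:
        # Done once, out of band (e.g. in-branch or in-app enrolment).
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_challenge(self, device_id: str, transaction: str) -> str:
        # The nonce is public; intercepting it reveals nothing useful.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, transaction)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        # pop() makes every challenge single-use, so a replayed proof fails.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        device_id, transaction = entry
        expected = compute_response(self.device_keys[device_id], nonce, transaction)
        return hmac.compare_digest(expected, response)
```

Run through once: a valid proof verifies, the same proof replayed fails, and a proof computed for one transaction does not verify against a challenge for a different one.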
