The start – or the beginning of the end?
In May, O2 Telefonica in Germany confirmed that it had been the victim of a mobile network hack that led to an undisclosed number of the operator’s customers having their bank accounts emptied by fraudsters. The criminals had hijacked the SMS-based two-factor authentication systems that are used by so many banks.
The hack took advantage of the signalling system called SS7 that mobile operators use to interconnect – it is the part of the global network that effectively enables mobiles to be mobile. In April last year, the vulnerability of this part of the network was highlighted on the US TV show 60 Minutes, having earlier been publicly demonstrated at the Chaos Computer Congress in 2015. The equipment needed to access SS7 used to be too costly to buy and required technical expertise to use. That limited protection is no longer in place – the tools, the techniques and even an attack-as-a-service offering are all available and being “openly” traded for very little money on the dark web.
By hacking into the network signalling, fraudsters can not only locate and track mobiles, they can also snoop on your activity by intercepting your phone communication. That ability to divert mobiles was the security weakness that was central to the theft in Germany.
According to confirmed reports on the O2 incident, the fraudsters first used traditional banking-fraud phishing techniques and spyware to infect account holders’ computers in order to steal account details, passwords and other personal information. Once they had access to the customers’ online accounts they could then view and target the accounts with ‘rich pickings’.
The crime then involved diverting the account holder’s mobile to the fraudster’s own handset, so that – in the middle of the night – they could set about emptying those accounts. When the bank sent an automated SMS with the mobile Transaction Authentication Number (mTAN), it was received by the fraudsters, not by the customer. Armed with that, the criminals could authorise transfers to their own, well-hidden, accounts, and could then remove the mobile divert. Removing the divert after the theft also helped to cover their traces and delay the discovery of the theft.
O2 in Germany confirmed that the attack had taken place and said in a statement to the newspaper Süddeutsche Zeitung that: “Criminals carried out an attack from a network of a foreign mobile network operator. The attack redirected an incoming SMS message for selected German customers to the attackers.”
This is the first mass incident of SS7 signalling fraud, and consumers are still largely unaware that it can happen. The banks and the mobile operators are, however, getting nervous and looking for ways to counter the threat.
Recently, Vodafone’s CEO Vittorio Colao admitted that the issue of cyber security was one that “kept him awake at night.” Colao said that a pan-European approach was needed to stave off the threat of cyber criminals and called for:
“Much larger collaboration between companies across sectors to create a more integrated cyber-defence system.”
There’s no doubt that operators, and enterprises, are fighting a cyber security war across many fronts – on their IT systems, their devices and their networks. Hackers will evidently use whatever mechanism they can to attack systems, steal data, cripple operations and defraud businesses and consumers. With the rise of the Bring Your Own Device environment, it is no longer enough for companies to seek to protect the traffic on their IP backbone; end-to-end security over the mobile network is also required.
It’s a requirement that is well recognised in the US by Congressman Ted Lieu, who has been pressuring the US regulators to act on the SS7 weakness. When the US House of Representatives announced it will begin protecting the mobile devices of members of Congress and their staff with endpoint security to help identify threats such as unsecured Wi-Fi connections and malicious apps, Lieu welcomed the move but still described Congress’s cyber security as “a locked building with an open window.”
“Members of Congress and their staff are hugely dependent on mobile devices to do our work, but those phones are not adequately protected”, Lieu said. The Congressman is well aware that simply shutting the open window by protecting the device is not enough when the network itself remains vulnerable.
Of course, Congressman Lieu is quite personally invested in the SS7 security story, as it was his phone that was publicly hacked on the ‘60 Minutes’ TV programme. Naturally, he was quick to react to the news of the SS7 attack in Germany.
“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw,” he said.
Meanwhile in Germany, rival operator Deutsche Telekom was quick to reassure its customers that such an attack could not happen on its network. A statement on the DT website said that it had become one of the first telecommunications providers worldwide to implement an SS7 firewall that would have blocked and prevented the O2 attack.
The signalling weakness is a legacy of the “trusted network” relationships that existed before the telecoms market became so open. It’s a weakness that is also made greater by the sheer size of the market today. To give an idea of the scale, our own signalling firewall can be installed as a software addition to the Network Interface Units (NIFs) that we have deployed in some 60 operator networks around the world. These NIFs support the roaming value added services we provide to operators. Across our systems, we are currently seeing somewhere in the region of 12bn SS7 signalling messages every day.
Apart from the scale, the other challenge is that the fraudulent signalling messages often imitate some of the messages that drive genuine value added services, which are revenue-generating for the operator. The messages that drive those services differ from normal signalling, so the systems need to distinguish between those unusual signals and the unsafe ones – the harmless from the harmful.
The number of messages we see that are unusual but safe by far dwarfs the number of fraudulent ones. Nevertheless, we would still put the number of potentially fraudulent messages at a level of around one per second on every network in the world. Accurately stopping those harmful messages without disrupting normal network traffic is the challenge that the signalling firewalls need to meet.
We are confident that the signalling firewalls we are providing to operators would have caught and blocked the O2 attack – indeed one of our firewalls did stop such an attack at about the same time as the O2 incident. One way we can do that is by taking a measure of distance and velocity to make a judgement on the location updates that were behind the O2 attack. A mobile signalling in Germany one evening cannot legitimately be signalling a short while later from an island in the Pacific or the Caribbean, for example. The subscriber could not have travelled that distance in that time.
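To make the distance-and-velocity judgement concrete, here is an added Python illustration. It is not code from the original post or from the author’s firewall product; the plausibility thresholds, the subscriber identifiers, the network labels and the coordinates of the serving nodes are all constructed assumptions. Each location update is reduced to a subscriber, a timestamp and the approximate position of the visited network node, and a new update is rejected when the implied travel speed from the previous one is beyond anything a traveller could achieve.

```python
"""Velocity check on subscriber location updates (constructed illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed policy thresholds (not figures from the original article):
MAX_PLAUSIBLE_KMH = 1000.0   # roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0       # ignore jitter between neighbouring cells / visited nodes


@dataclass(frozen=True)
class LocationUpdate:
    """One observed location update, reduced to what the check needs."""
    imsi: str          # constructed identifier, not a real subscriber
    ts: datetime       # time the update was seen at the firewall (UTC)
    network: str       # label for the serving network (assumed)
    lat: float         # approximate position of the serving node (assumed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def velocity_verdict(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Judge whether `cur` is physically reachable from `prev`.

    Returns (distance_km, implied_kmh, verdict) with verdict one of
    'allow', 'block' or 'review'.
    """
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if dist < min_km:
        # Re-registration on the same or a neighbouring node: a tiny distance over a
        # tiny interval would imply a huge speed, so never block on velocity alone.
        return dist, 0.0, "allow"
    if hours <= 0:
        # Duplicate or out-of-order timestamps with a real jump: no speed can be
        # computed, so do not disrupt traffic automatically but flag for an analyst.
        return dist, float("inf"), "review"
    kmh = dist / hours
    return dist, kmh, ("block" if kmh > max_kmh else "allow")


def screen_updates(updates):
    """Run the check over a feed, keeping the last accepted location per subscriber.

    Returns (imsi, distance_km, implied_kmh, verdict) for every update not simply allowed.
    """
    last = {}
    findings = []
    for upd in sorted(updates, key=lambda u: u.ts):
        prev = last.get(upd.imsi)
        if prev is not None:
            dist, kmh, verdict = velocity_verdict(prev, upd)
            if verdict != "allow":
                shown_kmh = kmh if kmh == float("inf") else round(kmh, 1)
                findings.append((upd.imsi, round(dist), shown_kmh, verdict))
                if verdict == "block":
                    continue  # a rejected update must not become the new reference location
        last[upd.imsi] = upd
    return findings


# Constructed sample feed: three subscribers seen one evening in Germany.
T0 = datetime(2017, 5, 3, 21, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    # Subscriber A registered in Munich, then 90 minutes later an update arrives
    # from a node in Fiji: roughly 16,000 km away, impossible in that time.
    LocationUpdate("subscriber-A", T0, "DE-home", 48.137, 11.575),
    LocationUpdate("subscriber-A", T0 + timedelta(minutes=90), "FJ-visited", -18.141, 178.442),
    # Subscriber B: Munich, then Frankfurt two hours later (about 300 km, plausible).
    LocationUpdate("subscriber-B", T0, "DE-home", 48.137, 11.575),
    LocationUpdate("subscriber-B", T0 + timedelta(hours=2), "DE-home", 50.110, 8.682),
    # Subscriber C: two registrations ten seconds apart on neighbouring nodes (jitter).
    LocationUpdate("subscriber-C", T0, "DE-home", 48.137, 11.575),
    LocationUpdate("subscriber-C", T0 + timedelta(seconds=10), "DE-home", 48.140, 11.580),
]

if __name__ == "__main__":
    for finding in screen_updates(SAMPLE_FEED):
        print(finding)
```

Two design points reflect the concerns raised earlier about not disrupting normal traffic: a minimum-distance tolerance stops harmless re-registrations from producing an absurd implied speed, and a blocked update is not allowed to overwrite the subscriber’s last accepted location, so a single spoofed update cannot “reset” the reference point and let a follow-up through.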
But, as Vodafone and Deutsche Telekom have pointed out, measures taken by individual operators represent only a limited solution. It will take concerted action by the whole industry to properly protect against fraudsters looking to exploit SS7 signalling weaknesses.
Maybe this first confirmation of the type of fraud attack that the mobile industry had been fearing will be the catalyst that accelerates the roll-out of protection. Rather than the start of something bad, let’s hope it signals the beginning of the end.