A known vulnerability in a networking protocol used by mobile phone network providers has been exploited by hackers to intercept two-factor authentication SMS messages to steal funds from bank account.

The vulnerability, first identified in 2014, involves a security hole in the Signaling System No. 7, a telephony signaling protocol used by telecommunications providers worldwide that allows hackers to intercept and listen to private phone calls and intercept text messages even when mobile networks are using advanced encryption techniques.

While the SS7 vulnerability has been demonstrated by security researchers previously, a German newspaper reported that mobile operator 02-Telefonica has confirmed that a number of its customers have had their bank accounts drained using a two-stage attack that exploits SS7. The report claims that hackers initially loaded malware onto victims’ computers, allowing them to obtain bank account logins, passwords and mobile phone numbers. They then exploited the SS7 vulnerability to intercept 2fa codes sent to those victims to confirm transfer requests, allowing them to empty the targeted accounts.

Although not detailing the types of equipment used to intercept the call, experts told the paper that access to SS7 networks can be acquired for under €1,000 ($1,097).

Chiming in on the seriousness of the discovery, Rep. Ted Lieu (D-Calif.), one of the few in Congress with a computer science background, said in a press released titled, “We Were Warned About Flaws in the Mobile Data Backbone for Years. Now 2FA Is Screwed” that “Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw.”

“Both the Federal Communications Commission and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number,” Lieu added before calling on Congress to hold hearings on the matter.

A replacement to SS7, called the Diameter Protocol, has been proposed for 5G networks. However, a report published by the Federal Communication Commission’s Communications Security, Reliability and Interoperability Council found that the new, supposedly more secure standard also suffers from security holes that make it similarly vulnerable to attack.

Photo: Pixabay