Almost all of us would have transferred funds using internet banking. While performing funds transfer or payment, our transaction would pass through another step of authentication, which would either be a password or a one-time password (OTP) on our mobile numbers. Many of us would consider a risk in using password based second authentication, that if by chance our desktop or laptop would have a malware/virus in our system; it would steal our transaction password. Thus, one would prefer going for an OTP, which is an out-of-band authentication mechanism, valid for few minutes with little chance of compromise. However, the bad news is that, recently, a critical flaw has been found in the Signaling System 7 (SS7), which allows hackers to intercept our communication. Cybercriminals are actively exploiting the vulnerability to bypass the SMS based two-factor authentication (2FA) to successfully perform unauthorized funds transfers from our accounts.
What is SS7?
Signaling system No. 7 is a set of telephony signaling protocols in public switched telephone network (PSTN) to exchange information between telephony systems. It helps in performing call-establishment, billing, short message service (SMS) and etcetera.
How is attack performed?
Let’s first assume that the attacker has access to internet banking username and password. These days it is not difficult to steal one’s credentials due to the availability of a large number of tools, hacking-as-a-service, and cyber crime groups. The attacker using the credentials can log in to user bank account and access your information like balance, address, phone number, etc but couldn’t transfer funds or make a payment due to 2FA using SMS based OPT.
To overcome this issue, an attacker would use SS7 to redirect the SMSes for the victim’s phone number to a phone controlled by them. The attacker would then login to the victim’s bank account and initiate the fund's transfer. The attacker phone due to the redirect of victim’s phone would receive the SMS sent by the bank to complete the transaction.
How to mitigate the attack?
We or phone in our hands has little option to mitigate the issue. The telecom (or network) providers would take the time to patch the issue. The banks or any service using SMS based OTP for authentication can move to other more secure 2FA mechanisms like hard or soft tokens, cards, etc.
Authored By - Akash Sharda
TCS Cyber Security Practice