German network provider O2 Telefonica has confirmed that few of its subscribers have been drained of their bank accounts, due to hackers exploiting a flaw in the Signaling System 7 (SS7) protocol, used by networks to communicate with each other for many years.
The German company O2 Telefonica has confirmed to Sddeutsche Zeitung that hackers have used an SS7 exploit to drain the bank accounts of few of its subscribers. The hackers intercepted two-factor authentication codes needed for online banking, and after gaining access, emptied their entire bank accounts. This has been occurring for a few months now, the report states.
For security reasons, German banks use a two-factor authentication system, and online customers need to punch a code that is sent to their phone to process transferring the funds from one account to the other. The attackers have exploited this 2FA system, the report ads, allowing them to empty the bank accounts of affected customers easily.
To do this, the hackers first got inside the users' PCs and got hold of sensitive information like login details, password, account balance, and mobile number. "Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers," The Register explains.
The attackers then logged into victims' bank accounts, preferably at a time when they are asleep, and then transfer out all the money. The code sent to the phone was routed to the criminals, making it easy for them to enter.
The report adds that the SS7 flaw has been an issue since many years, and while researchers have been making noise, and asking telcos to do something, network operators have been very complacent about it. Now, that one of the telcos has confirmed a hack due to the SS7 exploit, a solution may come to fruition. Also, the alternative method proposed to replace SS7, is equally flawed, and the dubbed Diameter protocol cannot be considered as a viable solution for now.