All is relatively well here at Woesnotgone Meadow, where everyone has above-average bandwidth.
In the Meadow, our residents don’t have many banking needs. We generally have the usual checking and deposit accounts, and mortgages. Occasionally, especially in the winter, our residents may not want to visit Margie’s window at the bank. At that point, they may check their balances, or whether a check has cleared, with an app on their smartphones, desktops, or laptops. When our residents have checked their accounts, they have used the two-factor authentication recommended by Margie. Generally, this has not been an issue. Current events, however, have indicated there is an issue with this.
Banking is one of the industries where there should be an extra layer or two of security, to ensure, as much as possible, that the client's money is not wired out to others by someone other than the bank’s client. To better secure transactions with mobile banking, two-factor authentication has been used and accepted as an additional layer of security for years. Recent events and attacks have indicated there is an unauthorized, malicious bypass for this cybersecurity feature due to flaws in the SS7 protocol.
SS7 (Signaling System 7)
The SS7 protocol is used by telecom companies to coordinate how they route texts and calls globally. Significant flaws in the SS7 protocol have been known for years. The basic issue is the lack of authentication: the protocol does not authenticate who sent a message. An attacker who gains access to the network may reroute a text message or call.
This may be used not only to intercept SMS messages and 2FA codes; it also allows unauthorized access to the user’s personal data. This has the potential for rather unpleasant circumstances for the users. Although known for years, this flaw/bug/feature is still viable. It’s curious that this is still an issue, as the phone companies spend billions upgrading their networks. Although this may initially have been a theoretical problem, the attack has recently been verified many times.
There have been recent reports indicating that at least Metro Bank, a UK bank, had been targeted by the attackers. The attackers have been using this SS7 flaw to bypass the 2FA used with mobile applications. With the banking targets, the attacker would first acquire the user’s username and password. This could be accomplished through a simple phishing attack. When the user logs in, the bank may send a verification code to the user. With the SS7 attack, the message would be intercepted by the attackers. While this does appear to be a rather simple and straightforward attack, it does take time to formulate and execute, and for the user to accept the phishing hook. The attack, while complicated, is still possible.
In the real world, SS7 attacks began to empty bank clients’ accounts in 2017, primarily in Germany. The attacks have since spread and have been used throughout Europe. One bank confirming it was targeted and successfully attacked was Metro Bank, the UK-based bank. The bank did note, however, that only a small number of clients had been affected. This would be expected, as the first step involves a successful phishing attack.
This attack, while not designed for attacking the masses, reminds us that even with the most current technology in use, if a third party the business depends on has a faulty protocol or methodology, there is a direct opportunity for significant issues.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.