After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 is a set of telephony signaling protocols developed in the 1980s to handle the public switched telephone network (PSTN), SMS, etc.
The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.
Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.
So any security that depends on PSTN-SS7 security is proven to be inadequate.
(Score: 4, Informative) by EvilSS on Friday May 05 2017, @02:00PM (2 children)
(Score: 2) by Nerdfest on Friday May 05 2017, @02:40PM
The Google Authenticator or other time-based authentication schemes work very well. They do have a flaw as well, but it's not as exploitable as this is.
(Score: 2) by kaszz on Friday May 05 2017, @03:21PM
This is another weak point for sure. How secure is the handover of security devices and codes? If those are very secure but the other party will hand those over based on the presentation of a flimsily made identity card, the security is not that great. Maybe it's time for challenge-response chipped identity cards and signatures too?
The strength of a chain is determined by the weakest link.