SoylentNews is people

posted by martyb on Friday May 05 2017, @12:59PM
from the what-next? dept.

After years of warnings, mobile network hackers have exploited SS7 flaws to drain bank accounts. SS7 is a set of telephony signaling protocols developed in the 1980s to handle the public switched telephone network (PSTN), SMS, etc.

The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number. Then they purchased access to a rogue telecommunications provider and set up a redirect for the victim's mobile phone number to a handset controlled by the attackers.

Next, usually in the middle of the night when the mark was asleep, the attackers logged into their online bank accounts and transferred money out. When the transaction numbers were sent they were routed to the criminals, who then finalized the transaction.

So any security that depends on PSTN-SS7 security is proven to be inadequate.


  • (Score: 2) by edIII on Friday May 05 2017, @08:08PM

    The security credentials are often not enough. I started noticing a few years ago that the banks were fingerprinting the browsers and systems quite heavily, and tying it to IP addresses.

    In order to use my bank, I needed to be using the same browser, same machine, same IP address. Anything else and the bank initiated additional verification like security questions and token verification (those images).

    I would imagine that coming from a different IP address would engage SMS 2FA immediately if it were set up. That never happens with me because I've refused to use the SMS system on general principles. You're paying for something that happens regardless of whether you use it, and at a 10000000% markup at that. Fuck that noise :)

    Falling back to the PSTN and SMS is quite typical of businesses, and not just the banking sector. Both of them are incredibly insecure though. SMS is not all that secure to begin with, you can hijack accounts, and SS7 is NOT a secure protocol. You're just betting that nobody has the skills to do it, but the article proved that there are some that do.

    Rogue telecommunications providers are not difficult to set up, nor is it difficult to start using SS7 either once you have the infrastructure and connections in place. The catch is that you want to deal with the PSTN, and that is where you lose all security, privacy, and anonymity the instant you touch that network.

    Think BGP and how the Russians channeled financial sector traffic through a Russian telecom for a few minutes.

    --
    Technically, lunchtime is at any moment. It's just a wave function.