Mobile hack threatens SMS security codes


Hardly a day goes by without news of another cyber security breach, but some make bigger headlines than others. The global ransomware attack termed ‘wannacry’ stole headlines all over the world in mainstream newspapers and on television. It was, and remains, a significant attack, but it also rather overshadowed another cyber attack that threatens the security of online banking and yet didn’t really attract any coverage outside of the technical media.

Last month, O2 Telefonica in Germany confirmed that it had been the victim of a mobile network hack that led to an undisclosed number of the network’s customers having their bank accounts emptied by fraudsters who hijacked the SMS-based two factor authentication systems used by many banks.

The hack took advantage of the signalling system called SS7 that mobile operators use to interconnect - it is the part of the network that effectively enables roaming. In April last year, it was demonstrated that this part of the network is vulnerable to hackers and is largely unsecured. The equipment needed to access it used to be both costly to buy and require technical expertise to use: sadly, that is no longer the case.

By hacking into the signalling channel, fraudsters can not only track you and snoop on your messages etc, they can also divert your mobile to another number. In the O2 incident in Germany, the fraudsters first used traditional phishing techniques to get personal data and access to online bank accounts to identify some accounts with ‘rich pickings’. Then, in the dead of night they emptied those accounts. When the bank sent the text message with an authorisation code, the customer’s mobile had been diverted to the fraudsters who could verify the transaction to steal the funds. Removing the divert after the theft, also helped cover over the traces and delay the discovery.

This is the first mass incident of SS7 signalling fraud, and consumers are still largely unaware that it can happen. The banks and the mobile operators are, however, getting nervous and looking for ways to counter the threat. In the US, Congressman Ted Lieu is leading a campaign for federal action, describing mobile networks as a locked room with an open window.

In the meantime, text messaging is an unsafe means of adding security. IP-based connections are much stronger and the addition of biometrics into a 2FA solution would further strengthen security.

Our Onescan app could provide this security and usability at the same time. If banks required customers to authorise transactions using Onescan – either by interacting with a computer screen or by carrying out the transactions within the app itself – security could be ensured by using the phone’s own ID technology such as a fingerprint or retinal scan as part of the process.

We have always believed that transactions should be verified in a way that links who you are to the device being used. That registration process removes the potential for 2FA to be hijacked, diverted and used to defraud customers.

Simple SMS-based 2FA alone can no longer be trusted.

Try Onescan Security instead.