Hackers exploit SS7 vulnerability to bypass two-factor authentication and drain bank accounts

Two-factor authentication may be the best way of keeping our online accounts safe, but even this system has vulnerabilities. In Germany, a known security flaw in a networking protocol used by cellphone providers has been exploited to drain funds from bank accounts.

German newspaper Süddeutsche Zeitung reports that the unidentified attackers took advantage of a security hole in Signaling System No. 7, a telephony signaling protocol used by over 800 telecommunication companies. Also known as SS7, it allows the world's cellular carriers to route calls, texts, and other services to each other.

Hackers can expoit SS7 to intercept text messages, listen in on phone calls, and track users' locations. In this instance, thieves used the protocol to circumvent the two-factor authentication banks use when account holders perform withdrawals.

The hackers infected victims' computers using traditional malware, allowing them to steal login and password credentials. They then drained the online accounts by using the SS7 vulnerability to redirect the text messages sent by the banks containing the mTANs (mobile transaction authentication numbers).

"Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January," said a spokesperson for Germany's O2 Telefonica. "The attack redirected incoming SMS messages for selected German customers to the attackers."

Rep. Ted Lieu, who along with Sen. Ron Wyden sent a joint letter to FCC chairman Ajit Pai earlier this year highlighting the dangers of the SS7 flaw, has released a statement regarding the German incident.

Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.