Hackers exploit the insecurity of SMS-based two-step verification to steal from bank accounts
If there were still doubts that two-step verification via SMS is insecure, cybercriminals are now exploiting its weaknesses to steal money from bank accounts. We have said it before: two-step verification is an excellent additional layer of security for protecting our online accounts, except when the second factor is an SMS.
One of the main reasons for this is a known flaw in Signaling System No. 7 (SS7), the protocol that most telecommunications operators use to connect us when we make calls, send SMS or share data over the Internet. Its infrastructure is badly outdated, which makes it very easy for crackers to redirect calls and messages to their own devices.
According to the German newspaper Süddeutsche Zeitung, these vulnerabilities in the protocol, about which warnings have been issued since 2008, have been exploited by as yet unidentified hackers to bypass the two-step authentication of banks in Germany.
The attackers used the vulnerability to divert the SMS messages that the banks sent to their customers. These messages contain one-time codes, valid for a single use, that authorize transfers. According to the report, the attackers intercepted the messages and used the codes to steal the funds.
To obtain the account numbers, login details and bank account balances, the attackers first ran a malware campaign. They then carried out the attack through a foreign telephony operator, not yet identified, to redirect the SMS messages.
In response to this news, United States Representative Ted Lieu issued a press release urging Congress to pressure the telecommunications industry and the FCC to fix the flaw in the SS7 protocol:
"All accounts protected by SMS-based two-step authentication, as in the case of bank accounts, are potentially at risk until the FCC and the telecommunications industry fix the devastating security flaw in SS7."