Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.
This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK's Metro Bank—that fell victim to such an attack.
The news highlights the gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals. The National Cyber Security Centre (NCSC), the defensive arm of the UK’s signals intelligence agency GCHQ, confirmed that SS7 is being used to intercept codes used for banking.
"We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)," the NCSC told Motherboard in a statement.
“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”
"This is not an isolated case."
Metro Bank, which launched in 2010, confirmed it had faced an SS7 attack, and said in a statement it has supported a law enforcement investigation into SS7 attacks across the industry.
“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue,” a Metro Bank spokesperson told Motherboard in an email.
“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website,” the statement added.
UK Finance, a trade association for UK banks, told Motherboard in a statement that “The protection of customer accounts is an absolute priority for the industry. We are aware of reports of a small number of incidents and understand that immediate steps were taken by the relevant telecommunication bodies to resolve the issue.” Metro Bank is a member of UK Finance.
Major UK telco BT told Motherboard in a statement, “We’re aware of the potential of SS7 to be used to try to commit banking fraud. Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.” This statement also applies to the telco EE, which is part of BT, the spokesperson added.
A Vodafone spokesperson told Motherboard in a statement, "We have specific security measures in place to protect our customers against SS7 vulnerabilities that have been deployed over the last few years, and we have no evidence to suggest that Vodafone customers have been affected. Vodafone is working closely with GSMA, banks and security experts on this issue." The GSMA is a trade group that represents mobile network operators.
O2 and TalkTalk did not provide statements in time for publication.
The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network—a government agency, a surveillance company, or a criminal—SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains.
In the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code.
In 2017, German newspaper The Süddeutsche Zeitung reported that criminals had exploited SS7 to drain funds from bank accounts in Germany. The Metro Bank incident appears to be the first publicly reported case of a UK bank falling victim to an SS7 attack, however, and multiple sources confirmed the issue is broader in scope.
One source familiar with SS7 attacks across banks said the exploitation has targeted banks globally, but that American banks seem to be less impacted. The SS7 issue applies particularly to Europe, they added. Motherboard granted the source anonymity to talk more openly about sensitive incidents.
Nohl, the cybersecurity researcher who has worked on SS7, echoed that exploitation by financially-driven cybercriminals is more common than many may believe. Graeme Coffey, head of sales at cybersecurity firm AdaptiveMobile, which focuses particularly on SS7, told Motherboard in a phone call, “We have seen a diversity of continents that have been targeted.”
The NCSC statement added “While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”
Multiple sources said the attacks are highly targeted; something that members of the general public don’t necessarily have to worry about. An SS7 attack is unlikely to be effective if the bank uses a form of 2FA that doesn’t rely on text messages, such as an authenticator app.
The news highlights the gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals.
Over the past several years, Motherboard has collected examples of different criminals advertising alleged SS7 capabilities. In one from December 2017 sent over a direct message in a chat protocol commonly used by criminals, one hacker claimed to offer voice and text message interception as well as geolocation. Another message advertised a particular website claiming to sell bank token interception via SS7. A source with underground connections told Motherboard one SS7 reselling service was tested and did work. Some SS7 offerings are very likely fakes, however.
Coffey from AdaptiveMobile said he believes the sort of criminal gangs that are carrying out these SS7 attacks are unlikely to resell that capability.
“These gangs—the guys who are really seriously coordinated, very, very targeted, and active—I don’t think they want to associate with anyone that is going to risk their operation,” Coffey added. “I think that is a very closed, small group of professionals.”
Coffey said criminals could have acquired access from legitimate providers, or are piggybacking off that access, making the SS7 requests appear somewhat more legitimate. Nohl pointed to how hackers could target someone who already has SS7 access. In 2017, this reporter went undercover as an SMS routing service and was successfully offered SS7 access for around $10,000.
“This is not an isolated case,” Nohl said.
Update: This piece has been updated to include a statement from Vodafone.
Subscribe to our new cybersecurity podcast, CYBER.