Vulnerability in mobile network allows hackers to empty bank accounts

Hackers have been able to steal money from bank accounts by intercepting text messages (SMS) used for two-factor authentication. The hacks happened in January this year, according to the German newspaper Süddeutsche Zeitung.

Interception of the text messages was possible through a vulnerability in the SS7 protocol. This standard is used by telecom providers around the world to exchange information. Thanks to SS7, it’s possible to make calls and send SMS messages in foreign countries. The vulnerability in the protocol has been known since 2014.

Hackers have found a way to intercept the code that is sent by SMS when users try to log in to their bank account. The criminals also used phishing to obtain information about their victims, such as their bank account number, mobile number and password. The phishing mails appeared to come from the user’s own bank.

As soon as the criminals were able to access a bank account, they could use the obtained information and the intercepted SMS to transfer money to their own bank account. Victims usually ended up with an empty bank account.

The attacks mainly took place in the middle of the night, because during the attack the hackers had to trick the mobile phone into connecting to a foreign network. This can be seen on the phone. By attacking at night, the criminals made it less likely that the victim would notice the phone was no longer connected to the regular network and take measures.

It’s unknown how many victims there were. According to the Süddeutsche Zeitung, at least some customers of the German O2-Telefonica were hacked. Because the method works with pretty much any mobile provider, it’s likely many more users were affected.