{"id":16877,"date":"2017-05-19T09:00:54","date_gmt":"2017-05-19T13:00:54","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=16877"},"modified":"2021-03-17T09:53:03","modified_gmt":"2021-03-17T13:53:03","slug":"ss7-attack-intercepts-sms","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/ss7-attack-intercepts-sms\/16877\/","title":{"rendered":"Why two-factor authentication is not enough"},"content":{"rendered":"<p>The usual argument \u201cdo you really need an antivirus\u201d quite often goes something like this:<\/p>\n<p>\u2014 I don\u2019t need antivirus! I have nothing to steal! Viruses? Ransomware? Go on and infect me! I\u2019ll just reinstall the operating system, and I don\u2019t have anything to lose \u2014 there is nothing valuable on my computer.<\/p>\n<p>\u2014 But you have a bank account, right? You do online shopping, don\u2019t you?<\/p>\n<p>\u2014 Bah, the bank has two-factor authentication. That will protect me. Even if hackers stole my card number, they could not withdraw my money.<\/p>\n<p>Well, turns out they can. First, <a href=\"https:\/\/www.kaspersky.com\/blog\/bank-cards-hidden-risks\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">not every online store uses 3D Secure protection<\/a>, which means that not every transaction requires a confirmation SMS message with a code. Even the CVC code (three digits on the back of the card) is no guarantee against misuse \u2014 not all transactions require one.<\/p>\n<p>Also, hackers can intercept the SMS messages banks send and use the verification codes to gain full access to an account. Recently, a substantial sum of money <a href=\"https:\/\/arstechnica.com\/security\/2017\/05\/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">was stolen<\/a> from unlucky consumers in Germany in exactly this manner. 
Let\u2019s take a closer look at how it happened.<\/p>\n<h2>SS7: A hole in the phone<\/h2>\n<p>Intercepting SMS messages is possible because of vulnerabilities in a set of telephony signaling protocols referred to by a common name \u2014 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Signalling_System_No._7\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SS7<\/a> (aka Signaling System 7, aka Common Channel Signaling System 7).<\/p>\n<p>These signaling protocols are the backbone of the contemporary telephone communication system; they are designed to transmit all of the service information within a telephone network. They were developed as far back as the 1970s and implemented for the first time in the 80s, and since then they have become a worldwide standard.<\/p>\n<p>Initially, SS7 protocols were designed for fixed phones. The idea was to physically separate voice and service signals by putting them on different channels, and it was done to harden protection against telephone intruders using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Blue_box\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">special boxes<\/a> to imitate the tone signals used at the time to transfer service information within telephone networks. (Yes, the same boxes Steve Jobs and Steve Wozniak were making back in the day \u2014 but that\u2019s another story.)<\/p>\n<p>The same set of protocols was implemented later, in mobile networks. In between, developers added a range of features. Among other things, SS7 is used to transfer SMS messages.<\/p>\n<p>But information security was not a matter of concern fifty years ago \u2014 at least, not for civil technologies. Efficiency was what mattered, and that got us the efficient but insecure Signaling System 7.<\/p>\n<p>The main weak point of this system (along with many other systems designed in those times) is that it is based on trust. 
It was assumed that only network operators would access it, and they were generally thought to be nice guys.<\/p>\n<p>Ultimately, however, the system\u2019s security level is <a href=\"https:\/\/arstechnica.com\/security\/2016\/04\/how-hackers-eavesdropped-on-a-us-congressman-using-only-his-phone-number\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">defined by the <i>least<\/i> protected member<\/a>. If any of its operators is hacked, then the whole system is compromised. The same is true if any network administrator working for any of those operators decides to exceed authority and to use SS7 for their own purposes.<\/p>\n<p>SS7 access can allow someone to wiretap conversations, determine the location of the user, and intercept SMS messages, so it\u2019s no surprise that both secret services of various countries and criminals are active users of unauthorized SS7 access.<\/p>\n<h3>How the attack actually happened<\/h3>\n<p>In the case of the recent attack in Germany, it went like this:<\/p>\n<p>1. Users\u2019 computers were infected by a banking Trojan. It\u2019s very easy to be infected by a Trojan if you do not use a security solution, and they can work without any obvious signs, so users may not notice them at all.<\/p>\n<p>Using the Trojan, hackers stole bank logins and passwords. (Of course, stealing those credentials is not enough in most cases \u2014 the confirmation code from the bank sent by SMS is also required.)<\/p>\n<p>2. Apparently, the same Trojan was used to steal the users\u2019 phone numbers. This data is usually requested when people make purchases online, and it\u2019s not hard to steal. So, the crooks had both the credentials to access the users\u2019 bank accounts and their mobile phone numbers.<\/p>\n<p>3. The criminals used the stolen bank logins to initiate the money transfer to their own bank account. 
After that, having access to SS7 on behalf of some foreign carrier, they forwarded SMS messages sent to those phone numbers to their own phone and received the confirmation codes they needed to complete the logins and transfer money. The bank didn\u2019t have a reason even to suspect possible abuse.<\/p>\n<p>The German carrier whose subscribers were harmed by this case has confirmed the attack. The foreign carrier whose SS7 network access was used for the attack was blocked, and affected persons were notified. We do not know if they managed to get the money back.<\/p>\n<h3>Don\u2019t you still need an antivirus?<\/h3>\n<p>Two-factor authentication is usually considered solid security \u2014 if no one but you has access to your mobile phone, then who else could read a message on it? Well, anyone who has access to the SS7 system and who is interested in using your SMS messages to get to your money.<\/p>\n<p>What can you do to build proper two-factor authentication and protect against attacks similar to the one described in this post? Here are two tips.<\/p>\n<ul>\n<li>SMS is not the only solution for two-factor authentication. See if your bank supports other, more secure variants such as the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Authenticator\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google Authenticator app<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Universal_2nd_Factor\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">cryptographic USB keys<\/a>.<\/li>\n<li>Use a good <a href=\"https:\/\/www.kaspersky.com\/internet-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">security solution<\/a> on every device. 
Unfortunately, banks may not use alternative kinds of two-factor authentication; some send confirmation only by SMS, and then your only hope is a strong security solution. In the case of the attack described in this post, a proper antivirus would not have allowed the banking Trojan to infect the computer in the first place, so the bank login would not have been stolen. At that point, access to your SMS would be beside the point.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How messages with confirmation codes from banks are intercepted and what can you do to protect yourself.<\/p>\n","protected":false},"author":675,"featured_media":16878,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1218,734,584,97,46,1327],"class_list":{"0":"post-16877","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-2fa","9":"tag-banking-trojans","10":"tag-mobile","11":"tag-security-2","12":"tag-sms","13":"tag-ss7"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ss7-attack-intercepts-sms\/16877\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ss7-attack-intercepts-sms\/10537\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ss7-attack-intercepts-sms\/10482\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ss7-attack-intercepts-sms\/12962\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ss7-attack-intercepts-sms\/13093\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ss7-attack-intercepts-sms\/17673\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ss7-attack-intercepts-sms\/8805\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/ss7-attack-intercepts-sms\/6765\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ss7-attack-intercepts-sms\/13148\/"},{"hr
eflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ss7-attack-intercepts-sms\/16877\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ss7-attack-intercepts-sms\/16877\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/banking-trojans\/","name":"banking trojans"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=16877"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16877\/revisions"}],"predecessor-version":[{"id":39048,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16877\/revisions\/39048"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16878"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=16877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=16877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=16877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}