The Signaling System No. 7 vulnerability, SS7 for short, is a well-documented worldwide network issue that affects all major carriers in the United States and potentially allows anybody with your phone number to intercept SMS messages meant for you, and it seems that hackers have done just that in order to gain illicit access to victims’ bank accounts via online and mobile banking solutions. Many banks use two-factor authentication for secure processes, with one of those factors being an SMS message with a single-use code. That code, paired up with a password or other details, can get a customer into their online banking app, and can just as readily let in hackers.
SS7 has been around for quite some time, and the US Department of Homeland Security recently issued the warning that this known vulnerability has been used in attacks. Since many online services, such as social media, mirror the banking sphere in using SMS as a secondary means of user authentication, the SS7 bug puts all mobile users at potentially disastrous risk. Naturally, on top of being used for two-factor authentication hacking, SS7 could be used to siphon sensitive information that’s relayed via SMS messages, among other uses. The recent banking attacks pointed out by the Department of Homeland Security are among the more serious potential malevolent uses of this vulnerability. SS7 can also expose a user’s location and other sensitive data from their device.
Private users are not the only ones affected by this vulnerability; data breaches have occurred with wireless carriers in the past using the bug. The issue is that SS7 is a system that was designed long ago as a way for providers to communicate across towers, devices, and protocols, which means that putting any kind of vetting system in place for requests and communications could cause issues. SS7 has been widely documented and reported on in the past, but as of this writing, no networks are working on patching it directly, and government officials the world over have yet to talk about the possibility of passing any orders that would compel them to do so. This latest attack could change all of that, as it is the first documented occurrence of hackers using SS7 to do more than simply spy on users or steal critical information without taking direct action.