[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”3.0.47″][et_pb_row admin_label=”row” _builder_version=”3.0.48″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”][et_pb_column type=”4_4″ _builder_version=”3.0.47″ parallax=”off” parallax_method=”on”][et_pb_text admin_label=”Text” _builder_version=”3.11″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”]
Two-factor or multi-factor authentication adds another layer of security to identity verification: the user does not authenticate only with credentials (username/password) but also with a secret code. There are various channels for delivering this ‘secret code’ (commonly an OTP, a one-time password), and one of them is the cellular network, which carries the OTP to the recipient as an SMS. SMS delivery between carriers rides on the SS7 signaling protocol. Recently, applications have increased the usage of OTPs even at the first level of authentication, to log-in using the
What does SS7 do?
Signaling System 7 (SS7) is an international telecommunications standard that defines how network elements in a public switched telephone network (PSTN) exchange information over a digital signaling network. Nodes in an SS7 network are called signaling points.
SS7 allows phone networks to exchange the information needed for passing calls and text messages between each other and to ensure correct billing. It also allows users on one network to roam on another, such as when traveling in a foreign country.
What can hackers do with access to SS7?
Once attackers have access to the SS7 network they have roughly the same information and snooping capabilities as a security service that interfaces with it lawfully.
They can transparently forward calls, which lets them record or listen in on them. They can also read SMS messages sent between phones, and track the location of a phone using
What are the implications for users?
With access to the SS7 network and nothing more than the target’s phone number, an attacker can place the target under surveillance.
One of the biggest dangers, beyond someone listening to calls and reading text messages, is the interception of two-step verification codes that are sent via text message and are commonly used as a security measure when logging into email accounts or other services.
Banks and other
How to protect against snooping via SS7?
There is very little you can do to protect yourself beyond not using the affected services.
For text messages, avoid SMS and instead use encrypted messaging services that let you send and receive instant messages without going through the SMS network, which keeps them out of reach of SS7-level surveillance.
For calls, using a service that carries voice over data rather than over the voice call network will help prevent your calls from being snooped on.
Your location can be tracked at any time your mobile phone is on. The only way to avoid it is to turn off your phone, or to turn off its connection to the mobile network and rely on Wi-Fi instead.
As the German newspaper Süddeutsche Zeitung first reported, once hackers had obtained a bank customer’s username, password and telephone number, they were able to use SS7 vulnerabilities to reroute the two-factor codes that act as the last line of defense against fraud. Security experts say that the same SS7-centric techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.
Two-factor authentication (2FA) is a subset of multi-factor authentication. It confirms a user’s claimed identity by combining two different kinds of factors out of: 1) something they know, 2) something they have, and 3) something they are.
Two-factor means you as the user have to have a second thing with you to serve as the second factor. Some services offer a physically unique device to serve as the second factor – often something along the lines of an “RSA Token” – a small device about the size of a USB flash drive that displays a number, which changes every minute or so. Less common is a token the size and shape of a credit card that does the same.
But think about the number of important accounts you have: banks, credit card accounts, email accounts, social media accounts. Carrying one “second factor” around might not be a nuisance but carrying a dozen around becomes impractical. What is something almost everyone has though and has with them at almost all times? A cell phone.
Service providers caught on to this a few years ago and began offering a form of two-factor authentication in which the provider sends an SMS (text message) containing a code, typically six digits, to enter along with your password. Like the code from a physical generator, an SMS code is short-lived: it is meant to be valid for a single login and expires shortly after it is sent.
More recently, companies have produced Android and iOS authenticator apps that emulate a hardware code generator. Functionally they behave the same: they produce a one-time code, typically valid for 30 seconds, that must be entered along with the password to log into an account. The important difference from SMS is that the code is computed on the phone from a secret shared at enrolment and never travels over the carrier network, so there is nothing for an SS7 attacker to divert.
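To make the difference between the two code channels concrete, here is an added example (not code from the original post) of how an authenticator app and the verifying server each compute the same time-based code from a shared secret, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret below is the published RFC 6238 test key, used here as constructed input; the function names and the one-step drift window are this example’s own choices. Because the code is derived on both ends from the secret and the clock, no code ever has to be sent over the phone network, which is the property an SMS-delivered OTP lacks.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the 20-byte key from the RFC 6238 test vectors.
# A real secret comes from the provider's enrolment QR code (otpauth:// URI).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    The phone and the server both run exactly this; nothing is transmitted."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift
    (assumed policy for this example). The comparison is constant-time so the
    verifier does not leak which digits matched."""
    if not (candidate.isdigit() and len(candidate) == 6):
        return False
    base = unix_time // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, base + drift)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are usually enrolled with a Base32-encoded secret;
    this restores any padding stripped from the QR code and decodes it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Both sides would print the same six digits for the same 30-second window.
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("accepted:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now))
```

The RFC 6238 vectors (for example time 59 with this key gives 287082, or 94287082 at eight digits) let you confirm the implementation without any network at all, which is exactly the point: an attacker rerouting SMS traffic at the SS7 layer never sees a TOTP code, because none is delivered by SMS. What remains to protect on the server side is the shared secret itself and the enrolment step.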
The design flaws in SS7 allow an attacker to divert the SMS containing a one-time passcode (OTP) to their own device, which lets the attacker hijack any service that uses SMS to deliver the secret code for resetting an account password, including Twitter, Facebook or Gmail.
[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]