The recent successful attacks on bank accounts using the signalling system 7 (SS7) protocol to bypass two-factor authentication will have repercussions for telcos, and they should have long seen it coming.
SS7, created in the 1970s, is used by hundreds of telcos globally to allow customers in one country to route voice and text communications between users.
Even though SS7 has been shown multiple times to be technically vulnerable, cyber robbers targeting German banks over the past few months did the heist the easy way.
They looked for the weakest link in the security chain used by banks and other organisations, which happened to be SS7, but no clever hack of the telco network took place.
Instead, the attackers simply bought access to the network.
Once inside, they used the flaws inherent in the protocol to snag user authentication tokens sent out via SMS, and made off with customers' money.
Anyone using SMS in 2017 - banks, social networks, you name it - to protect access to sensitive information deserves a slap, because it hasn’t been safe for a long while.
This doesn’t mean 2FA is dead, however.
The SS7 attacks should provide an impetus for organisations to implement challenge and response authentication out-of-band without relying on a network that has been demonstrably insecure for years now.
Regulators and authorities should urgently act on this rather than getting bogged down with trying to make telcos around the world get their act together on SS7.
Which is not to say authorities should give up on the SS7 issue and ignore it. There are more problems with the protocol than hijacking SMS 2FA codes - SS7 can also be used to track users’ mobile phone locations worldwide [pdf], a privacy threat that has been known for years.
The inevitable death of SMS for 2FA will be a big problem for telcos.
Organisations will instead use encrypted data over the internet, and telcos will become even more like “dumb pipes” providing the infrastructure but not the service.
That’s not where telcos want to be, but it's the best for security.
Don't feel too bad for telcos, however; flaws with SS7 have been known about since at least 2008. It’s not like they didn’t know this was coming.
