Hackers have exploited long-known vulnerabilities in the SS7 networking protocol to drain customer bank accounts, despite years of warnings about the security holes.
Signaling System No.7 (SS7), as the protocol is known, is used by more than 800 telcos around the world, allowing customers in one country to send text messages to users in different countries.
The protocol also helps with interoperability between networks, and allows for phone calls to go uninterrupted while in low signal areas.
However the protocol, which was created in the 1970s, can be used to track users and eavesdrop on their conversations.
These vulnerabilities have been publicised as early as 2008, yet most recently, security researchers in 2016 were able to demonstrate the ease at which they could track the movements of US Representative Ted Lieu using his phone number and the SS7 network.
It has now emerged that unidentified hackers used the same vulnerabilities in the SS7 protocol to bypass two-factor authentication services of banks in Germany, according to the Süddeutsche Zeitung newspaper.
The hackers were able to use SS7 to divert the text messages that the banks send to customers as one-time password checks - two-factor authentication via SMS - sending them instead to phones controlled by the attackers.
The codes were then used to authorise the transfer of funds out of customer accounts, according to the report.
To locate the targets, the hackers used a malware campaign to identify bank account numbers, login details, passwords and balance amounts. They were then able to purchase access to an as yet unidentified foreign telecommunications provider to gain backdoor access to the customers' phones.
The news won't come as a surprise to those advocating against the use of the SS7 protocol. In August last year, Lieu requested the FCC investigate the reported vulnerabilities of SS7, and impose changes to prevent these kinds of attacks.
However, this could take years to address given the size of its reach and the number of companies using it.
The silver lining is that since this is the first reported public attack using the SS7 protocol, it may spur other regulators to help fix the vulnerabilities.
