2FA fail; hackers exploit SS7 flaw to drain bank accounts

From as early as 2014, common vulnerabilities in Signaling System 7 (SS7) have been spotlighted for allowing cybercriminals to spy on conversations and text messages on mobile phones, but also track location by simply knowing the victim”s phone number.

Having ignored the warning signs, the telecom system is now used to bypass two-factor authentication and hack into users” bank accounts. This has been confirmed by O2 Telefonica, the German network provider, which had a few customers affected. If criminals can intercept phone messages with safe codes, millions of internet users will struggle with major privacy and security risks.

The hype around two-factor authentication is starting to fade after the technique has repeatedly proven ineffective, but it may just be too late to go back and fix it. This calls for new security measures, as two-factor authentication is commonly used to authorize online payments, or access email and social media accounts, while profit-driven hackers develop ingenious ways to drain bank accounts through vulnerability exploits.

In the past, Ted Lieu, Democratic member of the US House of Representatives for California, spoke out about the vulnerabilities and SS7 attacks.

“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number,” said Lieu in relation to the incident affecting the customers of O2 Telefonica. “It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”