The Metro Bank SMS authentication hack shows the risk of relying on ancient protocols for security
The SS7 telephony protocols date back to 1975 - much has changed since then as hackers know
We all know the drill: you are signing into your online banking and for some reason or another, the bank fails to recognise who you are - perhaps you are signing in from new device or you can't remember your password. The bank then sends you an SMS or calls an already provided telephone number to share an authorisation code to input into the app or platform as a means of validating your identity. Lots of companies are now using this type of SMS or outbound calling method as a second step of authentication.
The problem: Signalling System 7 (SS7). This international telecommunications standard is used by mobile network operators (MNOs) all over the world to exchange the information needed for passing calls and text messages between each other and to guarantee correct billing. It also allows the transfer of data between networks, including when we switch between network providers, for example when roaming in another country. When it was first introduced, back in the 1970s, it was fit for purpose as there were very few telephony networks, and the companies involved counted on one another to be trustworthy. But now the market is burgeoning with huge numbers of MNOs, meaning call and SMS networks have no way of verifying that these SS7 messages originate from legitimate sources.
Case in point: last week Metro Bank fell victim to a sophisticated two-factor authentication (2FA) bypass attack after hackers infiltrated a MNO's SS7 text messaging protocol.
How does a fraudster take advantage of this flaw in SS7?
Even if they have managed to get their hands on a banking customer's credentials and attempted to login, in theory SMS or outbound calling authentication should stop hackers in their tracks. However, hackers are ingenious; they have discovered that this vulnerability in SS7 allows them to get into any network and access the data, meaning they can simply get these messages and calls sent to a mobile phone of their choice. The fraudster will set up a misdirection of the legitimate customer's SMS or outbound verification call using the SS7 protocol vulnerabilities, via a compromised gateway (which can be in any country). There are a number of scenarios that make this possible, for example:
- Physical connection
- Political sponsorship
- Hacking
- Insider coercion
Despite several documented cases, due to the complexity of the historic technology it has been difficult to resolve the SS7 vulnerability. Whilst some effort has been made by the network operators to address the problem, some SS7 messages just cannot be filtered at the network boundaries because there are some legitimate reasons to send cross-network messages, for example, to set up call roaming. Therefore, if an attacker can infiltrate any SS7 network, they can send certain SS7 messages to their fraud target's home network. Call and SMS redirection can be set up using this mechanism from a remote location with no interaction from the MNO's operating staff, nor the fraud target.
So, what is the solution? Although there is no ‘one size fits all', there is a way to design security from the inside out, taking a three-pronged approach:
1. Keep on top of your security policies
A strong and agile governance process in terms of authentication policies is key. It's crucial that organisations are mitigating against future scenarios that might not even be apparent at this stage where SS7 might be compromised. They should also regularly review these policies, so that they are fully up to date, and adjust their authentication methods as required.
2. Stay ahead of the game
There is absolutely nothing wrong with using calls and SMS for authentication if the company is protecting itself and its customers against its vulnerabilities. One way is using the services of a security provider which has a proactive research arm and can keep track of the new attacks being made on SS7.
3. Utilise an intelligence engine
The best way to combat the security issues associated with SS7 is to use an intelligence engine to spot anomalous behaviour. Companies gather as many data points as possible: device, call divert, SIM swap, and roaming statuses from MNOs and specialist services, in order to build up a picture of their customers. An integrated approach then correlates this data to provide a single view of the person undertaking the transaction. A feedback loop to the intelligence engine to inform it about known fraud cases can also help it learn about bad behaviour, and to recognise that a fraudster is at work based on similar combinations of these data points.
Technology can be used to make rigorous checks on the person initiating the transaction to make sure that compromised credentials are not being used, and that malware has not been used by a fraudster to initiate the transaction.
When a possible SS7 compromise has been detected based on the data points mentioned above, or further anomalies such as differences in the locations detected between initiating, authenticating, and observed customer phone devices, a higher ‘risk score' can be applied to the transaction. Whenever a higher risk score is flagged, additional layers of authentication should then be introduced - whether that be more rigorous behavioural authentication or using a non-telephony-based validation method, for example a card reader.
Advice for consumers
Consumers also need to be made aware of the issues, as there are a few basic steps they can take to help avoid being defrauded - for example letting the bank know when they are going on holiday.
Just as you wouldn't tell a stranger on the street all your personal information, the same rule applies to talking to a person you don't know over the telephone, especially if they've called you. Consumers should never divulge any personal information whatsoever, because banks never ask for personal data to be disclosed that way.
Also, privacy settings on social media accounts should be set to limit the exposure of personal information to only those people you know - the typically default "viewable by everyone" approach means that fraudsters can glean sufficient information to impersonate you or to answer challenge questions asked by some organisations during customer verification processes.
Lastly, regularly review your statements and any notifications you receive from the bank for unidentified transactions - it's better to spot these early so any compromises can be nipped in the bud.
No end in sight
Despite putting these precautions in place, there is no 100 per cent sure way to guarantee that customers won't be affected by the vulnerabilities in SS7. Even the newer protocols, such as Diameter for 4G networks, whilst making some improvements, still have vulnerabilities. In any case, to date, Diameter is only used for data services. Even on 4G networks, calls and SMS still use SS7 for backwards compatibility and to maintain coverage.
The good news is that SS7 will eventually be replaced. However, this will take several years, so it is crucial that action is taken immediately before more cases of fraud are reported. It is critical that players in the sector embrace collaboration now and work together more proactively to ensure that future standards will not have the same flaws as SS7, and that they will provide the most appropriate approach for the long-term.
For new protocols to be a success, the goal must be to create a secure communication system with minimal risk and maximum effectiveness. The key to achieving this is to think about potential misuse cases, as well as the normal usage scenarios, from the outset.
Ryan Gosling is head of partnerships and telco at Callsign