Posts by izmiaz

3 publicly visible posts • joined 11 May 2017

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

izmiaz

Re: The "solution" is simple.

I think it's not that simple. You would need to change this in ALL carriers and fine on an international level. Whoever wrote the letter of guarantee that SMS is a secure communication? It was invented as a side product when having some spare signalling capacity in the E1s and then suddenly overrun by its own success. So, if you allow roaming with e.g. Uganda (not to mean they are particularly bad there), you have to understand that you cannot expect them to interact with the latest technology on an ARPU of 12 EUR/month/subs .... Or you simply don't allow certain traffic, which brings other complaints onto the stage.

Yes, it can be solved on carrier level. But the particular case to me just indicates a flaw in the authentication method, not in the carrier of information.

izmiaz

SS7 firewalls are not yet widely deployed and mostly available from startups who do not have the capability to integrate this technology on a large scale, unfortunately. But it is work in progress.

SMS home routing can work to some extent, but hey, see my other post: it's not SMS that is the problem (then we could switch to WhatsApp, hein?)

The problem is that your bank tries to tell you that this is a great way to authenticate your transactions. THE BANKS, once more, not the TelCos, are to be blamed here!

izmiaz

Re: The "solution" is simple.

Well, fines to whom? Regardless of what SS7 is, I would not find it OK to turn this into TelCo bashing now:

- First you need someone to break into your phone/computer and get your online banking data. With all known issues about security on the Internet, this is a matter of personal responsibility. Not only does technology of the '70s (SS7) meet 2017 here, but also a common technical understanding of the average user limited to the past millennium is needed to make such an attack possible.

- It is the BANKS who - despite better knowledge in their IT departments, I suppose - implemented an authentication system that is convenient but not secure! Banks normally are never responsible for anything; we have known for a while that they earn on ANY transaction regardless of who pays whom ....

- Use TAN generators, or the good old paper TAN letter (you can personally pick it up at your bank) or anything else that is secure! Those systems existed long before smartphones and they worked well, even allowing you internet banking.

- Now it happened at O2, but SMS works pretty much the same in all European operators.

BTW: Install the Tor browser and get access to a different internet. Many SS7 hosts are compromised and we have boxes connected to the global SS7 network that should definitely not be there. I think that statement about renting an E1 link is today as outdated as SS7 itself ... you don't need that patience. In the worst case, pay 10 kEUR and you get what you need, SS7 access included.

AND: You can do much more, such as track locations or tap calls as well. This has long been published and was even commercialized in countries like the US. Any surprises now?