The attacks successfully targeted online bank account holders in Germany by using call-forwarding features built into the SS7 protocol. When mobile phone users travel abroad, the SS7 administrative data network allows local phone networks to verify whether the user's SIM card is valid by querying a Home Location Register. That same SS7 functionality can also be abused. In the case of the German online bank attacks, the hackers employed a two-stage assault: a phishing attack followed by call forwarding.
Using a mobile telephony network located abroad, attackers instruct it - via SS7 - to forward all calls and SMS messages sent to a victim's mobile phone number to an attacker-controlled number. Fraudsters can then log into a victim's account, initiate a money transfer and then receive the mobile transaction authentication number (mTAN) required to approve the transfer.
Security experts and financial services regulators - including the German Federal Office for Information Security, known as the BSI - recommend that banks never use mTANs or other two-step verification schemes. Instead, they recommend using two-factor authentication and generating a transaction authentication number, or TAN, via a hardware-based or software-based dongle, according to BankInfoSecurity.
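The difference between the two approaches above can be shown on the bank's side of the check. The following is an added, constructed example and not code from BankInfoSecurity, the BSI or any bank: an SMS-delivered mTAN is a random code whose only secret is the delivery channel, so whoever receives the forwarded SMS holds a valid code, whereas a dongle-generated TAN is derived from a device key that never crosses the phone network and from the transaction details themselves, so a redirected SMS yields nothing usable. The device key, the IBANs, the counter and the HOTP-style truncation are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# --- Scheme 1: SMS mTAN -------------------------------------------------
# The bank draws a random code and sends it over SMS. Possession of the
# code proves only that you received the SMS, which is exactly what SS7
# call/SMS forwarding gives an attacker.

def issue_mtan(digits: int = 6) -> str:
    """Random TAN as the bank would send it by SMS."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"

def verify_mtan(issued: str, presented: str) -> bool:
    """The server can only compare the code it sent with the code it got back."""
    return hmac.compare_digest(issued, presented)

# --- Scheme 2: transaction-bound TAN from a hardware/software token ------
# Simplified chipTAN-style generator (assumption, not any vendor's scheme):
# TAN = HOTP-style truncation of HMAC-SHA256(device_key, counter|iban|amount).
# The device key lives only in the token and in the bank's HSM.

def _transaction_message(counter: int, iban: str, amount_cents: int) -> bytes:
    return f"{counter}|{iban}|{amount_cents}".encode()

def device_tan(device_key: bytes, counter: int, iban: str,
               amount_cents: int, digits: int = 6) -> str:
    """TAN the token computes after showing the user the destination and amount."""
    mac = hmac.new(device_key, _transaction_message(counter, iban, amount_cents),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation as in RFC 4226
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_device_tan(device_key: bytes, counter: int, iban: str,
                      amount_cents: int, presented: str) -> bool:
    """The bank recomputes the TAN for the transaction it is actually asked to execute."""
    expected = device_tan(device_key, counter, iban, amount_cents)
    return hmac.compare_digest(expected, presented)

# --- Constructed scenario mirroring the German attacks -------------------
USER_IBAN = "DE00 0000 0000 0000 0000 01"        # constructed, not a real account
ATTACKER_IBAN = "DE00 0000 0000 0000 0000 99"    # constructed, not a real account
DEVICE_KEY = bytes.fromhex("0f" * 32)             # constructed token secret
ATTACKER_KEY = bytes.fromhex("a5" * 32)           # attacker's own guess at a key

def simulate_sms_forwarding_attack() -> dict:
    """Attacker has the phished login and has forwarded the victim's SMS to their own phone.

    Returns which TAN checks the bank's server would accept for a transfer
    of 2,000.00 EUR to the attacker's account.
    """
    counter, amount = 17, 200_000
    # Scheme 1: the bank sends the mTAN by SMS; forwarding delivers it to the attacker.
    forwarded_sms = issue_mtan()
    mtan_accepted = verify_mtan(forwarded_sms, forwarded_sms)
    # Scheme 2: the attacker never sees the device key. Two things they can try:
    #   a) compute a TAN with a key of their own,
    #   b) replay a TAN the victim legitimately generated for a different transfer.
    forged = device_tan(ATTACKER_KEY, counter, ATTACKER_IBAN, amount)
    forged_accepted = verify_device_tan(DEVICE_KEY, counter, ATTACKER_IBAN, amount, forged)
    victims_own_tan = device_tan(DEVICE_KEY, counter, USER_IBAN, 5_000)
    replay_accepted = verify_device_tan(DEVICE_KEY, counter, ATTACKER_IBAN, amount, victims_own_tan)
    # For comparison: the legitimate user approving their own 50.00 EUR transfer.
    legit_accepted = verify_device_tan(DEVICE_KEY, counter, USER_IBAN, 5_000, victims_own_tan)
    return {
        "mtan_accepted_after_forwarding": mtan_accepted,
        "device_tan_forged_accepted": forged_accepted,
        "device_tan_replayed_accepted": replay_accepted,
        "device_tan_legitimate_accepted": legit_accepted,
    }

if __name__ == "__main__":
    for check, result in simulate_sms_forwarding_attack().items():
        print(f"{check:35s} {result}")
```

The point the simulation makes is that the mTAN check has nothing to verify beyond "the code came back", so it passes for whoever the SS7 forwarding hands the SMS to, while the device TAN fails both when computed without the token's key and when a genuine TAN for another transaction is replayed, because the amount and destination are part of the MAC input.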