[German]Cyber criminals has been successful in an Internet (online) banking heist, misusing a vulnerability known since 2014 within the signaling system #7 mobile.
Advertising
German news magazine Süddeutsche Zeitung reported here about this case. Security experts has been awaiting such a hack for years. Here is how it worked: Some banks are using mTANs (mobile TANs) to authorize banking transactions. An mTAN is send via SMS to the users smartphone. The mTAN received on the phone has to be entered into the online banking form to authorize a transaction (two factor authorization). But there has been warnings since years, that online banking with mTANs and banking apps isn't secure. The reason: Since 2014 a vulnerability in UMTS SS7 protocol is known (see here and here).
Hackers has been using a 2 step attack to heist banking accounts from victims. In a first step they are using a phishing campaign (maybe with Trojans) to steal banking account data (name, account, password, and phone number for SMS/mTAN authorization). Then they uses the vulnerability in SS7 protocol, to hack into the mobile network of a provider (in the current case it was German mobile operator O2, a subsidiary of Spanish Telefonica). They redirected the SMS containing the mTAN send from the bank to their own smartphone. Then they used the mTANs to authorize the online transactions. O2 has confirmed, that some of its customers was affected by an illegal phone number redirection from a foreign provider.
Addendum: The Register has another article about this topic.
