A vulnerability that last year allowed a team of German hackers to eavesdrop on a US Congressman's phone conversations was, once again, exploited in January, this time to bypass two-factor authentication and drain bank accounts, according to a new report.
The attackers leveraged weaknesses in Signaling System Seven (SS7)—a set of international telecommunications protocols—to "redirect the text messages the banks used to send one-time passwords," according to Ars Technica, which cites German newspaper Süddeutsche Zeitung.
Texts were intercepted by hackers, who "used the mTANs—short for 'mobile transaction authentication numbers'—to transfer money out of the accounts," Ars reports.
Prior to intercepting the mTANs, the attackers used traditional malware to steal people's online banking credentials and break into their accounts. This allowed the attackers to view a person's balance, but they needed a one-time password from the bank to transfer money out of the account. That's where the SS7 compromise came in.
The attack affected an unspecified number of German individuals, who were notified about the breach, Germany's O2 Telefonica told Süddeutsche Zeitung.
SS7, among other functions, keeps calls connected as callers' phones switch from one cell tower to another, if they're using their phone in a car on the highway, for instance.
News of the attack comes after 60 Minutes in April 2016 highlighted SS7 bugs, which security researchers—and international spy agencies—have known about for years. Karsten Nohl, a chief scientist for Berlin-based Security Research Labs, demonstrated the flaws by tapping an iPhone conversation between Rep. Ted Lieu, a California Democrat, and 60 Minutes reporter Sharyn Alfonsi using only a phone number.
Following the incident, Lieu called for a congressional investigation into the SS7 flaws. The FCC's Communications Security, Reliability and Interoperability Council (CSRIC)—which provides advice and recommendations to the FCC about improving the nation's communications systems—later investigated the issue and recommended in a March report that more attention be paid to SS7 vulnerabilities.
But the CSRIC's charter expired shortly thereafter. In a March 28 letter to FCC Chairman Ajit Pai, Rep. Lieu and Sen. Ron Wyden, both Democrats, urged the FCC to renew the charter and expand the CSRIC's scope to fully address the issue.
"It is clear that industry self-regulation isn't working when it comes to telecommunications cybersecurity," Lieu and Wyden wrote. They pushed Pai to force wireless carriers "to address these serious cybersecurity vulnerabilities, [warn] the American public that their movements, communications, and devices may be vulnerable to foreign governments and hackers, and [promote] the use of end-to-end-encryption apps, which…can be used to mitigate some of the SS7 risks."
The FCC renewed the CSRIC charter on April 10, and called for membership nominations.
This week, Rep. Lieu tweeted that he has "been screaming for FCC & telecom industry to fix #SS7 security flaw. Perhaps bank losses will get them to act."