February 2019. At the British retail bank, Metro Bank, a serious problem has been discovered: someone is accessing sensitive client information. More specifically, this intrusion happens when a client receives a code on their mobile phone in order to carry out a certain operation.
Metro Bank detected that this was the step where a possible data breach was occurring, and where the code in question could fall into a cybercriminal’s hands, leading to real danger for the cybersecurity of the bank’s clients. The bank recognizes and accepts the vulnerability, but says that it is not an isolated case. In fact, it is not the first large banking organization to be affected by this vulnerability. It is, however, the first to admit it.
Indeed, this is not the first time that something like this has happened. In May of last year, the US senator Ron Wyden claimed that a large telecoms operator had suffered a very similar cyberattack. This attack exposed its customers’ and users’ sensitive data to cybercriminals, who didn’t even need a high level of experience in the field to get their hands on this information. This vulnerability, therefore, is common, and not so hard to exploit.
The problem with SS7
Where does the problem lie? The answer is Signaling System 7 (SS7). This is the signalling protocol suite that telephone networks use to set up calls, route SMS messages and let subscribers roam between networks and operators as they travel around the world with their mobile phones. The protocol was created in 1975 and has hardly been updated since, which means that, as of today, it lacks sufficient security for those that make use of it.
This vulnerability is amplified in situations where operators and users employ SS7 in two-factor authentication processes via mobile phones. Although this login method offers many cybersecurity guarantees, it is far from infallible. Here, the vulnerability becomes more evident when the user receives an SMS with a code to carry out a certain operation. According to the UK’s National Cyber Security Centre (NCSC) and the telecoms operators, this SMS can easily fall into the hands of cybercriminals.
The ramifications of this vulnerability
The flaw in the SS7 protocol is no trifling matter; it can have devastating upshots for operators, large organizations, and for users themselves.
1.- Theft of information. Metro Bank customers have already seen this in action: gaining access to an SMS with the code for an operation can be enough to enable cybercriminals to steal their information or, in the case of financial operations, even to steal their money.
2.- Espionage. Exploiting this vulnerability doesn’t necessarily mean the theft of data or information. What it could lead to is an intensive cyber espionage regime. In this scenario, a user could carry on using the service in question, unaware that someone is following their every move.
3.- Escalated exploitation. Until relatively recently, this kind of cybercrime seemed to be limited to large cyberintelligence agencies. However, as the NCSC has recognized, the vulnerability is such that it has become available to cybercriminals with a much less technical profile, who need only a minimal budget to exploit it. What’s more, the fact that the protocol was created over 40 years ago means that the emergence of new vulnerabilities is all the more likely.
4.- Reputation and fines. No company wants to be known for endangering its customers’ information. This damage to reputation also affects telephone operators that, because of SS7, do not feel able to guarantee total cybersecurity for all communications. What’s more, the loss of data can also lead to hefty fines.
How to avoid the risks of SS7
Although companies concerned about their corporate cybersecurity can’t stop the existence of vulnerabilities in the SS7 protocol, they can manage the consequences and stop them from affecting their clients.
1.- Sophisticated passwords. If we bear in mind the fact that two-factor authentication can’t guarantee total cybersecurity, what companies can do is to choose other authentication methods that don’t rely on SMS, or that at least use dynamic, frequently changing codes rather than static passwords.
2.- Monitoring. If anyone should manage to get in, it is vital that companies have the capacity to check what activity is occurring on their corporate servers and devices at all times. Panda Adaptive Defense automatically monitors all processes on the system, and takes actions against possible threats, even before they happen.
3.- Updates. The fight against cybersecurity vulnerabilities is never-ending. Cybercriminals will always find new ways to cause security breaches that allow them to get their hands on user and customer data. This is why Patch Management is so important. It is a complementary module of Adaptive Defense that analyzes endpoint security in real time in order to provide the updates needed to protect against vulnerabilities.
It is not, therefore, a case of putting a stop to an internal problem, since the vulnerabilities in the SS7 protocol are external to the company. What needs to be done is to make sure that, if the vulnerability is exploited, it doesn’t affect users or the organizations themselves. To do this, Panda Security’s solutions prevent incidents by reducing the attack surface caused by vulnerabilities, keeping companies safe from the risks that SS7 and other similar vulnerabilities pose.