This week we learned about two new cyberattacks: a Google Doc scam that tricks users into downloading an app that gives hackers access to the victim’s accounts and an online banking attack that uses SS7 to intercept SMS authentication.
The use of SMS authentication texts to protect online banking has become commonplace worldwide, and has both advantages and disadvantages from a customer friction and security perspective. From a customer perspective, it is often more convenient than a physical token, as the customer normally has their mobile phone with them no matter where they are. On the downside from a security perspective, it is possible either to change the mobile number on the account, or to circumvent bank controls by doing a SIM swap attack at the telco level.
The latest attack vector that we learned about this week exposes another way of subverting the SMS authentication message within the mobile network. Before we explain how this works, it is important first to understand that the cellular network we all use is made up of a number of different protocols – one of which is SS7. This protocol is involved in the delivery and routing of SMS messages amongst other things, but security flaws have been noted in it since 2008. By 2014, it was realised that hackers could compromise it and track specific devices.
In the German attack, rather than hacking the customer's telco, the attackers utilised a rogue telco company; this was seemingly achieved via a virtual mobile operator (VMO), which buys network capacity off larger telcos. It seems that O2 Germany was affected by one of these VMOs, and once network access had been achieved by the attackers, they were then able to redirect the customers' mobile numbers so that their SMS messages were delivered on that network.
While from an online banking perspective there still needs to be a combination of other steps for the attack to work – the customer credentials need to be compromised by malware or phishing, their mobile number obtained and then access to the account undertaken – the big development that people should be concerned about is volume. Instead of time-consuming social engineering at the user level, at the telco there can be automated redirection of a much larger number of mobile numbers in a short time.
Fortunately, from a behavioural biometrics perspective, there are still obvious anomalies which can be spotted. Banks now understand the online problem space and have tools to monitor emerging attacks such as this; they are continually evolving their controls and adding new layers to their risk management stacks. Over time, they have gone from transaction monitoring, to device tracking (IP and fingerprinting) and to malware detection. The latest generation of behavioural biometrics provides the ability to look behind the device to see the person controlling the account and identify whether it is the known owner of the account. Criminal behaviour detection can spot when there is automated activity such as malware being used, or identify specific techniques or MOs that criminal groups utilise.
Online banking attacks are now increasingly happening in areas outside of the bank's control, and their risk management has to be extended to cope with this. It is no longer enough just to look at the devices being used (whether for account access or for providing the authentication); banks must increasingly look behind the device at who or what is undertaking the activity.