Hackers exploit SS7 telco flaw to raid German bank accounts

02 has confirmed that hackers exploited long-known weaknesses in a protocol that connects back-end telco networks to intercept and re-route two-factor verification codes sent by German banks to customer mobiles to authorise online funds transfers.

  37 1 comment

Hackers exploit SS7 telco flaw to raid German bank accounts

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Weaknesses in the Signaling System 7 (SS7) protocol - which is used for data communications between different telco networks - have been known about since 2014.

Researchers demonstrated that anyone with internal access to a telco can easily log in to third party networks, enabling them to track phones and redirect messages.

O2 in Germany has now confirmed that some customers in Germany have had their accounts drained by hackers after initially falling victim to phishing scams which harvested user names, passwords, phone numbers and bank account details.

The attackers then used SS7 to intercept and redirect mTANs - mobile transaction authentication numbers sent by banks in Germany to authorise transfers out of accounts - to their own phones.

"Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January," 02 told German newspaper Süddeutsche Zeitung. "The attack redirected incoming SMS messages for selected German customers to the attackers."

The news is likely to send a chill down other banks and organisations currently using SMS codes as a customer verification mechanism.

Sponsored [New Report] Managing Fraud Risks with Synthetic Data: A Practical Approach for Businesses Services Industry

Related Company

Comments: (1)

A Finextra member 

SEVERAL BIG AND IMPORTANT BANKS in BRAZIL use extensive SMS messages as 2nd authetication factor.

[Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming MandatesFinextra Promoted[Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates