We’ve written many times about the vulnerability of mobile networks, and their consumers, to attacks by fraudsters exploiting the security weaknesses in the SS7 signalling protocol used by every mobile operator in the world.
To recap, fraudsters who gain access to the signalling system – using tools that are now becoming fairly freely available – can use SS7 to track target mobiles, snoop on activity, and divert calls and messages to another mobile number. That last tactic is a particular favourite of fraudsters looking to target consumer bank accounts, because it lets them intercept the two-factor authentication (2FA) messages that banks send to their customers to authorise the release or transfer of funds.
However, intercepting a banking 2FA message is just one weapon in the mobile hijackers’ armoury. Such a hijack is simply another form of identity theft, one that can have widespread ramifications and exploit weaknesses – especially authentication weaknesses – in many services.
Take Twitter as an example. The so-called ethical hackers at Insinia recently demonstrated how they could use the insecurities within mobile networks to gain control of the Twitter accounts of some celebrity Tweeters in the UK. It just required the hackers to send messages to Twitter from what appeared to be the account holder’s mobile number.
Insinia just used its control of the accounts to send messages to show what it had done, before leaving the scene and allowing the celebrities concerned to take back control of their accounts.
But the potential to take control of a company’s or an individual’s Twitter account, and then use that control to send messages that could embarrass or discredit the account’s rightful owner, is extremely worrying. In the case of a company, for example, pushing out damaging fake news via Twitter could hit share prices and company value before anyone has a chance to correct the information. And bad news stories have a habit of popping up again long after they have been corrected.
Mobile operators that deploy SS7 firewalls can prevent this hijacking of mobile phone accounts and also block false two-factor authentication messages, helping to prevent fraud and account hijacking. But Twitter could also close the path Insinia exploited by insisting that tweets from a mobile are sent over mobile data via an app, rather than by text message.
Every day it seems we read about another data breach, or about our personal data being sold or exploited. The need for vigilance and action has never been greater.