If you are a fan of the CBS show 60 Minutes you may have seen a couple of well-done episodes on the espionage and intrigue of spies hacking cell phones. The problem is that those episodes do not go far enough in telling the average user how extensive the vulnerabilities are. Inter-carrier communication relies on a protocol called Signaling System 7 (SS7), and that protocol can be used to get your phone to share all your dirty little secrets, your bank account information included.
Many are aware of the recent National Institute of Standards and Technology (NIST) guidance that SMS should no longer be trusted for authentication and verification. The questions are why, and what are the alternatives? The why, simply, is that Short Message Service (SMS) messages can be intercepted and used. The interception methods typically rely on some form of malware and/or a Remote Access Trojan (RAT) on the handset. While those remain the common methods, we now have a documented case of attackers leveraging SS7 itself.
To understand SS7 you need to know a bit about when and why it was built. SS7 was designed in 1975 to set up and tear down calls on the public switched telephone network (PSTN). It was never designed with security in mind: the signaling network was a closed club of a few trusted carriers, and no one considered that we would all have a phone in our pocket. A message on that network is trusted because of where it arrives from, not because it is authenticated. On the positive side, SS7 enabled all the features we take for granted, such as Call Forwarding, Call Waiting, Voice Mail and other redirect functions. Those redirect functions are the problem: anyone with access to the signaling network can invoke them against any subscriber.
Two-factor authentication (2FA) was developed to help ensure we are who we say we are and to protect against the use of stolen credentials. With 2FA we protect ourselves from someone using a stolen password to access our accounts and steal our information or money. The traditional flow, a person typing a username and password and then entering a code from an SMS sent to their mobile phone, is now frowned upon for the reason mentioned above. If a bad actor uses SS7 to redirect that SMS without the user's knowledge, the code, and with it the second factor, lands in the attacker's hands. Many businesses use SMS to validate a user to their accounts, and the ability to redirect the message may give the bad actor access to those accounts. The only visibility you have into this activity comes after the access has occurred and the damage is done.
So how do we get better? As an alternative, we can leverage the internet and the data channel of our mobile phones rather than the SMS channel. With the newer offerings of RSA SecurID® Access you can deliver an encrypted, end-to-end push to your phone. That push can be combined with stronger methods of authentication such as biometrics (fingerprint and eyeprint). Because the secret never travels over the open SMS channel, an attacker who can redirect your text messages has nothing useful to intercept. The handset itself still has to be clean, of course: the malware and RAT route mentioned above does not care which channel the code arrives on.
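To make the difference concrete, here is an added example (not RSA's code, and not how RSA SecurID Access is implemented) that models the two flows in Python. In the SMS flow the one-time code is the secret, so whoever reads the message in transit, for instance after redirecting it via SS7, can log in. In the push-style flow a key is provisioned to the device once and the server pushes a fresh random challenge; the device answers with an HMAC over that challenge, so an eavesdropper who sees every byte on the wire can neither forge an answer nor replay an old one. The shared-key HMAC and the `attacker_reads_channel` flag are simplifications assumed for the example; a deployed product would typically use a device-held private key over TLS.

```python
import hashlib
import hmac
import secrets


# ---- Scheme 1: one-time code delivered over SMS -------------------------
# The code itself is the secret. Whoever reads the message in transit, for
# example after redirecting the SMS via SS7, can submit it and pass.

def sms_issue_code() -> str:
    """Server side: mint a 6-digit one-time code."""
    return f"{secrets.randbelow(10 ** 6):06d}"


def sms_verify(expected: str, submitted: str) -> bool:
    """Server side: constant-time comparison of the submitted code."""
    return hmac.compare_digest(expected, submitted)


def sms_login(attacker_redirects_sms: bool) -> dict:
    """Simulate one login. Returns which party the server accepted."""
    code = sms_issue_code()
    message_in_transit = code          # the SMS body *is* the secret
    if attacker_redirects_sms:
        # The legitimate phone never receives the message; the attacker does.
        return {"user": False, "attacker": sms_verify(code, message_in_transit)}
    return {"user": sms_verify(code, message_in_transit), "attacker": False}


# ---- Scheme 2: device-bound challenge-response over a data channel --------
# A per-device key is provisioned once at enrollment. At login the server
# pushes a fresh random challenge; the app answers HMAC(key, challenge).
# The key never crosses the wire, so reading the traffic yields nothing
# reusable, and the fresh challenge defeats replay of an earlier answer.
# (Assumption for this example: HMAC-SHA256 with a shared key. A real
# product would typically use a device-held private key and TLS transport.)

def enroll_device() -> bytes:
    """Provisioning: 256-bit device key, shared only with the server."""
    return secrets.token_bytes(32)


def server_challenge() -> bytes:
    """Server side: fresh 128-bit nonce for this login attempt."""
    return secrets.token_bytes(16)


def device_respond(device_key: bytes, challenge: bytes) -> bytes:
    """Phone side: answer the challenge without revealing the key."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def server_verify(device_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected answer and compare in constant time."""
    expected = device_respond(device_key, challenge)
    return hmac.compare_digest(expected, response)


def push_login(attacker_reads_channel: bool) -> dict:
    """Simulate one enrollment plus two logins with an eavesdropper present."""
    key = enroll_device()

    # Login 1: the attacker observes both the challenge and the user's answer.
    c1 = server_challenge()
    r1 = device_respond(key, c1)
    user_ok = server_verify(key, c1, r1)

    # Login 2: the attacker tries to get in using only what was observed.
    c2 = server_challenge()
    forge_ok = replay_ok = False
    if attacker_reads_channel:
        # Forgery: without the key the best available move is to guess one.
        forged = hmac.new(secrets.token_bytes(32), c2, hashlib.sha256).digest()
        forge_ok = server_verify(key, c2, forged)
        # Replay: resend the answer captured for c1 against the fresh c2.
        replay_ok = server_verify(key, c2, r1)
    return {"user": user_ok, "attacker_forge": forge_ok, "attacker_replay": replay_ok}


if __name__ == "__main__":
    print("SMS, attacker redirects:", sms_login(True))
    print("Push, attacker on the wire:", push_login(True))
```

Running it shows the SMS flow accepting the attacker whenever the message is redirected, while the push flow rejects both the forged and the replayed answers even though the attacker saw all the traffic. The property that matters is that the device key never appears on any channel; the nonce on every login is what turns a captured answer into a single-use value.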
For more information on RSA SecurID Access and the entire RSA SecurID Suite click here.
Author: James Mandelbaum
Category: RSA Fundamentals, Blog Post
Keywords: Cybercrime, Cybersecurity, Fraud, Mobile Security, Passwords, RSA SecurID