Ted Lieu (D-Calif.)

A U.S. congressman is again calling for the FCC and telecom industry to fix a security flaw in Signalling System No. 7 (SS7) that is allowing hackers to bypass two-factor authentication and wipe out bank accounts.

The issue was again brought to light when European carrier O2-Telefonica reported that some of its customers had been hit with attacks taking advantage of the SS7 vulnerability, resulting in money being removed from their bank accounts.

Rep. Ted Lieu (D-Calif.) this week reiterated a call he and Sen. Ron Wyden (D-Ore.) made in late March for the SS7 vulnerability to be addressed by forcing cellular carriers to take action on these issues; warn Americans about the hacking and surveillance threats to their phones; and promote the use of end-to-end encryption apps, which may mitigate some SS7 risks, as the FCC working group recommended.

“Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw,” Lieu said, calling it “unacceptable” that the FCC and telecoms have been aware of the problem for quite some time.

On the issue over SS7, Elad Yoran, executive chairman of Koolspan, said: “SS7 is a set of 1970s era protocols used by most of the world's telephone networks. Its original purpose was to establish and disconnect calls made over the public switched telephone network (PSTN). Today, SS7 protocols are used in providing a broad array of mobile device services, including global roaming and SMS text messaging.”

“The vulnerability exists because the ‘trusted’ carrier networks were designed for more important goals, interoperability, reliability, forward/backward compatibility, etc. New technologies like LTE have improved security locally in the networks that deployed them, but the problem still exists. Global networks are massive, complex, support older technology and are interoperable, so the vulnerabilities will continue to survive for some time,” Yoran told SC Media.


The flaw was discovered in 2006 and fully disclosed in an FCC report in March, when Wyden and Lieu called for a patch to be found and implemented.