Is your money safe? Bank hack could affect millions across globe

The vulnerability exposed in the hack could be used against any bank that uses two-step login verification. Photo / 123RF

It was designed as a security measure to increase protection of internet users across the globe.

But hackers have used a well-known security vulnerability in worldwide mobile telecoms networks to steal access codes to online bank accounts, the Daily Mail reports.

The exploit could be used against any bank that uses two-step login verification, as well as high-profile websites like Facebook, Google and many others.

And until money has come out of your bank account, or malicious messages have been sent on social media, you won't know you've been hit.

The attacks, first reported in Germany, are the first time that criminals have been able to exploit the Signal System 7 (SS7) to steal funds from bank accounts.

SS7 service helps mobile networks across the world route calls and texts, for example by keeping calls connected as users speed along roads, switching from signal tower to signal tower.

But it can also be used by criminals to redirect data, and hackers have now found a way to intercept the two-stage authentication codes sent out by banks.

These are used to verify the identity of customers attempting log in to their accounts or to place some online transactions.

They are usually sent in the form of SMS messages and by intercepting these codes through the SS7 service, criminals have free reign to empty funds from your account.

The attacks, reported by German newspaper Süddeutsche Zeitung, were confirmed by telecoms company O2 Telefonica although it is not known how many of their customers were affected.

But most banks and high profile websites use the two-step method, meaning millions of users around the world could be vulnerable.

And the attacks have already come to the attention of legislators in the US who are calling for a crack down on the flaw, which has been known since 2014.

Congressman Ted W Lieu said in a statement: "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw.

"Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number.

"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security."

It was also in Germany that researchers discovered the flaw in SS7 in December 2014.

They warned at the time that hackers could use the exploit to locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption.

Despite this, two-step authentication codes continue to be sent via SMS messages by many of the world's largest internet companies.

Among them is Google, who promotes '2-Step Verification' as an extra-layer of security designed to 'keep the bad guys out.

Thankfully hackers must already have access to the first stage of verification, namely your username and password, for the attack to work, and this is something you can control.

Login details are usually sourced from data leaks affecting other sites, as people often use the same passwords.

There are a number of websites that collect information on mass data-breeches and allow you to check whether your details are among them, including one widely-used site 'Have I Been Pwned?'.

It is important to note that in a data breech, for example where your Hotmail email address is listed in a breech of LinkedIn, it is the password for LinkedIn which hackers have access to rather than the Hotmail account - unless they are the same.

This is why it is vital to use different and complex passwords across different sites, so that a breech of your password on one site does not allow hackers to access your account on others..

Reputable password managers that suggest strong passwords and stores them in an encrypted file on your own computer can make these more simple to generate and remember.