The company O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung agency that some of its customers suffered cyber heists exploiting the SS7 flaws.

It has finally happened.

For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device’s location armed with just the target’s phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors.

But on Wednesday, German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts.

This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.

“I’m not surprised that hackers take money that is ‘lying on the table’. I’m just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network,” Karsten Nohl, a cybersecurity researcher who has highlighted vulnerabilities in SS7, told Motherboard in an email.

Signalling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down most of the world’s public switched telephone network (PSTN) telephone calls. It also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other mass market services.

In North America it is often referred to as CCSS7, abbreviated for Common Channel Signalling System 7. In the United Kingdom, it is called C7 (CCITT number 7), number 7 and CCIS7 (Common Channel Interoffice Signaling 7). In Germany, it is often called N7 (Signalisierungssystem Nummer 7).

The only international SS7 protocol is defined by ITU-T’s Q.700-series recommendations in 1988.[1] Of the many national variants of the SS7 protocols, most are based on variants of the international protocol as standardized by ANSI and ETSI. National variants with striking characteristics are the Chinese and Japanese (TTC) national variants.

The Internet Engineering Task Force (IETF) has defined the SIGTRAN protocol suite that implements levels 2, 3, and 4 protocols compatible with SS7. Sometimes also called Pseudo SS7, it is layered on the Stream Control Transmission Protocol (SCTP) transport mechanism.

Cybercriminals have exploited vulnerabilities in the SS7 protocol to bypass security mechanisms and steal money from bank accounts. Researchers have warned about the threat for years and these types of attacks have recently become a reality.

SS7, which stands for Signalling System No. 7, is a telephony signaling protocol used by telecommunications providers worldwide. It allows the customers of different networks to communicate with one another and ensures that calls are not interrupted when users are traveling over longer distances.

SS7 was developed back in 1975 and it does not include any protection or authentication, making it easy for third-parties to connect to the SS7 network.

The fact that SS7 has serious weaknesses has been known for years and researchers have often warned that malicious actors could leverage them to locate subscribers, intercept calls and SMS messages, and conduct fraud.

The first case of malicious actors exploiting SS7 flaws to make a profit has now come to light. German newspaper Süddeutsche Zeitung reported on Wednesday that cybercriminals had relied on SS7 attacks to bypass two-factor authentication (2FA) systems and conduct unauthorized wire transfers.