he security of SMS-based two-factor authentication has been long-debated. Despite flaws in Signalling System No. 7 (SS7), which is an internationally used telecom protocol to route texts and calls, it continues to be used at a large scale in banking and other services.
The security researchers Positive Technologies have shown how a bitcoin wallet can be hacked using SS7 vulnerabilities. By getting their hands on SS7 network, the hackers were able to reset the Gmail passwords using SMS-based two-factor authentication.
A big flaw in SMS-based 2FA is that the one-time password can be accessed on a variety of devices and services, which might have their own flaws. Thus, the attack surface increases. On the other hand, the true 2FA, which is like a push notification popup, sends the verification prompt to one device.
In a video posted by the researchers, which is embedded below, it’s shown how easy it is to carry out the attack. By intercepting the text messages in transit, the hackers can take control of your Gmail account and any other service associated with it.
Not just cryptocurrency wallets, this flaw puts your banking and social media accounts at risk. “This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery,” the researchers told Forbes.
Getting access to the SS7 network is the biggest barrier one needs to cross. The cybercriminals can buy the access on the dark web. In the past, at least at one occasion, SS7 was used to empty bank accounts. According to Forbes, many surveillance companies are also selling services to spy using SS7 flaw.
What should the user do?
As stressed earlier, SS7 flaw has been known to the telecom industry from a long time. So, unless they don’t take steps to make it more secure, the users need to take steps on their own. You can use tools like Google Authenticator, Google prompt, or security key for extra security.
Did you find this story on SSL flaw attack interesting? Don’t forget to share your views and feedback.