Once again, it's been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages.
Specifically, the security shortcomings lie in the Signaling System 7 (SS7) protocol, which networks worldwide use to talk to each other to route calls, and so on.
There are little or no safeguards in place on SS7 once you have access to a cell network operator's infrastructure. If you can reach the SS7 equipment – either as a corrupt insider or a hacker breaking in from the outside – you can reroute messages and calls as you please. Someone working for, or who has compromised, a telco in Morocco, for instance, can quietly hijack and receive texts destined for subscribers in America.
Infosec outfit Positive Technologies, based in Massachusetts, USA, obtained access to a telco's SS7 platform, with permission for research purposes, to demonstrate this month how to commandeer a victim's Bitcoin wallet. First, they obtained their would-be mark's Gmail address and cellphone number. They then requested a password reset for the webmail account, which involved sending a token to the cellphone number. Positive's team abused SS7 within the telco to intercept the authentication token and gain access to the Gmail inbox. From there, they were able to reset the password to the user's Coinbase wallet, log into that, and empty it of crypto-cash.
Minimal personal information about a victim – just their first name, last name, and phone number – was enough to get their email address from Google's find-a-person service and hack a test wallet in Coinbase.
Earlier this year, crooks exploited these aforementioned weaknesses in SS7 to log into victims' online bank accounts in Germany and drain them of funds. The cyber-robbers intercepted texts with login authentication codes sent to customers of Telefonica Germany before using the stolen information to carry out unauthorized transactions, as we previously reported.
"Exploiting SS7-specific features is one of several existing ways to intercept SMS," said Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies.
"Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level."
Banks try to strike a balance between usability and security. Tokens in text messages are easy to receive and type in. For sensitive accounts, using a phone for authentication will be risky if SS7 hijacks increase. However, if the choice is phone authentication or no two-factor authentication at all, it's a good idea to use the phone for security reasons – or, even better, find a service that offers second-factor authentication from an app, key fob or other gizmo.
Ultimately, login token stealing, via SS7, is still rare. Most headaches with SMS tokens are caused by people getting locked out of their stuff, rather than having it all stolen.
"We should stop using SMS for 2FA, but also worth noting: for providers the biggest problem with 2FA is account lockouts, not bypasses," said Martijn Grooten, a security researcher and editor of industry journal Virus Bulletin. ®