Tuesday September 19, 2017

Why You Shouldn’t Use Texts for Two-Factor Authentication

Security experts have warned that text messages are vulnerable to hijacking, and now, hackers from Positive Technologies are proving that with a video demonstration where they take control of a Coinbase bitcoin wallet and start pilfering funds via Signalling System No. 7 (SS7) flaws. The SS7 network is normally used by telecoms companies to talk with one another, yet weaknesses have allowed for various attacks such as silent interception of SMS texts, calls, and location data.

In their attack, the Positive researchers first went to Gmail, using Google's service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking one-time authorization codes to be sent to the victim's phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they'd compromised.