In theory, two-factor authentication (2FA) is an excellent method to keep your accounts secure. The problem with this security method, however, is that it typically relies on text messaging to send you a code which you then enter to unlock your account. While this seems fine on the surface, there are big problems with the underlying network that delivers the code to your phone.
Signaling System No. 7, or SS7, is the protocol system pretty much every telecom in the world uses to manage calls and messages. If a hacker breaches that network, they can intercept 2FA codes sent to your phone number. A security research firm posted a video in which they carry out just such an attack.
Using a research tool, Positive Technologies was able to capture all messaging going to a number for five minutes. That allowed the researchers to reset the password for both a Coinbase account and the Gmail account associated with it, both with two-factor authentication enabled. If a hacker were to do this to you, you can kiss your Bitcoins goodbye.
The scariest part might be that Positive Technologies is using commonly known flaws in the system. SS7 has been around since 1975, so there’s been plenty of time to poke holes in it. While access is supposed to be restricted to telecoms only, there are a number of hijacking services currently available for purchase. Even if no third-party exploits are currently available, researchers say that hackers may just attack the network itself.
“It’s much easier and cheaper to get direct access to the SS7 interconnection network and then craft specific SS7 messages, instead of trying to find a ready-to-use SS7 hijack service(…)”
Even though the vast majority of companies use SMS for two-factor authentication, some are moving beyond that. Companies like Google offer app-based authentication that completely bypasses the SMS protocol. You can download Google Authenticator now and after setting it up, remove your phone number as your second step in your two-factor authentication settings. This ensures that even if hackers do use this method to intercept your messages, there won’t be anything 2FA-related to intercept.