Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks

Two-factor authentication by SMS? More like SOS

By John Leyden

Posted in Security, 18th September 2017 23:37 GMT

Once again, it's been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages.

Specifically, the security shortcomings lie in the Signaling System 7 (SS7) protocol, which is used to by networks worldwide to talk to each other to route calls, and so on.

There are little or no safeguards in place on SS7 once you have access to a cell network operator's infrastructure. If you can reach the SS7 equipment – either as a corrupt insider or a hacker breaking in from the outside – you can reroute messages and calls as you please. Someone working for, or who has compromised, a telco in Morocco, for instance, can quietly hijack and receive texts destined for subscribers in America.

Infosec outfit Positive Technologies, based in Massachusetts, USA, obtained access to a telco's SS7 platform, with permission for research purposes, to this month demonstrate how to commandeer a victim's Bitcoin wallet. First, they obtained their would-be mark's Gmail address and cellphone number. They then requested a password reset for the webmail account, which involved sending a token to the cellphone number. Positive's team abused SS7 within the telco to intercept the authentication token and gain access to the Gmail inbox. From there, they were able to reset the password to the user's Coinbase wallet, log into that, and empty it of crypto-cash.

Minimum personal information about a victim – just their first name, last name, and phone number – was enough to get their email address from Google's find-a-person service and hack a test wallet in Coinbase.

Earlier this year, crooks exploited these aforementioned weaknesses in SS7 to log into victims' online bank accounts in Germany and drain them of funds. The cyber-robbers intercepted texts with login authentication codes sent to customers of Telefonica Germany before using the stolen information to carry out unauthorized transactions, as we previously reported.

Why are creepy SS7 cellphone spying flaws still unfixed after years, ask Congresscritters


"Exploiting SS7-specific features is one of several existing ways to intercept SMS," said Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies.

"Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level."

Banks try to strike a balance between usability and security. Tokens in text messages are easy to receive and type in. For sensitive accounts, using a phone for authentication will be risky if SS7 hijacks increase. However, if the choice is phone authentication or no two-factor authentication at all, it's a good idea to use the phone for security reasons – or, even better, find a service that offers second-factor authentication from an app, key fob or other gizmo.

Ultimately, login token stealing, via SS7, is still rare. Most headaches with SMS tokens are caused by people getting locked out of their stuff, rather than having it all stolen.

"We should stop using SMS for 2FA, but also worth noting: for providers the biggest problem with 2FA is account lockouts, not bypasses," said Martijn Grooten, a security researcher and editor of industry journal Virus Bulletin. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

WikiLeaks a 'hostile intelligence service', SS7 spying, Russian money laundering – all now on US Congress todo list

Ron Wyden tacks measures onto snoop funding bill

Why are creepy SS7 cellphone spying flaws still unfixed after years, ask Congresscritters

And why won't the NSA open up about Section 702 spying?

Micron gets edgy with 256GB surveillance SD card reveal in China

But still outclassed in capacity by SanDisk's tiny whopper

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

O2 confirms online thefts using stolen 2FA SMS codes

Hey FCC, when you're not busy screwing our privacy, how about those SS7 cell network security flaws, huh?

No one else seems to care, sniff politicians

IRS tax bods tell Americans to chill out about Equifax

Your personal data was probably already in crims' hands

SanDisk's little microSD card sucks up 400GB

iPhone charging and backup base unit also on cards

Amazon dodges $1.5bn US tax bill: It's OK to run sales through Europe out of IRS reach – court

If only we could all open a Luxembourg office, eh?

Micron's new storage division lead is third former SanDisk recruit

Anand Jayapalan replaces Darren Thomas

IRS kills off PINs citing increasing suspicious activity

Pulls plug early