This Is Why You Shouldn’t Use Texts for Two-Factor Authentication
For a long time, security experts have warned that text messages are vulnerable to hijacking — and this morning, they showed what it looks like in practice. A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit.
The group targeted a Coinbase account that was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn’t actually steal anyone’s bitcoin, although that would have been an easy step to take.
At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces.
Even if a third-party service isn’t available, Positive Technologies researchers say they may simply attack the network directly. “It's much easier and cheaper to get direct access to the SS7 interconnection network and then craft specific SS7 messages, instead of trying to find a ready-to-use SS7 hijack service,” the researchers told The Verge.
Bitcoin wallets are a popular target for those attacks because of the irreversibility of Bitcoin transactions, but the attack work just as well on any other web service. As long as you’re getting confirmation codes over SMS, you’ll be vulnerable to this kind of attack. Other groups have pulled off less sophisticated version of the same hack by breaking into carrier accounts to set up call-forwarding.
There are a few concrete steps you can take to protect yourself from this kind of attack. On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you’ve got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click “Remove Phone.” Coinbase also offers two-factor through Authenticator or other one-time password tools.
Still, the industry as a whole has been very slow in moving away from SMS as a second factor, which has severely weakened the overall security of the system. As long as SMS is included as an option for two-factor, we’ll continue to see attacks like this.
Update 1:30PM ET: Updated with statement from Positive Technologies. Also added more detail on protecting against recovery phone attacks in Google accounts.