Update 1:30PM ET: Updated with statement from Positive Technologies.
As long as SMS is included as an option for two-factor, we’ll continue to see attacks like this. Still, the industry as a whole has been very slow in moving away from SMS as a second factor, which has severely weakened the overall security of the system. Google, for instance, will let you manage two-factor and account recovery here and here just set up Authenticator or a recovery code, then go to the SMS option for each and click “Remove Phone.” Coinbase also offers two-factor through Authenticator or other one-time password tools. On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you’ve got a more secure app-based method established. There are a few concrete steps you can take to protect yourself from this kind of attack.
Other groups have pulled off less sophisticated version of the same hack by breaking into carrier accounts to set up call-forwarding. As long as you’re getting confirmation codes over SMS, you’ll be vulnerable to this kind of attack. “It's much easier and cheaper to get direct access to the SS7 interconnection network and then craft specific SS7 messages, instead of trying to find a ready-to-use SS7 hijack service,” the researchers told The Verge.īitcoin wallets are a popular target for those attacks because of the irreversibility of Bitcoin transactions, but the attack work just as well on any other web service. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces.Įven if a third-party service isn’t available, Positive Technologies researchers say they may simply attack the network directly. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself.
0 kommentar(er)
