Why SMS two-factor authentication puts your bitcoins at risk

For years, we’ve known that there’s a flaw in the backbone of the public switched telephone network (PSTN) that makes it vulnerable to hackers, crooks and surveillance-happy governments.

The flaw is in Signaling System No. 7 (SS7): the telephony signaling protocols used to establish interoperability across more than 800 service providers worldwide. SS7 is what lets you receive an SMS text from anywhere, be it at home, in a moving car or traveling abroad, using a foreign network.

Unfortunately, third parties can breach SS7, enabling spying, data interception and redirection of two-factor authentication (2FA) codes that a bank sends to its customers.

That’s what we saw in May: crooks pried open that SS7 vulnerability to raid consumers’ online bank accounts. It was a two-pronged attack that zeroed in on SS7 call-forwarding features that allow networks to validate your SIM card when you travel internationally. First, the hackers sent phishing emails; then, they vacuumed up account numbers, phone numbers and passwords, set up a redirect for the victim’s mobile phone number to a handset they controlled, then swooped in late at night to log onto the accounts and set up money transfers.

Now, we have yet more troubling news on the SS7 front and more evidence that you shouldn’t use texts for two-factor authentication (2FA). In a video uploaded on Monday, researchers from the Russian security firm Positive Technologies demonstrated that they were able to use the SS7 flaws to take control of a Coinbase Bitcoin wallet and suck out funds.


Being security researchers, they didn’t steal anything, but they did show how easy it is to do so. All a hacker needs is a bitcoin wallet user’s first name, last name and mobile phone number.

As the video shows, the Positive researchers targeted a Coinbase account protected by 2FA. The bitcoin account was registered to a Gmail account that was also protected by 2FA.

They started at Gmail, using Google’s account-recovery lookup to find the email address registered to the victim’s phone number. With the address in hand, they initiated a password reset; Google sends the one-time recovery code for that by SMS to the registered number. Because the attacker already knows the victim’s phone number, they can exploit the SS7 flaws to have that text delivered to a handset they control and read the code.

With the code in hand, the attacker sets a new password and takes over the Gmail account. From there it’s on to the Coinbase website, where they trigger another password reset, this time completed through the email account they’ve just hijacked.

The vulnerability of Gmail and Coinbase/Bitcoin to this attack is only the latest in a long history of SS7 exploits. At the time of the SS7-facilitated bank account raids in May, Bank Info Security summarized the exploit history of SS7, which was developed in 1975 and has since been picked apart in oh, so many ways:

  • Tobias Engel’s 2008 Chaos Communication Congress presentation showed how unauthorized SS7 users could track a phone’s location.
  • Ed Snowden’s 2013 document dump revealed that the NSA was using SS7 to spy on individuals.
  • Karsten Nohl’s 2014 Chaos Communication Congress presentation showed how SS7 could be hacked, enabling hackers to listen to calls, read short messages, and intercept internet traffic. (He even demonstrated the technique by hacking a US Congressman’s messages on America’s number one news documentary program, 60 Minutes.)
  • The same year, Positive Technologies demonstrated even more powerful SS7 message interception and redirection hacks using standard Linux PCs and freely accessible software tools, reporting that “the world’s 10 largest mobile telephony providers were vulnerable… and that blocking related exploits was difficult, because attacks could be crafted using legitimate SS7 messages, meaning it was almost impossible to filter them out.”
  • Also in 2014, Ukraine’s telecommunications regulator reported evidence of “in the wild” SS7 attacks apparently coming from Russia.

As Naked Security has noted in the past, the long-term solution is to fix SS7. According to the UK’s National Cyber Security Centre (NCSC), work is already under way on hardening SS7, with the aim of stopping “trivial re-routing of UK traffic”, making it much tougher to pull UK machines into large-scale distributed denial-of-service (DDoS) attacks, and ultimately getting the hardened protocols propagated out into the major phone exchanges. The US National Institute of Standards and Technology (NIST) has also recently published new guidelines that deprecate SMS-based authentication for US federal agencies.

SS7 hacks are, in fact, only one of the ways that thieves can divert a target’s SMS messages and calls to another device. They can also social engineer a customer service person at the phone company into moving your number onto a SIM card they control, in what’s known as a SIM swap, and then use the intercepted codes to drain your accounts.

As Naked Security’s Paul Ducklin has explained, a SIM swap – moving your mobile number to a new subscriber identity module (SIM) card, for example to activate a new handset – can be done fraudulently. In a fraudulent SIM swap, the crooks’ objectives are to intercept your 2FA codes; change as many profile settings on your account as they can; add new payment recipient accounts belonging to accomplices; and milk money out of your account into an account from which it can be withdrawn quickly in cash, never to be seen again.

Paul gives a ton of good advice about how to avoid falling prey to SIM swaps, which are common enough that ActionFraud UK, part of the UK’s National Fraud Intelligence Bureau (NFIB), warned about it recently.

For example, you might consider switching from SMS-based 2FA codes to codes generated by an authenticator app. Those codes are computed on the handset itself from a secret shared with the service when you enrol, so no code travels over the phone network for an SS7 attacker or SIM swapper to intercept; instead, the crooks would have to steal your phone and figure out your lock code in order to reach the app that generates your sequence of logon codes.

Indeed, that’s the advice that Coinbase is giving customers. Daniel Romero, Coinbase vice president of operations, told Forbes that the company has been talking to customers about migrating from SMS-based 2FA to apps like Google Authenticator, among other things:

Additionally, we’ve enhanced our own monitoring systems to prevent phone-related security threats. We are continuing to monitor this vigilantly.

But as Paul notes, even avoiding SMS-based 2FA codes isn’t a cure-all:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If in doubt, don’t give it out!

To learn more about the dangers of SIM swaps and what you can do about them, read Fraudsters draining accounts with ‘SIM swaps’ – what to do.