Researchers from Positive Technologies recently showed Forbes how, using only a name and a phone number, hackers are able to compromise someone’s Google account, and use it to get to that person’s bitcoins or bank account.
Hackers can do this using a flaw in the global telecoms network, that affects what’s known as Signaling System No. 7 (SS7). In a demonstration video, researchers were able to take control of a Coinbase account and do whatever they wanted to with its funds, via an SS7 flaw. Taking into account that Coinbase has over 10.4 million users, a lot of bitcoiners are at risk.
An SS7 weakness essentially allows anyone with access to the telecoms backbone to send and receive messages from specific cellphones, with some attacks allowing texts, calls, and location data to be intercepted by the hackers.
Positive Technologies’ researchers first used Gmail to find an email account with just a phone number. Then, they reset that account’s password, which prompted a one-time authorization code to be sent to the victim’s phone. Using their SS7 exploit, they intercepted the text and got the code, effectively taking control of the account. Then, they did the same thing to the victim’s Coinbase account, as shown in the video below:
The threat, as Forbes points out, doesn’t just affect bitcoin users, but anyone with anything linked to a Google account. Positive researcher Dmitry Kurbatov stated:
“This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery.”
The biggest barrier stopping hackers from performing these types of attacks is access to the SS7 network itself. Positive Technologies’ researchers had access to it for research purposes and to help network operators improve security. Malicious hackers would have to buy access, or hack their way in. According to Kurbatov access can be bought in dark web websites.
While this type of attack seems scary, there is a way to secure your bitcoins if they are in a Google account-linked wallet: stop using SMS for two-factor authentication. SS7 attacks, according to Forbes, don’t work when the two-factor authentication system is based on one-time codes – like with Google’s Authenticator app.
Apps like Google Authenticator are safer, so much so that Coinbase’s vice president of operations, Daniel Romero, has been reaching out to customers about changing SMS-based two-factor authentication to apps like these. He stated:
“Additionally, we’ve enhanced our own monitoring systems to prevent phone-related security threats. We are continuing to monitor this vigilantly.”
Other solutions, like using a Google prompt or security key instead of an SMS for two-factor authentication will also prevent SS7 attacks. Nevertheless, to keep your bitcoins safe it’s always advisable to use proper methods.
Featured image from Shutterstock.
Last modified: May 21, 2020 9:13 AM UTC