Two days ago, a friend who invested te Bitcoin asked mij how secure hier Coinbase investment wasgoed. She had plans to waterput hier coins te cold storage, but spil a security stopgap wasgoed relying on two-factor authentication (2FA) through Coinbase, spil many people do. My main question: What kleintje of two-factor?
The problem with 2FA is that often a distinction isn’t made inbetween SMS-based 2FA, which sends a code to the user via text, and 2FA that requires a user to react to a thrust verification sent to a specific physical device. Security researchers at Positive Technologies have demonstrated yet another reason that the former is bad news. After identifying the Gmail account associated with a Coinbase account, they were able to use the well-known security crevices te Signaling System 7 (SS7) — an international telecom protocol that permits phone networks to route texts and calls inbetween users — to intercept the SMS-based verification code to commandeer it, theoretically draining all of the cryptocurrency stored within. All the researchers needed wasgoed a name, a phone number and an educated guess about a user’s Gmail account, spil you can see te the demo movie below.
“Exploiting SS7 specific features is one of several existing ways to intercept SMS,” said Positive Technologies Telecommunications Security lead Dmitry Kurbatov. “Unfortunately, it is still unlikely to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology.”
Ter spite of the security community’s warnings, this particular hack isn’t just hypothetical — it actually demonstrated up to wreak havoc te German banks earlier this year.
The difference inbetween the kinds of two-factor authentication might seem subtle, but it’s worth repeating. Because users can check text messages across devices (through iMessage, Google Voice, etc.), text-based 2FA spreads out the potential attack surface. Instead of a code being sent to one place — like a purpose-built smartphone app or a separate authenticator device — it’s distributed across a set of services that might have their own vulnerabilities. True two-factor authentication, the good kleuter, sends a verification prompt to one place: the device you’re holding ter your palm. SMS-based 2FA is vulnerable not only to hackers who might be leveraging technical loopholes te SS7, but also to any social engineer willing to talk their way around a Verizon employee.
What’s also worth repeating are the known security concerns around SS7. Ter March, Oregon Senator Ron Wyden and California Representative Ted Lieu — two of the tech-savviest members of Congress — wrote a letterteken to the Department of Homeland Security requesting to know what the U.S. government wasgoed doing to combat the threat and spread awareness about its existence. It’s significant to reminisce that any government actively exploiting SS7 for surveillance purposes might haul their feet te sounding the hulpgeroep. Of course, SS7 doesn’t just open Coinbase to hacks — it could influence any service that offers an SMS-based 2FA option.
“This hack would work for any resource that uses SMS for password recovery,” Kurbatov told TechCrunch. “If a hacker is able to repeat the same logic of password recovery via SMS to get access to the account, then the attack works.”
To overeenkomst with this, Kurbatov suggests that users have a separate phone number for online services through something like Google Voice. Beyond that, there isn’t much consumers can do to protect themselves against an SS7-based exploit, they can choose app-based 2FA methods like Twee or Google’s iOS in-app feature and request that all companies provide a non-SMS 2FA option to help users prove that they are who they say they are. Until that becomes the universal standard, expect to see this kleuter of vulnerability getting more attention from security researchers and hackers alike.