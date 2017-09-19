Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com) 25
An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
End to end encryption easily solves this and other problems related to government spying.
First of all, these are not cellular network "vulnerabilities." These are "features." And these "tools" are not Proof-of-Concepts for finding weaknesses in the networks. They are "products" that are sold to government for the purpose of spying on YOU and ME.
Why even bother trying to transmit the code? Just use time based codes.
My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?
Basically SMS isn't secure, and shouldn't be treated as a method of securely transmitting data.
My bank uses text messages to verify transactions. Would that be vulnerable in some way as well?
FDIC insurance says everything about the give-a-shit level of most banks.
Google may be savage but Google is legal.
Google won't empty your bank account without your permission, Google won't ask you for a ransom, Google won't use you computer as a proxy for all kind of illegal activity.
That's also why it is better to be in debt to a bank than to the mafia, no matter how savage banks are. Sure, debt collectors are annoying and they may take your house but at least your life will be safe and you won't be mailed body parts of family members.
The exactly same attack "false roaming request" has been in the wild since 2003 or 2004. Literally millions of people loose money due to having their phone number hijacked and being used to send SMSes to paid numbers.
Same trick is being used by Russian spies to regularly steal online accounts of European politicians
If you're paranoid or actually at risk of being hacked, buy a burner phone and use that for your 2 step authentication.
Nobody can social engineer or cell tower hack your number because they don't know it.