Slashdot Mirror


Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com)

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"

6 of 102 comments

  1. All SMS-based 2FA Systems should use Signal by Anonymous Coward · Score: 5, Insightful

    End to end encryption easily solves this and other problems related to government spying.

    First of all, these are not cellular network "vulnerabilities." These are "features." And these "tools" are not Proof-of-Concepts for finding weaknesses in the networks. They are "products" that are sold to government for the purpose of spying on YOU and ME.

  2. Re:bank? by nine-times · Score: 3, Insightful

    Basically SMS isn't secure, and shouldn't be treated as a method of securely transmitting data.

  3. Still better than password only by MightyYar · Score: 5, Insightful

    So... still better than password-only. That's probably good enough for my purposes.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Still better than password only by Solandri · Score: 5, Insightful

      No, it's worse than password-only. If your account is only protected by a password, then there's no password recovery. You forget your password and you're locked out of the account, permanently. OTOH that means anyone trying to get into your account has to guess/know your password in order to get in.

      With this SMS intercept exploit, they can get into your account without knowing your password.

      You're thinking of using a SMS in addition to your password in order to log in to an account - i.e. 2FA. Yes, in that case it's better than password-only (unless it lulls you into picking a poor password because you think you're being protected by the SMS). But that's not what this exploit is about. It's about resetting your password by intercepting a SMS that was supposed to go to your phone. The SMS is used to bypass your password, not to augment it. (In your defense, TFA conflates the two as well, leading to the confusion.)

      In other words, it's stupid using 2FA to log in, if your password reset procedure is 1FA. Attackers will simply ignore the stronger security to target the weakest link - the 1FA step.
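
Added example, not part of the original thread: a small audit that models the weakest-link point made in the comment above, where an account's real strength is its cheapest access path, including recovery paths that hop through another account. The account names, factor labels and the `ACCOUNTS` layout are constructed assumptions that loosely mirror the wallet-registered-to-mail chain in the summary.

```python
from itertools import product

# Constructed model: each account lists its access paths; a path is the set of
# things that must ALL be presented. "acct:<name>" means "control of that other
# account" (for example, receiving its password-reset e-mail).
ACCOUNTS = {
    "wallet": [
        {"password:wallet", "sms"},   # normal 2FA login
        {"acct:mail", "sms"},         # reset link by e-mail plus SMS code
    ],
    "mail": [
        {"password:mail", "sms"},     # normal 2FA login
        {"sms"},                      # account recovery by text message alone
    ],
}

def minimal_factor_sets(account, accounts, _seen=frozenset()):
    """Return the minimal sets of base factors that grant control of `account`."""
    if account in _seen:              # break recovery loops (A resets B resets A)
        return []
    seen = _seen | {account}
    results = set()
    for path in accounts[account]:
        options = []                  # per requirement: alternative factor sets
        for req in path:
            if req.startswith("acct:"):
                options.append(minimal_factor_sets(req[5:], accounts, seen))
            else:
                options.append([frozenset({req})])
        for combo in product(*options):
            results.add(frozenset().union(*combo))
    # Keep only sets that are not strict supersets of another set.
    return sorted((s for s in results if not any(o < s for o in results)),
                  key=lambda s: (len(s), sorted(s)))

def effective_factor_count(account, accounts):
    """Distinct factors on the weakest path; 1 means the account is really 1FA."""
    sets = minimal_factor_sets(account, accounts)
    return min(len(s) for s in sets) if sets else None

def audit(accounts, weak=frozenset({"sms"})):
    """Flag accounts that can be reached using only factors listed in `weak`."""
    return {name: any(s <= weak for s in minimal_factor_sets(name, accounts))
            for name in accounts}

if __name__ == "__main__":
    for name in ACCOUNTS:
        print(name, effective_factor_count(name, ACCOUNTS), audit(ACCOUNTS)[name])
```

Replacing the SMS-only recovery path with an app-based code or a recovery code, as the quoted report suggests, is what moves the weakest path back to two factors in this model.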

  4. 2FA with SMS is not about security by Carewolf · Score: 4, Insightful

    It is just an excuse to harvest your phone number.

  5. Re:This is two-step, NOT two factor by TheRaven64 · Score: 4, Insightful

    SMS is intended for two-factor authentication when the phone is a thing that you have and is separate from the thing that you know. The problem that TFA points out is that 'having the phone' and 'being the only one who can receive SMS to that number' are not even slightly the same thing. The other problem is that an increasing amount of stuff is done on the phone, so the phone stops being a separate 'something you have' and is just your terminal, which is as likely to be controlled by the attacker as any other terminal (probably more so, given how many run unpatched operating systems with known vulnerabilities).

    --
    I am TheRaven on Soylent News