Why You Shouldn’t Use Texts for Two-Factor Authentication

Megalith

Security experts have warned that text messages are vulnerable to hijacking, and now, hackers from Positive Technologies are proving that with a video demonstration where they take control of a Coinbase bitcoin wallet and start pilfering funds via Signalling System No. 7 (SS7) flaws. The SS7 network is normally used by telecoms companies to talk with one another, yet weaknesses have allowed for various attacks such as silent interception of SMS texts, calls, and location data.

In their attack, the Positive researchers first went to Gmail, using Google's service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking one-time authorization codes to be sent to the victim's phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they'd compromised.
 
If a site gives you no other 2 form authentication method (email) and requires 2 form what do you do?
 
My first thought was...fuck! But really, everything is hackable with unlimited resources or motivation. Even if I had backup email as a recovery, they can hack that. The loop can only go so far...
 
This popped up a few weeks ago as a topic but was still theoretical at the time. Looks like that didn't last long.

If a site gives you no other 2 form authentication method (email) and requires 2 form what do you do?

Don't use that site?
 
I always thought it was dumb to do 2F over SMS. Mostly because at the time they started rolling out I had limited SMS on my account (I hardly use it 90% of the people I message have iPhones).
 
What if they send a fingerprint/iris verification to an enabled device? Probably would need an app installed.
 
yuck. good to lay low and not be super active on reddit etc about your large transactions. I see a lot of people write boasts... probably easy targets
 
This reminds me of previous incidents, where accounts were compromised to steal bitcoin wallets using a different weakness in carriers and 2FA. I assumed previous ones would be an inside job with the exchange or someone close (neighbor/relative) to pull it off, but with all these breaches it's hard to be sure.
 
And that apps head of security would have a music degree.

lol, I mean more so for Google Mail to prompt for fingerprint authentication. Not a third party app.
So if you're working on a desktop, your phone hardware ID system will authenticate your account, like Touch ID on the MacBook.
 
I never did think that a cell phone number was a good way to identify/authenticate someone, but I was always dismissed. Looks like I was right. :pompous:
 
Security experts have warned that text messages are vulnerable to hijacking, and now, hackers from Positive Technologies are proving that with a video demonstration where they take control of a Coinbase bitcoin wallet and start pilfering funds via Signalling System No. 7 (SS7) flaws. The SS7 network is normally used by telecoms companies to talk with one another, yet weaknesses have allowed for various attacks such as silent interception of SMS texts, calls, and location data.

In their attack, the Positive researchers first went to Gmail, using Google's service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking one-time authorization codes to be sent to the victim's phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they'd compromised.


I've been saying this shit wasn't true Two-Factor Authentication for years and it never was and still isn't.
 
2FA isn't perfect by any means, even when properly implemented, and no one serious has ever said it was. Every method has some weakness.

Still better than a simple password though.
 
2FA isn't perfect by any means, even when properly implemented, and no one serious has ever said it was. Every method has some weakness.

Still better than a simple password though.

No one said 2FA is a perfect security scheme, but implementing a security scheme and calling it 2FA when it isn't, is just stupid.
 
And if you use an app that can be hacked. If you use an RSA key fob somebody can use a camera to see what your fob says or break into your house / office and steal that... there is no perfect method.

If somebody knows your phone number, your carrier and already has access to that network to steal your SMS AND has your account information to log into your account, you are probably already fucked anyway.

Like somebody else said above, everything is hackable with enough resources and how crazy you want to start to think.
 
No one said 2FA is a perfect security scheme, but implementing a security scheme and calling it 2FA when it isn't, is just stupid.

It meets the technical definition, since it requires your phone. This attack though is a man-in-the-middle type, where they're hijacking or at least copying the authentication message. It's STILL 2FA by definition.
 
It meets the technical definition, since it requires your phone. This attack though is a man-in-the-middle type, where they're hijacking or at least copying the authentication message. It's STILL 2FA by definition.

Nope, it's not.

Entering a password for a site is "Something you know", sending an SMS message with a temp pin is still "Something you know" even though they are passing it to you via a phone "Something you have", it doesn't change the actual security factor in use, which is why this is being compromised.

And as this whole issue shows, introducing a phone into the equation actually introduced a vulnerability and ready made exploit due to weaknesses in the transmission scheme.
 
This article and the research is dumb, common sense should tell you that access to the system that routes texts will let you re-route texts but the real question is how easy it is to access the system and they barely touch on that. Now if they found a way to easily get into the system or could confirm that access is being sold on the black market at affordable prices I might be a little more concerned.

Nothing is 100% secure and this sounds like a lot more effort than most people would go to if their goal is to steal something like a steam account, I could maybe see it for something more valuable like a hefty bitcoin wallet but it would probably still be easier to go the social engineering route and just get the number switched over to a new phone.
 
You can add an extra layer by using Gmail's alias system.

Every Gmail email has the ability to have unlimited email addresses, this is done by using a + after the name, but before the @. So [email protected].

If you use this once to sign up for an important site and nowhere else, the hackers have to not only get your email, but guess the word you put after the plus (they also have to know you did so). Doesn't solve the underlying email being compromised issue, but prevents people willy-nilly trying your email address in a ton of different services to see which one has an account, since your standard email wouldn't be there.
 
Yep, two factor is hacked, here's our one (foolish) factor example....
 
This popped up a few weeks ago as a topic but was still theoretical at the time. Looks like that didn't last long.

Theoretical? It was just a little while ago that bank accounts across Germany were getting drained...

And a nice link in that article with a report from DHS of all saying mobile networks are vulnerable. That post a little while ago about all the Telecoms making empty announcements about a 2FA working group wasn't pro-active. It's them being dragged forward by bean counters.

This is like ancient news from decades ago. It's not a bug, it's how it was designed from the beginning because of its pre-internet foundation.
 
It's the same hack that was demo'd about 2 years ago -- and the groups that did both demos had unrestricted SS7 access to the carriers in question. The US carriers are pretty well locked down on access.

I've read about retina scans being jacked, and about taking high-res photos of hands in order to print out fingerprints.

SMS based 2FA isn't fool proof - frankly, nothing is, as long as the target is valuable enough. For the general population, SMS based 2FA is pretty good.
 
No need for two factor when you just open up new email accounts/don't share anything, using unique usernames/emails and passwords for everything and letting a non-cloud password manager handle all the passwords. Only PITA is forwarding all the emails to other email accounts to make checking emails easier. Spreading the target out makes a whole lot more work. That being said, SMS is far from a secure system; if you're using two factor through a phone, that should really be in an app that's tied to the phone and can be encrypted end to end. This seems like a call to obfuscate the phone that is tied to accounts vs. your phone for doing business, so the number doesn't become readily available.
 
The better bitcoin exchanges offer Google Authenticator 2FA with IP whitelisting and bitcoin address whitelisting. You can also turn off TOR access, and assorted operating system compatibility.
 
My first thought was...fuck! But really, everything is hackable with unlimited resources or motivation. Even if I had backup email as a recovery, they can hack that. The loop can only go so far...

Hijacking phones is an old trick. People have done it to steal service, etc. for a long time. It was already a bad idea when someone suggested it for 2-factor.
 